WebApp Sec mailing list archives

Re: Web Application Source Vulnerability Scanners


From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Fri, 07 Mar 2003 13:53:33 +0100

Ory Segal wrote:
> Hi,
>
> The problem with most open source tools is that they are very strong in CGI Scanning, but when it comes to mutating real HTTP requests, and testing the web application layer, they lack good engine features. They do not have features such as:

Ok. Not completely true. Let's take a look at httpush:
http://sourceforge.net/projects/httpush
(the answers would be similar if you took Spike proxy or other inline proxies)

> 1) Application level tests such as manipulation of: HTML form parameters (SQL Inj., Buffer Overflows, Poison null byte, Format strings bugs, Cookies, HTTP Headers etc...)

It has a Plugin API in which you can code these tests. Some are already available.

> 2) Automatic testing validation.

It does not have those. But I don't understand the point of doing it either.

> 3) Good reporting abilities

Good ol' text files.

> 4) Session management/Transient management - Keeping the scanner 'in session'. This gives you the ability to scan web applications that force you to login, and may kick you out of session, if you caused some error - I believe that most large web apps have this. I believe that AppScan is the only scanner to perform this action.

It does this fairly well, since it's managed by the browser; httpush is a semi-transparent proxy.

> 5) Good performance

Fairly good performance as a proxy.


> 6) Constant updates.

Not in httpush's case, but not really necessary.


> 7) Logging of raw HTTP traffic

Httpush can do that.

> 8) The ability to easily implement new tests.

Same here.

Now, I don't develop httpush myself. But I find it a _very_ useful web application scanner. I think the same of Spike proxy and RFP Proxy, BTW. However, it's not a "web application _Source_ vulnerability scanner". But, then again, your answer does not answer the original post either (since you are not talking of _source_ scanners either).

Regards

Javi
