WebApp Sec mailing list archives
RE: Tools comparison and evaluation question (AppScan)
From: "arian.evans" <arian.evans () anachronic com>
Date: Fri, 17 Feb 2006 13:14:20 -0600
Serg, I have an older list of tools here: http://www.owasp.org/docroot/owasp/misc/OWASP_DC_2005_Presentations/Track_2- Day1/AppSec2005DC-Arian_Evans_Tools-Taxonomy.ppt This info is dated. Several tools have matured, but so is the complexity of applications on the Internet. I used to say SPI had the best proxy, but it really depends on what you are testing. SPI's proxy does not provide a way to manipulate data if you have serialized data passing client<->server in the HTTP stream (e.g.-you have something like an Eclipse rich client). A few other products have proxies that do. I'll be releasing an updated vendor list in PDF around the end of the month, and possibly a sample testing app or two. There is still enough variance between which tools do which tasks better, that the best benchmark is your own software. For a while SPI and Watchfire were the clear leaders, but now there are some other tools with strengths (and weaknesses) to consider. At the end of the day it all relies on what *you* need to do. There does not yet exist a sample application and methodology in the public domain for performing useful synthetic benchmarks. (I hope SiteGenerator will change this soon.)
software, what you find useful about it, what not, any annoyances, missing functionality, etc.
On sites with complex javascript menus with lots of links and URL parameters, I have observed AppScan to hang or go into loops when turned lose in completely automated fashion. That said, overall it is still one of the best tools in the automated scanning domain.
Second: Can anyone recommend any simular type of software, preferably open source (although not at all essential), and describe its performance, usability and "usefulness" so to speak using AppScan as a reference
Here's a list of tools I would consider evaluating: Acunetix Enterprise WVS 3.0 Cenzic Hailstorm 3.0 NT Objectives NTOSpider 2.1 Syhunt Sandcat Suite SPI Dynamics WebInspect 5.8 Watchfire Appscan 6 Manual testing tools: Burp Suite 1.01 Ecyware BlueGreen Inspector Paros Proxy OWASP Webscarab -ae ------------------------------------------------------------------------- This List Sponsored by: SpiDynamics ALERT: "How A Hacker Launches A Web Application Attack!" Step-by-Step - SPI Dynamics White Paper Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl --------------------------------------------------------------------------
Current thread:
- Tools comparison and evaluation question (AppScan) Serg Belokamen (Feb 16)
- RE: Tools comparison and evaluation question (AppScan) arian.evans (Feb 17)
- <Possible follow-ups>
- RE: Tools comparison and evaluation question (AppScan) Peine,Holger (Feb 17)
- Re: Tools comparison and evaluation question (AppScan) Lucien Fransman (Feb 17)
- Re: Tools comparison and evaluation question (AppScan) Serg B. (Feb 17)
- Re: Tools comparison and evaluation question (AppScan) Lucien Fransman (Feb 17)
- FW: Tools comparison and evaluation question (AppScan) Burke, Charles (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Serg B. (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) Burke, Charles (Feb 17)
- Re: Tools comparison and evaluation question (AppScan) Ratna Kumar (Feb 17)
- RE: Tools comparison and evaluation question (AppScan) Rui Pereira (WCG) (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Xyberpix (Feb 17)
- Re: FW: Tools comparison and evaluation question (AppScan) Peter Wood (Feb 17)
(Thread continues...)