WebApp Sec mailing list archives
RE: FW: Tools comparison and evaluation question (AppScan)
From: "Erwin Geirnaert" <egeirnaert () securityinnovation be>
Date: Fri, 17 Feb 2006 17:43:58 +0100
Nobody played with HailStorm from Cenzic yet?

From my personal experience: it looks great and has a good performance to scan web apps. It allows to automate certain things like boundary testing, privilege escalation or bypass authorization. Because I do a lot of manual security testing with open-source tools, I don't like tools that only scan things by fuzzing parameters and show a lot of false positives. If I can't see how attacks are executed and I can't customize the attack patterns it has no usage for me. All depends on what you are looking for: low hanging fruit or an assessment tool that can be used and shared in the development phase by developers and testers.

I hope that the project at Owasp about the web app scan market (is it a project or an individual initiative?) is able to shed some light on the real power of commercial tools. I can imagine that when you need automated assessment tools and only can rely on Google or banners on security sites (or even mailing list ads :)) to learn about these products, you don't know what to choose.

Erwin

-----Original Message-----
From: Peter Wood [mailto:peterw () firstbase co uk]
Sent: Friday, 17 February 2006 16:06
To: webappsec () securityfocus com
Cc: Charles'
Subject: Re: FW: Tools comparison and evaluation question (AppScan)

We use WebInspect on a daily basis too, and have done so since version 1.0. It's an excellent tool with some excellent (and constantly improving) utilities.

Pete

At 13:46 17/02/2006 +0000, Xyberpix wrote:

I use WebInspect pretty much on a daily basis, and wouldn't trade it for anything. As far as tools go, it really is a worthwhile addition.

xyberpix

-----Original Message-----
From: Burke, Charles
Sent: Friday, February 17, 2006 7:47 AM
To: 'Serg Belokamen'
Subject: RE: Tools comparison and evaluation question (AppScan)

Also, WebInspect is a very good (commercial) tool. It also includes some invaluable utilities (Sql Injector, etc) that are a step above their open source competitors.

-----Original Message-----
From: Serg Belokamen [serg.belokamen () gmail com]
Sent: Friday, February 17, 2006 2:04 AM
To: webappsec () securityfocus com
Subject: Tools comparison and evaluation question (AppScan)

Hi All,

I am currently looking at using/evaluating a tool called AppScan (by watchfire.com).

So the question is in two parts and ASAP reply would be greatly appreciated.

First: Without starting a flame war (hopefully) or marketing campaign (another hopefully) can anyone tell me about their experience with the software, what you find useful about it, what not, any annoyances, missing functionality, etc.

Second: Can anyone recommend any similar type of software, preferably open source (although not at all essential), and describe its performance, usability and "usefulness" so to speak using AppScan as a reference point.

Thanks,
Serg

--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk

-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!" - Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world examples of recent hacking methods such as: SQL Injection, Cross Site Scripting and Parameter Manipulation
https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
-------------------------------------------------------------------------