WebApp Sec mailing list archives

RE: FW: Tools comparison and evaluation question (AppScan)


From: "Erwin Geirnaert" <egeirnaert () securityinnovation be>
Date: Fri, 17 Feb 2006 17:43:58 +0100

 
Nobody played with HailStorm from Cenzic yet?
From my personal experience: it looks great and has a good performance
to scan web apps. It allows you to automate certain things like boundary
testing, privilege escalation or bypassing authorization.

Because I do a lot of manual security testing with open-source tools, I
don't like tools that only scan things by fuzzing parameters and show a
lot of false positives. If I can't see how attacks are executed and I
can't customize the attack patterns it has no usage for me.

All depends on what you are looking for: low hanging fruit or an
assessment tool that can be used and shared in the development phase by
developers and testers.

I hope that the project at Owasp about the web app scan market (is it a
project or an individual initiative?) is able to shed some light on the
real power of commercial tools. I can imagine that when you need
automated assessment tools and only can rely on Google or banners on
security sites (or even mailing list ads :)) to learn about these
products, you don't know what to choose.

Erwin




-----Original Message-----
From: Peter Wood [mailto:peterw () firstbase co uk] 
Sent: Friday, 17 February 2006 16:06
To: webappsec () securityfocus com
Cc: Charles'
Subject: Re: FW: Tools comparison and evaluation question (AppScan)

We use WebInspect on a daily basis too, and have done so since version
1.0.  It's an excellent tool with some excellent (and constantly
improving) utilities.

Pete

At 13:46 17/02/2006 +0000, Xyberpix wrote:
I use WebInspect pretty much on a daily basis, and wouldn't trade it
for anything.
As far as tools go, it really is a worthwhile addition.

xyberpix

-----Original Message-----
From: Burke, Charles
Sent: Friday, February 17, 2006 7:47 AM
To: 'Serg Belokamen'
Subject: RE: Tools comparison and evaluation question (AppScan)

Also, WebInspect is a very good (commercial) tool.  It also includes
some invaluable utilities (Sql Injector, etc) that are a step above
their open source competitors.

-----Original Message-----
From: Serg Belokamen [serg.belokamen () gmail com]
Sent: Friday, February 17, 2006 2:04 AM
To: webappsec () securityfocus com
Subject: Tools comparison and evaluation question (AppScan)

Hi All,

I am currently looking at using/evaluating a tool called AppScan (by
watchfire.com).

So the question is in two parts and ASAP reply would be greatly
appreciated.

First:
Without starting a flame war (hopefully) or marketing campaign (another
hopefully) can anyone tell me about their experience with the software,
what you find useful about it, what not, any annoyances, missing
functionality, etc.

Second:
Can anyone recommend any similar type of software, preferably open
source (although not at all essential), and describe its performance,
usability and "usefulness" so to speak using AppScan as a reference
point.

  Thanks,
      Serg


--------------------------------------------------------------------
Peter Wood FBCS CITP MIEEE MIMIS CISSP
Chief of Operations
First Base Technologies
Office: +44 (0)1273 454525
Mobile: +44 (0)7774 239915
www.fbtechies.co.uk
www.white-hats.co.uk


-------------------------------------------------------------------------
This List Sponsored by: SpiDynamics

ALERT: "How A Hacker Launches A Web Application Attack!"
Step-by-Step - SPI Dynamics White Paper
Learn how to defend against Web Application Attacks with real-world
examples of recent hacking methods such as: SQL Injection, Cross Site
Scripting and Parameter Manipulation

https://download.spidynamics.com/1/ad/web.asp?Campaign_ID=701300000003gRl
--------------------------------------------------------------------------
