RE: Web Application Tester

From: A.R. (r00t_at_northernfortress.net)
Date: 09/17/04

  • Next message: Jerry Shenk: "RE: [Dailydave] RE: Network Exploitation Tools akaExploitationEngines & FUD" 
    To: chuan.delahosseraye@accenture.com
Date: Fri, 17 Sep 2004 00:44:34 +0000

    I think that when having to choose between a free and a commercial tool,
    it's all about figuring out the return of investment.

    If it takes one week to manually inspect an application with
    nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
    the "grunt" work plus 2 days for the manual refinement, the 4 days I
    gain are worth more than the ~1,000 dollars I have to spend for a 7-days
    Appscan license.

    In the end, I usually prefer to use Paros (free tool), but I think that
    in some situations AppScan/WebInspect can be at least worth a look, even
    if their price makes them look unprofitable at first sight.

    NB: I have never used AppDetective, so I am not saying in any way that
    the other tools are better

    Just my 2 cents, of course :)

    A.

    On Wed, 2004-09-15 at 15:27, chuan.delahosseraye@accenture.com wrote:
    > According to my previous search on a Web pen-test tools, AppScan,
    > WebInspect and Scando are all much more expensive than AppDetective. If
    > cost is a concern, it might be possible to combine a selection of free
    > tools such as:
    >
    > - Nessus
    > - Nikto
    > - WebScarab
    > - Achilles
    >
    > But this would involve a lot of Manual works.
    >
    > Hope this helps
    > Chuan
    >
    > -----Original Message-----
    > From: A.R. [mailto:r00t@northernfortress.net]
    > Sent: 15 September 2004 12:27
    > To: andrew@beegads.com
    > Cc: pen-test@securityfocus.com
    > Subject: Re: Web Application Tester
    >
    > Andrew,
    >
    > I don't know what's your budget, but for web applications you can try
    > the following commercial products:
    >
    > - AppScan, by Sanctum (www.sanctuminc.com)
    > - WebInspect, by Spidynamics (www.spidynamics.com)
    > - ScanDo, by Kavado (www.kavado.com)
    >
    > ...Or the good ol' Paros (http://www.proofsecure.com/download.shtml),
    > open source and free
    >
    > Hope this helps
    >
    > Alberto Revelli
    > Northern Fortress, Inc.
    >
    > On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:
    > > Does anyone know of an application tester similar to AppDetective
    > > thats not as hard on the pocket book?
    > > I need to pentest a web app and am looking for some tools
    > >
    > > Thanks,

    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. All of our class sizes are
    guaranteed to be 12 students or less to facilitate one-on-one interaction
    with one of our expert instructors. Check out our Advanced Hacking course,
    learn to write exploits and attack security infrastructure. Attend a course
    taught by an expert instructor with years of in-the-field pen testing
    experience in our state of the art hacking lab. Master the skills of an
    Ethical Hacker to better assess the security of your organization.

    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------

  • Next message: Jerry Shenk: "RE: [Dailydave] RE: Network Exploitation Tools akaExploitationEngines & FUD"