Re: Spi's products worth a try? Or any suggestions for developers' tool?
caseytay_at_nets.com.sg
Date: 11/09/05
- Previous message: Justin.Ross_at_signalsolutionsinc.com: "Re: Nessus - open or closed source?"
- In reply to: Cory Stoker: "Re: Spi's products worth a try? Or any suggestions for developers' tool?"
- Next in thread: Thomas Ryan: "RE: Spi's products worth a try? Or any suggestions for developers' tool?"
- Reply: Thomas Ryan: "RE: Spi's products worth a try? Or any suggestions for developers' tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Cory Stoker <cory@clearnetsec.com> Date: Wed, 9 Nov 2005 09:46:57 +0800
Hi Cory,
This is regarding ur statement abt SPI webinspect. u mentioned:
"Also if
your site utilizes Javascript heavily, SPI will have a tougher time
crawling your site and analyzing it. If a site has Javascript you
would manually crawl the site first then analyze the pages crawled."
my Ques:
1) why would Webinspect have a tough time crawling sites with Javascripts?
2) why do u advise that the pentester 1st do a manual walkthru scan, then
analyse from there onwards, instead of doing a Auto scan 1st?
Regards,
Casey
Cory Stoker
<cory@clearnetsec
.com> To
Aman Raheja
11/08/2005 03:56 <araheja@techquotes.com>,
AM pen-test@securityfocus.com
cc
Subject
Re: Spi's products worth a try? Or
any suggestions for developers'
tool?
I have used SPI Web inspect and it is a pretty good tool. It is not
a run and forget tool but it is valuable in a web assessment. Mostly
it is a time saver as it does many tests automatically so you do not
have to write scripts for the repetitive tasks. One thing that rocks
is the SPI toolkit option for Web Inspect as it is a framework for
manual testing that is pretty comprehensive. However the licensing
scheme for Web Inspect is very restrictive and expensive for a tool
of this nature IMHO. For example the cheaper licenses restrict you
to a single IP but the site wide license is very pricey. Also if
your site utilizes Javascript heavily, SPI will have a tougher time
crawling your site and analyzing it. If a site has Javascript you
would manually crawl the site first then analyze the pages crawled.
--- Cory Stoker ClearNet Security On Nov 3, 2005, at 11:55 PM, Aman Raheja wrote: > Hello > Anyone has any experience with Spi's tools for web application > vulnerability scanning? > http://www.spidynamics.com/products/index.html > I need to suggest developers' tool so that they can self assess > their application and reduce the overhead of the testing team. > Any advice? > Thanks in advance. > Regards > Aman Raheja > > http://www.techquotes.com > > > ---------------------------------------------------------------------- > -------- > Audit your website security with Acunetix Web Vulnerability Scanner: > Hackers are concentrating their efforts on attacking applications > on your website. Up to 75% of cyber attacks are launched on > shopping carts, forms, login pages, dynamic content etc. Firewalls, > SSL and locked-down servers are futile against web application > hacking. Check your website for vulnerabilities to SQL injection, > Cross site scripting and other web attacks before hackers do! > Download Trial at: > > http://www.securityfocus.com/sponsor/pen-test_050831 > ---------------------------------------------------------------------- > --------- > > ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------------- *************************************************************************** IMPORTANT NOTICE: This email and any files transmitted with it is intended only for the use of the person(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and delete the email. Thank you. *************************************************************************** Casey Tay Kian Chuan Data Security Analyst Data Security DID : 65-6374-0653 TEL : 65-6272-0533 FAX : 65-6275-7712 Network For Electronic Transfers (S) Pte Ltd 298 Tiong Bahru Road #04-01/06 Central Plaza Singapore 168730 http://www.nets.com.sg ******************************************************************************** IMPORTANT NOTICE: This email and any files transmitted with it is intended only for the use of the person(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you are not the intended recipient, please immediately notify the sender and delete the email. Thank you. ******************************************************************************** ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
- Previous message: Justin.Ross_at_signalsolutionsinc.com: "Re: Nessus - open or closed source?"
- In reply to: Cory Stoker: "Re: Spi's products worth a try? Or any suggestions for developers' tool?"
- Next in thread: Thomas Ryan: "RE: Spi's products worth a try? Or any suggestions for developers' tool?"
- Reply: Thomas Ryan: "RE: Spi's products worth a try? Or any suggestions for developers' tool?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
