Re: Sensepost Wikto vs E-Or

-------- Original Message --------
Subject: Sensepost Wikto vs E-Or
Date: Fri, 05 May 2006 15:49:44 +0800
From: Mike Gilligan <mikewgilligan@xxxxxxxxxxx>
To: pen-test@xxxxxxxxxxxxxxxxx

Hi list
Could someone familiar with the whole Web Application Assessment space
educate me on the differences between the Sensepost Wikto and E-Or tools?
They both appear to be Web Application Assessment tools but I'm sure there
are subtle if not very obvious differences that I'm missing.


Perhaps I can shed some light on this. Wikto was never intended for web
application testing - it does very little in the application space, but is
rather used the find problems on the server hosting the application -e.g.
it does an intelligent run of the Nikto database, it looks for common
directories and files in the found directories, and it performs a scan of
the Google Scan database. In other words - Wikto will spot mistakes on the
web server, but does not say anything about the web application (or very

E-Or on the other hand is aimed at the application itself - it does not
try to comment on the web server where the application is hosted. As such,
E-Or will look for problems in parameter handling, database injection etc.
and not if the web server hosting the application is secure. The crowbar
application plays in the same space - it on a lower level - e.g. sending
different forms of the same request and looking at the differences in the

In the past couple of months it became clear that these type of testing is
very much related - e.g. the lines between application and server is
blurring more and more. As such SensePost will be releasing an
appplication that will combine the efforts put into Wikto, E-Or and
Crowbar into a single application - this will be called the SensePost Suru
WebProxy and is due for release at BlackHat Las Vegas 2006.

Wikto, E-Or and Crowbar can be found at

I hope this shed some light on the use of the different applications.

Roelof Temmingh
+ 27 12 460 0880

This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you:
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.