Re: Opinions on Burp Suite Web App Scanner
I second Fabio...
If you want to verify your web app is secure, then get a pentester to
do the job.
Burp is meant to be a helping hand to the pentester, not an assurance tool.

BR,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras


On Wed, Oct 19, 2011 at 8:15 AM, Meenal Mukadam
<meenal.mukadam@xxxxxxxxx> wrote:

Dear Jon,

Webscarab was my #1 but after using Burp I had to hand over the #1
title to Burp Suite. Many 'on-the-fly' options for testing make it a
pentester's best friend. You can also refer to this article if you want
more information about different scanners and their accuracy:
http://ha.ckers.org/blog/20100203/accuracy-and-time-costs-of-web-application-security-scanner-report/

Regards,
Meenal Mukadam


On Wed, Oct 12, 2011 at 10:41 AM, Ben de Bont <bendebont@xxxxxxxxx> wrote:

BurpSuite is my pen-test team's tool of choice.  The spider and scanner are
great, and it has a lot of other functionality that is very useful.  It is
also cheap - get it.

- Ben de Bont

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Derrenbacker, L. Jonathan
Sent: Wednesday, October 12, 2011 8:31 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: Opinions on Burp Suite Web App Scanner

I have budget for a web app vulnerability scanner, and I was wondering if
anyone has opinions on the professional version Burp Suite with the scanner
option.
Is the scanner any good? Accurate?

This is the website if anyone doesn't know what it is:
http://portswigger.net/burp/scanner.html



Thanks,
Jon

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------