RE: Web Application Tester

From: Lachniet, Mark (mlachniet@sequoianet.com)
Date: Tue Sep 21 2004 - 08:49:39 EDT

• Next message: Clement Dupuis: "RE: LDAP Pentest"
• Previous message: Todd Towles: "RE: LDAP Pentest"
• Maybe in reply to: Andrew Bagrin: "Web Application Tester"
• Next in thread: Darren Bounds: "Re: Web Application Tester"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have to agree with you here - the cost of button pushing can be
immense. I think SPI is a great tool, though not entirely perfect. I
can't imagine trying to do multiple or large web sites all by hand - it
simply wouldn't be as thorough for the same money. Of course, the ideal
is to have enough volume for a consultants license for a year, then the
cost is easily justified. That said, a tool is just a tool, and
shouldn't be relied on for more than "brute force" checking of inputs,
etc. Human intelligence is essential to doing a good job.

Mark Lachniet

> -----Original Message-----
> From: A.R. [mailto:r00t@northernfortress.net]
> Sent: Thursday, September 16, 2004 8:45 PM
> To: chuan.delahosseraye@accenture.com
> Cc: andrew@beegads.com; pen-test@securityfocus.com
> Subject: RE: Web Application Tester
>
> I think that when having to choose between a free and a
> commercial tool, it's all about figuring out the return of investment.
>
> If it takes one week to manually inspect an application with
> nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
> the "grunt" work plus 2 days for the manual refinement, the 4
> days I gain are worth more than the ~1,000 dollars I have to
> spend for a 7-days Appscan license.
>
> In the end, I usually prefer to use Paros (free tool), but I
> think that in some situations AppScan/WebInspect can be at
> least worth a look, even if their price makes them look
> unprofitable at first sight.
>
> NB: I have never used AppDetective, so I am not saying in any
> way that the other tools are better
>
> Just my 2 cents, of course :)
>
> A.
>
> On Wed, 2004-09-15 at 15:27, chuan.delahosseraye@accenture.com wrote:
> > According to my previous search on a Web pen-test tools, AppScan,
> > WebInspect and Scando are all much more expensive than
> AppDetective.
> > If cost is a concern, it might be possible to combine a
> selection of
> > free tools such as:
> >
> > - Nessus
> > - Nikto
> > - WebScarab
> > - Achilles
> >
> > But this would involve a lot of Manual works.
> >
> > Hope this helps
> > Chuan
> >
> > -----Original Message-----
> > From: A.R. [mailto:r00t@northernfortress.net]
> > Sent: 15 September 2004 12:27
> > To: andrew@beegads.com
> > Cc: pen-test@securityfocus.com
> > Subject: Re: Web Application Tester
> >
> > Andrew,
> >
> > I don't know what's your budget, but for web applications
> you can try
> > the following commercial products:
> >
> > - AppScan, by Sanctum (www.sanctuminc.com)
> > - WebInspect, by Spidynamics (www.spidynamics.com)
> > - ScanDo, by Kavado (www.kavado.com)
> >
> > ...Or the good ol' Paros
> (http://www.proofsecure.com/download.shtml),
> > open source and free
> >
> > Hope this helps
> >
> > Alberto Revelli
> > Northern Fortress, Inc.
> >
> > On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:
> > > Does anyone know of an application tester similar to AppDetective
> > > thats not as hard on the pocket book?
> > > I need to pentest a web app and am looking for some tools
> > >
> > > Thanks,
>
>
> --------------------------------------------------------------
> ----------------
> Ethical Hacking at the InfoSec Institute. All of our class
> sizes are guaranteed to be 12 students or less to facilitate
> one-on-one interaction with one of our expert instructors.
> Check out our Advanced Hacking course, learn to write
> exploits and attack security infrastructure. Attend a course
> taught by an expert instructor with years of in-the-field pen
> testing experience in our state of the art hacking lab.
> Master the skills of an Ethical Hacker to better assess the
> security of your organization.
>
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> --------------------------------------------------------------
> -----------------
>
>

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------

• Next message: Clement Dupuis: "RE: LDAP Pentest"
• Previous message: Todd Towles: "RE: LDAP Pentest"
• Maybe in reply to: Andrew Bagrin: "Web Application Tester"
• Next in thread: Darren Bounds: "Re: Web Application Tester"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT