From: petercheung@gawab.com
Date: Thu Sep 23 2004 - 06:27:44 EDT
There is a paper from BlackHat:
http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-grossman-up.pdf
which showed that automatic scanning solves half a problem. It's a must for any tester to dig into the web application to analyse it manually.
petercheung@gawab.com
>
>I have to agree with you here - the cost of button pushing can be
>immense. I think SPI is a great tool, though not entirely perfect. I
>can't imagine trying to do multiple or large web sites all by hand - it
>simply wouldn't be as thorough for the same money. Of course, the ideal
>is to have enough volume for a consultants license for a year, then the
>cost is easily justified. That said, a tool is just a tool, and
>shouldn't be relied on for more than "brute force" checking of inputs,
>etc. Human intelligence is essential to doing a good job.
>
>Mark Lachniet=20
>
>> -----Original Message-----
>> From: A.R. [mailto:r00t@northernfortress.net]=20
>> Sent: Thursday, September 16, 2004 8:45 PM
>> To: chuan.delahosseraye@accenture.com
>> Cc: andrew@beegads.com; pen-test@securityfocus.com
>> Subject: RE: Web Application Tester
>>=20
>> I think that when having to choose between a free and a=20
>> commercial tool, it's all about figuring out the return of investment.
>>=20
>> If it takes one week to manually inspect an application with
>> nikto+wget+webscarab+achilles+spike, and only 1 day using Appscan for
>> the "grunt" work plus 2 days for the manual refinement, the 4=20
>> days I gain are worth more than the ~1,000 dollars I have to=20
>> spend for a 7-days Appscan license.
>>=20
>> In the end, I usually prefer to use Paros (free tool), but I=20
>> think that in some situations AppScan/WebInspect can be at=20
>> least worth a look, even if their price makes them look=20
>> unprofitable at first sight.
>>=20
>> NB: I have never used AppDetective, so I am not saying in any=20
>> way that the other tools are better
>>=20
>> Just my 2 cents, of course :)
>>=20
>> A.
>>=20
>> On Wed, 2004-09-15 at 15:27, chuan.delahosseraye@accenture.com wrote:
>> > According to my previous search on a Web pen-test tools, AppScan,=20
>> > WebInspect and Scando are all much more expensive than=20
>> AppDetective.=20
>> > If cost is a concern, it might be possible to combine a=20
>> selection of=20
>> > free tools such as:
>> >=20
>> > - Nessus
>> > - Nikto
>> > - WebScarab
>> > - Achilles
>> >=20
>> > But this would involve a lot of Manual works.
>> >=20
>> > Hope this helps
>> > Chuan
>> >=20
>> > -----Original Message-----
>> > From: A.R. [mailto:r00t@northernfortress.net]
>> > Sent: 15 September 2004 12:27
>> > To: andrew@beegads.com
>> > Cc: pen-test@securityfocus.com
>> > Subject: Re: Web Application Tester
>> >=20
>> > Andrew,
>> >=20
>> > I don't know what's your budget, but for web applications=20
>> you can try=20
>> > the following commercial products:
>> >=20
>> > - AppScan, by Sanctum (www.sanctuminc.com)
>> > - WebInspect, by Spidynamics (www.spidynamics.com)
>> > - ScanDo, by Kavado (www.kavado.com)
>> >=20
>> > ...Or the good ol' Paros=20
>> (http://www.proofsecure.com/download.shtml),
>> > open source and free
>> >=20
>> > Hope this helps
>> >=20
>> > Alberto Revelli
>> > Northern Fortress, Inc.
>> >=20
>> > On Tue, 2004-09-14 at 22:49, Andrew Bagrin wrote:
>> > > Does anyone know of an application tester similar to AppDetective=20
>> > > thats not as hard on the pocket book?
>> > > I need to pentest a web app and am looking for some tools
>> > >=20
>> > > Thanks,
>>=20
>>=20
>>
------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:05 EDT