[Intrusions] need a suggestion of tool for pentest webapplication.

Evans, Arian Arian.Evans at fishnetsecurity.com
Mon Jul 11 16:15:54 GMT 2005

Hello, I started the OWASP Taxonomy and Tools project
precisely because of responses like this. Unfortunately
the software security space is still rather immature
and there are very different opinions on what "testing"
software for security consists of, let alone what
"software security" consists of. For more discussion see:

webappsec at securityfocus.com (the list OWASP uses)
websecurity at webappsec.org (the WASC mailing list)
sc-l at securecoding.org (smarter brains than mine here)

> I gather you are looking for a web vulnerability scanner.
> You can do a reasonable job with the freeware nikto
> (http://www.cirt.net/code/nikto.shtml).

I'm not sure what constitutes "reasonable" but I could
not agree less. Common basic holes (e.g. weak session
tokens in cookies) that allow complete ownership of
an application are not testable w/nikto without creation
of a custom plugin that doesn't exist. Free tools that
you can do something useful with:

> I am partial to AppScan
> (http://www.watchfire.com/products/security/default.aspx) or
> WebInspect
> (http://www.spidynamics.com/products/webinspect/index.html).
> WebInspect is the incumbent in the market.  AppScan is an up
> and comer that is making good progress into the market.  In
> my opinion AppScan has better reporting than WebInspect
> including very good compliance reporting.

This information is completely incorrect. AppScan was the first
commercial "web app scanner" widget (Perfecto, then Sanctum).
It is now owned by Watchfire, a 'dashboard' company. The tool has
excellent reporting but the question is what is it reporting on?
It is ineffectual for proper testing of an application. The ability
to parse JavaScript, for example, while superior to many of the
tools out there, is still weak.

I have seen comments like "ScannerX is faster than ScannerY"
which usually reflects the fact that ScannerX is skipping entire
sections of an application because it can't test it. This breeds
a false sense of security with the majority of network security
folks who don't understand what the tool is or isn't doing.

WebInspect has nice tools for augmenting manual/eyeball testing.
AppScan for example has no fuzzer, no way to test session tokens,
etc. etc. even though it has "great reporting".

The "up and comer" in my opinion is NTO Spider. There are a lot
of other tools out there as well.
These tools are evolving rapidly right now so while I might say
"WebInspect has the best JavaScript parsing" that could change
tomorrow if NTO or someone else releases a superior parsing engine.
My opinions here are based upon the specific environments I test
these tools in which may be different from yours. YMMV.

<standard_disclaimer> I work for a reseller of these types of
widgets but I am != SE/"sales engineer" aka product advocate.

Arian Evans
Sr. Security Engineer
FishNet Security

KC Office:  816.421.6611
Direct: 816.701.2045
Toll Free:  888.732.9406
Fax:  816.474.0394
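Added example, not part of Arian's post or of any of the tools he names: the post says a plain scanner gives you no way to test whether an application's session tokens are weak. The script below is one way to do that check yourself against tokens collected from your own application, by estimating the per-character entropy of a sample and flagging positions that never change. The two sample sets are constructed (a padded counter with a fixed suffix, and 32 hex characters from a seeded PRNG standing in for a properly random token), and the 64-bit floor and 0.5-bit "dead position" threshold are assumptions, not values from the post.

```python
# Rough randomness check for session tokens (added example, not from the post).
# Sample tokens are constructed; thresholds are assumptions chosen for illustration.
import math
import random
from collections import Counter


def per_position_entropy(tokens):
    """Shannon entropy in bits of each character position across the sample."""
    if not tokens:
        raise ValueError("need at least one token")
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("tokens differ in length; compare like with like")
    n = len(tokens)
    entropies = []
    for pos in range(length):
        counts = Counter(t[pos] for t in tokens)
        entropies.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return entropies


def dead_positions(tokens, floor=0.5):
    """Indexes of positions that are (almost) constant across the sample."""
    return [i for i, h in enumerate(per_position_entropy(tokens)) if h < floor]


def estimate_bits(tokens):
    """Sum of per-position entropies. This is an optimistic bound on effective
    entropy because it ignores correlations between positions (a counter or
    timestamp would still look 'random' position by position), so treat a
    low score as conclusive and a high score only as 'not obviously weak'."""
    return sum(per_position_entropy(tokens))


def assess(tokens, min_bits=64.0):
    """Small report; the 64-bit floor is a widely cited guideline (assumption here)."""
    bits = estimate_bits(tokens)
    dead = dead_positions(tokens)
    return {
        "bits": bits,
        "dead_positions": dead,
        "verdict": "weak" if bits < min_bits else "ok",
    }


# Constructed samples. In a real test, replace these with 200+ tokens issued
# by your own application in quick succession.
WEAK_TOKENS = [f"{i:06d}abcdef" for i in range(1, 201)]
_rng = random.Random(7)  # seeded so the example is repeatable
STRONG_TOKENS = [
    "".join(_rng.choice("0123456789abcdef") for _ in range(32)) for _ in range(200)
]

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_TOKENS), ("strong", STRONG_TOKENS)):
        r = assess(sample)
        print(f"{name}: ~{r['bits']:.1f} bits, "
              f"{len(r['dead_positions'])} dead positions -> {r['verdict']}")
```

The counter-based sample scores under 10 bits with nine of twelve positions constant, while the hex sample scores well over 100 bits; the point of the per-position view is that it tells you where the token's structure is, which a single aggregate number hides.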


The information transmitted in this e-mail is intended only for the addressee and may contain confidential and/or privileged material.
Any interception, review, retransmission, dissemination, or other use of, or taking of any action upon this information by persons or entities
other than the intended recipient is prohibited by law and may subject them to criminal or civil liability. If you received this communication
in error, please contact us immediately at 816.421.6611, and delete the communication from any computer or network system.
