EH-Net

Ethical Hacking Discussions and Related Certifications => Web Applications => Topic started by: H1t M0nk3y on January 21, 2013, 09:02:32 AM



Title: Web App Fuzzer
Post by: H1t M0nk3y on January 21, 2013, 09:02:32 AM
Hi everyone,

Just a quick question: What web app fuzzer do you use? I know there are many of them, but I was wondering which one you prefer and why.

Thanks


Title: Re: Web App Fuzzer
Post by: Dark_Knight on January 21, 2013, 09:05:22 AM
BurpSuite primarily.


Title: Re: Web App Fuzzer
Post by: cd1zz on January 21, 2013, 09:40:01 AM
+1

We've had Acunetix and Hailstorm, but I hate both. I always end up using Burp because it gives me the most manual control. I still think web app testing is 80% human.


Title: Re: Web App Fuzzer
Post by: ajohnson on January 21, 2013, 09:44:02 AM
+1

We've had Acunetix and Hailstorm, but I hate both. I always end up using Burp because it gives me the most manual control. I still think web app testing is 80% human.

+2

I often find myself running Acunetix just because we have it. I've yet to get results even remotely comparable to what I do with Burp.


Title: Re: Web App Fuzzer
Post by: cd1zz on January 21, 2013, 09:45:10 AM
Acunetix has pretty reports :)

Clients love pretty.


Title: Re: Web App Fuzzer
Post by: Dark_Knight on January 21, 2013, 09:54:31 AM
I have also tried w3af, but have not had much luck with it. Recently I have been playing with ZAP (OWASP).

Not entirely a fuzzer, but I've also been looking at Fiddler.


Title: Re: Web App Fuzzer
Post by: Grendel on January 21, 2013, 11:11:45 AM
Remember my mantra: "Always be cynical. Use more than one tool for each job."

That said, I would recommend BurpSuite Pro be added to your list.


Title: Re: Web App Fuzzer
Post by: H1t M0nk3y on January 21, 2013, 01:03:55 PM
Guess which one I was using... BurpSuite.

I wanted to know if someone was using another one and for what reason...

But with BurpSuite, you basically learn about one tool and you can do a whole bunch of things with it.

Thanks for your answers.


Title: Re: Web App Fuzzer
Post by: MaXe on January 21, 2013, 06:50:50 PM
Acunetix and Burp Suite Pro (the pro version makes quite a difference) ;) As Grendel said in this post, but also countless other times, don't rely on one single tool, use multiple. Acunetix has its issues, but mostly it's better than most other automated scanners.
PS: I don't consider Burp an automated scanner, even though it has one, but the amount of "tools" it includes is amazing, meaning I use it primarily for manual attacks, while using its scanner too.