Howdy all,

I've been working with a few web application vulnerability scanners lately and was looking for alternatives. The current pool I've pulled from includes Cenzic's hailstorm, Grendel-Scan, and the free version (xss only) of Acunetix's  scanner.

So far I've been impressed with hailstorm's functionality, however; the 50K per license price tag is an issue when multiple scans need to be run at the same time.

Grendel-Scan, a free, open-sourced scanner, provides a solution to the cost issue; however, is less robust than hailstorm.

Acunetix's scanner impressed me the least of these three, but as I mentioned above, I only used the free version.

What I'm looking for is a list of alternatives. More important than the cost is the functionality and coverage the tool provides.

Thanks!

Might find these useful:

http://sectools.org/web-scanners.html

I've used Nikto in the past with varying levels of success. However I haven't done much in this field so don't have much to compare it to.

As mentioned in sectools list referenced by KrisTeason it is often behind the curve when it comes to bleedingedge threats, but the chances are if your developers have left old, well known vulnerabilities about the place it could be a safe bet that your vulnerable to the newer stuff regardless of what your audit tool tells you.

WebInspect I've used in the past....very thorough with a HUGE number of false positives.   Takes a LONG time to run and is not light/easy on a server.

Acunetix I've found to be a very good scanner for the price.   Assuming you're running the scanner as your "high level overview" and then going after the application manually (as you should), it does a great job.   I have yet to run into an application where it's missed something that WI would have caught.

Paros (started life as Paros Proxy) is free, Java-based, and has a number of advantages over tools like Acunetix and WI.   First and foremost, it started out life as a proxy....meaning that you add pages into it by browsing to them (assuming your browser has it set as the proxy).   This gives you control over both what pages you scan as well as the default values to use on forms.   This last part is key -- it _really_ sucks to get caught by basic input validation when there's juicy vulnerabilities lurking just beneath that layer....It's nowhere near as thorough as Acunetix and WI and takes a bit longer to setup, but is well worth the time, IMO.   And it's free.

I've used Hailstorm, but was not impressed and the price is insane.

Honestly, I've never run into a site where the 9,001 different ways that WI checks for SQL Injection (for example) found something that the rather basic checks in Acunetix and Paros missed....so I'd save yourself the money and go with one of the lesser-priced solutions.

Hailstorm isn't doing anything that the others aren't doing (unless by "robust" you mean stable and doesn't chew up system resources).

In order for a web app scanner to be effective, it needs to submit forms.  Often many times, as it should ideally only be testing a single parameter at any given time to avoid running afoul of simple input validation checks.    This is the main source of "garbage" being injected into a database and one of the biggest drawbacks to automated vulnerability scanners on web apps (IMO) -- they're extremely noisy and have a strong tendency to alter the database (not to mention sending LOTS of emails, if the website has email functionality).

If you're going against a production environment, I would strongly suggest avoiding the automated scanners altogether -- stick with manual checks where you can be a bit more intelligent about what you inject.    If you're going against a testing/staging environment that can be reset after your testing is complete, then go to town with the scanner -- the garbage data won't matter and it's a good, quick way to give you a high-level overview of the application so that you can target your manual efforts more effectively.

Hope this helps!

WebInspect and AppScan have historically jockeyed for the "top spot" (though this distinction is not without debate).    I wonder what's going to happen now that they're both owned by IBM?

As an aside, Paros can certainly maintain a login session -- just enable Session Tracking within Paros and login to the app from your browser.   Paros will maintain the sessionid during the scan.   So long as you don't include the logout page (or similar) in your paros scan, I've found it to actually be more reliable than WI (since it can handle things like SSO through a different domain).

Drat!   Right you are!

That'll teach me to post in between rounds of caffeine

Was just using nikto yesterday in the lab. I wasn't real impressed with the run time even against one host on one port. For now, I'll stick with Nessus and Nmap to help identify targets. I will be looking at the other tools here though. Thanks gang.