Comparison between different tools with different goals and price ranges

This topic contains 15 replies, has 8 voices, and was last updated by m0wgli 6 years, 5 months ago.

  • #8331
     dmarques 
    Participant

    Hi,

    We are now deciding some investments for this year and I have the chance to buy some new tools.
    I’ve been looking around for the most known tools at least, but there’s different goals and price ranges on them.
    For example, I need a tool for web vulnerability scanning with some urgency.
    From what I’ve read, Burp Suite and Acunetix seem good options. But their price ranges are completely different.
    So, does the major price difference really justify the additions in Acunetix?
    Second question: spending a bit more than the Acunetix pricing, for example, I could go for a more complete tool, like Metasploit Pro or Core Impact, but are they as good as Acunetix for web vulnerability scanning?

    So any inputs are welcome so I can balance myself and make the best investment possible.

    Thanks.

  • #52373
     Matthias2012 
    Participant

    Hi,

    if you are not fixed on open source, have you also had an eye on the LAN security scanner from GFI.com?
    Afaik, you can download a trial version..

    Regards

  • #52374
     impelse 
    Participant

    Use/buy the tool that helps you do the job in the right way and that you feel comfortable using.

  • #52375
     m0wgli 
    Participant
  • #52376
     cd1zz 
    Participant

    I hate Acunetix, I use Burp Pro for everything now.

  • #52377
     dmarques 
    Participant

    Thanks for the inputs.
    I did know that report, but it’s quite helpful.

    From what I’ve seen from that study, Acunetix seems to be a bit better than Burp, but the price is 10 times more, so my question is: does anyone think that Acunetix justifies that huge difference?
    Also, does anyone use both and have some inputs?

    Thanks

  • #52378
     cd1zz 
    Participant

    I completely disagree. Just gave Acunetix another shot this week on a client and hate it even more. Worst. Product. Ever.

    If all you need are pretty reports with false positives, Acunetix is your tool.

  • #52379
     hayabusa 
    Participant

    I pretty much use burp, all the time.  

    Two reasons:

    A.) Acunetix, with all its bells and whistles, is costly and tends to be unreliable, from my experience (I second cd1zz on that)

    B.) Burp just WORKS, and works well / consistently. I personally know no experienced and trustworthy pentesters who would disagree.

    I guess if you’re prepared to cross-check every finding from Acunetix anyway, using tools like Burp, to validate the findings, having multiple tools is nice. But if you can do without it, and get by without it, I’d stick to Burp.

    It’s really the same with most of the GUI vuln tools, etc.  Sure, they’re handy and faster, in many cases, than manual testing.  But they usually come with a hefty cost associated, and if I can show the same vulnerabilities using free tools, without having to cross-check findings, etc, then I prefer to save my time and money.

    My 2 cents, anyway…

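The cross-checking hayabusa describes, replaying each scanner finding and keeping only those that reproduce, is easy to script. The block below is an added example written for this thread, not code from any poster or from Burp or Acunetix. The host name, paths, findings and the mock_fetch stand-in for the target are all constructed; against a real target you would swap mock_fetch for an HTTP GET that returns the response body. The point it makes is the one in the thread: an HTML-encoded echo of a payload and a FAQ page that happens to quote a MySQL error message are both things a pattern-matching scanner flags, and neither is a vulnerability.

```python
"""Re-check scanner findings before they go in a report.

Constructed example: a scanner has flagged reflected XSS and SQL injection on
a handful of URLs. Instead of trusting the report, replay each finding with a
unique canary and only keep the ones that actually reproduce.
"""
import html
import re
from dataclasses import dataclass
from typing import Callable
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CANARY = "qz7vk"  # short token that will not occur in normal page content

# Database error strings that betray an unhandled SQL error.
SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),               # MySQL
    re.compile(r"unclosed quotation mark after the character string", re.I),  # MSSQL
    re.compile(r"\bORA-\d{5}\b"),                                            # Oracle
    re.compile(r"PostgreSQL.*ERROR|pg_query\(\)", re.I),                     # PostgreSQL
]


@dataclass(frozen=True)
class Finding:
    url: str    # URL as reported by the scanner
    param: str  # query parameter the scanner says is injectable
    kind: str   # "xss" or "sqli"


def with_param(url: str, param: str, value: str) -> str:
    """Return url with one query parameter replaced by value."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def verify(finding: Finding, fetch: Callable[[str], str]) -> str:
    """Replay one finding; fetch(url) returns the response body as text."""
    if finding.kind == "xss":
        payload = f'"><{CANARY}>'
        body = fetch(with_param(finding.url, finding.param, payload))
        if payload in body:
            return "confirmed"                     # markup landed in the page unencoded
        if CANARY in body:
            return "false-positive (encoded)"      # echoed, but HTML-encoded: harmless
        return "false-positive (not reflected)"
    if finding.kind == "sqli":
        baseline = fetch(with_param(finding.url, finding.param, CANARY))
        probe = fetch(with_param(finding.url, finding.param, CANARY + "'"))
        errors_on_probe = any(p.search(probe) for p in SQL_ERROR_PATTERNS)
        errors_on_baseline = any(p.search(baseline) for p in SQL_ERROR_PATTERNS)
        # An error string present without the quote is page content, not a DB error.
        if errors_on_probe and not errors_on_baseline:
            return "confirmed"
        return "false-positive"
    raise ValueError(f"unknown finding kind: {finding.kind}")


def triage(findings, fetch):
    """Map each finding to its verdict."""
    return {(f.url, f.param, f.kind): verify(f, fetch) for f in findings}


# --- constructed stand-in for the target; a real run would use an HTTP GET ---
def mock_fetch(url: str) -> str:
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/search":   # encodes output: scanner's XSS is a false positive
        return f"<p>Results for {html.escape(q.get('q', ''), quote=True)}</p>"
    if parts.path == "/item":     # raw reflection into an attribute: real XSS
        return f'<input name="name" value="{q.get("name", "")}">'
    if parts.path == "/report":   # unhandled quote reaches the database: real SQLi
        if "'" in q.get("id", ""):
            return "You have an error in your SQL syntax; check the manual"
        return "<p>Report ready</p>"
    if parts.path == "/help":     # FAQ page quoting a MySQL error: scanner pattern-matched it
        return "FAQ: if you ever see 'You have an error in your SQL syntax', call support"
    return "<p>not found</p>"


# Constructed scanner output for a hypothetical host.
SAMPLE_FINDINGS = [
    Finding("http://target.example/search?q=test", "q", "xss"),
    Finding("http://target.example/item?name=chair", "name", "xss"),
    Finding("http://target.example/report?id=1", "id", "sqli"),
    Finding("http://target.example/help?id=1", "id", "sqli"),
]

if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_FINDINGS, mock_fetch).items():
        print(f"{key[2]:4} {key[0]} [{key[1]}] -> {verdict}")
```

Of the four constructed findings, only /item (unencoded reflection) and /report (error appears only when the quote is injected) survive; the other two are the kind of noise a report full of scanner output carries. Error-string matching is deliberately a first filter, not proof: a confirmed SQL finding still wants a manual follow-up (boolean or time-based checks) before it is written up.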
  • #52380
     Jamie.R 
    Participant

    I have always used Burp Suite and the paid version is worth the money. However, if you’re looking for a free alternative, ZAP by OWASP is pretty good.

  • #52381
     dmarques 
    Participant

    Hi,

    Thanks for the inputs.

    I have also another question in mind.
    We’ve been talking about web apps testing, but we also do network, client side, wireless testing, etc.
    So one other option would be to go for a professional tool, like Metasploit Pro or Core Impact, which both do web apps as well.
    Of course the prices are even higher, but has anyone compared the web apps testing with tools like burp compared to metasploit pro or core impact?

    Thanks

  • #52382
     Jamie.R 
    Participant

    I’ve never used them as a pro version, but I guess it depends what you’re looking for, and I don’t think there is any tool that can do the job 100%. I find most tools that I use will find low-hanging fruit, but more advanced SQL and XSS need manual work to exploit them.

    There is another web tool that you can buy; I think it’s called web inspector.

  • #52383
     BillV 
    Participant

    Burp is great and you can’t go wrong with the price.

    Some additional options (both free):

    w3af – Web Application Attack and Audit Framework

    arachni – Web Application Security Scanner Framework

  • #52384
     dmarques 
    Participant

    Yeah, I totally know that there’s no bulletproof solution and no point-and-click in this area, but what I’m looking for is a major package and tool for web apps and for network also; that’s why I mentioned Core Impact and Metasploit Pro.

    And does anyone have some thoughts on Core Impact vs Metasploit Pro?

    Thanks

  • #52385
     cd1zz 
    Participant

    They’re both awesome for pen testing. Core Impact has exploits in it that are not public, and Meta Pro can help automate large pentests, it is a phishing platform and does some other stuff. Not sure about web app scanning, I doubt it. That would be creeping into their other product, Nexpose. I always turn the Nexpose spidering/scanning option off. In my opinion, web app scanners are only as good as the guy using them. Burp is the only option + someone who knows what they’re doing.

    For network, you need a good vuln scanner. I like Nexpose. However, there are a billion vulns that don’t show up in a vuln scanner either. Again, it depends on the person driving. I guess what I’m saying is that you need multiple tools. Meta Pro and Core are expensive, the rest are not. What you give up in the pro, you can make up with old-school Metasploit.

  • #52386
     dmarques 
    Participant

    Hi,

    I understand what you mean and those are good comments.
    Thanks for the inputs.

  • #52387
     m0wgli 
    Participant

    Regarding Metasploit Pro, I saw this on the Rapid7 site today: OWASP Top 10 2013: What’s New – and How to Audit Your Web Apps

    In this webinar for IT administrators, web app developers and security professionals, Michael Belton will talk about the brand new OWASP Top 10 2013 and why they’re an important guideline for securing web applications, focusing on the changes since the previous OWASP Top 10 version. At the end, Christian Kirsch and Joe Dubin will show how Metasploit Pro can be leveraged to test your web applications for OWASP Top 10 2013 vulnerabilities.

Copyright ©2019 Caendra, Inc.