March 29, 2013 at 12:51 pm #8331
We are now deciding some investments for this year and I have the chance to buy some new tools.
I’ve been looking around, at least at the most well-known tools, but there are different goals and price ranges among them.
For example, I need a tool for web vulnerability scanning with some urgency.
From what I’ve read, Burp Suite and Acunetix seem like good options. But their price ranges are completely different.
So, does the major price difference really justify the additions in Acunetix?
Second question: spending a bit more than the Acunetix price, for example, I could go for a more complete tool, like Metasploit Pro or Core Impact, but are they as good as Acunetix for web vulnerability scanning?
So any input is welcome so I can weigh the options and make the best investment possible.
March 29, 2013 at 5:06 pm #52373 Matthias2012, Participant
If you’re not fixed on open source, have you also had a look at the LAN security scanner from GFI.com?
AFAIK, you can download a trial version.
March 29, 2013 at 10:04 pm #52374 impelse, Participant
Use/buy the tool that helps you do the job the right way and that you feel comfortable using.
March 30, 2013 at 9:44 am #52375 m0wgli, Participant
April 1, 2013 at 4:01 am #52376
I hate Acunetix, I use Burp Pro for everything now.
April 6, 2013 at 9:45 pm #52377
Thanks for the inputs.
I did know about that report, but it’s quite helpful.
From what I’ve seen in that study, Acunetix seems to be a bit better than Burp, but the price is 10 times more, so my question is: does anyone think Acunetix justifies that huge difference?
Also, does anyone use both and have some input?
April 6, 2013 at 11:19 pm #52378
I completely disagree. Just gave Acunetix another shot this week on a client and hate it even more. Worst. Product. Ever.
If all you need are pretty reports with false positives, Acunetix is your tool.
April 7, 2013 at 12:27 am #52379 hayabusa, Participant
I pretty much use Burp all the time.
A.) Acunetix, with all its bells and whistles, is costly and tends to be unreliable, from my experience (I second cd1zz on that).
B.) Burp just WORKS, and works well / consistently. I personally know no experienced and trustworthy pentesters who would disagree.
I guess if you’re prepared to cross-check every finding from Acunetix anyway, using tools like Burp to validate the findings, having multiple tools is nice. But if you can get by without it, I’d stick to Burp.
It’s really the same with most of the GUI vuln tools, etc. Sure, they’re handy and faster, in many cases, than manual testing. But they usually come with a hefty cost associated, and if I can show the same vulnerabilities using free tools, without having to cross-check findings, etc, then I prefer to save my time and money.
My 2 cents, anyway…
April 8, 2013 at 9:23 am #52380 Jamie.R, Participant
I have always used Burp Suite, and the paid version is worth the money. However, if you’re looking for a free alternative, ZAP by OWASP is pretty good.
April 8, 2013 at 5:21 pm #52381
Thanks for the inputs.
I also have another question in mind.
We’ve been talking about web app testing, but we also do network, client-side, wireless testing, etc.
So one other option would be to go for a professional tool, like Metasploit Pro or Core Impact, which both do web apps too.
Of course the prices are even higher, but has anyone compared web app testing with tools like Burp to Metasploit Pro or Core Impact?
April 9, 2013 at 8:24 am #52382 Jamie.R, Participant
I never used them as a pro version, but I guess it depends what you’re looking for. I don’t think there is any tool that can do the job 100%. I find most tools that I use will find low-hanging fruit, but more advanced SQL and XSS need manual work to exploit them.
There is another web tool that you can buy; I think it’s called web inspector.
April 9, 2013 at 11:39 am #52383
April 9, 2013 at 12:07 pm #52384
Yeah, I totally know that there’s no bulletproof solution and no point-and-click in this area, but what I’m looking for is a major package and tool for web apps and for network as well; that’s why I mentioned Core Impact and Metasploit Pro.
And does anyone have some thoughts on Core Impact vs Metasploit Pro?
April 10, 2013 at 1:31 pm #52385
They’re both awesome for pen testing. Core Impact has exploits in it that are not public, and Meta Pro can help automate large pentests; it is a phishing platform and does some other stuff. Not sure about web app scanning, I doubt it. That would be creeping into their other product, Nexpose. I always turn the Nexpose spidering/scanning option off. In my opinion, web app scanners are only as good as the guy using them. Burp is the only option + someone who knows what they’re doing.
For network, you need a good vuln scanner. I like Nexpose. However, there are a billion vulns that don’t show up in a vuln scanner either. Again, it depends on the person driving. I guess what I’m saying is that you need multiple tools. Meta Pro and Core are expensive, the rest are not. What you give up in the pro, you can make up with old-school Metasploit.
April 10, 2013 at 1:48 pm #52386
I understand what you mean, and those are good comments.
Thanks for the inputs.
April 10, 2013 at 9:14 pm #52387 m0wgli, Participant
Regarding Metasploit Pro, I saw this on the Rapid7 site today: OWASP Top 10 2013: What’s New – and How to Audit Your Web Apps
In this webinar for IT administrators, web app developers and security professionals, Michael Belton will talk about the brand new OWASP Top 10 2013 and why they’re an important guideline for securing web applications, focusing on the changes since the previous OWASP Top 10 version. At the end, Christian Kirsch and Joe Dubin will show how Metasploit Pro can be leveraged to test web applications for OWASP Top 10 2013 vulnerabilities.