Web vulnerability scanner

This topic contains 7 replies, has 5 voices, and was last updated by JasonInnor 3 years ago.

  • #8431
     zenlakin 
    Participant

    I have looked around a bit online and have seen several options in products like ZAP, Burp, AppScan, Acunetix, etc. I wanted to see what some of you might recommend for a good enterprise-class web vulnerability scanner. I would be looking for something that could scale to ongoing scanning of around 150-250 medium to large websites. These websites would range from having HTML, Flash, JavaScript, AJAX, and recently HTML5 incorporated in them. I use ZAP and Burp more for pentests, as I am not sure they would scale or are even meant for scanning a large number of sites in an ongoing fashion.

  • #52923
     cd1zz 
    Participant

    AppScan is like 30K and up, is that an option?

  • #52924
     zenlakin 
    Participant

    We already have AppScan, but I have been finding that it seems to be limited, and I have been having issues with recording login sessions, as the browsers aren't supported even though my version of AppScan is fully up to date. Also, with large websites I find that it hangs a lot, and I tend to receive a fair amount of out-of-memory errors; the application crashes and I have to start the scan all over.

  • #52925
     cd1zz 
    Participant

    This is kind of a tough situation, because most of these products are crappy. Burp is the best, but only for one site at a time. It doesn't do well even with large, single sites.

    The problem you're going to face is that the "right" product you find that can handle such a huge workload is probably going to give you the same marginal results, at best.

    The only product that really comes to mind that you might want to consider is Nexpose. It does web app scanning, although I'm not sure how well, and it can get pricey, but it's worth a look. You can schedule scans, and it seems to perform well on larger engagements. I was also going to say AppScan, but you already don't like that product.

  • #52926
     caissyd 
    Participant

    Have you looked at this site?
    http://sectooladdict.blogspot.ca/2012/07/2012-web-application-scanner-benchmark.html

    Very good information can be found there about web application vulnerability scanners!

  • #52927
     BillV 
    Participant

    Give Arachni a shot. In my experience, and based on my quick glance at the results of their testing (it seems they agree), this free tool can compete with the commercial tools.

  • #52928
     BillV 
    Participant

    I missed the part about enterprise and scaling. It's probably not the best option for that.

  • #52929
     JasonInnor 
    Participant

    I've looked everywhere and can't find how to delete the .MDX files that are generated on my web server. I can find code for the desktop and even the delete-on-exit code. The problem is this is a web project and doesn't ever exit. The other day I had over 7k of the .MDX files. How can I make them go away?

Copyright ©2019 Caendra, Inc.