
Web vulnerability scanner

zenlakin
Newbie
Posts: 13
Joined: Thu May 19, 2011 6:45 am

Post Tue May 07, 2013 9:14 pm

Web vulnerability scanner

I have looked around a bit online and have seen several options in such products as ZAP, Burp, Appscan, Acunetix, etc. I wanted to see what some of you might recommend for a good enterprise-class web vulnerability scanner. I would be looking for something that could scale to ongoing scanning of around 150-250 medium to large websites. These websites would range from having HTML, Flash, JavaScript, AJAX, and recently HTML5 incorporated in them. I use ZAP and Burp more for pentests, as I am not sure they would scale or are even meant for scanning a large number of sites in an ongoing fashion.

cd1zz
Recruiters
Posts: 566
Joined: Sun Oct 03, 2010 9:01 pm

Post Wed May 08, 2013 6:23 pm

Re: Web vulnerability scanner

Appscan is like 30K and up; is that an option?

zenlakin
Newbie
Posts: 13
Joined: Thu May 19, 2011 6:45 am

Post Wed May 08, 2013 8:02 pm

Re: Web vulnerability scanner

We already have Appscan, but I have been finding that it seems to be limited, and I have been having issues with recording login sessions as the browsers aren't supported, even though my version of Appscan is fully up to date. Also, with large websites I find that it hangs a lot, and I tend to receive a fair amount of out-of-memory errors; the application crashes and I have to start the scan all over.

cd1zz
Recruiters
Posts: 566
Joined: Sun Oct 03, 2010 9:01 pm

Post Wed May 08, 2013 9:47 pm

Re: Web vulnerability scanner

This is kind of a tough situation because most of these products are crappy. Burp is the best, but only for one site at a time. It doesn't do well even with large, single sites.

The problem you're going to face is that the "right" product you find that can handle such a huge workload is probably going to give you the same marginal results, at best.

The only product that really comes to mind that you might want to consider is Nexpose. It does web app scanning, although I'm not sure how well, and it can get pricey, but it's worth a look. You can schedule scans, and it seems to perform well on larger engagements. I was also going to say Appscan, but you already don't like that product.

caissyd
Hero Member
Posts: 894
Joined: Thu Dec 31, 2009 11:20 am
Location: Ottawa, Canada

Post Mon May 13, 2013 7:06 am

Re: Web vulnerability scanner

Have you looked at this site?
http://sectooladdict.blogspot.ca/2012/07/2012-web-application-scanner-benchmark.html

Very good information can be found there about web application vulnerability scanners!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)

venom77
Hero Member
Posts: 1905
Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Jul 17, 2013 9:07 pm

Re: Web vulnerability scanner

Give Arachni a shot. In my experience, and based on my quick glance at the results of their testing it seems they agree, this free tool can compete with the commercial tools.

venom77
Hero Member
Posts: 1905
Joined: Mon Dec 11, 2006 3:23 pm

Post Wed Jul 17, 2013 9:09 pm

Re: Web vulnerability scanner

I missed the part about enterprise and scaling... it's probably not the best option for that.
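The thread's practical problem is running one-site-at-a-time scanners (ZAP, Burp, Arachni) across a couple of hundred sites on a schedule, and surviving the crash-and-start-over failure mode zenlakin describes with Appscan. The script below is an added example, not code from any poster or from the ZAP project: it drives a ZAP daemon through its JSON API (the spider/ascan/core endpoints and the `{"scan": ...}`, `{"status": ...}` and `{"alerts": [...]}` response shapes are ZAP's documented ones), keeps a per-site state dictionary that the caller persists between runs so a restart skips finished sites, and retries a site a bounded number of times before marking it failed instead of aborting the batch. The daemon address, API key, site names and the `FakeZap` transport that answers the API calls offline are all assumptions made for the example; point `ZapClient` at a real daemon by leaving `fetch` unset.

```python
"""Queue many sites through ZAP's JSON API with resumable state and bounded retries.
Added example: the API paths and JSON shapes are ZAP's; everything else is assumed."""
import json
import time
from urllib.parse import parse_qsl, urlencode
from urllib.request import urlopen


class ZapClient:
    """Thin wrapper over ZAP's JSON API. `fetch(url) -> dict` is injectable so the
    queue logic can be exercised without a running daemon."""

    def __init__(self, base="http://127.0.0.1:8080", apikey="", fetch=None):
        self.base = base.rstrip("/")          # assumed daemon address
        self.apikey = apikey                  # ZAP rejects calls without a valid key
        self.fetch = fetch or self._http_get

    @staticmethod
    def _http_get(url):
        with urlopen(url, timeout=60) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def call(self, component, kind, name, **params):
        params["apikey"] = self.apikey
        return self.fetch(f"{self.base}/JSON/{component}/{kind}/{name}/?{urlencode(params)}")

    def _wait(self, component, scan_id, poll):
        # ZAP reports progress as a percentage string; 100 means finished.
        while int(self.call(component, "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)

    def scan_site(self, target, poll=5.0):
        """Spider, then active-scan, then pull the alerts recorded for one site."""
        sid = self.call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", sid, poll)
        aid = self.call("ascan", "action", "scan", url=target)["scan"]
        self._wait("ascan", aid, poll)
        return self.call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts):
    """Count alerts per ZAP risk level (High/Medium/Low/Informational)."""
    counts = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


def run_queue(targets, client, state, max_attempts=2, poll=5.0):
    """Scan every target not already marked done in `state` (a dict the caller
    persists between runs, e.g. as JSON on disk). A target whose scan raises is
    retried up to max_attempts times, then recorded as failed; the batch goes on."""
    for target in targets:
        if state.get(target, {}).get("status") == "done":
            continue                          # resume: skip work from the previous run
        for attempt in range(1, max_attempts + 1):
            try:
                alerts = client.scan_site(target, poll=poll)
            except Exception as exc:          # daemon crash, timeout, connection refused
                state[target] = {"status": "failed", "attempts": attempt, "error": str(exc)}
                continue
            state[target] = {"status": "done", "attempts": attempt, "alerts": summarize(alerts)}
            break
    return state


class FakeZap:
    """Constructed stand-in for the ZAP daemon so the example runs offline. It
    answers the API paths above with the documented JSON shapes; targets
    containing 'flaky' fail once, targets containing 'down' fail every time."""

    def __init__(self):
        self.calls = []
        self.flaky_seen = set()

    def __call__(self, url):
        self.calls.append(url)
        path, _, query = url.partition("?")
        params = dict(parse_qsl(query))
        name = path.rstrip("/").rsplit("/", 1)[-1]      # 'scan', 'status' or 'alerts'
        if name == "scan":
            target = params["url"]
            if "down" in target or ("flaky" in target and target not in self.flaky_seen):
                self.flaky_seen.add(target)
                raise ConnectionError("daemon out of memory")
            return {"scan": "3"}
        if name == "status":
            return {"status": "100"}
        if name == "alerts":
            return {"alerts": [
                {"risk": "High", "alert": "SQL Injection", "url": params["baseurl"]},
                {"risk": "Medium", "alert": "X-Frame-Options Header Not Set", "url": params["baseurl"]},
            ]}
        raise ValueError(f"unexpected API call: {url}")


def demo():
    """Four assumed sites; b.example is already done from an earlier run."""
    sites = ["http://a.example", "http://b.example", "http://flaky.example", "http://down.example"]
    previous = {"http://b.example": {"status": "done", "attempts": 1, "alerts": {"Low": 2}}}
    fake = FakeZap()
    client = ZapClient(apikey="changeme", fetch=fake)
    state = run_queue(sites, client, previous, max_attempts=2, poll=0)
    return state, fake.calls


if __name__ == "__main__":
    final_state, api_calls = demo()
    for site, record in final_state.items():
        print(site, record)
    print(len(api_calls), "API calls made")
```

Against a real daemon, start ZAP headless (`zap.sh -daemon -port 8080 -config api.key=...`), construct `ZapClient` without `fetch`, and dump `state` to a file after each target so a killed run picks up where it left off. The state dictionary is also the natural place to hang scheduling: record a timestamp alongside `done` and re-queue only sites older than the scan interval.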
