Web Application Vulnerability Scanner

only_samurai
Newbie
Posts: 6
Joined: Tue Aug 12, 2008 3:40 pm
Post Tue Aug 12, 2008 3:51 pm

Web Application Vulnerability Scanner

Howdy all,

I've been working with a few web application vulnerability scanners lately and was looking for alternatives. The current pool I've pulled from includes Cenzic's Hailstorm, Grendel-Scan, and the free version (XSS only) of Acunetix's scanner.

So far I've been impressed with Hailstorm's functionality; however, the 50K per license price tag is an issue when multiple scans need to be run at the same time.

Grendel-Scan, a free, open-source scanner, provides a solution to the cost issue; however, it is less robust than Hailstorm.

Acunetix's scanner impressed me the least of these three, but as I mentioned above, I only used the free version.

What I'm looking for is a list of alternatives. More important than the cost is the functionality and coverage the tool provides.

Thanks!
oleDB
Recruiters
Posts: 236
Joined: Thu Jul 20, 2006 8:58 am
Location: HOA
Post Tue Aug 12, 2008 5:35 pm

Re: Web Application Vulnerability Scanner

I was really impressed with HP WebInspect; it did everything I was looking for. But I'm still evaluating right now, so far all I've compared it to was Acunetix, which I thought was a real value for how cheap it is. The trial version only includes 2 of the many modules it has, but I'm sure you know that.

KrisTeason
Hero Member
Posts: 515
Joined: Sat Sep 08, 2007 7:48 pm
Location: /dev/null
Post Tue Aug 12, 2008 6:45 pm

Re: Web Application Vulnerability Scanner

eCPPT (Silver/Gold), eWPT, GSEC, GISP, GCIH, OSCP, OSWP
dalepearson
Sr. Member
Posts: 357
Joined: Thu Nov 09, 2006 10:03 am
Post Wed Aug 13, 2008 1:53 am

Re: Web Application Vulnerability Scanner

A couple of years ago we trialled AppScan. It wasn't too bad, but seemed very limited at the time, and it was expensive.

Another I have heard is good, but have not seen myself, is CAST; might be worth a look.

RoleReversal
Hero Member
Posts: 928
Joined: Fri Jan 04, 2008 8:54 am
Location: UK
Post Wed Aug 13, 2008 6:22 am

Re: Web Application Vulnerability Scanner

I've used Nikto in the past with varying levels of success. However, I haven't done much in this field so don't have much to compare it to.

As mentioned in the sectools list referenced by KrisTeason, it is often behind the curve when it comes to bleeding-edge threats, but the chances are if your developers have left old, well-known vulnerabilities about the place it could be a safe bet that you're vulnerable to the newer stuff regardless of what your audit tool tells you.

only_samurai
Newbie
Posts: 6
Joined: Tue Aug 12, 2008 3:40 pm
Post Wed Aug 13, 2008 11:23 am

Re: Web Application Vulnerability Scanner

I am currently setting up HP's WebInspect to see how that plays out for my goals. I'll be sure to post afterwards with my findings.

As for the Nikto solution, it is my understanding that Nikto is more for CMS/open-source products like phpBB and is less useful on completely custom applications. Am I incorrect in that?

Simon
Newbie
Posts: 18
Joined: Tue Aug 19, 2008 7:59 pm
Post Tue Aug 19, 2008 8:29 pm

Re: Web Application Vulnerability Scanner

WebInspect I've used in the past... very thorough with a HUGE number of false positives. Takes a LONG time to run and is not light/easy on a server.

Acunetix I've found to be a very good scanner for the price. Assuming you're running the scanner as your "high level overview" and then going after the application manually (as you should), it does a great job. I have yet to run into an application where it's missed something that WI would have caught.

Paros (started life as Paros Proxy) is free, Java-based, and has a number of advantages over tools like Acunetix and WI. First and foremost, it started out life as a proxy... meaning that you add pages into it by browsing to them (assuming your browser has it set as the proxy). This gives you control over both what pages you scan as well as the default values to use on forms. This last part is key -- it _really_ sucks to get caught by basic input validation when there are juicy vulnerabilities lurking just beneath that layer... It's nowhere near as thorough as Acunetix and WI and takes a bit longer to set up, but is well worth the time, IMO. And it's free.

I've used Hailstorm, but was not impressed and the price is insane.

Honestly, I've never run into a site where the 9,001 different ways that WI checks for SQL Injection (for example) found something that the rather basic checks in Acunetix and Paros missed... so I'd save yourself the money and go with one of the lesser-priced solutions.
C|EH, ECSA, C|EI
http://www.halock.com

only_samurai
Newbie
Posts: 6
Joined: Tue Aug 12, 2008 3:40 pm
Post Wed Aug 20, 2008 10:00 am

Re: Web Application Vulnerability Scanner

Thanks for the input. I'd like to defend Hailstorm a bit: its price is rather out there, but as tools go it seems to be extremely robust. WebInspect struck me as a so-so tool, due to, as you said, the false positives and high run time. It's also the only scanner I've used that affected the customer's environment. Even on "standard" mode it put a large amount of garbage into the customer's database.

I've not given Paros a try yet, but will surely add that to my list of freebie scanners. Between Paros and Grendel I'll have a decent setup for free scanning, and with Hailstorm and/or WebInspect I'll be able to do the "enterprise level" scanning.

-samurai
Simon
Newbie
Posts: 18
Joined: Tue Aug 19, 2008 7:59 pm
Post Wed Aug 20, 2008 10:17 am

Re: Web Application Vulnerability Scanner

Hailstorm isn't doing anything that the others aren't doing (unless by "robust" you mean stable and doesn't chew up system resources).

In order for a web app scanner to be effective, it needs to submit forms. Often many times, as it should ideally only be testing a single parameter at any given time to avoid running afoul of simple input validation checks. This is the main source of "garbage" being injected into a database and one of the biggest drawbacks to automated vulnerability scanners on web apps (IMO) -- they're extremely noisy and have a strong tendency to alter the database (not to mention sending LOTS of emails, if the website has email functionality).

If you're going against a production environment, I would strongly suggest avoiding the automated scanners altogether -- stick with manual checks where you can be a bit more intelligent about what you inject. If you're going against a testing/staging environment that can be reset after your testing is complete, then go to town with the scanner -- the garbage data won't matter and it's a good, quick way to give you a high-level overview of the application so that you can target your manual efforts more effectively.

Hope this helps!
C|EH, ECSA, C|EI
http://www.halock.com
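An added example, not code from the thread or from any scanner named in it: a small defender-side check that reads web server access logs and flags the form-submission bursts Simon describes above (one POST per tested parameter and payload), which is exactly the traffic that leaves garbage rows in a database. The log lines are constructed, and the burst threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Common Log Format lines (not real traffic): 10.0.0.5 hammers
# one form six times in three seconds; 10.0.0.9 is an ordinary human user.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Aug/2008:10:15:00 -0500] "GET /contact.php HTTP/1.1" 200 2048
10.0.0.5 - - [20/Aug/2008:10:15:01 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [20/Aug/2008:10:15:02 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [20/Aug/2008:10:15:02 -0500] "POST /contact.php HTTP/1.1" 500 128
10.0.0.5 - - [20/Aug/2008:10:15:03 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [20/Aug/2008:10:15:03 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.5 - - [20/Aug/2008:10:15:04 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.9 - - [20/Aug/2008:10:15:10 -0500] "POST /contact.php HTTP/1.1" 200 512
10.0.0.9 - - [20/Aug/2008:10:21:40 -0500] "POST /contact.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_form_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map (ip, path) -> largest number of POSTs that client sent to that
    form inside any `window`, for clients at or above `threshold`.
    Threshold and window are assumed values; tune them per application."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST":
            posts[(rec[0], rec[3])].append(rec[1])
    bursts = {}
    for key, times in posts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = max(bursts.get(key, 0), end - start + 1)
    return bursts
```

Rows created in the flagged window for the flagged client and form are the ones to review (or roll back on a staging copy) after a scan.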
Otter
Newbie
Posts: 41
Joined: Tue Jul 03, 2007 1:03 pm
Post Thu Aug 21, 2008 1:30 am

Re: Web Application Vulnerability Scanner

Paros, as many have mentioned, is certainly handy to use as a proxy, and some light scanning. The price is right. Spike Proxy Lite has similar benefits albeit clunkier.

In the commercial realm, where you start getting into a lot better coverage and the tool starts understanding sessions and how to relogin after losing a session, I've used both WebInspect and Watchfire (now IBM Rational AppScan). These two are quite comparable. AppScan is definitely worth a look, and is what I've been using most these days. I believe free trial licenses aren't too hard to come by for evaluation purposes. Get hooked up with some of the sales guys via the website and you should be able to have a thorough test drive:

http://www-01.ibm.com/software/awdtools/appscan/
Simon
Newbie
Posts: 18
Joined: Tue Aug 19, 2008 7:59 pm
Post Thu Aug 21, 2008 1:08 pm

Re: Web Application Vulnerability Scanner

WebInspect and AppScan have historically jockeyed for the "top spot" (though this distinction is not without debate). I wonder what's going to happen now that they're both owned by IBM?

As an aside, Paros can certainly maintain a login session -- just enable Session Tracking within Paros and log in to the app from your browser. Paros will maintain the session id during the scan. So long as you don't include the logout page (or similar) in your Paros scan, I've found it to actually be more reliable than WI (since it can handle things like SSO through a different domain).
C|EH, ECSA, C|EI
http://www.halock.com

Otter
Newbie
Posts: 41
Joined: Tue Jul 03, 2007 1:03 pm
Post Thu Aug 21, 2008 2:59 pm

Re: Web Application Vulnerability Scanner

Simon wrote: WebInspect and AppScan have historically jockeyed for the "top spot" (though this distinction is not without debate). I wonder what's going to happen now that they're both owned by IBM?

Heh. You're getting your megacompanies confused, I'm afraid. HP bought SPI. IBM bought Watchfire. :-) They'll slog it out more than ever.

Thanks for the tip on Paros. Since I got access to WI and AS, I haven't used its scanning functionality, so my impressions are based on a rather old version apparently!

Simon
Newbie
Posts: 18
Joined: Tue Aug 19, 2008 7:59 pm
Post Thu Aug 21, 2008 3:13 pm

Re: Web Application Vulnerability Scanner

Otter wrote:
Simon wrote: WebInspect and AppScan have historically jockeyed for the "top spot" (though this distinction is not without debate). I wonder what's going to happen now that they're both owned by IBM?

Heh. You're getting your megacompanies confused, I'm afraid. HP bought SPI. IBM bought Watchfire. :-) They'll slog it out more than ever.

Thanks for the tip on Paros. Since I got access to WI and AS, I haven't used its scanning functionality, so my impressions are based on a rather old version apparently!

Drat! Right you are!

That'll teach me to post in between rounds of caffeine ;)
C|EH, ECSA, C|EI
http://www.halock.com

toggmeister
Post Thu Sep 18, 2008 3:25 pm

Re: Web Application Vulnerability Scanner

Hey how about:

N-Stalker / N-Stealth (free and paid)
w3af (free)
DirBuster (OWASP, free)
Wapiti (free)

By the way, I love Acunetix, got a lic and about to beta test v6 which has some shiny new features ;)

Togg
sgt_mjc
Sr. Member
Posts: 294
Joined: Tue Feb 05, 2008 8:34 am
Location: AL
Post Fri Sep 19, 2008 2:32 pm

Re: Web Application Vulnerability Scanner

Was just using Nikto yesterday in the lab. I wasn't real impressed with the run time even against one host on one port. For now, I'll stick with Nessus and Nmap to help identify targets. I will be looking at the other tools here though. Thanks gang.
Mike Conway
CISSP
CompTIA Security+
C|EH
