web app scanner

sla.ckers.org is
ha.ckers sla.cking

This is a place for us to start seriously talking about vendors. Who's great, who's not, what's it cost, how does it relate to their competitors and would we buy it? A place to talk about snakeoil, and brilliant products alike. Marketing fluff is forbidden.

Go to Topic: Previous•Next

Go to: Forum List•Message List•New Topic•Search•Log In

web app scanner

Posted by: toolbox

Date: January 11, 2010 11:06AM

Hello sla.ckers.org posters,

I'm looking for recommendations on a generally easy-to use web application scanner. It doesn't need to be free. It can be an application or server-based, but I'd like to steer clear of appliances.

I need one that can handle form, cookie, HTTP, and NTLM authentication and provides decent reporting and logging. Missing critical but hard-to-find vulnerabilities is acceptable, as long as the tool catches the most common issues (xss, plain text credentials, injection, etc) quickly.

Thanks for the opinions. :-D

Options: Reply•Quote

Re: web app scanner

Posted by: br0kan

Date: January 11, 2010 02:52PM

Well you've got a lot of options here if you're welling to pay...here are a few (in no particular order)

1. IBM Rational AppScan (multiple versions)
2. HP WebInspect (multiple versions)
3. Cenzic Hailstorm (multiple versions)
4. Acuenetix WVS
5. NT Objectives NTOspider
6. nStalker Enterprise Edition
7. Burp Proxy

If I were you I would also strongly consider WhiteHat Sentinel, despite the fact that it's not an application based scanner, it's one of the better solutions out there.

Here is a report summary on some of these solutions
http://www.whitehatsec.com/home/assets/reports/EMA_AppSecurity09SUMMARY.PDF