| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Jun 13 18:45:49 2005 From: tgoogle at yandex.ru (tgoogle) Subject: Web application Security Scanner Ok I define concretely my task. I wish to find quickly potential holes (XSS, SQL injection and e.t.c.) in the any Web sites, for example www.yandex.ru. I do not know, what OS or database using on server. Many program can find only known CGI bugs or need some interactive with database or environment. >I do not actually think that any of the tools listed below are what you are >looking for. > >* Nikto is a web vulnerability scanner that can identify KNOWN >vulnerabilities, as well as some variations on them. It is unable to >understand application logic or identify any custom security >vulnerabilities. >* Nessus is much like Nikto - only it's not limited to web. >* Absinthe is the only tool that can help with custom application >vulnerabilities, but it's not really an automated scanner such as the one >you are looking, but rather an assisting the exploitation of SQL Injection. >It still requires a certain level of expertese to succesfully operate. > >I think what you are looking at is rather one of the commercial tools, such >as SPI Dynamics WebInspect, Watchfire's AppScan or KaVaDo's ScanDo. > >Ofer Maor >CTO >Hacktics (http://www.hacktics.com/) > > >-----Original Message----- >From: full-disclosure-bounces@...ts.grok.org.uk >[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of tgoogle >Sent: Monday, June 13, 2005 19:10 >To: full-disclosure@...ts.grok.org.uk >Cc: deepquest@....com >Subject: Re: [Full-disclosure] Web application Security Scanner > > >Thanks, > >I shall test all these programs, tomorrow I send my results. For example, i >try to find vulnerabilities in www.yandex.ru and www.google.ru sites :). > >You really consider that all these programs are capable found vulnerability >in UNKNOWN scripts? > >I need BEST program, which can found Maximum bugs in any custom Web >application. > > >>http://www.0x90.org/releases/absinthe/ >>http://www.nessus.org/download/ with some plugins >>http://www.cirt.net/code/nikto.shtml >> >>The "best" depends of your target, the OS you use, if you looking for >>opensource products or commercial ones. >>Just google there many of them. >> >> >>Deepquest >>"Justification of windows usage is a combinaison of Stockholm >>Syndrome and cognitive dissonance." >>-------------------------------------------------------------- >>Propaganda http://deepquest.code511.com/blog >>FIB http://www.futureisbeta.com >>PGP DH/DSS http://www.futureisbeta.com/pgp >>-------------------------------------------------------------- >> >>> Did you know the best Web app security scanner? >>> >>> I need scanner, which would find SQL injections, XSS, php include >>> and other bug in unknown Web application. >>> >>> Thanks >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - http://secunia.com/ >>> >>> >> > > >-- >??????.?????: ????? ????????? ????? ?? ?????????! >http://mail.yandex.ru/monitoring/ >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ > -- "????????????" - ????? ??? ????? ? ????? ?????! http://so.yandex.ru/
Powered by blists - more mailing lists