lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <42ADC637.000008.22764@pantene.yandex.ru>
Date: Mon Jun 13 18:45:49 2005
From: tgoogle at yandex.ru (tgoogle)
Subject: Web application Security Scanner

Ok
I define concretely my task. 

I wish to find quickly potential holes (XSS, SQL injection and e.t.c.) in the any Web sites, for example www.yandex.ru. I do not know, what OS or database using on server.

Many program can find only known CGI bugs or need some interactive with database or environment. 




>I do not actually think that any of the tools listed below are what you are
>looking for.
>
>* Nikto is a web vulnerability scanner that can identify KNOWN
>vulnerabilities, as well as some variations on them. It is unable to
>understand application logic or identify any custom security
>vulnerabilities.
>* Nessus is much like Nikto - only it's not limited to web. 
>* Absinthe is the only tool that can help with custom application
>vulnerabilities, but it's not really an automated scanner such as the one
>you are looking, but rather an assisting the exploitation of SQL Injection.
>It still requires a certain level of expertese to succesfully operate. 
>
>I think what you are looking at is rather one of the commercial tools, such
>as SPI Dynamics WebInspect, Watchfire's AppScan or KaVaDo's ScanDo. 
>
>Ofer Maor
>CTO
>Hacktics (http://www.hacktics.com/)
>
>
>-----Original Message-----
>From: full-disclosure-bounces@...ts.grok.org.uk
>[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of tgoogle
>Sent: Monday, June 13, 2005 19:10
>To: full-disclosure@...ts.grok.org.uk
>Cc: deepquest@....com
>Subject: Re: [Full-disclosure] Web application Security Scanner
>
>
>Thanks,
>
>I shall test all these programs, tomorrow I send my results. For example, i
>try to find vulnerabilities in www.yandex.ru and www.google.ru sites :).
>
>You really consider that all these programs are capable found vulnerability
>in UNKNOWN scripts?
>
>I need BEST program, which can found Maximum bugs in any custom Web
>application.
>
>
>>http://www.0x90.org/releases/absinthe/
>>http://www.nessus.org/download/ with some plugins 
>>http://www.cirt.net/code/nikto.shtml
>>
>>The "best" depends of your target, the OS you use, if you looking for
>>opensource products or commercial ones.
>>Just google there many of them.
>>
>>
>>Deepquest
>>"Justification of windows usage is a combinaison of Stockholm
>>Syndrome and cognitive dissonance."
>>--------------------------------------------------------------
>>Propaganda              http://deepquest.code511.com/blog
>>FIB                     http://www.futureisbeta.com
>>PGP DH/DSS              http://www.futureisbeta.com/pgp
>>--------------------------------------------------------------
>>
>>> Did you know the best Web app security scanner?
>>>
>>> I need scanner, which would find SQL injections, XSS, php include  
>>> and other bug in unknown Web application.
>>>
>>> Thanks
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>>
>>
>
>
>-- 
>??????.?????: ????? ????????? ????? ?? ?????????!
>http://mail.yandex.ru/monitoring/
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
>


-- 
"????????????" - ????? ??? ????? ? ????? ?????!  http://so.yandex.ru/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ