Web Application Vulnerability Scanner suggestions?
Solution 1:
I've had good results from wapiti - it scans your web forms and attempts injections and XSS attacks against them.
If you have the time, I'd suggest getting the BackTrack distribution - it's a modified Ubuntu live CD that's been loaded up with Nikto, Wapiti, OpenVAS (a fork of Nessus) and hundreds of other great security audit tools. I've used it in a few audits and had good results - it's definitely worth exploring the tools on it.
See the Nikto step-by-step guide here.
Solution 2:
Check out Nikto
Solution 3:
Start at the top 10 list from Insecure.org, who give us the wonderful Nmap.
Some other things that appear to be missing from that list:
- Webshag - Web Server Audit Tool: webshag is a free, multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning and file fuzzing.
- IEEE: Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks, 17-19 Dec. 2007. But you will need IEEE access for that.
- WebOptimization.com: Server Vulnerability Scanning Service. Not free! But there is a 14-day free trial.
Solution 4:
Paros Proxy is a proxy that can do spidering and automated scans.
This is a short manual to test it:
- Launch paros.jar
- Configure your browser proxy for localhost:8080
- Navigate through the pages you want to analyze
- Complete the list with the option 'Analyze -> Spider...'
- Do an automatic scan 'Analyze -> Scan All'
- Generate a report 'Report -> Last Scan Report'
I also like w3af, which is a more advanced tool for web app analysis, in a similar fashion to Metasploit but for web apps.
Solution 5:
Some tools I've used, and had pretty good luck with, are:
- Burp Proxy
- HP WebInspect (costs money)
- Google RatProxy (requires you to browse to the site, but it works OK and it's free)
- Fortify (not a scanner but very good at finding stuff)
- Veracode
I've also seen decent results from Cenzic Hailstorm.