Message from msheiny@seas.upenn.edu

Hello,

Does anyone here have any recommendations for tools (preferably open-source) that will scan web servers for vulnerable application frameworks and plug-ins? Stuff like looking for out-of-date Drupal, Joomla, etc. Obviously I can find some of these tools with Google on my own; just curious if anyone has any positive experience with any in particular.

Thanks!

--
Michael Sheinberg
Network Security Administrator, CETS
School of Engineering and Applied Science

Comments

Message from peliso@rit.edu

W3AF is an open source web application scanner. The links are at:

http://w3af.sourceforge.net/
https://community.rapid7.com/community/open_source/w3af

Paul Lepkowski, CISSP, GIAC-GPEN
RIT Information Security Office
Enterprise Information Security Lead Engineer
Staff Council Representative
Rochester Institute of Technology
Ross 10-A200
151 Lomb Memorial Drive
Rochester, NY 14623
(585) 475-6972
paul.lepkowski@rit.edu

CONFIDENTIALITY NOTE: The information transmitted, including attachments, is intended only for the person(s) or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and destroy any copies of this information.
Message from gwillia5@uccs.edu

+1 for W3AF for general web applications and code. OpenVAS will detect specific application framework issues. Nessus will do the same.

Here is a great article from last August that dives into each Web Application Scanner and its features, Open Source and Commercial:
http://sectooladdict.blogspot.com/2011/08/commercial-web-application-sca...

Greg Williams
IT Security Principal
University of Colorado at Colorado Springs
Website: http://www.uccs.edu/itsecure
A relatively inexpensive product is Acunetix (www.acunetix.com). Their pricing is very reasonable and affordable for EDUs. We use it in combination with open source web app scanners.

Randy Marchany
VA Tech IT Security Office & Lab


Message from seth@icir.org

Message from iavdagic@seas.harvard.edu

We use a couple of different commercial web application scanners. Most frequently we use Cenzic's Hailstorm Application Risk Controller. This scanner combines pretty high accuracy with a very low rate of false positives. Vulnerability discovery is driven by the "Smart Attack" library, which encapsulates best practices to test attack resistance. Also, this tool generates good reports with a web vulnerability summary, total vulnerability risk score, and details on all the specific findings, but I'm not enormously impressed with the fit and finish of the user interface.

I hope this helps.

_________________________________________________
Indir Avdagic, CISM, CISSP, ACSA, TICSA
Director of Information Security
Harvard University - SEAS
Email: indir_avdagic@harvard.edu
Phone: (617) 496-3502
"There is an infinite capacity to improve everything"
_________________________________________________
If you have 501(c)(3) status, the Nessus ProfessionalFeed subscription is free.
http://www.tenable.com/about-tenable/tenable-in-the-community/tenable-ch...

David Pirolo
Warner Pacific College

On Tue, 2012-02-07 at 17:38 -0500, Brian J Smith-Sweeney wrote:

> We used to use Acunetix but they steadfastly refused to negotiate indemnity issues here.