On Thu, Oct 16, 2008 at 04:11:52PM +1100, Amos Shapira wrote:

> Hello,
>
> I need to find tools to run penetration testing on our external web
> interfaces (a web application and an HTTP-based data interface).
>
> The idea is to be able to run automatic tests on new releases before
> deployment. Stress is "automatic".
Hi Amos,

Depending on the application's potential risk, you may need to consider supplementing the automated tests with manual testing as well. Automated testing can be very limited. While most automated solutions I've used are pretty decent at finding reflected XSS, some types of SQLi and other injection flaws, they were all lacking in other vulnerability classes such as broken authentication and session management, many types of CSRF attacks and business logic flaws. For example, flaws like the famed micro-deposits theft ( http://blog.wired.com/27bstroke6/2008/05/man-allegedly-b.html ) would be missed by most automated scanners and IDS systems.

> Has anyone here got good experience with such tools? I'm digging through
> the net and found lots of lists (e.g.
> http://www.samurainet.org/blog/2008/05/12/web-application-penetration-testing-my-tools-of-the-trade/)

My thoughts on some of the tools listed in the URL above:

ChickenFoot - Personally, I find Firebug more versatile.

LiveHTTPHeaders and Tamper Data - nice tools for one-off request manipulation, but using a proper proxy (like webscarab, paros or burp [burp is not GPL]) will be faster for testing an entire application.

User Agent Switcher - Don't make the mistake of only testing your application on one browser. There are multiple nuances that allow certain vulnerabilities (usually different types of XSS payloads) to run on one browser but won't execute on another.

Nessus - no longer free and very limited in finding vulnerabilities in custom code.

Finally, w3af is another excellent tool not mentioned; though it's not entirely automated, it is scriptable.

--
- Josh