[nycphp-talk] Web app security scanners

max max at neuropunks.org
Tue Apr 18 11:23:57 EDT 2006


Well, here's a short followup on this.
I used the Acunetix free web-based scanner, and it seems to be pretty thorough.
The free report of course has no details in it, only the number of potential problems.
However, looking at the webserver logs, you can see what they were checking for, and it looks serious.
They try 13 different XSS attacks, 3 SQL injections, a cookie rewriter, all kinds of dir traversal, and TRACE/TRACK/CONNECT HTTP request issues.
I still don't think I'm going to dish out 3 something K for the full version, but at least from their brief report you can check the logs for their requests, see your server's response, and try it yourself.
Pretty educational overall actually.


On Sat, Apr 15, 2006 at 01:09:38PM -0500, Max Gribov wrote:
> Hello all,
> does anyone know of any open-source/free web app security scanner?
> Basically, I just want something (else besides me) to go through all the
> GETs and POSTs on my PHP site and see if XSS/SQL injection/etc. is
> possible.
> I certainly did an audit of my own code, but another pair of eyes,
> especially automated, would never hurt.
> Something along the lines of Nessus, only for web apps, basically.
> I've seen this: www.acunetix.com, and signed up for a trial audit, but
> am wondering if there is something I can actually download.
> I haven't seen anything on freshmeat or even google; most things are
> either tutorials or non-free.
> 
> thanks!
> 
> max
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> New York PHP Conference and Expo 2006
> http://www.nyphpcon.com
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
> 
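The follow-up suggests reading the scanner's probes back out of the webserver log. As an added example (not from the post or from Acunetix), this script classifies Apache combined-format lines into the probe classes the post names: XSS, SQL injection, directory traversal, and TRACE/TRACK/CONNECT methods. The log lines and the pattern set are constructed for illustration; the patterns are deliberately small and will miss obfuscated variants.

```python
"""Triage an access log for scanner probe classes (constructed example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2006:10:01:02 -0400] "GET /search.php?q=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Scanner/1.0"
10.0.0.5 - - [18/Apr/2006:10:01:03 -0400] "GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Scanner/1.0"
10.0.0.5 - - [18/Apr/2006:10:01:04 -0400] "GET /view.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Scanner/1.0"
10.0.0.5 - - [18/Apr/2006:10:01:05 -0400] "TRACE / HTTP/1.1" 405 0 "-" "Scanner/1.0"
10.0.0.9 - - [18/Apr/2006:10:01:06 -0400] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client ip, request method, request target and status code from one log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Applied to the percent-decoded request target; an intentionally small set.
PROBE_PATTERNS = {
    "xss": re.compile(r"<script|javascript:|onerror\s*=", re.I),
    "sqli": re.compile(r"('|\")\s*(or|and)\s+('|\")?\d|union\s+select|--\s*$", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd|\\\.\.\\", re.I),
}
RISKY_METHODS = {"TRACE", "TRACK", "CONNECT"}

def classify(line):
    """Return (category, ip, method, target, status) for a probe, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target = m["method"], m["target"]
    if method in RISKY_METHODS:
        return ("method", m["ip"], method, target, int(m["status"]))
    decoded = unquote(unquote(target))  # decode twice to catch double-encoded payloads
    for category, pattern in PROBE_PATTERNS.items():
        if pattern.search(decoded):
            return (category, m["ip"], method, target, int(m["status"]))
    return None

def triage(log_text):
    """Count probes per category and return the counts with the flagged records."""
    hits = [h for h in (classify(l) for l in log_text.splitlines()) if h]
    return Counter(h[0] for h in hits), hits

if __name__ == "__main__":
    counts, hits = triage(SAMPLE_LOG)
    for category, ip, method, target, status in hits:
        # the status column shows how the server answered each probe
        print(f"{category:10} {status} {ip} {method} {target}")
    print(dict(counts))
```

The status code next to each flagged line is the part worth reading: a 200 on an XSS or injection probe deserves a manual replay, a 405 on TRACE means the method is already refused.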


