[nycphp-talk] Web app security scanners

max at neuropunks.org max at neuropunks.org
Tue Apr 18 22:09:27 EDT 2006


Yup, it was this http://www.acunetix.com/vulnerability-scanner/audit.aspx
They do verify if your email address matches the site though.
In my case, the IP block the dev site was on is owned by our company, so I emailed them from my work email, and they queued it up. The email about verification did come from a real human too.
If you'd like, I can email you off list the logfiles from the webserver so you can see the queries they make.

--- Original Message ---
From: inforequest <1j0lkq002 at sneakemail.com>
Sent: Tue, 18 Apr 2006 10:41:14 -0700
To: talk at lists.nyphp.org
Subject: Re: [nycphp-talk] Web app security scanners

> 
> Thanks Max. Did you go for the "free website audit" because I dl'ed the 
> free scanner and it says it only runs against their test sites, not your 
> own sites. Thanks.
> 
> -=john andrews
> http://www.seo-fun.com
> 
> 
> max max-at-neuropunks.org |nyphp dev/internal group use| wrote:
> 
> >Well, here's a short followup on this.
> >I used the acunetix free web based scanner, and it seems to be pretty thorough.
> >The free report of course has no details in it, only the number of potential problems.
> >However, looking at the webserver logs, you can see what they were checking for, and it looks serious.
> >They try 13 different XSS attacks, 3 sql injections, cookie rewriter, all kinds of dir traversal, and 
> >trace/track/connect http request issues.
> >I still don't think I'm going to dish out 3 something K for the full version, but at least from their brief report you can check the logs for their requests, and see your server's response, and try it yourself.
> >Pretty educational overall actually.
> >
> >
> >On Sat, Apr 15, 2006 at 01:09:38PM -0500, Max Gribov wrote:
> >  
> >
> >>Hello all,
> >>does anyone know of any opensource/free web app security scanner?
> >>Basically, I just want something (else besides me) to go through all the
> >>GET's and POST's on my PHP site and see if XSS/sql injection/etc is
> >>possible.
> >>I certainly did an audit of my own code, but another pair of eyes,
> >>especially automated, would never hurt.
> >>Something down the lines of Nessus only for web apps basically.
> >>I've seen this: www.acunetix.com, and signed up for a trial audit, but
> >>am wondering if there is something I can actually download.
> >>I haven't seen anything on freshmeat or even google, most things are
> >>either tutorials or non-free.
> >>
> >>thanks!
> >>
> >>max
> >>_______________
> >>
> 
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
> New York PHP Conference and Expo 2006
> http://www.nyphpcon.com
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
> 
> 
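As an added example (not part of this thread, and not the scanner's or the poster's own tooling), a small Python script that does what Max describes: it reads the webserver access log and tallies the scanner's probe classes (XSS, SQL injection, directory traversal, TRACE/TRACK/CONNECT) per client IP, together with the status code the server returned to each. The log lines are constructed samples in Apache combined-log style, and the signature patterns are illustrative assumptions, not the scanner's actual checks.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log style (not from the poster's
# server logs); the requests imitate the probe classes named in the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2006:10:02:11 -0400] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
203.0.113.5 - - [18/Apr/2006:10:02:12 -0400] "GET /item.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
203.0.113.5 - - [18/Apr/2006:10:02:13 -0400] "GET /download.php?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
203.0.113.5 - - [18/Apr/2006:10:02:14 -0400] "TRACE / HTTP/1.1" 405 0
198.51.100.7 - - [18/Apr/2006:10:03:00 -0400] "GET /index.php HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Illustrative signatures for the probe classes the scanner sends; matched
# against the percent-decoded path so encoded payloads are not missed.
PROBE_PATTERNS = {
    "xss": re.compile(r"<script|javascript:|onerror=|onload=", re.I),
    "sqli": re.compile(r"['\"]\s*(or|and)\s+|union\s+select|;\s*drop\s", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\){2,}"),
}
RISKY_METHODS = {"TRACE", "TRACK", "CONNECT"}  # should normally be refused

def classify(line):
    """Return the probe class for one log line, or None for ordinary traffic."""
    m = LINE_RE.match(line)
    if not m:
        return None
    if m["method"].upper() in RISKY_METHODS:
        return "method:" + m["method"].upper()
    decoded = unquote(unquote(m["path"]))  # twice, to catch double-encoding
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(decoded):
            return name
    return None

def summarize(log_text):
    """Map client IP -> Counter of (probe class, HTTP status the server sent)."""
    hits = {}
    for line in log_text.splitlines():
        kind = classify(line)
        if kind is not None:
            m = LINE_RE.match(line)
            hits.setdefault(m["ip"], Counter())[(kind, m["status"])] += 1
    return hits
```

The status column is the useful part of the summary: a 500 on an injection probe or a 200 on a traversal probe is what deserves a closer look in your own code.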
