  1. 2010.07.08 Web Vulnerability Scanners Comparison
  2. 2009.12.16 Web Application Security Scanner List
  3. 2009.02.09 Web Application Vulnerability Scanners
Web Vulnerability Scanners Comparison

Acunetix Web Vulnerability Scanner placed first in a paper released by Adam Doupé, Marco Cova, and Giovanni Vigna from the University of California, Santa Barbara. In the paper “Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, the authors compared the capabilities of eleven black-box web security scanners (both commercial and open source) against a realistic test web application called WackoPicko.

“In comparison, our work, to the best of our knowledge, performs the largest evaluation of web application scanners in terms of the number of tested tools (eleven, both commercial and open-source), and the class of vulnerabilities analyzed. In addition, we discuss the effectiveness of different configurations and levels of manual intervention, and examine in detail the reasons for a scanner’s success or failure.”

“we decided to create our own test application, called WackoPicko. It is important to note that WackoPicko is a realistic, fully functional web application. As opposed to a simple test application that contains just vulnerabilities, WackoPicko tests the scanners under realistic conditions. To test the scanners’ support for client-side JavaScript code, we also used the open source Web Input Vector Extractor Teaser (WIVET). WIVET is a synthetic benchmark that measures how well a crawler is able to discover and follow links in a variety of formats, such as JavaScript, Flash, and form submissions.”

Source: http://www.acunetix.com

Web Application Security Scanner List

The following list of products and tools provides web application security scanner functionality. Note that the tools on this list are not being endorsed by the Web Application Security Consortium - any tool that provides web application security scanning functionality will be listed here. If you know of a tool that should be added to this list, please contact Brian Shura at bshura73@gmail.com.

Commercial Tools

Software-as-a-Service Providers

Free / Open Source Tools

Source: http://projects.webappsec.org

Web Application Vulnerability Scanners

1. First-generation scanners

    - nikto: Perl-based, used on *nix systems

    - n_stealth (http://nstalker.com/): web scanning using a database of 22,000 web vulnerabilities

2. Second-generation scanners (commercial): SQL injection

   - Absinthe (http://www.0x90.org): SQL injection on *nix systems

   - Data thief (http://www.appsecine.com)

   - wposion (http://sourceforge.net/project/wposion): Unix-based

     ; a tool built by an open-source group, capable of SQL injection

3. Generation-2.5 scanners (commercial): capable of every web application security test

    - appscan (http://www.watchfire.com)

    - webinspect (SPI Dynamics) (http://www.spidynamics.com)

    - scando (http://www.kavado.com)

      ; a tool that can run checks from the development stage onward

    - Acunetix (http://www.acunetix.com): the most recent release, ASP only

※ Running a generation-2.5 scanner turns up almost every vulnerability.

