AppScan vs WebInspect


Gaurav Shah

Jun 12, 2011, 1:58:11 PM
to null-...@googlegroups.com
Hi All,

I was trying to find more information about these 2 scanners - IBM Rational AppScan & HP WebInspect.
If you compare these 2, which of them is the better web application vulnerability scanner & why?

Please assist.

--
Thanks & Regards
Gaurav Shah.
91-9552504002.

raj009

Jun 13, 2011, 7:20:53 AM
to null

AppScan is good... a little heavy on small systems.

Ritesh Sinha

Jun 13, 2011, 8:29:57 AM
to null-...@googlegroups.com
On Sun, Jun 12, 2011 at 6:58 PM, Gaurav Shah <sha...@gmail.com> wrote:
> Hi All,
>
> I was trying to find more information about these 2 scanner - IBM Rational
> Appscan & HP WebInspect.
> If you compare these 2, which of them is a better web application
> vulnerability scanner & why?
>
> Please assist.
>

I think it's difficult to say outright which scanner is the best. If
you have the time and resources then you should definitely carry out a
trial on your own to evaluate them against the requirements that you
may have. While it may be obvious that a good scanner should be able
to identify all vulnerabilities (which is highly unlikely), one could
also ask the following questions:
- Is the scanner required to produce reports in a certain format that
is required by management?
- Will the product be used by a single user on a one off basis or is
it required to be accessible to multiple users simultaneously?
- What is the level of proficiency of the users utilising the scanner?
This is probably very important as a scanner might give you leads as
to where you might want to test the application further.
Vulnerabilities identified by a scanner should definitely be
re-checked manually and this requires a proficient security
professional.

I've used both products and I'm perhaps more partial to HP WebInspect
since I've used it more than AppScan. If you're still evaluating
products I think you should give Acunetix a shot as well.

This is a slightly old (Feb 2010) report of an independent evaluation
of scanners: http://www.ntobjectives.com/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf

All the best!

Ritesh



> --
> null - Spreading the right Information
> null Mailing list charter:
> http://null.co.in/section/about/null_list_charter/
>
> This list is supported by Institute of Information Security
> http://iisecurity.in
> Real-world hackers, real-world training – Certified Professional Hacker at
> IIS (http://iisecurity.in)
>

Gaurav Shah

Jun 13, 2011, 7:53:33 AM
to null-...@googlegroups.com
Hi Raj,

It would be great if you could provide some reports or whitepapers to support your statement.
Thanks. 


TAS

Jun 13, 2011, 10:17:59 AM
to null-...@googlegroups.com
There was a proper analysis done on this subject, and the guy who did it also released a statistical paper on it. It got quite a lot of attention and was also discussed at length. A quick Google search should get you the paper. If not, let me know and I will find it.

You can also search through the archives of web app sec mailing list.


-
TAS
http://twitter.com/p0wnsauc3



Oscar

Jun 13, 2011, 5:48:35 AM
to null-...@googlegroups.com
I have seen AppScan used by some big players (audit companies); in fact, one more good tool is called Core Impact.

TAR
Oscar
 

Saumil Shah

Jun 13, 2011, 10:48:57 AM
to null-...@googlegroups.com
Greetings,

I cannot resist jumping into this discussion. So I will dive in, and then exit as quickly as I dive in.

For someone who has built scanners for the past 11 years, this is a very interesting topic. Net-Square built Foundscan, NTOSpider and a few other internal scanners used by Trusecure, ISEC partners and others. We wrote some books too and what not, and have come to one conclusion:

Automated scanning is as effective as Anti-virus.

Which isn't saying much. The scanners we wrote only caught 20-30% of vulns. Low Hanging Fruit, if you may call it. And hence we maintain that if there has to be a pen-test done, it MUST be manual. No way around it. Of all the huge holes we've found in the past six years, none of them were such that they could be detected with ANY scanner.

Someone was asking about whitepapers. The ONLY whitepaper I would love to refer and share is this:

WHY JOHNNY CAN'T PENTEST

http://www.cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf

I even share this whitepaper with our clients. No scanner has gone beyond 40% detection rate in its tests.

I generally like to say that for web hacking, you only need two tools - a browser, and a clear mind.

regards
-- Saumil

saumil udayan shah | ceo | www.net-square.com | sau...@net-square.com | +91 98254 31192


webDEViL

Jun 13, 2011, 4:28:45 PM
to null-...@googlegroups.com
That was indeed a nice read. It re-affirms the points that I stand on.
I would encourage people to read it.


I am pasting the conclusion for the lazy among us.

This paper presented the evaluation of eleven black-box web vulnerability scanners. The results of the evaluation clearly show that the ability to crawl a web application and reach "deep" into the application's resources is as important as the ability to detect the vulnerabilities themselves.

It is also clear that although techniques to detect certain kinds of vulnerabilities are well-established and seem to work reliably, there are whole classes of vulnerabilities that are not well-understood and cannot be detected by the state-of-the-art scanners. We found that eight out of sixteen vulnerabilities were not detected by any of the scanners.

We have also found areas that require further research so that web application vulnerability scanners can improve their detection of vulnerabilities. Deep crawling is vital to discover all vulnerabilities in an application. Improved reverse engineering is necessary to keep track of the state of the application, which can enable automated detection of complex vulnerabilities.

Finally, we found that there is no strong correlation between cost of the scanner and functionality provided, as some of the free or very cost-effective scanners performed as well as scanners that cost thousands of dollars.


Abhishek Lyall

Jun 13, 2011, 4:32:38 PM
to null-...@googlegroups.com
Yes, I have seen that automated scanners mostly miss SQL injection login bypass, User-Agent/Referer-based injection/XSS and many more.

 
Abhishek Lyall
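
The two misses named in the post above (a login bypass and an injection that only arrives via request headers) can be shown side by side against a toy application. The following is an added example written for this page, not code from the thread or from any scanner discussed: the "application" is an in-memory SQLite database with constructed tables, the handler functions and payloads are hypothetical, and scan_for_sqli is a caricature of a black-box scanner that either fuzzes only the login form or also injects into headers.

```python
"""Why a scanner that only fuzzes form fields misses header-based SQL injection.
Constructed demo: in-memory SQLite, hypothetical handlers, constructed payloads."""
import sqlite3

# Constructed payloads. The header payload assumes the logging code accepts
# stacked statements (executescript here), as some real database drivers do.
LOGIN_BYPASS_PASSWORD = "' OR '1'='1"
HEADER_PAYLOAD = ("x', 'y'); DELETE FROM users; "
                  "INSERT INTO access_log (user_agent, referer) VALUES ('z")


def make_db():
    """Fresh demo app state: one valid user and an empty access log."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);"
        "INSERT INTO users (username, password) VALUES ('alice', 's3cret');"
        "CREATE TABLE access_log (id INTEGER PRIMARY KEY, user_agent TEXT, referer TEXT);"
    )
    return conn


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation (the hypothetical bug)."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, username, password):
    """Same check with bound parameters; quotes in the input are only data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def log_request_vulnerable(conn, headers):
    """Audit logging that concatenates User-Agent/Referer into SQL.
    A scanner that injects only into URL and body parameters never sends a
    payload down this path, so this sink is invisible to it."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    sql = ("INSERT INTO access_log (user_agent, referer) VALUES ('"
           + ua + "', '" + ref + "')")
    conn.executescript(sql)  # stacked statements run, so the DELETE runs too
    return user_count(conn)


def log_request_fixed(conn, headers):
    """Same logging with bound parameters."""
    conn.execute("INSERT INTO access_log (user_agent, referer) VALUES (?, ?)",
                 (headers.get("User-Agent", ""), headers.get("Referer", "")))
    return user_count(conn)


def scan_for_sqli(conn_factory, fuzz_headers):
    """Caricature of a black-box scanner: a probe counts as a finding when it
    changes observable state (login succeeds with a bad password, or user rows
    disappear). fuzz_headers=False models a form-only scanner; True models one
    that also injects into request headers."""
    findings = set()
    if login_vulnerable(conn_factory(), "alice", LOGIN_BYPASS_PASSWORD):
        findings.add("login form: password parameter")
    if fuzz_headers:
        conn = conn_factory()
        before = user_count(conn)
        after = log_request_vulnerable(conn, {"User-Agent": HEADER_PAYLOAD})
        if after != before:
            findings.add("User-Agent header")
    return findings


if __name__ == "__main__":
    print("form-only scanner :", sorted(scan_for_sqli(make_db, fuzz_headers=False)))
    print("header-aware scan :", sorted(scan_for_sqli(make_db, fuzz_headers=True)))
    print("fixed login bypass:", login_fixed(make_db(), "alice", LOGIN_BYPASS_PASSWORD))
    print("fixed log, users  :", log_request_fixed(make_db(), {"User-Agent": HEADER_PAYLOAD}))
```

The form-only run reports the login bypass and nothing else; only the header-aware run reaches the logging sink, which is the coverage gap the post describes. Both bugs disappear with bound parameters, which is also the check a tester should do by hand on any scanner finding: replay the payload, confirm the state change, then confirm the fix removes it.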

Abeer Banerjee

Jun 14, 2011, 1:43:01 AM
to null-...@googlegroups.com
Hi All,

Attached is a 2009 report comparing web vulnerability scanners:
Web Vulnerability Scanners Comparision.pdf

raj009

Jun 14, 2011, 8:26:41 AM
to null

Totally agree. This answer is exactly the fact and covers much more. But his question was just about 2 scanners and which one is best. If he wants to know how to test a web app, then yes, it is "only need two tools - a browser, and a clear mind", and additionally a proxy .. :) ..... Scanners never find out business-critical and logical issues of applications.

AmarDeep Singh

Jun 14, 2011, 11:20:39 PM
to null-...@googlegroups.com
Gaurav,

All said is true, but to answer your basic question in this thread, I would say AppScan has a little edge over WebInspect. I have used both, and a few major differences that I feel exist between the two are:

1. Non-standard URL structure support: AppScan supports this (through registry configuration; it supports URLs that do not conform to the HTTP RFC, such as eBay/PayPal URLs), whereas WebInspect does it partially (only for session tokens in the path) and does not support complex non-standard URLs such as eBay/PayPal.

2. Web services scanning, including SOAP v1.2: AppScan fully supports this, whereas WebInspect does this partially.

3. Support for concurrent/non-concurrent session login: WebInspect does not support this, whereas AppScan does.

4. Ability to "re-scan" without starting a completely new scan: AppScan has this ability, whereas WebInspect does not (you need to pull up the scan template).

5. AJAX testing capabilities: AppScan supports testing of JSON-based AJAX applications and can manipulate JSON parameters, whereas WebInspect seems to have problems properly manipulating JSON parameters.

I have listed a few differences above, but there are many more. Of course there are some features which are in WI and not in AS, but I feel they are not of much importance; for example, in WebInspect multiple scans can be opened/run in different scan tabs, whereas AppScan lacks this.

Thanks,
Amardeep Singh


Nanda Kumar

Jun 15, 2011, 12:38:41 AM
to null-...@googlegroups.com
Hi All,

I too totally agree. Usually the company which builds the scanner will be one cycle behind the new vulnerabilities and latest tricks.
Moreover, the cost, licensing and third-party integration (in advance) will be the very difficult part.

-Nanda


sechacking

Jun 14, 2011, 11:12:06 AM
to null-co-in
I think WebInspect is better than AppScan, e.g. for SQL injection scanning or making use of file upload.
But AppScan has an advantage: if the site requires authentication, it looks better than WebInspect.
 
2011-06-14

 

Best Regards

Robert

E-Mail: ro...@cnmoker.org


From: Gaurav Shah
Sent: 2011-06-13 17:15:08
To: null-co-in
Cc:
Subject: [null] AppScan vs WebInspect

sechacking

Jun 14, 2011, 11:14:59 AM
to null-co-in
My English is poor, so I may not have expressed my meaning very accurately. I'm Chinese, so sorry!