NYCPHP Meetup

NYPHP.org

[nycphp-talk] Web app security scanners

inforequest 1j0lkq002 at sneakemail.com
Tue Apr 18 13:41:14 EDT 2006


Thanks Max. Did you go for the "free website audit" because I dl'ed the 
free scanner and it says it only runs against their test sites, not your 
own sites. Thanks.

-=john andrews
http://www.seo-fun.com


max max-at-neuropunks.org |nyphp dev/internal group use| wrote:

>Well, heres a short followup on this.
>I used the acunetix free web based scanner, and it seems to be pretty thourough.
>The free report of course has no details in it, only number of potentials problems.
>However, looking at the webserver logs, you can see what they were checking for, and it looks serious.
>They try 13 different XSS attacks, 3 sql injections, cookie rewriter, all kinds of dir traversal, and 
>trace/track/connect http request issues.
>I still dont think im going to dish out 3 something K for the full version, but at least from their brief report you can check the logs for their requests, and see your server's response, and try it yourself.
>Pretty educational overall actually.
>
>
>On Sat, Apr 15, 2006 at 01:09:38PM -0500, Max Gribov wrote:
>  
>
>>Hello all,
>>does anyone know of any opensource/free web app security scanner?
>>Basically, I just want something (else besides me) to go through all the
>>GET's and POST's on my PHP site and see if XSS/sql injection/etc is
>>possible.
>>I certainly did an audit of my own code, but another pair of eyes,
>>especially automated, would never hurt.
>>Something down the lines of Nessuss only for web apps basically.
>>I've seen this: www.acunetix.com, and signed up for a trial audit, but
>>am wondering if there is something I can actually download.
>>I havent seen anything on freshmeat or even google, most things are
>>either tutorials or non-free.
>>
>>thanks!
>>
>>max
>>_______________
>>




More information about the talk mailing list