Author Topic: Web Application Vulnerablity Scanners:  (Read 1673 times)

0 Members and 1 Guest are viewing this topic.

Offline l0n3r

  • Serf
  • *
  • Posts: 23
  • Cookies: -16
    • View Profile
Web Application Vulnerablity Scanners:
« on: January 29, 2014, 04:35:28 am »
hey guys,

I have been getting deep into webapp pentesting lately, also been using burp suite to do most of my work. But recently I have been looking alot at these automated scanners like nikto, acunetix, arachni, and w3af, and have been wondering if its even worth my time.

I feel like those automated scanners would send too much traffic in pentest, and not even be worth it . Part of me thinks i should just continue to use burp suite and do it "manually" (to an extent).

anyways just wondering if i could get some advice and if any of these are worth looking into.

thanks

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: Web Application Vulnerablity Scanners:
« Reply #1 on: January 29, 2014, 06:51:13 am »
I like acunetix but its defiantly not stealthy by any means
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry

Offline Cr4t3r

  • NULL
  • Posts: 4
  • Cookies: -3
    • View Profile
Re: Web Application Vulnerablity Scanners:
« Reply #2 on: January 29, 2014, 12:17:44 pm »
Try Wapiti

Offline l0n3r

  • Serf
  • *
  • Posts: 23
  • Cookies: -16
    • View Profile
Re: Web Application Vulnerablity Scanners:
« Reply #3 on: January 29, 2014, 05:43:32 pm »
yeah ive used acunetix and really like it. but it literally sends enough traffic to bog down a server and leaves the biggest mess in logs. so ive ruled that one out lol

and I've never heard of Wapiti...gonna have to look into that one.

Offline hppd

  • Knight
  • **
  • Posts: 163
  • Cookies: 7
    • View Profile
Re: Web Application Vulnerablity Scanners:
« Reply #4 on: February 06, 2014, 08:47:59 pm »
Vuln scanners are cool to some extent. (I never use them, but I assume they can come in handy in pentesting)

But I do think that where the scan ends the real pentest begins, you have to get real information that can harm the organization you are pentesting. Cause if you are just going to give them a boring report with the exploits and tell them to fix it, they might not even bother. On the other hand when you get in grab financial information, get trade secrets and own their shit. They are defenetily gonna fix it.. :P

Offline gh05t3d

  • /dev/null
  • *
  • Posts: 11
  • Cookies: -2
  • jabber: gh05t3d@jabb3r.org
    • View Profile
    • My website?
Re: Web Application Vulnerablity Scanners:
« Reply #5 on: March 30, 2014, 09:44:43 pm »

I personally don't like accunetix,because the reasons posted above. You can give it a try to tools like
 inguma (python)
 uniscan (perl)
 nikto (perl)
 golismero (python)
and some other good ones.
  If you install in windows perl,python,ruby you'll find better tools for windows os.

Jabber: gh05t3d@jabb3r.org

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: Web Application Vulnerablity Scanners:
« Reply #6 on: March 31, 2014, 02:49:50 pm »
yeah ive used acunetix and really like it. but it literally sends enough traffic to bog down a server and leaves the biggest mess in logs. so ive ruled that one out lol

and I've never heard of Wapiti...gonna have to look into that one.
And how exactly would that be a problem in a pentest ?
Ẃebservers get scanned , abused and analraped everyday of the year.
Plus the fact that a pentest would suggest it is legal.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage