Are there any free tools similar to AppScan

sunilramu asked:

tnapolitano commented:

Check out Oedipus (http://oedipus.rubyforge.org/).

"Oedipus is an open source web application security analysis and testing suite developed by Penetration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying several security vulnerabilities. Using the analyzed information, Oedipus can then dynamically test web sites for application and web server vulnerabilities.

"Oedipus can be broken down into 4 main components:
- Analyzer - Capable of parsing several different types of log files, such as Burp, Paros, etc., identifying potential security vulnerabilities using pattern matching. An Oedipus input file is also produced.
- Scanner - Parses the Oedipus or IEnterceptor file, feeding each request to a dynamically loaded predefined security plug-in on the fly.
- Reporter - Using the results from the Analyzer and the Scanner, Oedipus produces several well formatted reports designed for the Penetration Tester. The Scanner report can be interactively used to verify the results of the potential vulnerabilities discovered.
- Tools - Using the above identified security vulnerabilities, a number of tools will be provided to analyze and potentially exploit the vulnerability."
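The "Analyzer" component described in the post above (parse a proxy log off-line, pattern-match for candidate issues, emit an input file for later active testing), as an added Python example that is not Oedipus code and not from the original post. The log format it reads is a constructed simplification (entries separated by `======`, request and response by `------`), not the real Burp or Paros on-disk format, and the three captured exchanges are constructed sample data.

```python
"""Offline proxy-log analysis in the spirit of an 'Analyzer' component.

Added example, not Oedipus code. The log layout is a constructed
simplification: entries are separated by a '======' line, the request and
its response by a '------' line. Real Burp/Paros logs differ.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log: three request/response pairs as a proxy might save them.
SAMPLE_LOG = """\
GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1
Host: shop.example.test
------
HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/html

<html><body>Results for <script>alert(1)</script></body></html>
======
GET /item?id=1' HTTP/1.1
Host: shop.example.test
------
HTTP/1.1 500 Internal Server Error
Server: Apache/2.2.3 (Red Hat)
Content-Type: text/html

You have an error in your SQL syntax; check the manual
======
GET /about HTTP/1.1
Host: shop.example.test
------
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html

<html><body>About us</body></html>
"""

ENTRY_SEP = "\n======\n"
PAIR_SEP = "\n------\n"

# Error strings that betray unescaped input reaching a database layer.
SQL_ERROR_PATTERNS = [re.compile(p, re.I) for p in (
    r"error in your SQL syntax",      # MySQL
    r"unclosed quotation mark",       # MSSQL
    r"ORA-\d{5}",                     # Oracle
    r"pg_query\(\)",                  # PostgreSQL via PHP
)]


@dataclass
class Entry:
    method: str
    url: str
    req_headers: dict
    status: int
    resp_headers: dict
    body: str


@dataclass
class Finding:
    entry: int      # index of the log entry the finding refers to
    kind: str       # "server-version", "sql-error" or "reflected-input"
    detail: str


def _parse_message(text):
    """Split one HTTP message into (start line, lower-cased headers, body)."""
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_log(log_text):
    """Parse the simplified log into Entry objects."""
    entries = []
    for chunk in log_text.strip("\n").split(ENTRY_SEP):
        req_text, _, resp_text = chunk.partition(PAIR_SEP)
        req_line, req_headers, _ = _parse_message(req_text)
        status_line, resp_headers, body = _parse_message(resp_text)
        method, url, _ = req_line.split(" ", 2)
        status = int(status_line.split(" ")[1])
        entries.append(Entry(method, url, req_headers, status, resp_headers, body))
    return entries


def analyze(log_text):
    """Pattern-match each entry and return the list of candidate findings."""
    findings = []
    for i, e in enumerate(parse_log(log_text)):
        server = e.resp_headers.get("server", "")
        if re.search(r"/\d", server):                 # "Apache/2.2.3" discloses a version
            findings.append(Finding(i, "server-version", server))
        for pat in SQL_ERROR_PATTERNS:
            m = pat.search(e.body)
            if m:
                findings.append(Finding(i, "sql-error", m.group(0)))
                break
        # A decoded query value containing markup characters that comes back
        # verbatim in the body is a reflected-input (XSS) candidate.
        for name, value in parse_qsl(urlsplit(e.url).query, keep_blank_values=True):
            if any(c in value for c in "<>\"'") and value in e.body:
                findings.append(Finding(i, "reflected-input", f"{name}={value}"))
    return findings


def retest_list(log_text):
    """The 'input file' for an active scanner: one request line per flagged entry."""
    entries = parse_log(log_text)
    flagged = sorted({f.entry for f in analyze(log_text)})
    return [f"{entries[i].method} {entries[i].url}" for i in flagged]


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"entry {f.entry}: {f.kind}: {f.detail}")
    print("retest:", retest_list(SAMPLE_LOG))
```

Everything here is a candidate, not a confirmed vulnerability: the analyzer only sees what the proxy happened to record, so the retest list is what you hand to an active scanner (or verify by hand) next.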
 
DCreature commented:
You can't go past Microsoft's very own Microsoft Baseline Security Analyzer (MBSA) 2.0:

http://support.microsoft.com/?scid=kb;en-us;895660
 
 
ahoffmann commented:
In addition to the above:
http://www.acunetix.com/
http://www.securityinnovation.com/security-report/vulnScanners1.htm

There are some more open source ones (but it seems that you're looking for commercial ones :)

Keep in mind that they all have their pros and cons, and none of them is really good (compared to humans), except for detecting known vulnerabilities.
 
ahoffmann commented:
Oops, I didn't read the title properly: free tools.

http://www.foundstone.com/ FoundScan

but most of them are far, far away from the quality of AppScan, ScanDo, WebInspect, etc. ...
 
tnapolitano commented:

Paros (http://www.parosproxy.org/index.shtml) is another Web Application scanner I've used in the past.

You might also want to look at Nikto (http://www.cirt.net/code/nikto.shtml), an Open Source web server scanner.

 
kevinf40 commented:
Hi sunilramu,

If you want to try a wide variety of tools, try one of the Linux live distros that run from a CD, such as BackTrack (http://www.remote-exploit.org/index.php/BackTrack) or Knoppix, etc. These provide an easy, ready-to-go way of trying a variety of open source tools such as the above-mentioned Nikto, Wikto, Metasploit, Nessus, Nmap, etc. without actually having to install anything.

Not free (in fact fairly expensive...), but I have tested Core Impact and it is a very impressive product.

If you have any specific applications (e.g. web sites, DB servers, etc.) you want to test against, it may be worth adding this detail so the replies to your question can be more specific. Obviously this isn't relevant if you are looking for general tools to test a variety of systems.

cheers

Kevin
 
sunilramu (Author) commented:
Hi all,
I tried Paros and Burp; they work well. I couldn't get Oedipus to work: it says "cannot create output folder ..." when I tried to run the analyzer. My question is, what can AppScan or Oedipus do which Burp and Paros cannot?

thanks for all your responses.
sunil
 
sunilramu (Author) commented:
One thing I forgot to mention: I am testing in a Windows environment.
 
kevinf40 commented:
Hi Sunilramu,

The Linux-based tools can all be used to scan Windows-based apps/websites. I would definitely recommend you try a live CD such as BackTrack: you can boot into this on a desktop, and when you are finished, remove the CD, reboot, and your Windows desktop will be untouched...

With regards to the applications you specifically mention these two links may be useful:

brief overview of several tools:
http://caffeinatedsecurity.com/blog/archives/2006/03/08/web-application-security-testing-tools/

more detailed examination of the tools you highlight and some others:
http://www.owasp.org/images/d/d2/OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10.ppt

cheers

Kevin
 
ahoffmann commented:
Burp and Paros are mainly proxies, well, with some fuzzing facilities added.
AppScan is a full-featured scanner with a huge (most complete) database of known vulnerabilities and a huge list of files and directories to check. It also can analyze the website after crawling, before it starts testing. AppScan also tries to detect the web server and the OS, so it can check for related flaws only.

Disclaimer: I'm not related to Sanctum/Watchfire in any way ;-)
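The crawl-then-test workflow ahoffmann describes (crawl the site, fingerprint the server, check only the known paths relevant to that server family, then test the discovered parameters), as an added Python example that is not AppScan's or any other product's code. The `fetch(method, url)` callable stands in for an HTTP client; `fake_site` is a constructed in-memory target, and the known-path lists and payloads are illustrative assumptions, not a vendor database.

```python
"""Crawl-then-test scanner skeleton. Added example, not AppScan code.

`fetch(method, url)` stands in for an HTTP client and must return
(status, headers, body). `fake_site` below is a constructed target so the
whole thing runs offline.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HREF = re.compile(r'href="([^"]+)"', re.I)
SQL_ERRORS = re.compile(r"error in your SQL syntax|unclosed quotation mark|ORA-\d{5}", re.I)

# Illustrative known-path lists keyed by server family (an assumption, not a
# vendor database). Only 'generic' plus the fingerprinted family is checked,
# which is the "check for related flaws only" idea from the post above.
KNOWN_PATHS = {
    "generic": ["/admin/", "/backup/", "/.svn/entries"],
    "apache": ["/server-status", "/cgi-bin/", "/icons/"],
    "iis": ["/_vti_bin/", "/iisadmin/", "/scripts/"],
}

# Probe payloads per check. The reflection marker deliberately contains no
# single quote so the two checks stay independent of each other.
PAYLOADS = {"reflected-input": 'zq<">zq', "sql-error": "'"}


def fingerprint(headers):
    """Crude server-family detection from the Server header."""
    server = headers.get("Server", "").lower()
    for family in ("iis", "apache"):
        if family in server:
            return family
    return "unknown"


def crawl(fetch, start="/", limit=50):
    """Breadth-first crawl of same-site links; returns {url: (status, headers, body)}."""
    pages, queue = {}, [start]
    while queue and len(pages) < limit:
        url = queue.pop(0)
        if url in pages:
            continue
        status, headers, body = fetch("GET", url)
        pages[url] = (status, headers, body)
        if status == 200:
            queue.extend(l for l in HREF.findall(body) if l.startswith("/") and l not in pages)
    return pages


def inject(url, param, payload):
    """Return `url` with the value of query parameter `param` replaced by `payload`."""
    parts = urlsplit(url)
    query = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


def scan(fetch):
    """Crawl, fingerprint, check related known paths, then probe every parameter."""
    pages = crawl(fetch)
    family = fingerprint(pages["/"][1])
    findings = []
    for path in KNOWN_PATHS["generic"] + KNOWN_PATHS.get(family, []):
        status, _, _ = fetch("GET", path)
        if status in (200, 403):            # a 403 still confirms the path exists
            findings.append(("known-path", path, f"HTTP {status}"))
    for url in pages:
        for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            for kind, payload in PAYLOADS.items():
                _, _, body = fetch("GET", inject(url, name, payload))
                hit = payload in body if kind == "reflected-input" else bool(SQL_ERRORS.search(body))
                if hit:
                    findings.append((kind, f"{url} [{name}]", payload))
    return family, findings


def fake_site(method, url):
    """Constructed target: an IIS-like site with one reflecting, SQL-fragile parameter."""
    parts = urlsplit(url)
    hdr = {"Server": "Microsoft-IIS/6.0"}
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if parts.path == "/":
        return 200, hdr, '<a href="/about.asp">About</a> <a href="/search.asp?q=test">Search</a>'
    if parts.path == "/about.asp":
        return 200, hdr, "<p>About us</p>"
    if parts.path == "/search.asp":
        term = params.get("q", "")
        if "'" in term:
            return 500, hdr, "Unclosed quotation mark after the character string"
        return 200, hdr, f"<p>Results for {term}</p>"   # reflected unencoded (deliberate)
    if parts.path == "/_vti_bin/":
        return 403, hdr, "Forbidden"
    return 404, hdr, "Not found"


if __name__ == "__main__":
    family, findings = scan(fake_site)
    print("server family:", family)
    for kind, where, detail in findings:
        print(f"{kind:16} {where}  ({detail})")
```

The crawl step is what separates this from a proxy with fuzzing bolted on: the scanner decides on its own what to test, and the fingerprint keeps the known-path list (which in a real product is the large part of the database) from being thrown blindly at every host. Swapping `fake_site` for a function built on a real HTTP client is the only change needed to point it at a live target you are authorised to test.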