From: Benny Tsai (benny.tsai@gmail.com)
Date: Fri Apr 13 2007 - 09:58:49 EDT
One of my colleagues swears by SPIKE Proxy:
http://www.immunitysec.com/resources-freesoftware.shtml
I haven't played with it myself, so I honestly don't know how well it
suits your needs. But if you have time, it might be worth checking
out. Anyone else have experience with this tool?
-Benny
On 4/11/07, Paul Sebastian Ziegler <psz@observed.de> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi all,
>
> I stumbled across Paros quite a while ago.
> It has been really nice to work with, providing an easy "click and run"
> interface. However there are some limitations to it that are becoming
> more and more obvious.
>
> 1) It has not been updated for half a year. (Ok, this is probably the
> least significant problem.)
>
> 2) Java is great for platform independence and stuff - but its just
> slow. You don't even have to scan across an intranet to find this out.
> Even if you scan through a custom 2000/200 kbps line the limiting factor
> will be your processor and not your bandwidth. (2Ghz Pentium M - results
> may vary)
>
> 3) It lacks deep configurations. Of course you can set all your basic
> stuff, but you have no access to the routines called afterwards unless
> you hack up the source yourself. Now again this is normal for a click
> and run tool.
>
> 4) The logs it creates are _huge_. 2GB and more are not seldom at all.
> This sometimes raises startup and resume times to 30+ minutes.
>
> 5) some more. This is not a flame. I actually like Paros. Just wanted to
> sketch what troubled my mind.
>
> This is why I started searching for alternatives.
> Now - as you might expect - asking google for "paros alternatives"
> mostly turns up Greek villages. That's not really what I'm after.
>
> I found a few good programs but they all lack some key features.
> For example:
>
> I) WebScarab
> (http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project)
> Really nice for packet-manipulation and manual fuzzing of webapps.
> However it lacks standardized tests and automation.
>
> II) Nikto (http://www.cirt.net/code/nikto.shtml)
> Mostly pattern matching without strong generic tests for XSS, CRLF or
> SQL-Injection
>
> III) Burpsuite (http://portswigger.net/suite/)
> Another really nice tool. Here you get all the options.
> However automation is missing up until now.
>
>
> So this is my question:
> Does anybody (know|use|develop) a (tool|script|app) that carries out
> partially or completely automated tests on webapplications, runs on
> linux or bsd, is open source and copes with some of the points given above?
>
> If so, please let me know.
>
> Thanks in advance
>
> Many Greetings
> Paul
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFGHWfyaHrXRd80sY8RCojjAJ0Qen53VyzyCATvWfqNYKYKT7lZ8QCfbIfd
> GAACIut+KZRoAQ2vBZtGoz0=
> =8zee
> -----END PGP SIGNATURE-----
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Are you using SPI, Watchfire or WhiteHat?
> Consider getting clear vision with Cenzic
> See HOW Now with our 20/20 program!
>
> http://www.cenzic.com/c/2020
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!
http://www.cenzic.com/c/2020
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:43 EDT