Open Source Web Application Scanner Poll

I am trying to find out from the community which open source web application scanners they use and why. Please take the poll, once, and answer honestly. Thank you! ;)


http://spreadsheets.google.com/viewform?formkey=dFNpQmNfUWx4UEFicW0wQXlZTFQyV0E6MA

Posted on 1 December, 2009 by ethicalhack3r

No Comments

Netsparker – The next gen web app scanner



I was lucky enough to get my greasy hands on a copy of ‘Netsparker Final BETA’ from Mavituna Security’s project leader Ferruh Mavituna.

Netsparker can crawl, attack and identify vulnerabilities in all custom web applications regardless of the platform and the technology it’s built on, just like an actual attacker. It can identify web application vulnerabilities like SQL Injection, Cross-site Scripting (XSS), Remote Code Execution and many more.


I tested Netsparker v0.9.9.9935 (FINAL BETA) against DVWA v1.0.6. Setting up a new scan was as easy as putting in the DVWA URL, adding the security/PHPSESSID cookies and then selecting the different vulnerabilities to scan for. Netsparker picked up on almost all of DVWA’s vulnerabilities, even the SQL Injection vulnerability, which a lot of web application scanners have problems picking up for some reason. The vulnerabilities that it did not pick up on I sent in an email to Ferruh; he has already added scans for some of these and will implement others in future.


Posted on 11 October, 2009 by ethicalhack3r

3 Comments

DVWA v1.0.5 coming soon…

DVWA v1.0.5 will be released in the near future sporting many changes including more vulnerabilities and features.


Since version 1.0.4 we have had a bigger open source community, which has pushed DVWA to a whole new level; without them the project couldn’t be what it is today.


DVWA v1.0.5 change log:

Complete re-code.
Complete re-design.
CSRF vulnerability.
Stored XSS vulnerability.
Full Path Disclosure vulnerability.
Login page.
Sessions.
Many bug fixes.
PHPIDS implementation.
+ much more


Posted on 23 August, 2009 by ethicalhack3r

No Comments

dvwa video presentation at SuperMondays

Here is the video from my presentation on dvwa at the SuperMondays event in Newcastle Upon Tyne.

I think I must hold the record for the number of “ammm…”s in a 16-minute period! It was my first public talk, so there is much room for improvement.

Posted on 3 July, 2009 by ethicalhack3r

2 Comments

dvwa v1.0.4 released

After a month of coding, Damn Vulnerable Web App (dvwa) v1.0.4 is ready for download.


dvwa v1.0.4 has many changes from version 1.0.3, mostly bug fixes and design improvements.


1.0.4 Change log:

Added acunetix scan report. 24/06/2009
All links use http://hiderefer.com to hide referrer header. 23/06/2009
Updated/added ‘more info’ links. 23/06/2009
Moved change log info to CHANGELOG.txt. 22/06/2009
Fixed the exec.php UTF-8 output. 16/06/2009
Moved Help/View source buttons to footer. 12/06/2009
Fixed phpInfo bug. 12/06/2009
Made dvwa IE friendly. 11/06/2009
Fixed html bugs. 11/06/2009
Added more info to about page. 03/06/2009
Added pictures for the users. 03/06/2009
Fixed typos on the welcome page. 03/06/2009
Improved README.txt and fixed typos. 03/06/2009
Made SQL injection possible in sqli_med.php. Thanks to Teodor Lupan. 03/06/2009


Any suggestions/feedback/contributions welcome!


Download: http://sourceforge.net/projects/dvwa

Posted on 29 June, 2009 by ethicalhack3r

2 Comments