Hi Amos,

That isn't a bad list. I tend to direct people to http://sectools.org/vuln-scanners.html even though it is a little dated and doesn't mention OpenVAS (Nessus forked and OpenVAS is truly OSS). I also use Webscarab, Xenu (just a link checker, but it gives you a good list of the site), W3af, as it is open source and does some nice fuzzing through its proxy, Nikto/Wikto, and Nmap if it is more than just web.

These are all just auto tests; they won't find everything and there are some false finds too, so you also have to have a look at techniques like SQL injection (you can get SQL injection tools like the Acunetix, but it is not cheap), and imho you are better learning the techniques yourself, 'cause if you know how a tool works you are so much better off.

Regards

On 10/16/08, Amos Shapira <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I need to find tools to run penetration testing on our external web
> interfaces (a web application and an HTTP-based data interface).
>
> The idea is to be able to run automatic tests on new releases before
> deployment. Stress is on "automatic".
>
> Has anyone here got good experience with such tools? I'm digging through
> the net and found lots of lists (e.g.
> http://www.samurainet.org/blog/2008/05/12/web-application-penetration-testing-my-tools-of-the-trade/)
> but if someone can give some input from their personal experience on what's
> worth pursuing and what's a waste of time it'll, well..., might save us some
> time.
>
> Thanks,
>
> --Amos
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>

--
Regards
Morgan Storey, A+, MCSE:Security.
Senior Network and Security Consultant.
