On 04/20/2011 02:38 PM, Houcem HACHICHA wrote:
> Hi everyone, great discussion! I see /arachni/ was mentioned for XSS, so
> let me add /sqlmap/ as another great open source tool for SQLi (three
> types).

SQLmap is quite awesome, especially if you track svn. The developers are by far the most responsive I've ever seen; if a problem is posted to the mailing list, the fix is almost always in SVN within an hour. One of my favorite tools ever.

> I always hear that w3af does not support AJAX and Flash. Anyone knows of
> an open source tool that can help with these two?

Many tools partially support AJAX (of limited complexity). For more complete testing, manual poking about is the order of the day.

As for Flash, first of all we need to break it down into tools supporting Flash crawling and tools for auditing Flash files themselves for flaws. Flash crawling is available somewhat in AppScan. Auditing Flash files for security problems is somewhat in WebInspect.

There are also two public tools for auditing Flash for security flaws; one is Open Source, the other is free.

SWFIntruder is the open source one. It is a "grey box" scanner, and is the most useful tool for verifying flaws. It requires an old version of Firefox, an old Flash version, and a web server setup. It is far and away the best Flash security testing tool on the market. There are some caveats to usage and it is hard to set up... Hmm... I guess I should do a blog post or video on that sometime, as nobody seems to be testing for Flash well (we find a LOT of Flash flaws in sites others test before us, and a good amount of them have a major security impact).

SWFScan is the free version of the Flash auditing in WebInspect. It is a static analysis product, and does absolutely no flow analysis, so if a flaw has a sink and a source on the same line, it finds it. If they are not (i.e. there are some variables and logic in the middle), it misses it. Not so useful IMHO, but it is an easy to use disassembler and sometimes does find a flaw despite being almost totally brain-dead ;-)

I run all Flash files we find on a website through these two tools, and as mentioned above, we find a decent amount of serious problems.

Here's the OWASP page; unfortunately it's full of lots of incomplete and out of date resources. :-) Adding up to date info here is on my todo list, but that list is long.

https://www.owasp.org/index.php/Category:OWASP_Flash_Security_Project

--
| Steven Pinkham, Security Consultant |
| http://www.mavensecurity.com |
| GPG public key ID CD31CAFB |
_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
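The same-line limitation described in the message above, as an added example that is not part of the original email and is not SWFScan's actual implementation: a line-local source/sink matcher next to a minimal forward taint pass. The ActionScript 2 style sample lines, the short source and sink lists, and all function names are constructed for illustration, and the scan runs on source text rather than on a disassembled SWF.

```python
import re

# Constructed ActionScript 2 style samples (not taken from any real SWF).
SAME_LINE = ['getURL(_root.target);']
SPLIT = [
    'var u = _root.target;',        # source: value settable via FlashVars/query string
    'var link = u + "?ref=menu";',  # logic in the middle
    'getURL(link);',                # sink reached two lines later
]
CLEAN = ['var u = "help.html";', 'getURL(u);']

# Assumed, deliberately short lists of attacker-influenced sources and risky sinks.
SOURCE = re.compile(r'\b(?:_root|_level0|_global)\.\w+')
SINK = re.compile(r'\b(getURL|loadMovie|ExternalInterface\.call)\s*\((.*)\)')
ASSIGN = re.compile(r'^\s*(?:var\s+)?(\w+)\s*=\s*(.+?);?\s*$')


def line_local_scan(lines):
    """Flag a line only when a source appears inside a sink call on that same line."""
    return [n for n, line in enumerate(lines, 1)
            if (m := SINK.search(line)) and SOURCE.search(m.group(2))]


def taint_scan(lines):
    """Propagate taint through simple assignments, then check sink arguments."""
    tainted, hits = set(), []

    def is_tainted(expr):
        return bool(SOURCE.search(expr)) or any(
            re.search(rf'\b{re.escape(v)}\b', expr) for v in tainted)

    for n, line in enumerate(lines, 1):
        sink = SINK.search(line)
        if sink:
            if is_tainted(sink.group(2)):
                hits.append(n)
            continue
        assign = ASSIGN.match(line)
        if assign:
            name, expr = assign.groups()
            # Reassigning a variable from a constant clears its taint.
            (tainted.add if is_tainted(expr) else tainted.discard)(name)
    return hits


if __name__ == '__main__':
    for label, sample in (('same line', SAME_LINE), ('split', SPLIT), ('clean', CLEAN)):
        print(label, line_local_scan(sample), taint_scan(sample))
```

On the split sample the line-local matcher reports nothing while the taint pass flags line 3, which is the kind of finding that then needs dynamic verification.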
