views: 111

answers: 4

I would like to integrate a vulnerability scanner as part of our build process. Are there any open source tools worth looking at?

A: 

Perhaps your first step should be: Nikto

Incidentally this is probably better directed to ServerFault than here at SO ... it's more relevant to sysadmin than programming.

Jim Dennis
Also, Nessus and Metasploit might be helpful?
Kimvais
Nessus is not open source (it was, though); what you are looking for is OpenVAS. Also, none of them are really web app scanners; they are focused on network security.
dr. evil
@dr. evil: Nikto is, specifically, a web server security auditing tool. That's why I referred to it so specifically. From their web site: "Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6100 potentially dangerous files/CGIs, checks for outdated versions of over 950 servers, and version specific problems on over 260 servers."
Jim Dennis
Jim, not to you; I was referring to Kimvais's answer. Otherwise, Nikto is definitely a web / CGI scanner.
dr. evil
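The question asks how to make a scanner part of the build, and the answers only name tools. Below is an added example (not code from any answerer or from the Nikto project) of the glue a build step needs: run the scanner against a staging host you own, then fail the build when the report contains more findings than an agreed threshold. It assumes Nikto is installed and that `STAGING_HOST` is set in the build environment; when it is not, it falls back to a constructed sample report in Nikto's CSV layout so the gating logic can be exercised offline.

```shell
#!/bin/sh
# Added example: gate a build on the findings of a web scanner run.
# Assumptions: nikto is on PATH, STAGING_HOST names a host you own, and
# the report is one CSV line per finding with a header line starting
# with "host" (the Nikto -Format csv layout, as assumed here).
set -eu

# count_findings FILE -> prints the number of finding lines in FILE,
# skipping blank lines and the header line.
count_findings() {
  grep -v '^[[:space:]]*$' "$1" | grep -vi '^"\{0,1\}host' | wc -l | tr -d ' '
}

# gate_build FILE THRESHOLD -> returns 0 when the report holds at most
# THRESHOLD findings, 1 otherwise (which fails the build under set -e).
gate_build() {
  n=$(count_findings "$1")
  if [ "$n" -gt "$2" ]; then
    echo "FAIL: $n findings in $1 (threshold $2)" >&2
    return 1
  fi
  echo "OK: $n findings in $1 (threshold $2)"
  return 0
}

# make_sample_report FILE -> writes a constructed two-finding report so the
# script runs without a scanner or a network. Hostnames and IPs are made up.
make_sample_report() {
  cat > "$1" <<'EOF'
"host","ip","port","osvdb","method","uri","msg"
"staging.example.test","10.0.0.5","80","0","GET","/","Server banner reveals version"
"staging.example.test","10.0.0.5","80","0","GET","/admin/","Directory indexing is enabled"
EOF
}

report=$(mktemp)
if [ -n "${STAGING_HOST:-}" ]; then
  # Real run: scan the staging host and write a CSV report.
  nikto -h "$STAGING_HOST" -Format csv -o "$report"
else
  make_sample_report "$report"
fi

# A threshold of 0 means any finding blocks the build; the "|| echo"
# keeps this demonstration from aborting under set -e.
gate_build "$report" 0 || echo "build would be blocked until findings are triaged"
```

In a real pipeline the last line is simply `gate_build "$report" 0`, so a non-zero return fails the job. The threshold exists so a team can accept a known, triaged count of low-severity findings without turning the gate off entirely.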
A: 

The best open source scanner for web applications is Wapiti. You will get a low false positive rate and good site coverage.

There is also w3af, which tests for more types of vulnerabilities than Wapiti; however, it's more error prone and the "WebSpider" discovery module isn't very good.

If your site is AJAX-heavy you'll have to go with a commercial product like Acunetix or NTOSpider.

Make sure that error reporting is enabled during testing and disabled during production.

Rook
+1  A: 

Take a look at this list:

WASC - Web application security scanner list

There are plenty of open source and free web app scanners in there.

Also not open source but free:

dr. evil
A: 

A new web application scanner is Google's skipfish.

It's fast & lightweight (written in C), has automatic learning capabilities, on-the-fly wordlist creation, etc.

flo