Web application vulnerability scanner


The_Hat

4:16 pm on Jun 10, 2009 (gmt 0)


So, I've been doing this stuff (PHP/MySQL) for a little while now and I'm to the place where I am ready to really build some stuff and I'm concerned about security. Here at work it looks like the IT dept. uses HP WebInspect and it looks like it tries a lot of different potential attacks.. Anybody know how much that program costs?.. Anybody else have another program that they could recommend?

Mods: not sure where this should go.. not really just databases.. I figured SQL injection is a primary concern. Please move if there is a better fit.

wmhelp

3:23 am on Jun 12, 2009 (gmt 0)


I have not used WebInspect. But I have similar interest in the topic: SQL injection attacks.

If your primary interest is SQL injection, how are your SQL queries in the application? Many injection attacks can be prevented by using parametrized queries. I see several PHP applications using concatenation to build queries.
Another benefit of using parameters instead of building the queries by concatenation is that you get some performance boost if the queries are executed repeatedly.
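The concatenation-versus-parameters point above, shown side by side as an added example that is not part of any post in this thread. It uses PDO against an in-memory SQLite database so it runs without a MySQL server; the table, rows and the crafted input are constructed for the demonstration, and with MySQL only the DSN would change.

```php
<?php
// Added example (not from the thread): the same user lookup written two ways.
// PDO with in-memory SQLite is used so the script runs stand-alone; the schema
// and data below are constructed sample values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$db->exec("INSERT INTO users (username, email) VALUES
           ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable form: the user-supplied value becomes part of the SQL text, so a
// quote character in the input changes the structure of the query itself.
function findByUsernameConcat(PDO $db, string $username): array
{
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parametrized form: the query text is fixed at prepare time and the value is
// bound separately, so the database never interprets the input as SQL.
function findByUsernameParam(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = 'alice';
$crafted = "' OR '1'='1";   // constructed probe input used by scanners such as WebInspect

// The concatenated query returns every user for the crafted input; the
// parametrized query returns no rows because no username literally matches it.
printf("concat, normal input:  %d row(s)\n", count(findByUsernameConcat($db, $normal)));
printf("concat, crafted input: %d row(s)\n", count(findByUsernameConcat($db, $crafted)));
printf("param,  normal input:  %d row(s)\n", count(findByUsernameParam($db, $normal)));
printf("param,  crafted input: %d row(s)\n", count(findByUsernameParam($db, $crafted)));
```

Run it with `php example.php` (requires the pdo_sqlite extension); the difference in row counts between the two forms is the whole point of the advice above.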

salnajjar

7:31 pm on Jun 15, 2009 (gmt 0)


For basic vulnerability scans, including SQL injection attacks and common code attacks, have a look at:
Metasploit
Nessus

They're both tool suites, but you can deselect everything except what's relevant to the system you're coding.

Seri