That isn't a bad list. I tend to direct people to
http://sectools.org/vuln-scanners.html even though it is a little
dated and doesn't mention OpenVAS (Nessus forked and OpenVAS is truly
OSS). I also use WebScarab, Xenu (just a link checker, but it gives you a
good list of the site), w3af, as it is open source and does some nice
fuzzing through its proxy, Nikto/Wikto and Nmap if it is more than

These are all just auto tests; they won't find everything and there
are some false finds too, so you also have to have a look at
techniques like SQL injection (you can get SQL injection tools like
Acunetix, but it is not cheap), and IMHO you are better off learning
the techniques yourself, because if you know how a tool works you are so
much better off.
On 10/16/08, Amos Shapira <amos.shapira@xxxxxxxxx> wrote:
I need to find tools to run penetration testing on our external web
interfaces (a web application and an HTTP-based data interface).
The idea is to be able to run automatic tests on new releases before
deployment. Stress is on "automatic".
Has anyone here got good experience with such tools? I'm digging through
the net and found lots of lists (e.g.
but if someone can give some input from their personal experience on
worth pursuing and what's a waste of time it'll, well..., might save us
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html