website vulnerability scanner

Hello,

I am developing a website with Symphony CMS, but I wonder which software I can best use to test whether the website is free of SQL/XSS problems.

Roelof.
 
security/nikto is available in the ports. That should get you started.

There are other products available; Nessus, for example, is a very good tool for that matter. But you will need to run it on Linux, Mac or Windows.
 
Both Nessus and Nikto will only find simple and easily found known bugs. If you build something yourself, it's quite likely they won't find any problems even if it's written completely insecurely.

While they are good for a quick scan, don't rely on them too much. If both applications can't find anything, your web application could still have bugs.
 
I am co-founder of Orvant. We have a product which allows you to run OpenVAS, Nikto and w3af (both external and internal) through our portal. w3af is going to be the best bet of those three, as it's not just working off a database of known threats but actually tries to determine the inputs on the page and runs different attack vectors against them. We also support some non-open commercial tools which may be useful. You can check us out at http://www.orvant.com

Having said that, if you're a developer you still should follow the recommendations found here:

https://www.owasp.org/index.php/Main_Page

And here

http://code.google.com/p/doctype-mirror/wiki/ArticlesXSS
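The two posts above make complementary points: a scanner in the w3af style first finds the inputs a page accepts and then throws attack vectors at them, and a scanner that reports nothing has not proven the application clean. What follows is an added example, not code from this thread, from w3af, Nikto, Nessus or Symphony CMS. The three search handlers, the in-memory database, the marker string and the payload list are all constructed here for illustration. The probe discovers the form's inputs, tries a reflection marker and quote-breaking payloads, and flags the naive handler; the same injection with its errors swallowed goes unreported, which is exactly the gap the third post warns about, while the parameterised, output-escaped handler is the kind of fix the OWASP material describes.

```python
"""Added example: a minimal input-discovery and injection probe in the spirit of
what the thread says w3af does, run against three constructed stand-ins for a CMS
search page. Nothing here is Symphony CMS, Nikto, Nessus or w3af code."""
import html
import re
import sqlite3
from html.parser import HTMLParser

# Constructed in-memory database standing in for the CMS's tables.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
DB.executemany("INSERT INTO articles (title) VALUES (?)", [("Hello",), ("World",)])

# Constructed search form; the submit button has no name and is not an injection point.
FORM = "<form action='/search'><input name='q'><input type='submit'></form>"


def vulnerable_search(params):
    """Constructed handler: string-built SQL and an unescaped echo of the input."""
    q = params.get("q", "")
    try:
        rows = DB.execute(f"SELECT title FROM articles WHERE title LIKE '%{q}%'").fetchall()
    except sqlite3.Error as e:
        return f"<html><body>{FORM}<p>Database error: {e}</p></body></html>"
    items = "".join(f"<li>{t}</li>" for (t,) in rows)
    return f"<html><body>{FORM}<p>Results for {q}:</p><ul>{items}</ul></body></html>"


def blind_vulnerable_search(params):
    """Same injection, but errors are swallowed: an error-based probe sees nothing."""
    q = params.get("q", "")
    try:
        rows = DB.execute(f"SELECT title FROM articles WHERE title LIKE '%{q}%'").fetchall()
    except sqlite3.Error:
        rows = []
    items = "".join(f"<li>{html.escape(t)}</li>" for (t,) in rows)
    return f"<html><body>{FORM}<p>{len(rows)} result(s)</p><ul>{items}</ul></body></html>"


def hardened_search(params):
    """Parameterised query plus output escaping, the fixes OWASP recommends."""
    q = params.get("q", "")
    rows = DB.execute("SELECT title FROM articles WHERE title LIKE ?", (f"%{q}%",)).fetchall()
    items = "".join(f"<li>{html.escape(t)}</li>" for (t,) in rows)
    return f"<html><body>{FORM}<p>Results for {html.escape(q)}:</p><ul>{items}</ul></body></html>"


class InputCollector(HTMLParser):
    """Step one of a w3af-style scan: collect the named inputs the page accepts."""

    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        name = dict(attrs).get("name")
        if tag == "input" and name:
            self.names.append(name)


XSS_MARKER = "<zzq7probe>"        # harmless tag a real page will never contain
SQL_PAYLOADS = ["'", '"', "')"]   # constructed: break out of a quoted SQL literal
SQL_ERROR_RE = re.compile(r"database error|syntax error|unrecognized token|unterminated", re.I)


def discover_inputs(handler):
    """Fetch the page with no parameters and parse the form inputs out of it."""
    parser = InputCollector()
    parser.feed(handler({}))
    return parser.names


def probe(handler):
    """Step two: send each attack vector to each input and inspect the response."""
    findings = []
    for name in discover_inputs(handler):
        # Reflected XSS check: the marker came back without being escaped.
        if XSS_MARKER in handler({name: XSS_MARKER}):
            findings.append(("reflected-xss", name))
        # Error-based SQL injection check only; a silent failure is not detected.
        for payload in SQL_PAYLOADS:
            if SQL_ERROR_RE.search(handler({name: payload})):
                findings.append(("sql-injection", name))
                break
    return findings


if __name__ == "__main__":
    for target in (vulnerable_search, blind_vulnerable_search, hardened_search):
        print(f"{target.__name__}: {probe(target)}")
```

Running the file prints a finding list for each handler: the naive one is reported for both reflected XSS and SQL injection, and the other two come back empty. The empty result for `blind_vulnerable_search` is the lesson: it is still injectable, the probe simply has no error text to key on, so an empty scan result means "nothing found by this probe", not "clean". Fix the problem at the source with parameterised queries and output escaping, as in `hardened_search`, and use the scanners as a supplementary check.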
 