HTTP App Scanner in Perl?

Chris

Well, from the lack of Google results I'm receiving, I'd say this does
not exist. But since I've done some searching on my own and come up
with nothing, it can't hurt to ask...

Does anyone know of a web app scanner that basically hits web
applications and does "ethical hacking" -- like this product:

http://www.watchfire.com/products/security/appscan-audit.aspx

Tries Forceful URLs, SQL Injection, Cookie Poisoning, etc. to check for
and report vulnerabilities. I'd really rather have a tool that supports
plugins we write (like Nessus) and having it in Perl would be even
better.

I realize recommending something like this is a bit of a two-edged
sword -- how does anyone know it will be used ethically? I guess
that's the same risk the Nessus project is taking. If someone seems
overly concerned, all I can say is that I'm an IT security engineer for
a large US corporation and we intend to use this to scan and secure our
network, so...

Any leads would be appreciated. We actually already license the
AppScan product referred to by the URL above. I just want something I
can create site specific tests for.

-ceo
 
Brian Wakem

Chris said:
Well, from the lack of Google results I'm receiving, I'd say this does
not exist. But since I've done some searching on my own and come up
with nothing, it can't hurt to ask...

Does anyone know of a web app scanner that basically hits web
applications and does "ethical hacking" -- like this product:

http://www.watchfire.com/products/security/appscan-audit.aspx

Tries Forceful URLs, SQL Injection, Cookie Poisoning, etc. to check for
and report vulnerabilities. I'd really rather have a tool that supports
plugins we write (like Nessus) and having it in Perl would be even
better.

I realize recommending something like this is a bit of a two-edged
sword -- how does anyone know it will be used ethically? I guess
that's the same risk the Nessus project is taking. If someone seems
overly concerned, all I can say is that I'm an IT security engineer for
a large US corporation and we intend to use this to scan and secure our
network, so...

Any leads would be appreciated. We actually already license the
AppScan product referred to by the URL above. I just want something I
can create site specific tests for.

-ceo


Netcraft do it http://audited.netcraft.com/web-application but it ain't
cheap.
 
