
Wapiti - Web application security auditor - tzury
http://wapiti.sourceforge.net/
======
chair6
Automated web app security tools are helpful to a point and should be a part
of your security assessment toolkit, but not the only part. Every web
application is different, business logic testing is hard to generically
automate, and AJAX just makes things more complicated. From my experience,
tools will often miss issues that a somewhat skilled tester can pick up with
minimal manual effort.

Be careful with Skipfish, it can generate a significant volume of traffic
that'll peg a production server pretty quickly.

Also worth a look:

<http://dirb.sourceforge.net/> (you'd be amazed how many high-risk vulns this
simple dictionary-based content discovery tool will help find)

<http://www.cirt.net/nikto2>

<http://www.websecurify.com/>

<http://o2platform.com/>

<http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project>

<http://portswigger.net/scanner/>

<http://www.owasp.org/index.php/Category:OWASP_Testing_Project>

------
elbenshira
I think Google released something similar a while back. Anyone remember
the name and link?

~~~
tzury
There are SkipFish and RatProxy

<http://code.google.com/p/skipfish/>

<http://code.google.com/p/ratproxy/>

