
Good free SQLi/XSS scanner?

  • 05-03-2012 01:21PM
    #1
    Registered Users, Registered Users 2 Posts: 81,219 ✭✭✭✭


    Looking at http://sectools.org/tag/web-scanners/, but that's pretty old.

    I'm interested in whether anyone is using a good free (or cheap) scanner?
    I want fire and forget, Windows GUI and something that compiles a report after a scan of 1000s of pages.


Comments

  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    You could look at wikto maybe?


  • Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    Actually looks like wikto is pretty outdated also but Nikto (original) apparently runs on windows now anyway: http://cirt.net/nikto2

    You can use it with a GUI:
    http://sourceforge.net/projects/niktofe/


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913




  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    You are looking for something like w3af - check w3af.sourceforge.net or google it, it is fairly well maintained.

    As for the GUI thing, just get used to command line args. Takes maybe 10 mins to learn to use Sqlmap or Xsser, though both now have GUIs (well, the sqlmap GUI is a third party addon by some Russian blackhats that I am cleaning up and working on). A VM ain't too hard to set up either.

    Netsparker (google it, I don't have a link) is meant to be good too, just grab a free trial. Or hire me :P I'm in Galway too y'know...

    If you do get to grips with the CLI, wapiti is good, and if you have setup time arachni is good + has a web interface.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Had this discussion in work yesterday. Sqlmap seems to be the most popular among my team. Despite the cooler name, sqlninja was not highly regarded. Also worthy of looking at are wapiti, w3af, tachyon, burp and fuzzdb.


  • Registered Users, Registered Users 2 Posts: 126 ✭✭infodox


    SQLninja is not a scanner per se, it is a targeted exploitation tool.

    Say you have found a *MSSQL* injection vulnerability, and KNOW the backend database is Microsoft SQL Server. You edit sqlninja's config file and then proceed to use it to inject a reverse shell via several techniques - mainly relying on xp_cmdshell (or re-enabling it) and debug.exe.

    Metasploit has these techniques built in BTW, and can also use the PowerShell injection trick for Windows Server 2008 targets.

    SQLMap, on the other hand, is a far more general purpose SQL injection tool.

    Wapiti can be a bit iffy at times - it has an unusual tendency to crash randomly for some reason I cannot quite discern.

    BURP + Sqlmap plugin is probably the best of the lot, but it is NOT fire/forget. If you want Fire and Forget capabilities, get yourself a copy of WebSecurify. It misses a lot (The community edition) but catches the obvious flaws.
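
As an added example (not code from sqlmap, w3af, Netsparker or any other tool named in this thread), here is the core of what a "fire and forget" SQLi/XSS scanner does per query parameter: an error-based probe, a boolean-blind pair (true condition must leave the page unchanged, false condition must change it), and a reflected-XSS canary that has to come back unencoded, followed by the report the opener asked for. The target is a constructed in-process fake app with a SQLite backend so the script runs offline; the error-signature list is an assumed subset of what real scanners match on, and `target.test` is a placeholder hostname.

```python
"""Core of a minimal SQLi/XSS scanner with a plain-text report.
Added example; not code from any tool named in the thread.  The target is
a constructed in-process fake app so the script runs offline."""
import html
import re
import sqlite3
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse, urlunparse

# --- constructed target: /item is SQL-injectable, /search reflects XSS, /safe is fine
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE items(id INTEGER, name TEXT)")
_db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "apple"), (2, "pear")])


def fake_fetch(url: str) -> str:
    """Stand-in for an HTTP GET: returns the HTML the fake app would serve."""
    u = urlparse(url)
    q = parse_qs(u.query, keep_blank_values=True)
    if u.path == "/item":
        item_id = q.get("id", [""])[0]
        try:  # vulnerable: value concatenated straight into the SQL text
            rows = _db.execute(f"SELECT name FROM items WHERE id={item_id}").fetchall()
        except sqlite3.Error as e:  # verbose error page, but output-escaped
            return f"<p>Database error: {html.escape(str(e))}</p>"
        return "<ul>" + "".join(f"<li>{name}</li>" for (name,) in rows) + "</ul>"
    if u.path == "/search":  # vulnerable: input reflected without escaping
        return f"<p>Results for {q.get('q', [''])[0]}</p>"
    if u.path == "/safe":  # same page, escaped: the scanner must stay quiet here
        return f"<p>Results for {html.escape(q.get('q', [''])[0])}</p>"
    return "<p>404</p>"


# --- scanner ---------------------------------------------------------------
SQL_ERROR_SIGNATURES = [  # assumed subset of the DB error strings scanners look for
    r"Database error", r"You have an error in your SQL syntax", r"unrecognized token",
    r"Unclosed quotation mark", r"ORA-\d{5}", r"pg_query\(\)", r"SQLSTATE\[",
]
CANARY = "zq9xs"  # unlikely token so a reflection is unambiguous
XSS_PROBES = [f'"><svg onload={CANARY}>', f"'><img src=x onerror={CANARY}>"]


def set_param(url: str, name: str, value: str) -> str:
    """Return url with query parameter `name` set to `value` (URL-encoded)."""
    u = urlparse(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    params[name] = value
    return urlunparse(u._replace(query=urlencode(params)))


def scan_param(fetch, url: str, name: str) -> list:
    """Findings for one parameter: error-based SQLi, boolean-blind SQLi, reflected XSS."""
    findings = []
    baseline = fetch(set_param(url, name, "1"))
    # 1. error-based SQLi: a stray quote should break the statement and leak an error
    body = fetch(set_param(url, name, "1'"))
    hits = [s for s in SQL_ERROR_SIGNATURES if re.search(s, body)]
    if hits:
        findings.append({"url": url, "param": name, "type": "sqli-error", "evidence": hits[0]})
    # 2. boolean-blind SQLi: a true predicate must not change the page, a false one must
    same = fetch(set_param(url, name, "1 AND 1=1")) == baseline
    diff = fetch(set_param(url, name, "1 AND 1=2")) != baseline
    if same and diff:
        findings.append({"url": url, "param": name, "type": "sqli-boolean", "evidence": "1=1 vs 1=2"})
    # 3. reflected XSS: the probe must come back byte-for-byte, i.e. unencoded
    for probe in XSS_PROBES:
        if probe in fetch(set_param(url, name, probe)):
            findings.append({"url": url, "param": name, "type": "xss-reflected", "evidence": probe})
            break
    return findings


def scan(fetch, urls) -> list:
    """Fire-and-forget over a URL list: every query parameter of every URL is probed."""
    findings = []
    for url in urls:
        for name, _ in parse_qsl(urlparse(url).query, keep_blank_values=True):
            findings.extend(scan_param(fetch, url, name))
    return findings


def report(findings) -> str:
    """Plain-text report, one line per finding."""
    lines = [f"{len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"[{f['type']}] {f['url']} param={f['param']} evidence={f['evidence']}")
    return "\n".join(lines)


if __name__ == "__main__":
    targets = ["http://target.test/item?id=1", "http://target.test/search?q=apple",
               "http://target.test/safe?q=apple"]
    print(report(scan(fake_fetch, targets)))
```

Swap `fake_fetch` for a function that does a real HTTP GET and feed `scan` the URL list from a crawler to get the unattended workflow the thread is after. The boolean-blind check is the one that catches injection on pages that never show a database error, which is why tools like sqlmap lead with it; the reflected-XSS check deliberately requires the exact probe in the response, so an output-escaped page (`/safe`) produces no finding.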


  • Registered Users, Registered Users 2 Posts: 367 ✭✭900913


    http://www.acunetix.com/vulnerability-scanner/

    Can scan multiple sites but the free edition has limited testing modules.


  • Registered Users, Registered Users 2 Posts: 81,219 ✭✭✭✭biko


    Thought I'd update this old thread.

    Following suggestions in this thread I compared NTObjectives Spider, Acunetix and Netsparker, and decided to go with Netsparker.
    Spider is very good and Netsparker is a good contender, and cheaper. Acunetix was good but fell on a few smaller hurdles and just didn't stand up to Spider and NS in ways that matter to me.

    Combining Netsparker with Burp Pro and a few smaller tools for XSS/SQLi I think I have it covered for now.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    biko wrote: »
    Thought I'd update this old thread.

    Following suggestions in this thread I compared NTObjectives Spider, Acunetix and Netsparker, and decided to go with Netsparker.
    Spider is very good and Netsparker is a good contender, and cheaper. Acunetix was good but fell on a few smaller hurdles and just didn't stand up to Spider and NS.

    Combining Netsparker with Burp Pro and a few smaller tools for XSS/SQLi I think I have it covered for now.

    Did you look at ZAP at all?


  • Registered Users, Registered Users 2 Posts: 81,219 ✭✭✭✭biko


    Zed Attack Proxy?
    Nope but I'll check it out thanks.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    biko wrote: »
    Zed Attack Proxy?
    Nope but I'll check it out thanks.

    I really like it and in the past it has found things that burp has missed.


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    How does its active scanner compare to the burp pro one do you know?


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    How does its active scanner compare to the burp pro one do you know?

    I usually use both.

    I prefer the interface on ZAP tbh.


  • Registered Users, Registered Users 2 Posts: 81,219 ✭✭✭✭biko


    Khannie wrote: »
    How does its active scanner compare to the burp pro one do you know?
    You mean the Netsparker scanner? I compared on several online sites (mainly checking for SQLi and XSS) and also my own sites.
    I do have a result sheet which I won't share :D However you can find online comparisons between most of these tools.

    Tbh both caught things the other did not (isn't that always the case..) but I hope that together they'll catch most of the big risks.
    Burp stands up well against more expensive ones, again crushing the myth that more expensive tools are "better".


  • Registered Users, Registered Users 2 Posts: 2,626 ✭✭✭timmywex


    Burp is a must have tool I think - particularly for the 249 a year, it's a bargain to have as an extra scanner. Never played around too much with Netsparker to be honest - the idea that it is false-positive free always scares me a bit - scares me to think it's a ridiculous claim really!

    ZAP is good, I've used Burp more than it as I'm used to it, but essentially they carry out many of the same tasks anyway - ZAP does seem to be rated very highly online and in various reviews, but this may have something to do with it being completely free as well, not sure.

