OWASP Pantera Web Assessment Project
aaron posted in Uncategorized on October 31st, 2006
This looks like a promising new project for doing web app assessments. I haven’t tried it yet, but it sounds like they’ve been working on it for a while. It’s based on SPIKE Proxy, which means that they at least started off from a good place :). What I’d really like to see implemented is some infrastructure for dealing with the difficulties that arise from using and assessing AJAX. I haven’t seen these addressed well in even the commercial scanners that I’ve tested. There was a very good talk at Toorcon on Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0, which covered lots of problems with some of the common AJAX frameworks, and also showed that not all of them are easy to fix (or assess).
P.S. Speaking of new tools, Nessus released 3.0.4 today.