
Several other web application penetration testing tools are available on the market, but none of them meets the requirements of project Hardanger. The most popular ones are Burp Suite, WebScarab and Spike Proxy. On this page, we cover each of them in detail.

The first related work is Burp Suite, a product from a company named PortSwigger. Burp Suite is a very solid product, but unfortunately it is written in Java and does not deliver a seamless user experience to most Windows users. Since the tool is Java based, it requires the user to have Java installed on their machine in order to use it. The graphical user interface also uses widgets that are not standard on Microsoft Windows operating systems. As far as features and functionality are concerned, however, Burp Suite is state of the art and sets the bar by which Hardanger is measured. The tool includes an intercepting proxy, a spider, a scanner, an intruder tool, a repeater tool and a sequencer tool. According to the PortSwigger web site, Burp Suite is a very inexpensive product, which can be acquired for only $299 per user per year. The tool is not open source and cannot be modified. It is currently well maintained and updated by its authors.

The next related work is WebScarab by OWASP. WebScarab is one of many projects by the Open Web Application Security Project (OWASP), a not-for-profit foundation that fosters “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted” (OWASP, 2012). WebScarab is also a Java application and therefore presents a sub-optimal user experience on the Microsoft Windows platform. WebScarab is similar to Burp Suite, also with an extensive list of features, but admits to not catering to average users. Its project page states: “There is no shiny red button on WebScarab, it is a tool primarily designed to be used by people who can write code themselves, or at least have a pretty good understanding of the HTTP protocol” (OWASP, 2012). WebScarab is free and open source and can be modified. WebScarab is in the process of being replaced by a new and more user friendly version named WebScarab-NG.

Spike Proxy by Immunity is one of the earliest web application security testing tools. It was written in Python and is available free from the vendor’s web site. Very little documentation is available on this tool, on the vendor’s web site or elsewhere. The download includes a very small README file to direct knowledgeable users on the software’s operation. It has not been updated since 2003 and has been made obsolete by newer, modernized tools from other vendors. The source code to Spike Proxy is available and the software is distributed under a GPL license.

Each of these tools provides value but does not align with the goals behind project Hardanger. Figure 1 summarizes how the related works compare with each other and with Hardanger.

|                     | Burp Suite  | WebScarab | Spike Proxy | Hardanger    |
|---------------------|-------------|-----------|-------------|--------------|
| Vendor              | PortSwigger | OWASP     | Immunity    | SecurityWire |
| Cost                | $           | Free      | Free        | Free         |
| Open Source         | No          | Yes       | Yes         | Yes          |
| User Friendly       | Yes         | No        | No          | Yes          |
| Native Windows Feel | No          | No        | No          | Yes          |
| Language            | Java        | Java      | Python      | C#           |
| License             | Commercial  | GPL       | GPL         | Ms-RL        |
| Maintained          | Yes         | Yes       | No          | Yes          |

Figure 1. Current state of web application penetration testing tools

Last edited Feb 2, 2012 at 1:18 AM by mercjr, version 1
