 From:  Peter (BOUGHTONP)   
 To:  99% of gargoyles look like (MR_BASTARD)     
35948.3 In reply to 35948.2 
More that I want to verify if the third-party software* I'm integrating with has any holes, such as SQL injection and similar.

(*obviously, the code I write myself is flawless)
 From:  Radio  
 To:  Peter (BOUGHTONP)      
35948.4 In reply to 35948.3 
 From:  Radio  
 To:  Peter (BOUGHTONP)      
35948.5 In reply to 35948.3 

Plus, I'd be very interested to know if any of those are useful. We've just been asked to look into Security Testing, and as functional testers we're a little bit lost at sea ;-)
Those ones seem to be recommended on the testing forums I've looked at, but god knows what it is you actually do with them (as in, Webscarab can be used to intercept and modify requests between client and server, but how you use that functionality to comprehensively test the security is beyond me...)

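Added example, not from any poster in this thread: this is the manual loop Radio is asking about, reduced to code. An intercepting proxy such as WebScarab lets you capture one legitimate request, then replay it with a tampered parameter and compare the responses. The handlers, table and payloads below are constructed stand-ins for "the third-party software" (no real application is modelled), so the names `lookup_vulnerable`, `lookup_fixed` and `probe` are assumptions, not anything from the tools discussed.

```python
import sqlite3

# Constructed sample data standing in for the third-party app's user table.
ROWS = [("alice", "secret1"), ("bob", "secret2")]


def make_db():
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Hypothetical third-party handler that builds SQL by string formatting.

    This is the kind of hole the thread wants to find; a database error is
    returned as text, as many web apps do in their error page.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "DB ERROR: %s" % exc


def lookup_fixed(conn, name):
    """The same handler with a parameterised query (the attacker's input
    is never parsed as SQL, so the probes below find nothing)."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# Each payload is appended to a known-good value, exactly as you would do by
# editing the intercepted request in the proxy before forwarding it.
PAYLOADS = [
    ("'", "unbalanced quote produced a database error"),
    ("' OR '1'='1", "tautology widened the result set"),
    ("' AND '1'='1", "boolean probe: true condition preserved the baseline"),
]


def probe(handler, conn, baseline="alice"):
    """Replay the captured request with each tampered value and report
    anything that differs from the baseline in a way only injection explains.

    Returns a list of (payload, reason) findings; empty means no evidence.
    """
    base = handler(conn, baseline)
    findings = []
    for payload, reason in PAYLOADS:
        resp = handler(conn, baseline + payload)
        if isinstance(resp, str) and resp.startswith("DB ERROR"):
            findings.append((payload, reason))
        elif payload.startswith("' OR") and isinstance(resp, list) and len(resp) > len(base):
            findings.append((payload, reason))
        elif payload.startswith("' AND") and resp == base:
            # A non-injectable app looks for a user literally named
            # "alice' AND '1'='1" and returns nothing; only a query that
            # parsed the payload as SQL gives the baseline back.
            findings.append((payload, reason))
    return findings


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)):
        print(name, probe(handler, db))
```

The three payloads cover the three signals a tester looks for after modifying a request: an error that leaks the fact that SQL is being built from strings, a tautology that returns rows the baseline did not, and a boolean pair whose true branch behaves like the original request. Against a real site the same loop is run per parameter (query string, form fields, cookies, headers), and the comparison is on status code, body length and error strings rather than on Python lists.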
 From:  Peter (BOUGHTONP)   
 To:  Radio     
35948.6 In reply to 35948.5 
Yeah, WebScarab does seem aimed at people that already know about web security... will have to investigate if there's a set of default scripts that perform appropriate tests.

RayProxy looks like a more useful out-of-the-box tool - or at least it would be if it had a binary download, instead of just C source code. :(

I'll update this thread again, if/when I get anywhere with any of these.
 From:  Rowan  
 To:  Peter (BOUGHTONP)      
35948.7 In reply to 35948.6 
I recently heard of Watcher, which just passively listens in on you as you click about your site (via Fiddler) and comes up with a list of potential vulnerabilities. Apparently it's a bit trigger-happy, so you need to read through to weed out the false positives, but, still, might be of some use to you, maybe.
 From:  Peter (BOUGHTONP)   
 To:  Rowan     
35948.8 In reply to 35948.7 
Thanks, that looks potentially useful. Will try it tomorrowtoday ...bugger! *goes to bed*
 To:  Peter (BOUGHTONP)      
35948.9 In reply to 35948.6 
make is your friend.

Happy now?

