Related link: http://oedipus.rubyforge.org
The Oedipus Web Application Scanner project (that I am involved in some of the development) has just released it’s first beta release - version 1.8.1. Oedipus is a penetration testing focused tool, designed for penetration testers, and for technical security or web development folks to test their applications for web application security issues. It deviates from many of the commercial tools in that:
- Oedipus does not claim to be a one stop testing tool that will find every type of hole in your applications. It is, however, pretty good at finding the low hanging fruit so you can spend your time finding the really nasty problems manually
- Oedipus has some exploitation functionality built in, especially for SQL injection at this point, for generating working exploits for web application vulnerabilities. After all, the best way to show the business impact of an issue is to show it is exploitable
- It’s free, open source, and pretty easy to extend through the use of it’s plugin architecture
From the blurb - "Oedipus is an open source web application security analysis and testing suite written in Ruby by Pentration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities"