BurpSuite Pro vs Other Commercial web app vulnerability scanners

Why should I choose a commercial web app scanner (Qualys/Rapid7/Acunetix/TenableWebAPP scanner) over BurpSuite Pro?

Based on my experience with all four mentioned above, BurpSuite beats them all from a detection point of view, so why pay over 20K a year?

BurpSuite Pro with BApp store extensions is limitless: it can run automated scans, record traffic as a proxy, run authenticated scans, detect EOL web frameworks and detect all of the OWASP Top 10; the list goes on.

IT-security grade vulnerability scanners for Android?

This is a question for Android security pros:
What IT-security grade tools are there for Android vulnerability assessment?

In the old days there was Android-VTS, which was open source, tested known vulnerabilities on the actual device, and reported the ones it found with info about the respective CVEs.

This is exactly what I’m looking for; unfortunately Android-VTS isn’t active anymore. Looking for something which will:

  • Test kernel and framework-level vulnerabilities
    (so potential root-level compromise)
  • Work on Android 9 phones.

There are so many security apps now that it’s become hard to find the ones which actually work. I’m not interested in catalog-type apps which do not test anything / general public antivirus-type apps / anything that scans apps.

Is what fingerprint scanners in mobiles store a stealable value?

If a fingerprint scanner were a human it would probably be like this:

  1. take a photo of the finger presented for authentication
  2. check it against the original photo to determine if it’s the same.

This would lead to the problem that the process has a copy of the scanned finger and anyone stealing this then owns/pwns a ‘password’ of mine that I can never change. Obviously they may have other challenges in using that password, but they have it nonetheless, so if an opportunity arises they can use it.

I’ve stayed away from using my fingerprint scanner on my phone (FWIW Moto G5s) because I’m not sure whether it’s a risk like the above.

Is the data that real phone fingerprint scanners generate and store for comparison something that can be stolen? Or is it something that’s always going to be unique to that device – e.g. is it salted or such?

And if it is sensitive, do apps that use the scanner have access to it, or would that normally be left to the phone’s OS (Android in this case) and an app just gets back an un/authenticated response?

Asking because I’m trying to answer:

  1. Does my phone have a stealable copy of my unchangeable fingerprint on it (e.g. attacker steals device, could get access to my fingerprint – or access to some data that would be enough to present as my fingerprint)

  2. Does my phone’s OS have a stealable copy? I ask this because I’m wondering whether that means I’m trusting it to Google / Apple etc.

  3. Do my phone’s apps have access to that? (obviously this vastly increases the vulnerability area if so)

I’ve looked online and I understand that scanners don’t usually store a photographic scan, but rather some key things that identify unique properties; but if those unique properties are … unique … then they could be stealable?

What WordPress plugins block vulnerability scanners?

I’m looking for a WordPress plugin which automatically and permanently blocks IP addresses which attempt to access the URLs of known vulnerabilities. In other words, I want to treat known vulnerability addresses like honeypots.

I get hundreds of 404 errors every day from vulnerability scanners, and it seems trivial for a security plugin to identify them by their 404 access attempts.

Examples of 404s that are obviously the result of vulnerability scanning:

  • /408.shtml
  • /wp-content/uploads/settingsimages/2019/04/http:/www.w3.org/1999/xhtml/jsspwned.php

It would be great if it can automatically populate the list of known vulnerable addresses, but if such a program doesn’t exist, I would be open to hearing about plugins which require manually entering a list of URLs. It wouldn’t be too hard to make myself from my 404 logs.
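As an added example, not from the question or from any WordPress plugin, here is a Python script that does what the poster describes from the server side: it reads access-log lines in the common "combined" format, treats a list of paths the site never serves as honeypots (the two 404s quoted in the question are used as constructed sample data), and renders an Apache 2.4 deny block for the IPs that probed them. The log lines and IP addresses are constructed; an ordinary visitor who hits one broken link is deliberately not flagged.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache/nginx "combined" format, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2019:03:14:07 +0000] "GET /408.shtml HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2019:03:14:08 +0000] "GET /wp-content/uploads/settingsimages/2019/04/http:/www.w3.org/1999/xhtml/jsspwned.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2019:09:01:12 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2019:09:01:13 +0000] "GET /old-page HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Fields we need: client IP, request path and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Honeypot paths: URLs this site never serves, so any request for them is a probe.
# These two come from the question; in practice the set is built from your own 404 logs.
HONEYPOT_PATHS = {
    "/408.shtml",
    "/wp-content/uploads/settingsimages/2019/04/http:/www.w3.org/1999/xhtml/jsspwned.php",
}


def scanner_ips(log_text, honeypot_paths=HONEYPOT_PATHS, threshold=1):
    """Return {ip: [paths]} for clients whose 404s hit at least `threshold` honeypot paths.

    Ordinary 404s (typos, stale links) are ignored: only paths in the honeypot set count,
    so a legitimate visitor with a broken bookmark is not blocked.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "404":
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in honeypot_paths:
            hits[m.group("ip")].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= threshold}


def htaccess_deny_block(ips):
    """Render an Apache 2.4 <RequireAll> block that denies the given IPs (sorted for stable output)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    print(htaccess_deny_block(scanner_ips(SAMPLE_LOG)))
```

Feed it real logs only after checking the honeypot set against paths the site actually serves, otherwise a legitimate crawler that follows a stale link gets blocked.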