
Jordan Wiens returns with a third installment of his rolling review of web application scanners.

Damn.

He takes N-Stalker (the victim du jour) and makes the call as he sees it. And it's not pretty.

Unfortunately, the newest entry in this Rolling Review, N-Stalker’s Web Application Security Scanner 2006 Enterprise Edition (say that five times fast), doesn’t measure up to the previously tested scanners, despite its hefty built-in database of vulnerabilities in known Web servers and Web applications.

OK but, why?

In our evaluation, N-Stalker’s scanner failed to find a number of vulnerabilities that all of the other products were able to identify. Additionally, the engine was too easily caught in unintentional scanning loops on one site that generated recursive links. Without recognizing the subsequent URLs as having repeated identical variables, the product was tripped up.

From a usability standpoint, N-Stalker’s scanner not only fails to hit the bar set by WebInspect, it doesn’t even compare well to the weaker interface found in Cenzic Hailstorm. Adding credentials for an application was a trivial matter with both WebInspect and Hailstorm, for example, but not only did N-Stalker fail to include any kind of automated log-in detection, even using the manual process was tedious, requiring at least twice the number of mouse clicks and keystrokes as rival products. Numerous other usability flaws and outright bugs abound: multiple application windows that randomly failed to display in the Windows taskbar, buttons that silently failed to work, having to guess that a right-click is the next necessary step, non-resizable windows hiding necessary data, and more. N-Stalker says it is addressing at least some of these usability issues in its 2007 Edition release, due in October.

Ouch. That stings. Sorry about your luck, N-Stalker.
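The scanning-loop problem in the quoted review is a crawler-design failure, not a scanning one: a page that links back to itself with its own variable re-appended (`?id=1&id=1&id=1...`) or with a relative link into a same-named subdirectory (`/next/next/next/...`) produces an endless supply of URLs that look new to a frontier keyed on the raw string. The example below is added here and is not N-Stalker's, WebInspect's or Hailstorm's code, nor from the original article; the host name, paths and the self-linking page are constructed stand-ins. It keys the visited set on a canonical form that sorts query pairs, collapses exact duplicate name=value pairs and runs of identical path segments, and caps path depth as a backstop, then crawls the constructed page with that frontier and with a naive one for contrast.

```python
"""Crawl-frontier dedup that survives recursive links.

Added example, not any vendor's code. All names are hypothetical and the
recursive page is constructed here, not captured from a real site.
"""
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import parse_qsl, urlencode, urljoin, urlsplit, urlunsplit


def canonical_key(url: str, max_seg_repeat: int = 2) -> str:
    """Canonical form of a URL, used as the visited-set key.

    - scheme and host lower-cased, default ports and fragment dropped
    - '.', '..' and empty path segments resolved
    - a run of one identical path segment longer than max_seg_repeat is
      collapsed (/next/next/next/next/ -> /next/next/), the signature of a
      relative link that points back into its own directory
    - query pairs sorted and exact duplicate name=value pairs collapsed
      (?id=1&id=1&id=1 -> ?id=1), so a self-link that re-appends the same
      variable does not look new on every fetch
    """
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    if p.port and (scheme, p.port) not in (("http", 80), ("https", 443)):
        host = f"{host}:{p.port}"

    segs: List[str] = []
    for seg in p.path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segs:
                segs.pop()
            continue
        run = 0                       # length of the trailing run of this segment
        for prev in reversed(segs):
            if prev != seg:
                break
            run += 1
        if run >= max_seg_repeat:
            continue
        segs.append(seg)
    path = "/" + "/".join(segs)
    if segs and p.path.endswith("/"):
        path += "/"

    pairs = sorted(set(parse_qsl(p.query, keep_blank_values=True)))
    return urlunsplit((scheme, host, path, urlencode(pairs), ""))


class Frontier:
    """FIFO of URLs to fetch, deduplicated on key(url), with a path-depth cap
    that cuts off an unbounded chain even if it defeats the collapsing rules."""

    def __init__(self, key: Callable[[str], str] = canonical_key, max_depth: int = 8) -> None:
        self.key = key
        self.max_depth = max_depth
        self.seen: Set[str] = set()
        self.queue: List[str] = []
        self.rejected: List[str] = []

    def push(self, url: str) -> bool:
        key = self.key(url)
        path = urlsplit(key).path.strip("/")
        depth = len(path.split("/")) if path else 0
        if key in self.seen or depth > self.max_depth:
            self.rejected.append(url)
            return False
        self.seen.add(key)
        self.queue.append(key)
        return True

    def pop(self) -> Optional[str]:
        return self.queue.pop(0) if self.queue else None


def recursive_page_links(url: str) -> List[str]:
    """Constructed stand-in for the page that trips a naive crawler: every
    fetch yields a self-link re-appending its own variable and a relative
    link into a subdirectory of the same name."""
    sep = "&" if "?" in url else "?"
    return [url + sep + "page=1", urljoin(url, "next/")]


def crawl(start: str, links_for: Callable[[str], Iterable[str]],
          frontier: Frontier, budget: int = 1000) -> List[str]:
    """Drain the frontier until it is empty or budget fetches are spent.
    No network: links_for plays the server. Returns the canonical URLs fetched."""
    fetched: List[str] = []
    frontier.push(start)
    while len(fetched) < budget:
        url = frontier.pop()
        if url is None:
            break
        fetched.append(url)
        for link in links_for(url):
            frontier.push(link)
    return fetched


if __name__ == "__main__":
    start = "http://Example.com/app/?id=1"   # constructed target
    smart = crawl(start, recursive_page_links, Frontier(), budget=50)
    naive = crawl(start, recursive_page_links, Frontier(key=lambda u: u), budget=50)
    print(f"canonical frontier fetched {len(smart)} pages, then ran dry")
    print(f"naive frontier fetched {len(naive)} pages and hit the budget")
```

With the canonical key the crawl of the constructed page finishes after six distinct pages; keyed on the raw string it only stops when the fetch budget runs out, because each self-link is one `&page=1` longer than the last. The depth cap alone would not have saved the naive frontier here: the query-string chain never gets deeper, only longer.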

Article Link

[tags]Web Security, Web Application Security, OWASP, OASIS, XSS, N-Stalker[/tags]
