Site icon Liquidmatrix Security Digest

Web Application Scanners

It’s time to do some shopping. I have started out to review some of the offerings that are on the market for web application testing. So, naturally one of my first stops after reading RSnake’s blog was to check out Jeremiah Grossman’s. Timing is everything sometimes. This morning he has posted a link to a review series by Jordan Weins over on Network Computing.

First up on the chopping block is SPI Dynamics. It becomes very clear in the article that Weins has no intention of playing nice with the vendors. That being said I think he approaches the article with an even hand. The vendors that he has invited to participate are SPI, Cenzic, Acunetix, N-Stalker, Syhunt Technology, Watchfire and WhiteHat Security.

So how did our first entry in this Rolling Review handle the complexity of scanning an application heavily dependent on JavaScript? Unfortunately, not very well. Not only did the automated scanner have trouble finding all the functionality, but even when we used a manual walkthrough to show it how to interact with the app, WebInspect had trouble handling JavaScript links. Problem is, if you can’t even find all an app’s functionality, you certainly won’t find all its potential vulnerabilities.

This helps to illustrate that you really do have to have the where with all to test applications by hand. Far too often I see companies that want to perform pentests for me that rely almost exclusively on automated testing tools and fail to verify their findings. Needless to say these guy don’t get the job.

WebInspect’s real value is in the hands of a security tester. We especially liked its built-in modules, each focused on a different aspect of manual penetration testing. In fact, while writing this review, we used the SQL Injector tool to help crack one of the challenges from the Shmoocon “Hack It” Contest (appliedsec.com/ conferences. html). Sure, it was overkill for that task, but it made the power of the tool obvious: We input a single vulnerable URL, and the SQL Injector extracted all data from the back-end database–a compelling demonstration for any recalcitrant developer who needs motivation to fix SQL injection flaws. Other modules include Policy and Compliance managers; Regex, SOAP, HTTP and Web Form editors; SPI Proxy; SPI Fuzzer; and a Cookie Cruncher.

Automated tools are great to leverage but, do not rely on these exclusively. You would do so at your own peril. The “B Team” pentesters could run over a host of problems in your web application and never see them and you would be left holding the (expensive) bag.

Article Link

[tags]Web Applcation Testing, OWASP, SPI Dynamics, Watchfire, Cenzic, WhiteHat Security, N-Stalker[/tags]

Exit mobile version