Web Application Security Scanner
From Wikipedia, the free encyclopedia
A web application security scanner is a program that communicates with a web application through its web front-end (HTTP requests and responses) and identifies potential security weaknesses in the application.[1]
These tools work as black-box testers: unlike source code scanners, they do not have access to the source code and therefore have to detect vulnerabilities by sending attack payloads and examining the responses they get back.
Vulnerabilities
Even if the complete set of vulnerabilities that web application scanners look for cannot be enumerated, they fall into four groups:
- Input/output validation flaws: cross-site scripting (XSS), SQL injection, ...
- Logical flaws: cross-site request forgery (CSRF), ...
- Problems specific to a given application or framework
- Server configuration mistakes and outdated or vulnerable server software versions
Strengths and weaknesses
Like every testing tool, the web application security scanner is not perfect; it has strengths and weaknesses.
Weaknesses and limitations
- Because the tool implements a dynamic testing method, it cannot cover 100% of the application's source code, and therefore not 100% of the application itself. The penetration tester should look at the coverage of the web application, or of its attack surface, in order to know whether the scanner was configured correctly and was able to understand the application (for example, whether it reached every route, or only the ones linked from the pages it crawled).
- It is hard for a tool to find logical flaws, and likewise weaknesses that leave no visible trace in the responses, such as the use of weak cryptographic functions or information leakage on the server side.
- Even for technical flaws, if the application does not give enough clues in its responses (for example an injection that fails silently instead of returning a database error), the tool cannot catch it.
- The tool cannot implement all variants of attack for a given vulnerability, so tools generally carry the classical attacks and not the more complicated ones (encoding tricks, filter evasion, multi-step exploitation).
- The tools are usually limited in their understanding of application behaviour driven by dynamic client-side content such as JavaScript, Flash, etc.
Strengths
- The tool can detect vulnerabilities in the finalized release candidate before shipping.
- It simulates a real attacker by performing attacks and probing for responses that are not part of the expected result set (an error message, a payload reflected unencoded, an unexpected status code).
- As a dynamic testing tool, it is not language dependent: a web application scanner is able to scan JSP, PHP or any other engine-driven web application.
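The following is an added example, not code from the original article or from any real scanner: a toy black-box scanner in Python that shows the working method described above (crawl the front-end, inject probes, look for responses outside the expected set) together with two of the limitations from the previous section (a logic flaw that no probe reveals, and attack-surface coverage that the tester has to check). The probe payloads, the error signatures, the route names, the host `app.test` and the target application `toy_app` are all constructed for this example; the scanner only ever sees the `(status, body)` pairs the target returns, exactly as it would with a real server over HTTP.

```python
"""Toy black-box web application scanner (added example; not code from the page).

The scanner sees only what an external attacker sees: it sends requests
through a `fetch(method, url, params)` callable and inspects the responses.
All names, payloads and the target application below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Probe payloads. The XSS marker is a made-up tag: if it comes back in a
# response unencoded, the parameter is reflected without output encoding.
XSS_MARKER = "<zz_probe_7f3a>"
SQLI_PROBE = "'"
# Error strings that betray a database error caused by the injected quote
# (the tool needs such a clue; an injection that errors silently is missed).
SQL_ERROR_SIGNATURES = [
    re.compile(r"you have an error in your sql syntax", re.I),
    re.compile(r"unclosed quotation mark", re.I),
    re.compile(r"sqlite3\.OperationalError", re.I),
]

class _LinkFormParser(HTMLParser):
    """Collects <a href> targets and <form> actions/fields from one page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").upper(), "fields": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def crawl(fetch, start_url, limit=50):
    """Breadth-first crawl of one host; returns {url: [forms found on it]}."""
    host, seen, queue = urlparse(start_url).netloc, {}, [start_url]
    while queue and len(seen) < limit:
        url = queue.pop(0)
        if url in seen:
            continue
        _status, body = fetch("GET", url, {})
        p = _LinkFormParser()
        p.feed(body)
        seen[url] = p.forms
        for href in p.links:
            full = urljoin(url, href)
            if urlparse(full).netloc == host and full not in seen:
                queue.append(full)
    return seen

def scan(fetch, start_url):
    """Crawl, then inject each probe into each form field one at a time.
    Returns [(finding_kind, target_url, field_name)]."""
    findings = []
    for page_url, forms in crawl(fetch, start_url).items():
        for form in forms:
            target = urljoin(page_url, form["action"] or page_url)
            for field in form["fields"]:
                for kind, payload in (("reflected_xss", XSS_MARKER), ("sql_error", SQLI_PROBE)):
                    params = {f: (payload if f == field else "test") for f in form["fields"]}
                    _status, body = fetch(form["method"], target, params)
                    hit = (XSS_MARKER in body if kind == "reflected_xss"
                           else any(s.search(body) for s in SQL_ERROR_SIGNATURES))
                    if hit:
                        findings.append((kind, target, field))
    return findings

def coverage(crawled_urls, known_routes):
    """Attack-surface check: fraction of known routes reached, and those missed."""
    reached = {urlparse(u).path for u in crawled_urls}
    known = set(known_routes)
    return len(known & reached) / len(known), sorted(known - reached)

# Constructed target application (hypothetical). The scanner never sees this
# code, only the (status, body) it returns.
KNOWN_ROUTES = ["/", "/search", "/login", "/transfer", "/admin/export"]

def toy_app(method, url, params):
    path = urlparse(url).path
    if path == "/":
        return 200, '<a href="/search">search</a> <a href="/login">login</a> <a href="/transfer">transfer</a>'
    if path == "/search":  # reflects q without HTML encoding: reflected XSS
        return 200, ('<form action="/search" method="get"><input name="q"></form>'
                     'Results for: ' + params.get("q", ""))
    if path == "/login":  # a quote in the username breaks the query and leaks an error
        if "'" in params.get("user", ""):
            return 500, "sqlite3.OperationalError: unrecognized token"
        return 200, '<form action="/login" method="post"><input name="user"><input name="pw"></form>'
    if path == "/transfer":  # state-changing POST with no anti-CSRF token: a logic flaw no probe reveals
        return 200, '<form action="/transfer" method="post"><input name="to"><input name="amount"></form>'
    if path == "/admin/export":  # vulnerable, but linked from nowhere, so the crawl never reaches it
        return 200, '<form action="/admin/export"><input name="id"></form>' + params.get("id", "")
    return 404, "not found"

if __name__ == "__main__":
    for finding in scan(toy_app, "http://app.test/"):
        print("finding:", finding)
    ratio, missed = coverage(crawl(toy_app, "http://app.test/"), KNOWN_ROUTES)
    print(f"route coverage: {ratio:.0%}, never reached: {missed}")
```

Run against `toy_app`, the scanner reports the reflected XSS in `/search` and the SQL error in `/login`, says nothing about the missing CSRF protection on `/transfer` (the responses look normal, so there is no clue to match), and the coverage check shows that `/admin/export` was never visited because nothing links to it; pointing the scanner at that URL directly does find its reflection. In a real engagement the `fetch` callable would be an HTTP client, `KNOWN_ROUTES` would come from the application's route table, access logs or a sitemap, and the crawler would additionally need to drive the JavaScript-generated parts of the interface that this parser cannot see.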
List of Web Apps Security Scanners
- List of Web Apps Security Scanners
Related projects
- NIST SAMATE Project: http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners
- Web Application Security Consortium: http://webappsec.org/projects/wassec/