Web application security scanner
A web application security scanner is a program that communicates with a web application through its web front-end in order to identify potential security vulnerabilities and architectural weaknesses in the application.[1] It performs a black-box test: unlike source code scanners, web application scanners have no access to the source code and therefore detect vulnerabilities by actually performing attacks against the running application.
Overview
A web application security scanner can facilitate the automated review of a web application with the express purpose of discovering security vulnerabilities, and such reviews are required by various regulatory requirements. Web application scanners can look for a wide variety of vulnerabilities, including:
- Input/output validation flaws (cross-site scripting, SQL injection, etc.)
- Application-specific problems
- Server configuration mistakes, errors and outdated versions
Strengths and weaknesses
As with all testing tools, web application security scanners are not perfect, and have strengths and weaknesses.
Weaknesses and limitations
- Because the tool implements a dynamic testing method, it cannot cover 100% of the application's source code, and therefore cannot cover 100% of the application itself. The penetration tester should check the scanner's coverage of the web application, or of its attack surface, to know whether the tool was configured correctly and was able to understand the web application.
- It is very hard for a tool to find logical flaws such as the use of weak cryptographic functions, information leakage, etc.
- Even for technical flaws, if the web application does not give enough of a clue in its responses, the tool cannot catch them.
- The tool cannot implement all variants of attack for a given vulnerability. Tools generally have a predefined list of attacks and do not generate attack payloads tailored to the web application under test.
- The tools are usually limited in their understanding of the behavior of applications with dynamic content such as JavaScript, Flash, etc.
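As an added example (not part of the article), a small coverage check of the kind the first limitation calls for: it reads the application's own route table and the web server's access log, picks out the scanner's requests by an assumed User-Agent string, and reports which routes the scan never exercised. The route table, the log lines and the `WebScanner/1.0` user agent are all constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the routes the application serves (e.g. exported from the
# framework's route table); "{id}" marks a path parameter.
APP_ROUTES = [
    ("GET", "/login"),
    ("POST", "/login"),
    ("GET", "/users/{id}"),
    ("POST", "/users/{id}/password"),
    ("GET", "/admin/reports"),
    ("GET", "/api/orders"),
]

# Constructed sample access-log lines (Combined Log Format). "WebScanner/1.0" is the
# assumed User-Agent the scanner was configured to send so its traffic can be told apart.
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "WebScanner/1.0"
10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "WebScanner/1.0"
10.0.0.5 - - [10/Oct/2023:12:00:03 +0000] "GET /users/42?tab=profile HTTP/1.1" 200 2048 "-" "WebScanner/1.0"
10.0.0.5 - - [10/Oct/2023:12:00:04 +0000] "GET /users/43 HTTP/1.1" 200 2048 "-" "WebScanner/1.0"
192.168.1.9 - - [10/Oct/2023:12:00:05 +0000] "GET /admin/reports HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

def route_to_regex(template):
    """Turn a template such as '/users/{id}' into a regex matching concrete paths like '/users/42'."""
    parts = ["[^/]+" if s.startswith("{") and s.endswith("}") else re.escape(s)
             for s in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")

def scanner_requests(log_text, scanner_ua):
    """Yield (method, path) for every request the scanner made; the query string is dropped."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("ua") == scanner_ua:
            yield m.group("method"), urlsplit(m.group("target")).path

def coverage_report(routes, log_text, scanner_ua="WebScanner/1.0"):
    """Return (fraction of routes the scanner hit, list of routes it never exercised)."""
    compiled = [(method, tmpl, route_to_regex(tmpl)) for method, tmpl in routes]
    hits = set()
    for method, path in scanner_requests(log_text, scanner_ua):
        hits.update((m, t) for m, t, rx in compiled if m == method and rx.match(path))
    missed = [(m, t) for m, t in routes if (m, t) not in hits]
    return len(hits) / len(routes), missed

if __name__ == "__main__":
    covered, missed = coverage_report(APP_ROUTES, ACCESS_LOG)
    print(f"scanner covered {covered:.0%} of routes; never exercised: {missed}")
```

A route that only non-scanner traffic reached (here `/admin/reports`, visited from a browser) still counts as uncovered, which is exactly the gap a tester should notice before trusting a clean scan result.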
Strengths
- The tool can detect vulnerabilities in the finalized release candidate before shipping.
- It simulates a malicious user by attacking and probing, and observing which results fall outside the expected result set.
- As a dynamic testing tool, it is not language dependent: a web application scanner is able to scan Java/JSP, PHP or any other engine-driven web application.
Notes
- [1] Technical draft, WASC Web Application Security Scanner Evaluation Criteria (WASSEC), http://sites.google.com/site/wassec/technical-draft
External links
- Web Application Security Scanner Evaluation Criteria from the Web Application Security Consortium (WASC)
- Web Application Vulnerability Scanners, a wiki operated by the NIST
- Challenges faced by automated web application security assessment from Robert Auger
- The WASC security scanner list
- List of Web-based Application Scanners, Mosaic Security Research
- Identifying Web Applications from Fabian Mihailowitsch