avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • November 17, 2018, 06:32 PM
  • Proudly celebrating 13 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: Web-app security scanners for web developers and serveradmins (nice review)  (Read 2529 times)


  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 861
    • View Profile
    • linkerror
    • Donate to Member
In today's "web 2.0" world, web applications become more and more complex, and thus it becomes more and more common for some very nasty security bugs to be implemented.

As a web developer, being able to scan your own software for common things like SQL injection bugs or cross-site scripting vulnerabilities, may be a useful tool in your tool belt.

As a server administrator, being able to scan your server, and your user's sites for these problems is also a handy thing to be able to do.

There is quite a few of these web vulnerability scanners available commercially, and I had always wondered how effective they are. Someone on the penetration testing mailing list wrote up a very very nice review (PDF) of major vendors of this type of software.

Since it would be of interest of users of web-applications as well as developers and fellow server admins, I figured I'd share this here.


From the report it seems that these things are pretty good at detecting common stuff like sql-injection (report shows that all sql-injection vulnerabilities were detected by all the tested software), but you can definitively not rely on them solely for security testing. (Which makes sense imo, since it's a very complex problem which seems hard to implement generic heuristic scanners for.)