ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Other Software > Developer's Corner

Web-app security scanners for web developers and serveradmins (nice review)


In today's "web 2.0" world, web applications become more and more complex, and thus it becomes more and more common for some very nasty security bugs to be implemented.

As a web developer, being able to scan your own software for common things like SQL injection bugs or cross-site scripting vulnerabilities, may be a useful tool in your tool belt.

As a server administrator, being able to scan your server, and your user's sites for these problems is also a handy thing to be able to do.

There is quite a few of these web vulnerability scanners available commercially, and I had always wondered how effective they are. Someone on the penetration testing mailing list wrote up a very very nice review (PDF) of major vendors of this type of software.

Since it would be of interest of users of web-applications as well as developers and fellow server admins, I figured I'd share this here.

From the report it seems that these things are pretty good at detecting common stuff like sql-injection (report shows that all sql-injection vulnerabilities were detected by all the tested software), but you can definitively not rely on them solely for security testing. (Which makes sense imo, since it's a very complex problem which seems hard to implement generic heuristic scanners for.)


[0] Message Index

Go to full version