
Web-app security scanners for web developers and server admins (nice review)


Gothi[c]:
In today's "web 2.0" world, web applications become more and more complex, and thus it becomes more and more common for some very nasty security bugs to be implemented.

As a web developer, being able to scan your own software for common things like SQL injection bugs or cross-site scripting vulnerabilities may be a useful tool in your tool belt.

As a server administrator, being able to scan your server and your users' sites for these problems is also a handy thing to be able to do.

There are quite a few of these web vulnerability scanners available commercially, and I had always wondered how effective they are. Someone on the penetration testing mailing list wrote up a very very nice review (PDF) of major vendors of this type of software.

Since it would be of interest of users of web-applications as well as developers and fellow server admins, I figured I'd share this here.

http://anantasec.blogspot.com/2009/01/web-vulnerability-scanners-comparison.html

From the report it seems that these things are pretty good at detecting common stuff like SQL injection (the report shows that all SQL injection vulnerabilities were detected by all the tested software), but you can definitely not rely on them solely for security testing. (Which makes sense imo, since it's a very complex problem which seems hard to implement generic heuristic scanners for.)
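To make the post's point concrete, here is an added example (not part of the original post or of any product in the linked review) of the kind of generic error-based check a scanner runs, applied to three toy request handlers backed by an in-memory SQLite table. The handler names, the `ERROR_MARKERS` list and the probe value are all assumptions for illustration. The first handler concatenates user input into SQL and leaks the database error, which is exactly the "common stuff" a heuristic catches; the second has the same bug but hides the error behind a generic message, so the same heuristic reports nothing even though the query is still built unsafely; the third uses a parameterised query and is genuinely fixed.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table (assumption, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


CONN = make_db()


def vulnerable_lookup(name):
    """Builds SQL by string concatenation and leaks the DB error: the classic bug a scanner finds."""
    try:
        rows = CONN.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
        return 200, str(rows)
    except sqlite3.Error as e:
        # The raw database error ends up in the response body.
        return 500, "Database error: %s" % e


def suppressed_lookup(name):
    """Same unsafe concatenation, but the error is swallowed.

    The bug is still there; it is just no longer visible to an error-based heuristic.
    """
    try:
        rows = CONN.execute("SELECT id FROM users WHERE name = '" + name + "'").fetchall()
        return 200, str(rows)
    except sqlite3.Error:
        return 500, "Something went wrong"


def safe_lookup(name):
    """Parameterised query: user input is bound as data and never becomes SQL text."""
    rows = CONN.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return 200, str(rows)


# Strings a generic error-based check looks for in a response (assumed list for this example).
ERROR_MARKERS = ("syntax error", "unrecognized token", "database error")


def probe_for_sqli(handler):
    """Minimal error-based check in the spirit of a generic scanner.

    Sends a value with one stray quote and reports True if the response
    body contains a database error string. Returns a bool, not proof of
    safety: a False only means this particular signal was not observed.
    """
    status, body = handler("alice'")
    lowered = body.lower()
    return any(marker in lowered for marker in ERROR_MARKERS)


def scan_all():
    """Run the probe against the three handlers and return the verdicts by name."""
    return {
        "vulnerable_lookup": probe_for_sqli(vulnerable_lookup),
        "suppressed_lookup": probe_for_sqli(suppressed_lookup),
        "safe_lookup": probe_for_sqli(safe_lookup),
    }


if __name__ == "__main__":
    for name, flagged in scan_all().items():
        print("%-18s flagged=%s" % (name, flagged))
```

The result is the report's finding in miniature: the obvious concatenation bug is flagged, the parameterised handler is not, and the suppressed-error handler is also not flagged despite being just as broken. A code review or a parameter-binding rule in your own codebase catches the second case; a black-box heuristic alone does not.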
