Filed under: Web and Application Security
Many of our customers come to us asking how they can test their web applications for vulnerabilities. For an automated approach, there are numerous web application vulnerability scanners that can help detect vulnerabilities. With so many options, picking the appropriate scanner can be a little tricky. Which is the most accurate? Which is the most thorough? The answer is rarely clear.
Lucky for us, the folks over at Security Tools Benchmarking recently assembled their yearly list of web scanners, aptly named “The Web Application Vulnerability Scanners Benchmark”. The list is very comprehensive and puts both open source and commercial scanners through a gamut of tests. The assessment looks at twelve different aspects of each tool to assist individuals and organizations in their evaluation of vulnerability scanners.
In total, 63 different web application vulnerability scanners were tested (we’d say that’s pretty thorough), with 49 of those being free or open-source projects and 14 of them being commercial.
The following features were assessed during the evaluation:
- The ability to detect Reflected XSS and/or SQL Injection and/or Path Traversal/Local File Inclusion/Remote File Inclusion vulnerabilities.
- The ability to scan multiple URLs at once (using either a crawler/spider feature, URL/Log file parsing feature or a built-in proxy).
- The ability to control and limit the scan to internal or external host (domain/IP).
You can sort the scanners by commercial or open source and see a quick comparison of each scanner’s features. From there you can dive into a detailed report for each individual scanner.
If you’re looking for a scanner, we encourage you to take a look at the complete report and evaluation criteria over at the Security Tool Addict blog. If you have questions about remediating or securing vulnerabilities after your scan, you can always contact Port80 Software for advice.