
Rolling Review: N-Stalker Seeks, Doesn't Find: Page 3 of 6


This article is the first of a series and is part of NWC's Rolling Review of Web Applications Scanners.

The product's lack of flexibility in scanning is made up for in part by access to a custom signature-writing language, which will appeal to power users. Additionally, an included log-analyzer utility takes advantage of that large internal database, analyzing Web server logs to detect a variety of malicious attacks. It can even be used to go back in time and find attacks that occurred before the application was scanned.

Of course, it can't distinguish between successful and unsuccessful assaults, so that function may or may not be useful, depending on how commonly the application is attacked.

Sadly, however, like the rest of the application, this function suffers from implementation flaws. When we scanned a site then immediately fed the resulting log into the log analyzer, it brought the analyzer to its knees. Extremely long URLs, part of the standard full pen-test scan on one of the applications tested, caused a huge increase in total processing time. Not only that, but even after all that work on a log chock full of attacks, only 121 requests out of over 30,000 log entries were flagged as suspicious. This is especially odd considering the only traffic in the log came from the scanner.

Of course, the fact that only six cross-site scripting (XSS) attempts were picked up might explain why the scanner failed to identify a live XSS in the application. To be fair, almost five hundred of the requests were HTTP POST requests, so it's impossible to know what attacks might have been sent in those. Still, given the size of this particular application and the number of places to inject data, even if all 500 were XSS checks, the total number of checks was still not nearly enough to properly test the application for even standard XSS variants, let alone more complicated encodings and breakout techniques.
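To make concrete what a log-analyzer pass like the one described above has to cope with, here is an added Python example (not N-Stalker's code and not part of the original review) run over constructed combined-format log lines: it percent-decodes repeatedly so double-encoded XSS payloads still match, marks POST requests as uninspectable because the body is not logged, and records no outcome for flagged requests, since a log alone cannot tell a successful attempt from a failed one. The log format, sample addresses and indicator patterns are assumptions for illustration.

```python
import re
from urllib.parse import unquote

LOG_RE = re.compile(  # Apache/nginx "combined" format: client, ident, user, time, request, status, bytes, referer, agent
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Reflected-XSS indicators, checked against the decoded request path (case-insensitive).
XSS_PATTERNS = [
    re.compile(r'<\s*script\b', re.I),                                # script tag
    re.compile(r'<\s*(img|svg|iframe)\b', re.I),                      # commonly abused tags
    re.compile(r'\bon(load|error|click|mouseover|focus)\s*=', re.I),  # inline event handlers
    re.compile(r'javascript\s*:', re.I),                              # javascript: URL scheme
]

def normalize(path):
    """Percent-decode repeatedly (bounded) so double-encoded payloads are matched as well."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def analyze_line(line):
    """Return a finding dict for one log line, or None if nothing is worth flagging."""
    m = LOG_RE.match(line)
    if not m:
        return None
    finding = {"ip": m["ip"], "path": m["path"], "status": m["status"]}
    if m["method"] == "POST":
        # The body is not logged, so any payload it carried cannot be inspected from here.
        return dict(finding, verdict="opaque-post")
    if any(p.search(normalize(m["path"])) for p in XSS_PATTERNS):
        # A 2xx status only means the app answered; it says nothing about whether the payload was reflected.
        return dict(finding, verdict="xss-attempt", outcome="unknown")
    return None

def analyze_log(lines):
    return [f for f in map(analyze_line, lines) if f]

# Constructed sample log lines (RFC 5737 documentation address; not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2007:13:55:36 -0700] "GET /search?q=books HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:13:55:37 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:13:55:38 -0700] "GET /search?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:13:55:39 -0700] "POST /comment HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:13:55:40 -0700] "GET /redirect?url=javascript:alert(1) HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]
```

Running `analyze_log(SAMPLE_LOG)` flags the three GET payloads (including the double-encoded one) and the POST, while the plain search request passes untouched.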