Scanning Options
WebInspect lets you run a safe scan, a full scan or an assault scan. The safe scan checks for database errors and other nonthreatening problems, and performs only attacks that are unlikely to crash your server. The full scan adds attacks that may cause a crash. The assault scan fires off attacks that can cause a DoS (denial-of-service) failure, so don't run it against a server whose downtime you can't afford. You can customize the tests and view every test being performed for each scan, or you can write your own attacks.
I installed WebInspect on a Microsoft Windows 2000 workstation--no agents or additional software needed. I ran a full scan against five production Web servers that are part of our Syracuse University Real-World Labs®, four running Microsoft IIS and one running Apache. I also ran an assault scan on a test machine.
No matter which scan you run, the software crawls through the site first, indexing every page and directory. I scanned relatively small sites, and each scan took at least an hour. WebInspect then examines each directory it found, looking for problematic files, such as email_list.txt, old versions of applications and backup files left in the Web root.
Good
Discovers coding bugs
Provides excellent report information
Easy to use

Bad
Full scan takes a long time to complete
License is hard-coded to the IP address of the Web server under test

Vendor Info
WebInspect, starts at $4,995. SPI Dynamics, (866) 774-2700, (678) 781-4800. www.spidynamics.com
With an attack scan, WebInspect does a combination of Web server testing and client-side script inspection. In my tests, it discovered that the test systems all had unpatched buffer-overflow vulnerabilities. It also found bugs in several Web applications, including Microsoft FrontPage. The software tests parameter manipulation and cross-site scripting, and flags pages or parameters that produce database error messages. It is strictly a black-box tool: it does not check or inspect any code or scripts on the server that aren't reachable by a Web user, so server-side logic that never surfaces in a response goes untested.
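The three checks the review describes (crawl the site, probe each directory for leftover and backup files, then mutate query parameters and watch for database error messages or reflected script) fit in a short black-box scanner. The script below is an added illustration written for this page, not WebInspect's or SPI Dynamics' code. The target site is a constructed in-memory fixture so it runs offline; every path, error string and payload in it is made up for the example, and the leftover-file names beyond email_list.txt are assumptions. Replace `fetch` with a real HTTP client to point it at a test server you are authorized to scan.

```python
"""Minimal black-box Web scanner: crawl, probe for leftovers, fuzz parameters.
Added example, not WebInspect code. Target is a constructed offline fixture."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urlunparse, urlencode, parse_qsl, unquote

# Constructed fixture: "path?query" -> (status, body). Not a real site.
FAKE_SITE = {
    "/": (200, '<a href="/products.asp?id=1">Products</a> <a href="/admin/">Admin</a>'),
    "/products.asp?id=1": (200, "<h1>Widget</h1>"),
    "/products.asp?id=1'": (500, "Microsoft OLE DB Provider for ODBC Drivers error "
                                 "'80040e14' Unclosed quotation mark"),
    "/products.asp?id=<script>alert(1)</script>": (200, "Unknown product <script>alert(1)</script>"),
    "/admin/": (403, "Forbidden"),
    "/admin/email_list.txt": (200, "alice@example.test\nbob@example.test"),
    "/products.asp.bak": (200, "<% Set conn = Server.CreateObject(...) %>"),
}

def fetch(url):
    """Return (status, body). Offline stand-in: look the decoded path up in FAKE_SITE."""
    p = urlparse(url)
    key = unquote(p.path) + ("?" + unquote(p.query) if p.query else "")
    return FAKE_SITE.get(key, (404, "Not Found"))

class LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def crawl(base, max_pages=50):
    """Breadth-first crawl that stays on the base host; returns every URL seen."""
    seen, queue, host = set(), [base], urlparse(base).netloc
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            continue
        ex = LinkExtractor()
        ex.feed(body)
        for href in ex.links:
            full = urljoin(url, href)
            if urlparse(full).netloc == host and full not in seen:
                queue.append(full)
    return seen

LEFTOVER_NAMES = ["email_list.txt", "backup.zip"]   # names assumed for the example
BACKUP_SUFFIXES = [".bak", ".old", "~", ".orig"]

def probe_leftovers(urls):
    """Request leftover-file names in each directory and backup variants of each file."""
    found, checked = [], set()
    for url in urls:
        p = urlparse(url)
        directory = p.path.rsplit("/", 1)[0] + "/"
        candidates = [directory + n for n in LEFTOVER_NAMES]
        if not p.path.endswith("/"):
            candidates += [p.path + s for s in BACKUP_SUFFIXES]
        for c in candidates:
            if c in checked:
                continue
            checked.add(c)
            status, _ = fetch(urlunparse((p.scheme, p.netloc, c, "", "", "")))
            if status == 200:
                found.append(c)
    return sorted(found)

DB_ERROR_PATTERNS = [r"OLE DB Provider", r"ODBC Drivers error", r"Unclosed quotation mark",
                     r"You have an error in your SQL syntax", r"ORA-\d{5}", r"pg_query\("]
XSS_MARKER = "<script>alert(1)</script>"

def fuzz_parameters(urls):
    """Per query parameter: append a quote (database error?) and inject a script
    marker (reflected unescaped?). Returns (path, parameter, kind) triples."""
    findings = []
    for url in urls:
        p = urlparse(url)
        params = parse_qsl(p.query, keep_blank_values=True)
        for i, (name, value) in enumerate(params):
            for payload, kind in ((value + "'", "sql-error"), (XSS_MARKER, "xss")):
                mutated = params[:i] + [(name, payload)] + params[i + 1:]
                _, body = fetch(urlunparse(p._replace(query=urlencode(mutated))))
                if kind == "sql-error" and any(re.search(pat, body) for pat in DB_ERROR_PATTERNS):
                    findings.append((p.path, name, kind))
                elif kind == "xss" and XSS_MARKER in body:
                    findings.append((p.path, name, kind))
    return sorted(findings)

def scan(base):
    """Run the three phases in order, as the review describes, and collect results."""
    urls = crawl(base)
    return {"urls": sorted(urls), "leftovers": probe_leftovers(urls),
            "findings": fuzz_parameters(urls)}

if __name__ == "__main__":
    for section, items in scan("http://www.example.test/").items():
        print(section, items)
```

Everything here is reachable only through HTTP responses, which is the limitation the review points out: the `.bak` file is found because the server serves it, and the injection is found because the database error is echoed back. Code that never surfaces in a response stays invisible to this kind of tool.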