WebScanner Application Security

WebScanner

Dynamic Application Security Testing (DAST)

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, black-box testing) solution for comprehensive security audits of live web applications (websites). WebScanner tests a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

DefenseCode WebScanner can be used regardless of the web application development platform. It can be used even when application source code is no longer available. WebScanner supports major web technologies such as HTML, HTML5, Web 2.0, AJAX/jQuery, JavaScript and Flash. It is designed to execute more than 5000 Common Vulnerabilities and Exposures tests for various web server and web technology vulnerabilities. WebScanner is capable of discovering more than 60 different vulnerability types (SQL Injection, Cross Site Scripting, Path Traversal, etc.), including OWASP Top 10.

DefenseCode WebScanner is able to scan classic web applications (HTML, HTML5, Web 2.0, AJAX, JavaScript) as well as API endpoints such as Web Services, SOAP and JSON. WebScanner can scan web applications without any prior configuration, and can also scan post-authentication when credentials are required.

WebScanner's login sequence recorder and HTTP proxy provide an efficient way to scan websites and web applications that use CAPTCHA, OTP (One Time Password) or Two Factor Authentication (2FA).

WebScanner is fast, effective, highly accurate, easy to use and requires virtually no user input.

Vulnerabilities

Web Security Scanner can discover over 60 different classes of web application security vulnerabilities (including OWASP Top 10) and more than 5,000 CVE vulnerabilities.

HIGH

  • SQL Injection
  • Blind SQL Injection
  • Timing Based SQL Injection
  • File Disclosure
  • Page Inclusion
  • Command Execution
  • Timing Based Command Execution
  • PHP Code Injection
  • ASP Code Injection
  • PHP File Inclusion
  • Source Code Disclosure
  • LDAP Injection
  • XPath Injection
  • PUT File Upload
  • Server Side Includes
  • Stored Cross Site Scripting
  • Stored Cross Site Scripting Other Page
  • High Risk Server Side Vulnerabilities
  • External Entity Injection (XXE)
  • SSLv2.0 Supported
  • SSLv3.0 Supported

MEDIUM

  • Cross Site Scripting
  • HTTP Response Splitting
  • Backup File
  • Directory Listing Allowed
  • Form File Upload
  • PHP Error Message
  • Phpinfo Information Disclosure
  • ASP Error Message
  • Cross Site Request Forgery
  • Open Redirection
  • ViewState Not Encrypted
  • Insecure CrossDomain Policy File
  • Medium Risk Server Side Vulnerabilities
  • DOM Cross Site Scripting
  • Java Error Message
  • Weak TLS Cipher Suites Supported
  • TLS 1.2 Is Not Supported
  • Certificate Name Mismatch
  • SSL Expired Certificate
  • Certificate Signed Using Weak Algorithm

LOW

  • Buffer Overflow
  • Common File Name
  • Information Leak
  • Form Input Autocomplete Enabled
  • IP Address Leak
  • E-Mail Address
  • Path Disclosure
  • User Credentials Are Transmitted In Clear Text
  • Session Cookie not set to HTTPOnly
  • Internal Server Error
  • Software Version Disclosure
  • HTTP Server Disclosure
  • HTTP File Upload Form Detected
  • TRACE HTTP Method Allowed
  • CC Info Leak
  • SSN Info Leak
  • Robots File
  • X-XSS-Protection Header Set To OFF
  • X-Frame-Options Header Not Set
  • OPTIONS HTTP method allowed
  • PUT HTTP method allowed
  • Low Risk Server Side Vulnerabilities
  • Web Application Firewall Detected
  • Open_Basedir Restrictions
  • Sitemap.xml Discovered

Key Benefits

  • Automated web application vulnerability testing (on-premise)
  • Modern and simple user interface
  • Comprehensive web crawler (HTML, HTML5, AJAX, Web 2.0, Flash)
  • Fast scanning engine
  • JavaScript and Flash support
  • API security scanning (WebServices, SOAP, JSON and XML)
  • Post-Authentication web application scanning (2FA, OTP, CAPTCHA)
  • Additional security audit tools for web security assessment
  • Identification of over 60 different vulnerability types and more than 5,000 CVE vulnerabilities