The number of cyber attacks is increasing every year, they are becoming more widespread and are causing increasing losses. Cybercriminals are targeting not only corporate networks and computers but also websites, which can be very vulnerable to this kind of threat. In order to protect your website from attacks, you need to take a whole range of measures. One of them is early detection of vulnerabilities in web applications. This analysis is performed with the help of a Web Application Security Scanner, which we will discuss later. At the end of this review, you will find a convenient tool which will help you select the right product for you.
Why do hackers attack websites? There are a number of reasons, but the main motive is, of course, profit. By taking advantage of vulnerabilities in a web application, hackers can overwhelm the system, or in other words, gain control of the website. To restore its performance, you will have to either pay the hackers or spend money on restoring the system utilizing your own resources. Another scenario is using an infected site for phishing or interception of customer payment card data. Furthermore, a hacked resource can also serve as a botnet cell. In summary, there are a host of scenarios. But the main thing is that in most cases cyber intrusion occurs in an automated regime of indiscriminate attacks. Malicious scripts massively scan websites for vulnerabilities and when these are identified they start hacking the system. This means that coming off clear with the thought “who would need our corporate website, there is nothing to take there” will not work.
How can web application scanners help combat such threats? In simple terms, they are looking for vulnerabilities that can be detected by hackers and report them. And this goes on during various stages: during the coding, implementation, customization stages, as well as during the operation of the website. Vulnerabilities can be identified before the application starts. During the coding stage, vulnerabilities related to the processing of incoming and outgoing data can be detected. During the implementation phase, vulnerabilities related to incorrect settings of the web application environment are analysed. During the operation phase, such seemingly trivial things as obsolete software, weak passwords, etc. are checked. At the end of the scan, detailed reports are generated with recommendations for eliminating the identified weaknesses.
The number of web application security scanners is quite large. There are a number of free alternatives, but they are significantly inferior in functionality and usability as compared to paid versions. We have picked a number of the most advanced and productive services available. They have a high rating on Gartner, many often fall into the group of leading and promising products of their company’s “magic quadrant”. We will discuss these products in greater detail.
Rapid7 Appspider
Defect Tracking Integration: included
IAST Module Hybrid Analysis: not included
SAST Module Hybrid Analysis: not included
Flash Scanner: included
CGI Scanner: not included
Enterprise Console Management Features: partially included
Demo: included
The product developed by Rapid7 is a highly functional tool for testing web and mobile applications. In addition to detecting vulnerabilities, Appspider provides specific recommendations on how to fix them and prioritize them. You must agree that it is useful to find out which vulnerability you need to address first and which one you should focus on after eliminating a given problem. In can handle 95 types of attacks and can be tested for resistance to all common modern threats. In addition, there is an option to launch some of the attacks separately, to check the effectiveness of protection against them. The tool is wonderfully consistent with all modern technologies. It supports Ajax, JSON, GWT and other standards, a variety of formats and protocols used in modern web applications and browsers. There is also a check for compliance with modern cybersecurity standards.
Rapid7 can generate interactive reports that are submitted as web pages. Their key usability feature is the option to analyze a specific vulnerability and to single out its smallest details in order to solve a problem. The tool can integrate with existing security tools (for example, Web Application Firewall), which significantly saves time and resources. You can try the tool for free for a limited period of time.
Portswigger burp suite
Defect Tracking Integration: partially included
IAST Module Hybrid Analysis: included
SAST Module Hybrid Analysis: not included
Flash Scanner: included
CGI Scanner: included
Enterprise Console Management Features: partially included
Demo: included
This tool allows you to test the security of web applications in both manual and automatic mode. But the main focus is on manual checks. To perform these, Burp Suite offers a number of tools. For example, Intruder allows you to identify vulnerabilities with unusual character and Repeater is used to manipulate and resubmit individual requests. The interface of Burp Suite is intuitive, it is not hard to quickly gain insight into the program, even for those who have never worked with it before, or have just been introduced to this type of product.
One of the tool’s features is the availability of many third-party plug-ins and add-ons, which significantly extend its basic functionality. Many of them have been developed specifically by programmers who previously worked with Burp Suite and knew exactly what the original product lacked. A reasonably good addition to the basic version. And if you were unable to find the required plug-in, it can be created and added to the functionality. By the way, there is a free version of Burp Suite. Its functionality, of course, is significantly curtailed in comparison to the paid version, but it can be suitable for a basic check. The professional and corporate version can also be tried for free for a limited time.
Fortify WebInspect
Defect Tracking Integration: included
IAST Module Hybrid Analysis: included
SAST Module Hybrid Analysis: included
Flash Scanner: included
CGI Scanner: included
Enterprise Console Management Features: included
Demo: included
In our review Fortify WebInspect in is one of the most functional tools. Fortify WebInspect can be supplied as licensed software or it can be used under the SaaS model (software as a service), or as a demo version.
The tool can simulate real attacks and hacking techniques that are most often used by cybercriminals. The scanner supports all modern technologies, which makes it possible to work with applications without regard to their architecture. Among the most popular are Adobe Flash and JavaScript/Ajax, which today are very often used to create web applications.
The advantages of this product also include ease of installation, configuration and scalability. At the end of the tests Fortify WebInspect generates detailed reports that are insightful and useful to both company management and developers. They show statistics on vulnerabilities identified, their priority (what areas need to be focused on), showing detailed information about each problem. The program is equipped with a set of report templates, but you can also create your own.
IBM Security AppScan
Defect Tracking Integration: included
IAST Module Hybrid Analysis: included
SAST Module Hybrid Analysis: included
Flash Scanner: included
CGI Scanner: included
Enterprise Console Management Features: included
Demo: included
Another powerful tool from the well-known prominent company. Security AppScan has a variety of tools for conducting static and dynamic tests, as well as testing of open source components. The program supports most modern protocols, standards and architectures, including JavaScript/Ajax and Adobe Flash. While focus in IBM Security AppScan is on automatic checks, manual tests can also be performed. Verification algorithms for maximum similarity with real attacks use adaptive procedures that mimic human behavior.
Detected problems are presented in the form of user-friendly reports. The application database contains more than 40 templates based on various reporting standards: ISO 27001, ISO 27002, Basel II, etc. For each identified weakness a detailed explanation and recommendations are provided for prompt resolution of the problem. These recommendations use prepared work steps, including code samples and a list of priority tasks. The product is provided in a couple of versions, before you purchase it you can tryout the free version.
Acunetix Vulnerability Scanner
Defect Tracking Integration: included
IAST Module Hybrid Analysis: included
SAST Module Hybrid Analysis: not included
Flash Scanner: not included
CGI Scanner: included
Enterprise Console Management Features: included
Demo: included
Acunetix security products are popular among prominent customers such as Visa or American Express. These products include the Acunetix Vulnerability Scanner web application security scanner. This tool features a large set of functions to ensure automatic control of application security. It detects all common types of vulnerabilities, including SQL injections, execution of malicious scripts and codes. For example, this product can detect up to 1200 known vulnerabilities in the popular WordPress platform. At the same time, it can work in multi-threaded mode, which allows you to check thousands of objects of various platforms without interruption.
All identified problems are displayed in user-friendly reports. They are suitable both for professionals who directly solve problems and for managers who have to be aware of what is happening and understand the big picture. Summary reports can be arranged in a common file. These results can then be compared to similar data from former checks to determine which vulnerabilities have been fixed and which are still open. A trial version of the program (with some limitations) is available for 14 days. The service also includes a cloud scanner, which provides a number of free checks.
Netsparker Web Application Security Scanner
Defect Tracking Integration: included
IAST Module Hybrid Analysis: not included
SAST Module Hybrid Analysis: not included
Flash Scanner: not included
CGI Scanner: included
Enterprise Console Management Features: included
Demo: included
This fully automatic scanner features a high level of detection of vulnerabilities and produces a minimal number of false positives. This result is achieved with the help of an in-house developed tool, Proof-Based Scanning, which not only signals the threat, but immediately provides evidence that this is not a false positive. This saves a lot of time and resources, because the identified threats do not need to be re-checked manually and you can immediately start eliminating them.
Netsparker Web Application Security Scanner can analyze web applications and services on all common platforms, including Java Script, HTML 5, .NET and many other. Checks are performed for all common types of attacks. The tool can operate simultaneously with hundreds and thousands of resources and easily integrates into existing security systems. The product is delivered in desktop, corporate and cloud versions. A trial version is also available.
Janusec WebCruiser
Defect Tracking Integration: not included
IAST Module Hybrid Analysis: not included
SAST Module Hybrid Analysis: not included
Flash Scanner: not included
CGI Scanner: included
Enterprise Console Management Features: not included
Demo: free software
As we mentioned at the start of this review, apart from paid products, quite a few free application security scanners are available. They are, indeed, significantly inferior in functionality to their paid counterparts, but they have some basic tools, so they can also be used as a free alternative. One of these tools is the Janusec WebCruiser Web Vulnerability Scanner (it also has a paid corporate version). It focuses on performing SQL injections on various platforms, for example, SQL Server, Oracle and Access. It also features tools for working with cookies, cross-site crypting, PHP-injections and other common threats.
In Summary
Web applications are increasingly used by companies which means that risks associated with their use are growing. Hence, web application security scanners are a very useful product in high demand. It can help you protect from cyber attacks as early as at the stages of development and implementation. These scanners perform checks based on a variety of parameters, detect the most inconspicuous vulnerabilities and help you eliminate them.
In our comparison table you will find all the necessary information about the functionality of the products presented in this review and choose the one that suits you best.
By Vladyslav Myronovych, for ROI4CIO