Third installment of our Ajax Rolling Review shows not all scanners are created equal
A FEW BRIGHT SPOTS
There were a few brief, shining moments where this product stood out, or at least broke even. As previously mentioned, it sports a large internal database of attack signatures for stock applications and would excel when primarily used to scan Web servers for known vulnerabilities. The reporting interface is flexible enough, and reports are attractive, though we would like to see XML output for further processing.
The product's lack of scanning flexibility is partially offset by a custom signature-writing language that will appeal to power users. In addition, an included log-analyzer utility takes advantage of that large internal database, analyzing Web server logs to detect a variety of malicious attacks. It can even be used to go back in time and find attacks that occurred before the application was scanned.
Of course, it can't distinguish between successful and unsuccessful assaults, so that function may or may not be useful, depending on how commonly the application is attacked.
Sadly, however, like the rest of the application, this function suffers from implementation flaws. When we scanned a site and then immediately fed the resulting log into the log analyzer, it brought the analyzer to its knees. Extremely long URLs, part of the standard full penetration-test scan on one of the applications tested, caused a huge increase in total processing time. Not only that, but even after all that work on a log chock-full of attacks, only 121 requests out of more than 30,000 log entries were flagged as suspicious. This is especially odd considering the only traffic in the log came from the scanner.
Of course, the fact that only six detections of XSS (cross-site-scripting) attempts were picked up might explain why the scanner failed to identify a live XSS in the application. To be fair, almost 500 of the requests were HTTP post requests, so it's impossible to know what attacks might have been sent in those. Still, given the size of this particular application and the number of places to inject data, even if all 500 were XSS checks, the total number of checks was still not nearly enough to properly test the application for even standard XSS variants, let alone more complicated encodings and breakout techniques.
Don't get us wrong--N-Stalker's idea has potential. If the log analyzer were integrated into the rest of the application and able to learn from the server profiling that the scanner already is doing, the data it produces could be potentially much more accurate and useful.
Also, it's inexpensive--$2,899 plus 20% maintenance per year. At that price, if you need log-scanner or infrastructure scanning using a large database of static vulnerabilities, and the bugs and quirks can be worked out of the system, this product might be a nice complement to another scanner better suited to finding unknown vulnerabilities.
As it is though, despite being called the Enterprise Edition, N-Stalker has its work cut out for it before we can recommend this scanner for enterprise use.
N-Stalker's Web Application Security Scanner 2006 Enterprise Edition. An eight-IP version of N-Stalker Enterprise Edition is priced at $2,899 plus 20% maintenance per year. www.nstalker.com
About This Rolling Review
Ajax-capable application scanners are being tested at our Real-World Labs at the University of Florida. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false-positives, as well as ease in manual adjustments or product updates to address them; prevalence of false-negatives; and price. Software-as-a-service offerings also will be evaluated, though not on ease of use and advanced features.
IBM's (formerly Watchfire's) AppScan
SPI Dynamics WebInspect, Cenzic Hailstorm
Other Vendors Invited
Acunetix, Syhunt Technology, WhiteHat Security. Contact the author at firstname.lastname@example.org for consideration.
5 Top Federal Initiatives For 2015As InformationWeek Government readers were busy firming up their fiscal year 2015 budgets, we asked them to rate more than 30 IT initiatives in terms of importance and current leadership focus. No surprise, among more than 30 options, security is No. 1. After that, things get less predictable.