Feature
News
8/30/2007
06:30 PM
Jordan Wiens
Jordan Wiens
Features
50%
50%

Rolling Review: N-Stalker Web App Scanner

Third installment of our Ajax Rolling Review shows not all scanners are created equal

A FEW BRIGHT SPOTS

There were a few brief, shining moments where this product stood out, or at least broke even. As previously mentioned, it sports a large internal database of attack signatures for stock applications and would excel when primarily used to scan Web servers for known vulnerabilities. The reporting interface is flexible enough, and reports are attractive, though we would like to see XML output for further processing.

The product's lack of scanning flexibility is partially offset by a custom signature-writing language that will appeal to power users. In addition, an included log-analyzer utility takes advantage of that large internal database, analyzing Web server logs to detect a variety of malicious attacks. It can even be used to go back in time and find attacks that occurred before the application was scanned.

Of course, it can't distinguish between successful and unsuccessful assaults, so that function may or may not be useful, depending on how commonly the application is attacked.

Sadly, however, like the rest of the application, this function suffers from implementation flaws. When we scanned a site and then immediately fed the resulting log into the log analyzer, it brought the analyzer to its knees. Extremely long URLs, part of the standard full penetration-test scan on one of the applications tested, caused a huge increase in total processing time. Not only that, but even after all that work on a log chock-full of attacks, only 121 requests out of more than 30,000 log entries were flagged as suspicious. This is especially odd considering the only traffic in the log came from the scanner.

Of course, the fact that only six detections of XSS (cross-site-scripting) attempts were picked up might explain why the scanner failed to identify a live XSS in the application. To be fair, almost 500 of the requests were HTTP post requests, so it's impossible to know what attacks might have been sent in those. Still, given the size of this particular application and the number of places to inject data, even if all 500 were XSS checks, the total number of checks was still not nearly enough to properly test the application for even standard XSS variants, let alone more complicated encodings and breakout techniques.

Don't get us wrong--N-Stalker's idea has potential. If the log analyzer were integrated into the rest of the application and able to learn from the server profiling that the scanner already is doing, the data it produces could be potentially much more accurate and useful.

Also, it's inexpensive--$2,899 plus 20% maintenance per year. At that price, if you need log-scanner or infrastructure scanning using a large database of static vulnerabilities, and the bugs and quirks can be worked out of the system, this product might be a nice complement to another scanner better suited to finding unknown vulnerabilities.

As it is though, despite being called the Enterprise Edition, N-Stalker has its work cut out for it before we can recommend this scanner for enterprise use.

THE BASICS
FEATURED PRODUCT
N-Stalker's Web Application Security Scanner 2006 Enterprise Edition. An eight-IP version of N-Stalker Enterprise Edition is priced at $2,899 plus 20% maintenance per year. www.nstalker.com
About This Rolling Review
Ajax-capable application scanners are being tested at our Real-World Labs at the University of Florida. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false-positives, as well as ease in manual adjustments or product updates to address them; prevalence of false-negatives; and price. Software-as-a-service offerings also will be evaluated, though not on ease of use and advanced features.
Next Up
IBM's (formerly Watchfire's) AppScan
Past Reviews
SPI Dynamics WebInspect, Cenzic Hailstorm
Other Vendors Invited
Acunetix, Syhunt Technology, WhiteHat Security. Contact the author at jwiens@nwc.com for consideration.

THE PREMISE
InformationWeek Labs' Rolling Reviews present a comprehensive look at a hot tech category, from a market analysis to a synopsis of our findings. See our kickoff to this Ajax-capable application scanner series

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.