Rolling Review: N-Stalker Web App Scanner - InformationWeek
06:30 PM
Jordan Wiens


Third installment of our Ajax Rolling Review shows not all scanners are created equal


There were a few brief, shining moments where this product stood out, or at least broke even. As previously mentioned, it sports a large internal database of attack signatures for stock applications and would excel when primarily used to scan Web servers for known vulnerabilities. The reporting interface is flexible enough, and reports are attractive, though we would like to see XML output for further processing.

The product's lack of scanning flexibility is partially offset by a custom signature-writing language that will appeal to power users. In addition, an included log-analyzer utility takes advantage of that large internal database, analyzing Web server logs to detect a variety of malicious attacks. It can even be used to go back in time and find attacks that occurred before the application was scanned.

Of course, it can't distinguish between successful and unsuccessful assaults, so that function may or may not be useful, depending on how commonly the application is attacked.

Sadly, however, like the rest of the application, this function suffers from implementation flaws. When we scanned a site and then immediately fed the resulting log into the log analyzer, it brought the analyzer to its knees. Extremely long URLs, part of the standard full penetration-test scan on one of the applications tested, caused a huge increase in total processing time. Not only that, but even after all that work on a log chock-full of attacks, only 121 requests out of more than 30,000 log entries were flagged as suspicious. This is especially odd considering the only traffic in the log came from the scanner.

Of course, the fact that only six detections of XSS (cross-site-scripting) attempts were picked up might explain why the scanner failed to identify a live XSS in the application. To be fair, almost 500 of the requests were HTTP POST requests, so it's impossible to know what attacks might have been sent in those. Still, given the size of this particular application and the number of places to inject data, even if all 500 were XSS checks, the total number of checks was still not nearly enough to properly test the application for even standard XSS variants, let alone more complicated encodings and breakout techniques.
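The log-analysis approach the review describes, and the three limits it runs into (very long URLs inflating processing time, POST bodies that never reach the access log, and no way to tell a successful probe from a failed one), as an added Python example; this is not N-Stalker's code, and the combined-log format, the tiny signature set and the sample log lines are all constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Apache combined log format; only the fields this analyzer needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# Deliberately tiny signature set; a product analyzer carries a large database of these.
SIGNATURES = {
    "xss":       re.compile(r'<\s*script|\bon\w+\s*=|javascript:', re.I),
    "sqli":      re.compile(r"'\s*(or|and)\s|union\s+select", re.I),
    "traversal": re.compile(r'\.\./'),
}
MAX_SCAN = 4096  # bytes of a URL that get pattern-matched, so an enormous URL stays cheap

def classify(method, url, status):
    """Return the tags for one request; an empty list means nothing notable."""
    tags = []
    if len(url) > 2048:
        tags.append("oversized-url")
    if method == "POST":
        tags.append("body-not-logged")  # a payload in the POST body never reaches the access log
    decoded = unquote(unquote(url[:MAX_SCAN]))  # two passes so double-encoding is seen too
    tags += [name for name, pat in SIGNATURES.items() if pat.search(decoded)]
    if tags and status.startswith("5"):
        tags.append("server-error")  # hints the probe had an effect; still not proof it succeeded
    return tags

def analyze(log_text):
    findings = []  # one entry per request that earned any tag
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        tags = classify(m["method"], m["url"], m["status"])
        if tags:
            findings.append({"ip": m["ip"], "url": m["url"][:60], "status": m["status"], "tags": tags})
    return findings

def summarize(findings):
    return dict(Counter(t for f in findings for t in f["tags"]))  # how often each tag fired

def _line(method, url, status, ua="N-Stalker"):  # one constructed combined-format line
    return f'10.0.0.5 - - [10/Oct/2007:13:55:36 -0400] "{method} {url} HTTP/1.1" {status} 0 "-" "{ua}"'
# Constructed sample log (not from the review): a benign hit, three probes, a POST, a huge URL.
SAMPLE_LOG = "\n".join([
    _line("GET", "/index.html", "200", "Mozilla/5.0"),
    _line("GET", "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E", "200"),
    _line("GET", "/item?id=1%27%20OR%20%271%27%3D%271", "500"),
    _line("GET", "/dl?f=%252e%252e%252fetc%252fpasswd", "404"),
    _line("POST", "/login", "302"),
    _line("GET", "/a?x=" + "A" * 5000, "414"),
])
```

Running `analyze(SAMPLE_LOG)` tags five of the six lines; note that the POST is tagged only because its body is unavailable, and the 5xx on the SQL probe is recorded as a hint rather than a confirmed compromise.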

Don't get us wrong--N-Stalker's idea has potential. If the log analyzer were integrated into the rest of the application and able to learn from the server profiling that the scanner is already doing, the data it produces could potentially be much more accurate and useful.

Also, it's inexpensive--$2,899 plus 20% maintenance per year. At that price, if you need log scanning or infrastructure scanning using a large database of static vulnerabilities, and the bugs and quirks can be worked out of the system, this product might be a nice complement to another scanner better suited to finding unknown vulnerabilities.

As it is though, despite being called the Enterprise Edition, N-Stalker has its work cut out for it before we can recommend this scanner for enterprise use.

N-Stalker's Web Application Security Scanner 2006 Enterprise Edition. An eight-IP version of N-Stalker Enterprise Edition is priced at $2,899 plus 20% maintenance per year.
About This Rolling Review
Ajax-capable application scanners are being tested at our Real-World Labs at the University of Florida. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false-positives, as well as ease in manual adjustments or product updates to address them; prevalence of false-negatives; and price. Software-as-a-service offerings also will be evaluated, though not on ease of use and advanced features.
Next Up
IBM's (formerly Watchfire's) AppScan
Past Reviews
SPI Dynamics WebInspect, Cenzic Hailstorm
Other Vendors Invited
Acunetix, Syhunt Technology, WhiteHat Security. Contact the author at for consideration.

InformationWeek Labs' Rolling Reviews present a comprehensive look at a hot tech category, from a market analysis to a synopsis of our findings. See our kickoff to this Ajax-capable application scanner series.

2 of 2