The service allows you to identify more vulnerabilities than other web application scanners while generating fewer false positives. It indicates exactly where in your code the vulnerability is and reports additional debug information, which is handy when fixing it.
Advantages of using our service technology
- Provides more information about each vulnerability, such as the source code line number, stack trace and affected SQL query, which allows you to locate and fix the vulnerability faster.
- Significantly reduces false positives when scanning a website because it understands the behavior of the web application better.
- Alerts you to web application configuration problems which can result in a vulnerable application or expose sensitive information, e.g. if 'custom errors' are enabled in .NET, this could expose sensitive application details to a malicious user.
- Advises you how to better secure your web server settings, e.g. if write access is enabled on the web server.
- Detects more SQL injection vulnerabilities. Previously, SQL injection vulnerabilities could only be found if database errors were reported, whereas now the source code can be analyzed for improved detection.
- Detects SQL injection vulnerabilities in all SQL statements, including SQL INSERT statements. Such SQL injection vulnerabilities cannot be found using a black-box scanner.
- Discovers all the files present and accessible through the web server. If an attacker gains access to the website and creates a backdoor file in the application directory, the file is found and you will be alerted.
- No need to write URL rewrite rules when scanning web applications which use search engine friendly URLs! Our service can rewrite SEO URLs on the fly.
- Tests for arbitrary file creation and deletion vulnerabilities, e.g. through a vulnerable script a malicious user can create a file in the web application directory and execute it to gain privileged access, or delete sensitive web application files.
- Tests for email injection, e.g. a malicious user may append additional information, such as a list of recipients or extra message body content, to a vulnerable web form in order to spam a large number of recipients anonymously.