
The Most Comprehensive Web Application Vulnerability Scanner Benchmark Out There

Posted: March 6th, 2014 | Filed under: Web and Application Security

Many of our customers come to us asking how they can test their web applications for vulnerabilities. For an automated approach, there are numerous web application vulnerability scanners out there that can help detect vulnerabilities. With so many options, picking the appropriate scanner can be a little bit tricky. Which is most accurate? Which is the most thorough? The answer is rarely clear.

Lucky for us, the folks over at Security Tools Benchmarking recently assembled their yearly list of web scanners, aptly named “The Web Application Vulnerability Scanners Benchmark”. The list is very comprehensive and puts both open source and commercial scanners through a gamut of tests. The assessment looks at twelve different aspects of each tool to assist individuals and organizations in their evaluation of vulnerability scanners.

In total, 63 different web application vulnerability scanners were tested (we’d say that’s pretty thorough), with 49 of those being free or open-source projects, and 14 of them being commercial.

The following features were assessed during the evaluation:

  • The ability to detect Reflected XSS and/or SQL Injection and/or Path Traversal/Local File Inclusion/Remote File Inclusion vulnerabilities.
  • The ability to scan multiple URLs at once (using either a crawler/spider feature, URL/Log file parsing feature or a built-in proxy).
  • The ability to control and limit the scan to internal or external host (domain/IP).

You can organize the scanners by commercial or open source and see a quick comparison of each scanner’s features. From there you can dive into a detailed report for individual scanners.

View the full commercial comparison.

View the full open source comparison.

If you’re looking for a scanner, we encourage you to take a look at the complete report and evaluation criteria over at the Security Tool Addict blog. If you have questions about remediating or securing vulnerabilities after your scan, you can always contact Port80 Software for advice.


Sochi: A Five-Ring Circus of Web Security Nightmares, or Just Another Day on the Wi-Fi

Posted: February 12th, 2014 | Filed under: IIS & HTTP


A lot of people are talking about the web security concerns in Sochi. Have you heard the story about that guy immediately being hacked when booting up a laptop, or how everyone at Sochi will definitely be hacked because of the unsafe Wi-Fi networks there?

These incidents are not exclusive to Sochi: they are concerns for all open Wi-Fi networks. In fact, you may not be much safer on your local cafe’s public Wi-Fi. That guy sitting in the back corner sipping his latte isn’t working; he’s running Wireshark (or another sniffer tool) to steal information about your online banking session. You don’t even need much technical capability to do what he’s doing, just the willingness to perform an illegal activity.


Preventing Cross Site Request Forgery Attacks

Posted: February 4th, 2014 | Filed under: IIS & HTTP

What is a Cross Site Request Forgery Attack?

Cross-site request forgery (CSRF or XSRF) is an attack that has been in the OWASP Top 10 since its inception, but is not nearly as talked about as other OWASP lifers like XSS or SQL injection. We’ve decided to give CSRF some needed attention and discuss some ways to mitigate it.

Also known as a “one click attack” or “session riding,” CSRF is an exploit very similar to an XSS attack. Rather than an attacker injecting unauthorized code into a website, a cross-site request forgery attack only transmits unauthorized commands from a user that the website or application considers to be authenticated.

Certain websites and applications are at risk: those that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action. These attacks are characteristic vulnerabilities of Ajax-based applications that make use of the XMLHttpRequest (XHR) API. A user that is authenticated by a cookie saved in his Web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action (for instance, withdrawing funds from a bank account).
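The mitigation that follows from the paragraph above is to require, on every state-changing request, a secret that the browser does not attach automatically the way it attaches cookies. The example below is added here and is not code from the original post or from Port80 Software; it shows a synchronizer-token check in plain Python with a constructed secret (`SERVER_SECRET`), a constructed session store (`SESSIONS`), and a simplified request shape (`cookies` and `form` dictionaries), all of which are assumptions for illustration. The token is bound to the session with an HMAC, so a token issued to one session is rejected for another, and a forged cross-site request that carries only the cookie is refused.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Constructed server-side secret for this example; a real deployment loads it
# from protected configuration and never hard-codes it.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed session store: session cookie value -> authenticated user.
SESSIONS: Dict[str, str] = {"sess-alice": "alice"}


def issue_csrf_token(session_id: str) -> str:
    """Return a token of the form nonce.mac, bound to the caller's session.

    mac = HMAC-SHA256(SERVER_SECRET, session_id || ":" || nonce). A third-party
    site cannot compute it without the secret, and it is useless in any other
    session because the session id is part of the MAC input.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_transfer(request: Dict[str, Dict[str, str]]) -> str:
    """Simulated state-changing endpoint (assumed request shape).

    The session cookie proves who the browser is logged in as, but not that the
    user intended this request; only a valid per-session token proves that.
    """
    session_id = request["cookies"].get("session", "")
    if session_id not in SESSIONS:
        return "401 not authenticated"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token", "")):
        return "403 csrf check failed"
    return f"200 transferred {request['form']['amount']} for {SESSIONS[session_id]}"


def legitimate_request() -> str:
    """Form rendered by the site itself: the token was embedded in the page."""
    token = issue_csrf_token("sess-alice")
    return handle_transfer({"cookies": {"session": "sess-alice"},
                            "form": {"amount": "100", "csrf_token": token}})


def forged_request() -> str:
    """Auto-submitted from another origin: the browser attaches the cookie,
    but the attacker's page cannot read or compute the token."""
    return handle_transfer({"cookies": {"session": "sess-alice"},
                            "form": {"amount": "100"}})


def cross_session_request() -> str:
    """A token minted for a different session must not be accepted."""
    token = issue_csrf_token("sess-mallory")
    return handle_transfer({"cookies": {"session": "sess-alice"},
                            "form": {"amount": "100", "csrf_token": token}})


if __name__ == "__main__":
    print("legitimate   :", legitimate_request())
    print("forged       :", forged_request())
    print("cross-session:", cross_session_request())
```

The design choice worth noting is that the token is never stored server-side: because it is an HMAC over the session id and a fresh nonce, the server can verify it statelessly, and `hmac.compare_digest` avoids leaking the comparison result through timing. In a real application the token is embedded in each form or sent in a request header that only same-origin script can set.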


Privilege Escalation Vulnerabilities Headline Modest January Security Bulletin

Posted: January 15th, 2014 | Filed under: Web and Application Security

Microsoft is kicking off 2014 with a modest security bulletin, which includes several vulnerabilities for Windows XP and Windows Server 2003. Luckily, none of this week’s batch contains any critical vulnerabilities. We are graced with ‘Important’-level vulnerabilities across the board.

Nevertheless, as with any security update, we recommend downloading and applying the patches as soon as possible.

Apply all the Patches

MS14-001: Microsoft Office, SharePoint Server, Office Web Apps

Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2916605)

Attention Microsoft Office users with admin privileges: this update is intended for you. It fixes an issue in Microsoft Office that primarily affects the 2010 and 2013 versions. If a specially crafted malicious file is opened using a vulnerable version of Word or other Office software, remote code can be executed. Microsoft says that a successful attack could allow the attacker to gain the same user rights as the current user.

See affected versions and download patches


PCI DSS Version 3.0: New and Important Requirements

Posted: November 27th, 2013 | Filed under: IIS & HTTP

PCI DSS is a set of standards developed by major credit card companies to keep credit card information secure and reduce fraud. The standards apply to any organization that processes, stores, or transmits credit card data. Occasionally, the PCI Security Standards Council will announce updates to the standards, which may require approved companies to make changes to their security hardware, software, and practices. The latest updates (PCI DSS Standards 3.0) were introduced a few months back, but recent documentation has shed a bit more light on what you need to do to start preparing for compliance once the new rules come into effect on January 1, 2014.
