Evaluating a web vulnerability scanner is not the easiest of tasks. With a multitude of open source and commercial products to choose from, all promising to provide the best of breed scanning functionality, choosing the right web vulnerability scanner is a tough, albeit important decision. In this article, we provide a checklist of things that you should consider when choosing your web vulnerability scanner.
Ease of Use
Web vulnerability scanning is already a difficult topic. While most (hopefully) understand the basics, such as SQL Injection and XSS, not all are experts in operating a web vulnerability scanner. Ideally, most of your time should be spent fixing the vulnerabilities identified by the scanner, rather than figuring out how to operate the scanner.
Broad set of security tests
The web vulnerability scanner should be able to identify more than a few web vulnerabilities. While most scanners are able to identify the basic and most common, the scanner of your choice should be able to identify vulnerabilities that are less widespread too.
Apart from being able to identify a wide range of vulnerabilities, a good vulnerability scanner should be able to check for and report on all the variations of the vulnerabilities detected. Take a Cross Site Scripting (XSS) vulnerability as an example, a web developer might fix the simple version of the vulnerability, but might fail to address the vulnerability when the XSS payload is encoded.
Coverage of Web Technologies
Keeping in mind that a web vulnerability scanner can only scan the pages and elements that are identified at the crawl stage, you should choose a web vulnerability scanner that is able to understand the web technologies used in your web applications, and that the scanner is updated frequently to be able to crawl new technologies moving forward.
The checks done by various web vulnerability scanners can be defined as isolated, meaning that the scanner will run each check against the web application in isolation from the other checks. Ideally, the results of one check are used as input for other checks.
To give a simple example, a web vulnerability scan might identify email addresses during the scan. Ideally, these email addresses are used during the scan, such as in the login forms of the web application. To give another example, if the web application scanner identifies a developer application, such as a Version Control directory (e.g. GIT or SVN), the web application will try to parse the contents of this application too, as these usually contain confidential information.
Coverage of Content Management Systems
Most organisations use Content Management Systems (CMS) to create content on the site as frequently as needed. Common content management systems include WordPress, Joomla, and Drupal, all of which include their own set of vulnerabilities. You are probably using one of these, thus your web vulnerability scanner should check these for configuration errors and vulnerabilities in these systems too.
Support for Mobile Friendly Web Apps
Most web applications implement a mobile friendly version which is loaded automatically on smartphones and tablets. These often provide the same functionality as the main site, and therefore might be just as vulnerable. Ensure that your web vulnerability scanner is able to scan your mobile friendly site too.
Grey box testing
Most web vulnerability scanners provide black box testing, since they can scan a web site without getting access to the code on the web server. Grey box testing is the ability to install an agent in the web application which interacts with the main scanner during the scan.
Grey box testing enhances the scan results by ensuring complete coverage of the web application and allows the scanner to detect more vulnerabilities, decreases false positives by providing additional validation on the vulnerabilities detected and enhances scan results by providing more information on the vulnerabilities detected, such as the line in the back-end source code where the vulnerabilities lies, or the SQL statement in an SQL Injection vulnerability.
Manual testing tools
A web vulnerability scan does not stop when the automated scan is done. In most situations, you will then need to verify some of the vulnerabilities detected by the scanner. Ideally a web vulnerability scanner provides tools that are integrated in the product, and allows you to easily reuse vulnerability details in the manual testing tools provided.
Beware of empty claims
While most web vulnerability scanners are genuine, and work very well in the right hands, you need to be vigilant on scanners making empty claims. A common misconception is that a web vulnerability scanner should produce zero false positives. While a web vulnerability scan which includes many false positives is useless, the fact is that some web vulnerabilities cannot be detected with 100% certainty. So a web vulnerability scanner claiming 0 false positives is either not showing that more testing is needed on such vulnerabilities, or not showing them at all.
Acunetix Web Vulnerability Scanner is celebrating its 10th birthday in 2015, meaning it has been constantly developed and refined for a decade, making it one of the leading web app scanners on the market.