- Some developers and I wandered across a pretty interesting situation recently: it seems there is an ambiguous corner case concerning how to resolve a relative URI containing only query parameters (a link such as "?foo=bar"). We were finding that certain programming languages were resolving the URIs differently than expected(!), which was causing
- The release of WebInspect 7.7.113.3 (the Nov/2007 hotfix release) brought along a significant feature: a new-and-improved audit engine for finding local file reading/inclusion vulnerabilities. This article will introduce you to this new engine, how it works, and explain how to tune the associated check inputs in order to tailor the engine to your specific
- IBM/Watchfire released their analysis of Larry Suto's web scanner comparative review, which was released in October. If you recall, we wrote one as well. IBM/Watchfire questioned Suto's methodology just like we did; they also found discrepancies between their own testing and the scan files Suto provided them (yes, that's right--Suto's
- The dashboard displays the number of URLs encountered while crawling. The site pane shows the URLs encountered while crawling, plus any additional fabricated URLs (i.e. fabricated for an attack) that proved to be vulnerable. During this process, WebInspect sends many requests for things that may not exist (e.g. directory enumeration, etc.);
- The reasons for the scan failing to initialize should be in the scan logs. You can browse the logs by choosing Tools -> Log Viewer; however, the contents of the logs are geared more towards customer service reps. You should contact your rep and send him the logs, so we can further look into why you are receiving an initialization failure.
- This is the third part in my three-part series on check tuning. Part one addressed the basic concepts of check inputs and tuning checks, while part two addressed some basic network topology concepts. This part will utilize the previously discussed concepts to tune three specific network-related checks. The three target checks are: · 10274
- I just wanted to post a note saying that I haven't forgotten about part III of my WebInspect check tuning article series. I am working on some rewrites to how the checks destined to be featured in part III operate; thus I want to finish the checks so that I can talk in part III about how the new changes (and the associated new check inputs) work. It makes
- [Update: PDF attachment download is working now] In October 2007, Larry Suto released a case study entitled “Analyzing the Effectiveness and Coverage of Web Application Security Scanners,” available for reading at http://www.stratdat.com/webscan.pdf. The study compared the results of three commercial web application security scanners,
- Launching a web scan is conceptually pretty easy: you just pop in a target URL and click 'Go'. You don't necessarily have to worry about routing tables, firewalls, and all that other network architecture stuff that magically lets the scanning system talk to the target web site. That is, you don't have to worry about it unless you're
- This is the first article in a three-part series that focuses on tuning the checks included with WebInspect (and sister products, DevInspect and QAInspect), with the goal of increasing accuracy and usefulness. By default, the current version of WebInspect ships with thousands of checks. A 'check' is a generic term used to describe a unit of