Vulnerability analyzers offer Web scanning as an option

Web scanning is different from vulnerability scanning because it looks for bugs in the Web apps themselves, rather than the software installed on the Web server. For example, all of the vulnerability scanners told us about an old embedded system on our network vulnerable to a cross-site scripting attack because of an old version of PHP. That's just normal vulnerability scanning, and depending on your Web applications and Web server settings may turn out a lot of false positives. But actually finding an exploitable script on a Web site requires a more intense search, coming in from the outside, and a more specialized type of scanner.

Web scanning is different from vulnerability scanning because it looks for bugs in the Web apps themselves, rather than in the software installed on the Web server. For example, all of the vulnerability scanners told us about an old embedded system on our network vulnerable to a cross-site scripting attack because of an old version of PHP. 

That's just normal vulnerability scanning, and depending on your Web applications and Web server settings a scanner may turn out a lot of false positives. But actually finding an exploitable script on a website requires a more intense search, coming in from the outside, and a more specialized type of scanner.

Do you know where your security holes are?

Typically, Web scanning includes some type of data loss prevention features (looking for identity information on Web pages), information disclosure scans (looking for entire directories that are available), cross-site scripting and SQL injection detection, and, of course, known vulnerability scanning in common Web applications.

FusionVM, McAfee MVM and QualysGuard VM all include Web scanning as an option (sometimes separately licensed) in their existing scanners, while eEye offers a separate product, Retina Web, focused on Web application scanning.

As we evaluated the different vulnerability analyzers, we kept looking for IPv6 support. Most of them don't even mention it, with SAINT being the lone exception. SAINT doesn't support IPv6 everywhere yet, but it's the closest product to being IPv6-ready in the set we tested.

Insider Tip: 12 easy ways to tune your Wi-Fi network
Join the discussion
Be the first to comment on this article. Our Commenting Policies