Web application security has become a top priority for security professionals striving to control the overall risk profile of an organization. Most websites contain vulnerabilities, and most attacks target the application layer in order to exploit them. Such attacks are often designed to steal critical financial and customer data, and a successful attack can cost an organization money, productivity and reputation.
One method often used to assess a network simply involves launching a long list of signature-based attack probes against it. Signature-based vulnerability scanning replays a fixed set of known probes without regard for the structure of the underlying application, which results in poor coverage and inaccurate results.
The major flaw of signature-based vulnerability scanning is its inability to test unknowns. When a signature-based scanner encounters something new or unexpected, it fails to test it adequately. Unknown or unexpected vulnerabilities thrive in the web application space, because many companies develop and maintain custom web applications written for their own use. This means that signature-based scanning cannot consistently catch vulnerabilities in custom web applications.
In answer to the shortcomings of signature-based vulnerability scanning, the web application scanner was developed. Web application scanners are computer programs which communicate with a web application through its web front-end in order to identify potential security vulnerabilities in the application. They are automated tools that check a website's applications for common security problems such as cross-site scripting and remote command execution vulnerabilities. A web application scanner crawls through a website, parses each URL it discovers, and identifies vulnerabilities by injecting various attack vectors into the request while maintaining the session state (for example, the authentication cookie) so that protected pages remain reachable during the scan.
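As an added illustration of the crawl, parse, inject and session-state steps just described (example code written for this page, not the scanner of this patent or any product), the following Python script scans a constructed in-process target. The target application, its `sid` cookie, the two pages and the `zxq123` probe marker are all hypothetical and exist only so the example runs offline.

```python
import html
import http.client
import http.server
import re
import threading
import urllib.parse

# Constructed target (hypothetical, built for this example only): "/" hands out
# a session cookie and links to two pages that refuse requests without it.
# "/search" reflects its "q" parameter unescaped (an XSS sink); "/safe" escapes it.
class TargetHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        url = urllib.parse.urlsplit(self.path)
        q = urllib.parse.parse_qs(url.query).get("q", [""])[0]
        if url.path == "/":
            self.reply('<a href="/search?q=test">search</a> '
                       '<a href="/safe?q=test">safe</a>', set_cookie=True)
        elif "sid=abc123" not in self.headers.get("Cookie", ""):
            self.reply("login required", status=403)
        elif url.path == "/search":
            self.reply(f"<p>Results for {q}</p>")               # unescaped
        elif url.path == "/safe":
            self.reply(f"<p>Results for {html.escape(q)}</p>")  # escaped
        else:
            self.reply("not found", status=404)

    def reply(self, body, status=200, set_cookie=False):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        if set_cookie:
            self.send_header("Set-Cookie", "sid=abc123; Path=/")
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args): pass  # silence per-request logging

# Probe payload: characters that break out of an attribute and a tag, plus a
# marker no real page would contain, so a verbatim echo proves reflection.
XSS_PROBE = '"><zxq123>'

class Scanner:
    def __init__(self, host, port, keep_session=True):
        self.host, self.port, self.keep_session = host, port, keep_session
        self.cookies = {}     # session state carried across requests
        self.seen, self.findings = set(), []

    def get(self, path):
        headers = {}
        if self.cookies:
            headers["Cookie"] = "; ".join(f"{k}={v}" for k, v in self.cookies.items())
        conn = http.client.HTTPConnection(self.host, self.port, timeout=5)
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        conn.close()
        if self.keep_session:  # record Set-Cookie so later requests stay logged in
            for sc in resp.headers.get_all("Set-Cookie") or []:
                name, _, value = sc.split(";", 1)[0].partition("=")
                self.cookies[name.strip()] = value.strip()
        return resp.status, body

    def crawl(self, start="/"):
        queue = [start]
        while queue:
            path = queue.pop(0)
            if path in self.seen:
                continue
            self.seen.add(path)
            status, body = self.get(path)
            if status != 200:
                continue      # e.g. 403 when the session was lost
            self.probe(path)
            for href in re.findall(r'href="([^"]+)"', body):
                target = urllib.parse.urljoin(path, html.unescape(href))
                if target.startswith("/"):   # same-origin relative links only
                    queue.append(target)
        return self.findings

    def probe(self, path):
        url = urllib.parse.urlsplit(path)
        params = urllib.parse.parse_qs(url.query, keep_blank_values=True)
        for name in params:  # inject the probe into one parameter at a time
            query = urllib.parse.urlencode({**params, name: [XSS_PROBE]}, doseq=True)
            status, body = self.get(urllib.parse.urlunsplit(("", "", url.path, query, "")))
            if status == 200 and XSS_PROBE in body:   # echoed back unescaped
                self.findings.append(("reflected-xss", url.path, name))

def run_scan(keep_session=True):
    """Start the constructed target on a free local port, scan it, stop it."""
    server = http.server.HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return Scanner("127.0.0.1", server.server_address[1], keep_session).crawl()
    finally:
        server.shutdown()
        server.server_close()
```

`run_scan()` returns one finding, the unescaped `q` parameter of `/search`, while `/safe` produces none because the marker comes back HTML-encoded. `run_scan(keep_session=False)` returns nothing at all: once the scanner stops carrying the cookie, every page behind the login answers 403 and is never probed, which is why session-state handling is the difference between coverage and a blind spot. A real scanner would also parse forms, POST bodies and JSON, and would fingerprint reflection context (attribute, script, URL) rather than a bare substring match.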
While current web application scanners are an improvement over signature-based scanners, they have significant shortcomings. One is the time a scanner takes to complete its assessment: web application scanners typically take from a few hours to a few days. Additionally, such scanners primarily run only in a Windows environment and lack the ability to run multiple scans simultaneously. Furthermore, a scanner may be destructive to the web application being scanned, and such scanners are typically expensive.
Thus, what is needed is a web application scanner that is both effective and relatively quick in completing its assessment.