One or more embodiments disclosed within this specification relate to Web Security Scanners.
Web application security scanners are software tools that automatically test the security posture of web applications. These scanners attempt to locate security issues within web applications, such as structured query language (SQL) injection, cross-site scripting, command injection, and other security vulnerabilities. To use such a scanner, a user typically configures the scope and limits of the scan and provides login information. The user then manually or automatically crawls the web application to allow the scanner to collect information about the web application's structure, the uniform resource locators (URLs) associated with the web application, cookies, and directories. The objective of crawling is to collect resources from the web application in order to automate vulnerability detection on each of these resources. The information obtained during crawling of the web application is then manipulated and submitted to the web application to perform testing on the web application, and validation is performed on the responses received from the web application.
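The configure-scope-then-crawl step described above, as an added Python example that is not part of this specification: a scope-limited breadth-first crawler over a constructed in-memory site that collects the URLs, directories, cookies and form parameters a scanner would later test. `SITE` and the `fetch` stub are assumptions standing in for a real HTTP client.

```python
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
# Constructed in-memory web application: path -> (HTML body, Set-Cookie header or None).
SITE = {
    "/": ('<a href="/products/list">Products</a><a href="/logout">Logout</a>'
          '<a href="http://other.example/x">External</a>', "session=abc123"),
    "/products/list": ('<a href="/products/item?id=1">Item</a>'
                       '<form action="/search" method="get"><input name="q"></form>', None),
    "/products/item": ('<a href="/">Home</a>', None),
}
def fetch(url):  # hypothetical HTTP client stub standing in for real requests
    return SITE.get(urlsplit(url).path, ("", None))
class LinkFormParser(HTMLParser):
    """Collects anchors and forms (action, method, input names) from one HTML page."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "method": a.get("method", "get").lower(), "params": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["params"].append(a["name"])
    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form); self._form = None

def crawl(start, allowed_host, exclude_prefixes=(), max_depth=3):
    """Breadth-first crawl confined to the configured scope; returns the resource inventory."""
    inv = {"urls": set(), "directories": set(), "cookies": set(), "forms": []}
    queue, seen = deque([(start, 0)]), set()
    while queue:
        url, depth = queue.popleft()
        parts = urlsplit(url)
        # Scope limits: configured host only, excluded prefixes (e.g. /logout), max depth, one visit per path.
        if (parts.netloc != allowed_host or parts.path.startswith(tuple(exclude_prefixes))
                or depth > max_depth or parts.path in seen):
            continue
        seen.add(parts.path)
        body, cookie = fetch(url)
        inv["urls"].add(url)
        inv["directories"].add(parts.path.rsplit("/", 1)[0] or "/")
        if cookie: inv["cookies"].add(cookie.split("=", 1)[0])
        parser = LinkFormParser(); parser.feed(body)
        inv["forms"] += [dict(f, action=urljoin(url, f["action"])) for f in parser.forms]
        queue.extend((urljoin(url, href), depth + 1) for href in parser.links)
    return inv
```

The returned inventory is the list of resources the later manipulate-submit-validate phase iterates over; the off-host link and the excluded logout path never reach `fetch`, which is what keeps a scan inside its configured scope.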