naxsi

Classical benchmark : Web Vuln Scanner vs WAF

Here we will present the results of (IBM) AppScan vs naxsi.

Why AppScan ? Because, it’s one of the less worse commercial scanner available, because they offer a target/demo (read : highly vulnerable) website, and, unlike Acunetix, you can run full tests on the target website.

Overall Results

As you will see bellow, AppScan is not able to find any vulnerabilities that it can exploit. The only vulnerabilities detected are probed with extremely simple patterns (read : nearly full ascii) that are not (and will not) be blocked by naxsi (to avoid false positives).

Raw results

When running AppScan against demo.testfire.net with naxsi (set-up as forward proxy for this purpose), the following vulnerabilities will appear:

appscanfull

I won’t make an exhaustive diff list between naxsi and raw results since, as you can expect, original scan results have a LOT of vulnerabilities, as this website is designed to show all the vulnerabilities AppScan can detect/exploit.

Let’s go through all the “remaining” bugs :

Blind SQL Injections

The scan result shows at least 2 Blind SQL Injection remaining. Actually, the attack pattern used by AppScan is the following :

details 1 details 2

The first test pattern listAccounts=0%2B0%2B0%2B1001160141 is decoded to listAccounts=0+0+0+1001160141, and the seconde one, before=1234+and+7659%3D7659 to before=1234 and 7659=7659. Appscan is able to detect the vulnerability, but it will not be able to exploit it.

Database Error Pattern

During the scan, AppScan was able to detect several “Database Error Pattern” (read : MSSQL/MySQL/… error messages in webpage)

details 3

The test pattern used by AppScan is 100116014WFXSSProbe, it’s a generic one to trace back injected data into a webpage. Here, the scanner is able to trigger the bug by entering a non-numeric value in a numeric field, making the page yield a SQL error message. Obviously, you cannot do anything here except blocking the scanner’s pattern, which would be dumb and inefficient. Obviously, the injected characters won’t allow any kind of exploitation of the vulnerability, only a probe.

Other vulnerabilities

The other vulnerabilities reported by AppScan :