Rolling Review: N-Stalker Web App Scanner

Third installment of our Ajax Rolling Review shows not all scanners are created equal

Jordan Wiens, Contributor

August 31, 2007

4 Min Read
InformationWeek logo in a gray background | InformationWeek

A FEW BRIGHT SPOTS

There were a few brief, shining moments where this product stood out, or at least broke even. As previously mentioned, it sports a large internal database of attack signatures for stock applications and would excel when primarily used to scan Web servers for known vulnerabilities. The reporting interface is flexible enough, and reports are attractive, though we would like to see XML output for further processing.

The product's lack of scanning flexibility is partially offset by a custom signature-writing language that will appeal to power users. In addition, an included log-analyzer utility takes advantage of that large internal database, analyzing Web server logs to detect a variety of malicious attacks. It can even be used to go back in time and find attacks that occurred before the application was scanned.

Of course, it can't distinguish between successful and unsuccessful assaults, so that function may or may not be useful, depending on how commonly the application is attacked.

Sadly, however, like the rest of the application, this function suffers from implementation flaws. When we scanned a site and then immediately fed the resulting log into the log analyzer, it brought the analyzer to its knees. Extremely long URLs, part of the standard full penetration-test scan on one of the applications tested, caused a huge increase in total processing time. Not only that, but even after all that work on a log chock-full of attacks, only 121 requests out of more than 30,000 log entries were flagged as suspicious. This is especially odd considering the only traffic in the log came from the scanner.

Of course, the fact that only six detections of XSS (cross-site-scripting) attempts were picked up might explain why the scanner failed to identify a live XSS in the application. To be fair, almost 500 of the requests were HTTP post requests, so it's impossible to know what attacks might have been sent in those. Still, given the size of this particular application and the number of places to inject data, even if all 500 were XSS checks, the total number of checks was still not nearly enough to properly test the application for even standard XSS variants, let alone more complicated encodings and breakout techniques.

Don't get us wrong--N-Stalker's idea has potential. If the log analyzer were integrated into the rest of the application and able to learn from the server profiling that the scanner already is doing, the data it produces could be potentially much more accurate and useful.

Also, it's inexpensive--$2,899 plus 20% maintenance per year. At that price, if you need log-scanner or infrastructure scanning using a large database of static vulnerabilities, and the bugs and quirks can be worked out of the system, this product might be a nice complement to another scanner better suited to finding unknown vulnerabilities.

As it is though, despite being called the Enterprise Edition, N-Stalker has its work cut out for it before we can recommend this scanner for enterprise use.

THE BASICS

FEATURED PRODUCT

N-Stalker's Web Application Security Scanner 2006 Enterprise Edition. An eight-IP version of N-Stalker Enterprise Edition is priced at $2,899 plus 20% maintenance per year. www.nstalker.com

About This Rolling Review

Ajax-capable application scanners are being tested at our Real-World Labs at the University of Florida. We're assessing general reliability; advanced features; ease of use for nonsecurity personnel; ability to map and scan Ajax functionality; prevalence of false-positives, as well as ease in manual adjustments or product updates to address them; prevalence of false-negatives; and price. Software-as-a-service offerings also will be evaluated, though not on ease of use and advanced features.

Next Up

IBM's (formerly Watchfire's) AppScan

Past Reviews

SPI Dynamics WebInspect, Cenzic Hailstorm

Other Vendors Invited

Acunetix, Syhunt Technology, WhiteHat Security. Contact the author at [email protected] for consideration.

THE PREMISE

InformationWeek Labs' Rolling Reviews present a comprehensive look at a hot tech category, from a market analysis to a synopsis of our findings. See our kickoff to this Ajax-capable application scanner series

Read more about:

20072007

About the Author

Jordan Wiens

Jordan Wiens

Contributor

See more from Jordan Wiens
Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
SIGN-UP

You May Also Like

More Insights
Webinars
More Webinars
Reports
More Reports

Editor's Choice

IT Leadership
SolarWinds CEO on Building Trust After Breach, Unifying IT and C-Suite, and GenAI Future
SolarWinds CEO on Building Trust After Breach, Unifying IT and C-Suite, and GenAI Future

Nov 26, 2024

Tech war between China and the USA. Flag of USA and China on a microprocessor
Machine Learning & AI
The New Cold War: US Urged to Form ‘Manhattan Project’ for AGI
The New Cold War: US Urged to Form ‘Manhattan Project’ for AGI

Nov 21, 2024

cloud computing background
IT Infrastructure
6 Cloud Trends to Watch in 2025
6 Cloud Trends to Watch in 2025

Nov 18, 2024

Young businessman working on a virtual screen of the future and sees the inscription: Now hiring
IT Leadership
Help Wanted: IT Hiring Trends in 2025
Help Wanted: IT Hiring Trends in 2025

Nov 20, 2024

Calculator displaying the text "SALARY" on top of $100 bills.
IT Leadership
2024 InformationWeek US IT Salary Report: Profits, Layoffs, and the Continued Rise of AI
2024 InformationWeek US IT Salary Report

Jun 4, 2024

Webinars
More Webinars
White Papers
More White Papers
Reports
More Reports