The Web Application Security Scanner Evaluation Criteria (WASSEC) is a set of guidelines to evaluate web application scanners on their ability to effectively test web applications and identify vulnerabilities. It covers areas such as crawling, parsing, session handling, testing, and reporting. The goal of the WASSEC is to create a vendor-neutral document to help guide web application security professionals during web application scanner evaluations.

This document provides a comprehensive list of features that should be considered when conducting a web application security scanner evaluation. Different users will place varying levels of importance on each feature, and the WASSEC provides the user with the flexibility to take this comprehensive list of potential scanner features, narrow it down to a shorter list of features that are important to the user, assign weights to each feature, and conduct a formal evaluation to determine which scanning solution best meets the user's needs.

The aim of this document is not to define a list of requirements that all web application security scanners must provide in order to be considered a "complete" scanner, and evaluating specific products and providing the results of such an evaluation is outside the scope of the WASSEC project. Instead, this project provides the tools and documentation to enable anyone to evaluate web application security scanners and choose the product that best fits their needs. NIST Special Publication 500-269, "Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0", contains minimal requirements for mandatory and optional web application scanner features.

This document is the result of a team effort. The following people have contributed their time and expertise to this project:

Web Application Security Scanners are automated tools to test web applications for common security problems such as Cross-Site Scripting, SQL Injection, Directory Traversal, insecure configurations, and remote command execution vulnerabilities. A large number of web application scanning tools are available, both commercial and open source. These tools crawl a web application and locate application layer vulnerabilities and weaknesses, either by manipulating HTTP messages or by inspecting them for suspicious attributes. Effective use of these tools is an important part of a thorough web application security assessment, and regular security scans are required to comply with security requirements such as section 6.6 of the Payment Card Industry Data Security Standard (PCI-DSS).

Participation in the Web Application Security Scanner Evaluation Criteria project is open to all. If you have any questions about the evaluation criteria, please contact Brian Shura at

The underlying communication protocol used by web applications is the Hypertext Transfer Protocol (HTTP). In order to test web applications, a scanner must support all communication protocols that are commonly used by web applications and intermediary network devices.

3.2.1 HTTP Cookies (RFC 2965) - HTTP cookies are probably the most commonly used type of web application session tokens. Web application scanners should be able to imitate the proper behavior of a web browser, such as accepting a request to set a new cookie and following a cookie value refresh instruction.

3.2.2 HTTP Parameters - Oftentimes, web applications use an HTTP parameter to track a web session.
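The two session-handling behaviours described in 3.2.1 and 3.2.2 (accepting a new cookie, honouring a refreshed cookie value, and carrying a session-tracking HTTP parameter from one request to the next) are small enough to show in code. The following is an added illustration written for this page, not code from the WASSEC project or from any scanner it evaluates. It models the browser-like session layer an evaluator would expect a scanner to have: the HTTP responses are constructed samples embedded inline, and the set of parameter names treated as session tokens (`SESSION_PARAM_NAMES`) is an assumption, not something the criteria prescribe.

```python
"""Minimal browser-like session layer of the kind the WASSEC session-handling
criteria (3.2.1 cookies, 3.2.2 HTTP parameters) ask a scanner to provide.
All responses below are constructed samples, not captured traffic."""
from http.cookies import SimpleCookie
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: query parameters with these names are treated as session tokens.
SESSION_PARAM_NAMES = {"sid", "sessionid", "jsessionid", "phpsessid"}


class CookieJar:
    """Accepts Set-Cookie instructions and applies refreshes and deletions."""

    def __init__(self):
        self.cookies = {}

    def ingest(self, set_cookie_headers):
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                if morsel["max-age"] == "0":
                    # Server asked us to drop the cookie (expiry refresh)
                    self.cookies.pop(name, None)
                else:
                    # New cookie, or a refreshed value replacing the old one
                    self.cookies[name] = morsel.value

    def header(self):
        return "; ".join(f"{k}={v}" for k, v in sorted(self.cookies.items()))


class LinkExtractor(HTMLParser):
    """Collects href targets so session parameters in links can be noticed."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.links.append(value)


class Session:
    """Tracks cookies and parameter-based session tokens across requests."""

    def __init__(self):
        self.jar = CookieJar()
        self.session_params = {}

    def observe(self, response):
        # response: {"headers": [(name, value), ...], "body": str}
        self.jar.ingest([v for n, v in response["headers"] if n.lower() == "set-cookie"])
        extractor = LinkExtractor()
        extractor.feed(response.get("body", ""))
        for link in extractor.links:
            for name, value in parse_qsl(urlsplit(link).query):
                if name.lower() in SESSION_PARAM_NAMES:
                    self.session_params[name] = value
        return extractor.links

    def prepare(self, url):
        """Return (url, headers) for the next request, carrying session state."""
        parts = urlsplit(url)
        query = dict(parse_qsl(parts.query))
        for name, value in self.session_params.items():
            query.setdefault(name, value)  # do not clobber an explicit value
        headers = {}
        if self.jar.header():
            headers["Cookie"] = self.jar.header()
        return urlunsplit(parts._replace(query=urlencode(query))), headers


# Constructed sample responses (hypothetical host target.example).
LOGIN_RESPONSE = {
    "headers": [("Content-Type", "text/html"),
                ("Set-Cookie", "SESSIONID=abc123; Path=/; HttpOnly"),
                ("Set-Cookie", "theme=dark; Path=/")],
    "body": '<html><a href="/account?sid=xyz789">Account</a></html>',
}
REFRESH_RESPONSE = {
    "headers": [("Set-Cookie", "SESSIONID=def456; Path=/; HttpOnly"),
                ("Set-Cookie", "theme=; Max-Age=0; Path=/")],
    "body": "",
}


def demo():
    """Walk through cookie set, parameter pickup, and cookie refresh."""
    session = Session()
    session.observe(LOGIN_RESPONSE)
    url1, headers1 = session.prepare("http://target.example/account")
    session.observe(REFRESH_RESPONSE)
    url2, headers2 = session.prepare("http://target.example/orders?page=2")
    return url1, headers1, url2, headers2


if __name__ == "__main__":
    for item in demo():
        print(item)
```

An evaluator can turn the same three behaviours into pass/fail checks against a real scanner by pointing it at a test application that sets a cookie on login, rotates the cookie value on the next response, and embeds a session parameter in its links, then confirming in the application's logs that later scanner requests carry the refreshed cookie and the parameter.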
Advice for Conducting a Scanner Evaluation