WebStrike DAST
DefenseCode WebStrike is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications (websites). Formerly known as WebScanner before version 2.0.1. WebStrike will test a website’s security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.
DefenseCode WebStrike can be used regardless of the web application development platform. It can be used even when application source code is no longer available. WebStrike supports major web technologies such as HTML, HTML5, Web 2.0, AJAX/jQuery, JavaScript and Flash. It is designed to execute more than 5000 Common Vulnerabilities and Exposures tests for various web server and web technology vulnerabilities. WebStrike is capable of discovering more than 60 different vulnerability types (SQL Injection, Cross Site Scripting, Path Traversal, etc.), including OWASP Top 10.
DefenseCode WebStrike is able to scan classic web applications (HTML, HTML5, Web2.0, AJAX, Javascript) along with API endpoints as Web Services, SOAP and JSON. WebStrike is capable of scanning web applications without any prior configuration but also post-authentication when the credentials are required.
WebStrike’s login sequence recorder and HTTP Proxy, allows an efficient method to scan websites and web applications that use CAPTCHA, OTP (One Time Password) or Two Factor Authentication (2FA).
WebStrike is fast, effective, highly accurate, easy to use and requires virtually no user input.
Vulnerabilities coverage
WebStrike can discover over 60 different classes of web application security vulnerabilities (including OWASP Top 10) and more than 5,000 CVE vulnerabilities.
-
HIGH$
per - SQL Injection
- Blind SQL Injection
- Timing Based SQL Injection
- File Disclosure
- Page Inclusion
- Command Execution
- Timing Based Command Execution
- PHP Code Injection
- ASP Code Injection
- PHP File Inclusion
- Source Code Disclosure
- LDAP Injection
- XPath Injection
- PUT File Upload
- Server Side Includes
- Stored Cross Site Scripting
- Stored Cross Site Scripting Other Page
- High Risk Server Side Vulnerabilities
- External Entity Injection (XXE)
- SSLv2.0 Supported
- SSLv3.0 Supported
-
MEDIUM$
per - Cross Site Scripting
- HTTP Response Splitting
- Backup File
- Directory Listing Allowed
- Form File Upload
- PHP Error Message
- Phpinfo Information Disclosure
- ASP Error Message
- Cross Site Request Forgery
- Open Redirection
- ViewState Not Encrypted
- Insecure CrossDomain Policy File
- Medium Risk Server Side Vulnerabilities
- DOM Cross Site Scripting
- Java Error Message
- Weak TLS Cipher Suites Supported
- TLS 1.2 Is Not Supported
- Certificate Name Mismatch
- SSL Expired Certificate
- Certificate Signed Using Weak Algorithm
-
LOW$
per - Buffer Overflow
- Common File Name
- Information Leak
- Form Input Autocomplete Enabled
- IP Address Leak
- E-Mail Address
- Path Disclosure
- User Credentials Are Transmitted In Clear Text
- Session Cookie not set to HTTPOnly
- Internal Server Error
- Software Version Disclosure
- HTTP Server Disclosure
- HTTP File Upload Form Detected
- TRACE HTTP Method Allowed
- CC Info Leak
- SSN Info Leak
- Robots File
- X-XSS-Protection Header Set To OFF
- X-Frame-Options Header Not Set
- OPTIONS HTTP method allowed
- PUT HTTP method allowed
- Low Risk Server Side Vulnerabilities
- Web Application Firewall Detected
- Open_Basedir Restrictions
- Sitemap.xml Discovered
Key Benefits
- Automated web application vulnerability testing (on-premise)
- Modern and simple user interface/Client-Server architecture/Powerful REST API
- Comprehensive web crawler (HTML, HTML5, AJAX, Web 2.0, Flash)
- Fast scanning engine
- JavaScript and Flash support
- API security scanning (WebServices, SOAP, JSON and XML)
- Post-Authentication web application scanning (2FA, OTP, CAPTCHA)
- Additional security audit tools for web security assessment
- Identification of over 60 different vulnerability types and more than 5,000 CVE vulnerabilities
DefenseCode Webstrike 3.1.0
2021-Oct-4
- Added: Scan scheduling, schedule management
- Added: OpenID Connect Single-Sign-On (SSO) support
- Added: SAML Single-Sign-On (SSO) support
- Added: Group mapping across all authentication mechanisms
- Added: HAR request imports to aid the crawling process
- Added: Scan results filtering by URL or parameters
- Added: Email notifications with report attachments
- Added: Slack notifications
- Added: Scan configuration overview in Config tab
- Changed: Default thread number changed to 12 for optimal performance
- Changed: Enabled LDAP default role mapping configuration
- Changed: Engine speed optimizations
- Fixed: System encoding issues (JIS, Shift-JIS and other)
- Fixed: Various "Extract Session Data" feature fixes related to target application behaviors and frameworks
- Fixed: Various Web User interface issues
# DefenseCode WebStrike version 3.0.1 CHANGELOG
## Added
[14/02/2021] Vulnerability suppression comments
[15/02/2021] Scan templates feature
[19/02/2021] Vulnerability type coverage added to reports
## Fixed
[27/01/2021] Login wrong password errors UI visibility issue
[10/02/2021] Vulnerability counts issue with false positives
[15/02/2021] UI User editing groups removal issue
[15/02/2021] Form Authentication fields capture issues
## Changed
[08/02/2021] Wkhtmltopdf replaced with Chromium for PDF report generation
[18/02/2021] Redesigned HTML/PDF reports
E-SPIN Value Proposition
E-SPIN have actively in promoting DefenseCode full range of products and technologies since 2018 as part of the company Vulnerability Management (VM) and Application Security Testing (AST) solution portfolio. E-SPIN is active in provide consulting, supply, training and maintaining DefenseCode products for the enterprise, government and military customers (or distribute and resell as part of the complete solution package) on the region E-SPIN do business. The enterprise range from university, corporate, government agencies to IT security professionals / analysts on the web application security or cyber security / cyber warfare /military defense applications or secure development or DevSecOps, CI/CD systems with static application security testing (SAST) and dynamic application security testing (DAST).
Please feel free to contact E-SPIN for your inquiry and requirement, so we can assist you on the exact requirement in the packaged solutions that you may required for your operation or project needs.
ThunderScan Static Application Security Testing (SAST)
Wednesday, 06 October 2021
DefenseCode ThunderScan Static Application Security Testing (SAST) is solution for performing comprehensive security inquiry of application source code. ThunderScan is accessible to use, requires almost no user input and can be expand during or after development. It is an efficient alternative to the demanding and time-consuming procedure of manual code reviews. ThunderScan performs fast and
- Published in DefenseCode, Product
WebStrike Dynamic Application Security Testing (DAST)
Wednesday, 06 October 2021
DefenseCode Webstrike Dynamic Application Security Testing (DAST) Scanner, formerly known as WebScanner before v2.0.1, is a solution for complete security audits of active web applications (websites). Active web applications (websites) are constantly exposed to malicious attacks. The best practice is to regularly use DefenseCode WebStrike solution for performing security audits of your websites. DefenseCode WebStrike
- Published in DefenseCode, Product
2 Hours Workshop Shifting left with SAST, use DefenseCode Thunderscan onboard SAST into SDLC
Monday, 16 August 2021
It’s time for the E-SPIN 16th anniversary celebration to begin. As per our earlier celebration opening statements, it is time for E-SPIN to giveaways for the customers in this period of time. For all the customers and business partners, please participate in this fully sponsored by E-SPIN and DefenseCode event, you are welcome to share
- Published in DefenseCode
ThunderScan integrated into CircleCI CI/CD pipeline
Wednesday, 11 August 2021
The world is moving toward DevSec/DevSecOps integration and automation, to speed up the workflow and speed to handle all the DevOps/DevSecOps change requests to ongoing automated triggers for application scanning, from dynamic to static. In fact, more and more large volume enterprise use cases involved setup of the DevOps/DevSecOps for continuous integration and continuous delivery
- Published in DefenseCode
DefenseCode for DevSecOps
Monday, 28 June 2021
DefenseCode for DevSecOps, this is a special event E-SPIN organize for business partner and end customer how DefenseCode ThunderScan SAST and WebStrike DAST can be deploy together to gain triple productive for the customer who have the two products, and how to use it accelerate your DevSecOps, secure DevOps or agile development lifecycle you are
- Published in Brand, DefenseCode, Product, Solution
DefenseCode uncovered Umbraco CMS High Risk Security Vulnerabilities
Friday, 26 March 2021
Umbraco is an open-source content management system (CMS) platform for publishing content on the World Wide Web and intranets. It is written in C# and deployed on Microsoft based infrastructure. It as one of the leading .NET-based open source CMS systems. Technology wise, Umbraco is primarily written in C#, stores data in a relational database (commonly Microsoft SQL Server) and works on Microsoft IIS. Umbraco’s front-end is built upon Microsoft’s .NET
- Published in DefenseCode
DefenseCode Webstrike DAST and Thunderscan SAST Technology Update Training
Wednesday, 03 March 2021
Post event video summary, spread into three video Part 1 focus on app security testing market change and challenges, cloud migration and standard, specific controls requirements Part 2 focus on the Thunderscan SAST product update. Part 3 focus on the Webstrike DAST product update. For existing and new customers and partners, it is our pleasure
- Published in Brand, DefenseCode, Product, Webinar Archive
Webinar Static application security testing (SAST) with ThunderScan Desktop & Enterprise
Thursday, 19 November 2020
This is a routine hour long technical overview, highly essential and recommended for customers, who are considering to running Static Application Security Testing (SAST) with ThunderScan Desktop & Enterprise . The best way to ensure that your applications are free from critical vulnerabilities is to perform a comprehensive audit of application source code using ThunderScan.
- Published in DefenseCode, Webinar Archive
DefenseCode ThunderScan Static Application Security Testing (SAST) GitHub Action
Wednesday, 07 October 2020
At the time for this update, DefenseCode have made ThunderScan, one of the industry reputable modern static application security testing (SAST) solutions available as GitHub Action. With this new feature update, ThunderScan SAST is now offering security vulnerability analysis across 30+ languages providing detailed vulnerability reports integrated into GitHub. GitHub is a well known-developer collaboration
- Published in DefenseCode
DefenseCode Corporate Identity Change Notice
Friday, 17 April 2020
Date: 17-Apr-2020 Dear all customer and channel partners across the region and segment, we would want to bring in your awareness that supplier DefenseCode have revamp their new website, together is the change of corporate identity where you will notice for the change in the new company logo together with the two new product line
- Published in Brand, DefenseCode
DefenseCode Product Update
Thursday, 28 March 2019
After the notice of DefenseCode product update being share last week, to make it easy to explain for the new license scheme. Our officer is make the video for it, for those who prefer audio-visual and live presentation, you click on the video link (original hosted at youtube). It should help to explain the matter
- Published in Brand, DefenseCode, Product
DefenseCode Product Price Rise Early Notice
Friday, 22 March 2019
Dear all customer and partner, Please be noted that manufacturer had issue the early notice dated 22-Mar-2019 and to inform all their product line will subject to price rise, effectively from 1st April 2019 onward. The Dynamic Application Security Testing (DAST) product WebScanner will price rise and now remain only single install, unlimited web scan
- Published in Brand, DefenseCode, Product
How To Generate Report Using DefenseCode Web Scanner
Friday, 01 March 2019
This is wide request for guiding how to generate report using DefenseCode Web Scanner. So we prepare this how to post to address those requirement. First you need to download the installer and had the license key in hand. Run the application DefenseCode Web Scanner on computer you installed. 1. After you run the Web
- Published in Brand, DefenseCode, FAQ
How To Generate Report From DefenseCode Thunder Scan
Friday, 01 March 2019
It is very wide request and requirement for guided how to generate report from DefenseCode Thunder Scan. So we prepare this how to post to guide customer on this matter. Download the installer and had the license key in hand. Run the application DefenseCode Thunder Scan on computer you installed. 1.Go to File Manager and
- Published in Brand, DefenseCode, FAQ
DefenseCode WebScanner Web Application Security Scanner (DAST)
Sunday, 02 December 2018
DefenseCode WebScanner Web Application Security Scanner (DAST) is a (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications (websites). WebScanner will test a website’s security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would. DefenseCode WebScanner can be used
- Published in DefenseCode, Product
E-SPIN and DefenseCode
Saturday, 01 December 2018
DefenseCode DefeseCode founded in 2010, provides a range of consulting and assessment services to help organizations measure their security posture and build a thorough and compliant security program to support their business strategy. Most of our clients come from the e-banking, finance, telecommunications, insurance, legal, IT and retail sectors. DefenseCode delivers products and services designed
- Published in DefenseCode