WebStrike DAST
DefenseCode WebStrike is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications (websites). Formerly known as WebScanner before version 2.0.1. WebStrike will test a website’s security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.
DefenseCode WebStrike can be used regardless of the web application development platform. It can be used even when application source code is no longer available. WebStrike supports major web technologies such as HTML, HTML5, Web 2.0, AJAX/jQuery, JavaScript and Flash. It is designed to execute more than 5000 Common Vulnerabilities and Exposures tests for various web server and web technology vulnerabilities. WebStrike is capable of discovering more than 60 different vulnerability types (SQL Injection, Cross Site Scripting, Path Traversal, etc.), including OWASP Top 10.
DefenseCode WebStrike is able to scan classic web applications (HTML, HTML5, Web2.0, AJAX, Javascript) along with API endpoints as Web Services, SOAP and JSON. WebStrike is capable of scanning web applications without any prior configuration but also post-authentication when the credentials are required.
WebStrike’s login sequence recorder and HTTP Proxy, allows an efficient method to scan websites and web applications that use CAPTCHA, OTP (One Time Password) or Two Factor Authentication (2FA).
WebStrike is fast, effective, highly accurate, easy to use and requires virtually no user input.
Vulnerabilities coverage
WebStrike can discover over 60 different classes of web application security vulnerabilities (including OWASP Top 10) and more than 5,000 CVE vulnerabilities.
-
HIGH$
per - SQL Injection
- Blind SQL Injection
- Timing Based SQL Injection
- File Disclosure
- Page Inclusion
- Command Execution
- Timing Based Command Execution
- PHP Code Injection
- ASP Code Injection
- PHP File Inclusion
- Source Code Disclosure
- LDAP Injection
- XPath Injection
- PUT File Upload
- Server Side Includes
- Stored Cross Site Scripting
- Stored Cross Site Scripting Other Page
- High Risk Server Side Vulnerabilities
- External Entity Injection (XXE)
- SSLv2.0 Supported
- SSLv3.0 Supported
-
MEDIUM$
per - Cross Site Scripting
- HTTP Response Splitting
- Backup File
- Directory Listing Allowed
- Form File Upload
- PHP Error Message
- Phpinfo Information Disclosure
- ASP Error Message
- Cross Site Request Forgery
- Open Redirection
- ViewState Not Encrypted
- Insecure CrossDomain Policy File
- Medium Risk Server Side Vulnerabilities
- DOM Cross Site Scripting
- Java Error Message
- Weak TLS Cipher Suites Supported
- TLS 1.2 Is Not Supported
- Certificate Name Mismatch
- SSL Expired Certificate
- Certificate Signed Using Weak Algorithm
-
LOW$
per - Buffer Overflow
- Common File Name
- Information Leak
- Form Input Autocomplete Enabled
- IP Address Leak
- E-Mail Address
- Path Disclosure
- User Credentials Are Transmitted In Clear Text
- Session Cookie not set to HTTPOnly
- Internal Server Error
- Software Version Disclosure
- HTTP Server Disclosure
- HTTP File Upload Form Detected
- TRACE HTTP Method Allowed
- CC Info Leak
- SSN Info Leak
- Robots File
- X-XSS-Protection Header Set To OFF
- X-Frame-Options Header Not Set
- OPTIONS HTTP method allowed
- PUT HTTP method allowed
- Low Risk Server Side Vulnerabilities
- Web Application Firewall Detected
- Open_Basedir Restrictions
- Sitemap.xml Discovered
Key Benefits
- Automated web application vulnerability testing (on-premise)
- Modern and simple user interface/Client-Server architecture/Powerful REST API
- Comprehensive web crawler (HTML, HTML5, AJAX, Web 2.0, Flash)
- Fast scanning engine
- JavaScript and Flash support
- API security scanning (WebServices, SOAP, JSON and XML)
- Post-Authentication web application scanning (2FA, OTP, CAPTCHA)
- Additional security audit tools for web security assessment
- Identification of over 60 different vulnerability types and more than 5,000 CVE vulnerabilities
# DefenseCode WebStrike version 3.0.1 CHANGELOG
## Added
[14/02/2021] Vulnerability suppression comments
[15/02/2021] Scan templates feature
[19/02/2021] Vulnerability type coverage added to reports
## Fixed
[27/01/2021] Login wrong password errors UI visibility issue
[10/02/2021] Vulnerability counts issue with false positives
[15/02/2021] UI User editing groups removal issue
[15/02/2021] Form Authentication fields capture issues
## Changed
[08/02/2021] Wkhtmltopdf replaced with Chromium for PDF report generation
[18/02/2021] Redesigned HTML/PDF reports
E-SPIN Value Proposition
E-SPIN have actively in promoting DefenseCode full range of products and technologies since 2018 as part of the company Vulnerability Management (VM) and Application Security Testing (AST) solution portfolio. E-SPIN is active in provide consulting, supply, training and maintaining DefenseCode products for the enterprise, government and military customers (or distribute and resell as part of the complete solution package) on the region E-SPIN do business. The enterprise range from university, corporate, government agencies to IT security professionals / analysts on the web application security or cyber security / cyber warfare /military defense applications or secure development or DevSecOps, CI/CD systems with static application security testing (SAST) and dynamic application security testing (DAST).
Please feel free to contact E-SPIN for your inquiry and requirement, so we can assist you on the exact requirement in the packaged solutions that you may required for your operation or project needs.