Information Technology Security at UVa
Web Application Vulnerability Scanner
The Process of Web Application Vulnerability Scanning
A web application vulnerability scanner is server based software that runs security tests against web applications. Since web applications are constantly facing the Internet, they are common targets for attacks. The detailed reports from the scanner will give you mitigation techniques and fixes that you can implement in a timely manner. Given the address of a web application, the scanner will create a report of the vulnerabilities found in the application. The bigger and more complex the web app, the more likely the scanner will find vulnerabilities. While the vulnerabilities vary in degree of importance, the report will allow you to concentrate on those vulnerabilities that cause the most concern in your computing environment.
Here is a sample of some information you might find in a report:
| Severity | High |
|---|---|
| Type | Application level test |
| Classification | Command Execution: SQL Injection |
| Security Risk | It is possible to view, modify or delete database entries and tables |
| Fix Recommendation | Sanitize user input |
| Severity | Low |
|---|---|
| Type | Infrastructure |
| Classification | Information Disclosure: Information Leakage |
| Security Risk | Disclosing the directory structure |
| Fix Recommendation | Issue a "404 - Not Found" response instead of "403 -Forbidden" response |
Web applications are best scanned in a development environment. If a development environment is not available, then scheduling the scan to avoid service disruption is recommended. The size of the web application determines the time it takes to scan.
If you would like to request a web application vulnerability scan, please contact ISPRO using our online form. Please note that requests for scans must be approved by the owning department's management.
Page Updated: 2011-06-30
