Apache Security - Ivan Ristic [208]

to look.

Up-to-date signature database

Having an up-to-date database of signatures, covering web server vulnerabilities as well as vulnerabilities in dozens of publicly available software packages, is a big plus if you need to perform a black-box assessment quickly.

Reporting

With a good commercial tool, it is easy to create a comprehensive and good-looking report. If your time is limited and you need to please the customer (or the boss), a commercial tool is practically the only way to go.

One significant disadvantage is the cost. The area of web application security is still very young, so it is natural that tools are expensive. From looking at the benefits above, employees of larger companies and web security consultants are the most likely to buy commercial tools. Members of these groups are faced with the unknown, have limited time available, and must present themselves well. An expensive commercial tool often increases a consultant's credibility in the eyes of a client.

Here are some of the well-known commercial tools:

SPI Dynamics WebInspect (http://www.spidynamics.com)

WatchFire AppScan (http://www.watchfire.com)

Kavado ScanDo (http://www.kavado.com)

N-Stalker's N-Stealth (http://www.nstalker.com)

Syhunt TS Security Scanner (http://www.syhunt.com)

HTTP Programming Libraries

When all else fails, you may have to resort to programming to perform a request, or a series of requests, that would be impossible to make otherwise. If you are familiar with shell scripting, the combination of expect (a tool that drives interactive programs programmatically), netcat, curl, and stunnel (which wraps a plaintext tool such as netcat in an SSL connection) may work well for you. (If you do not already have expect installed, download it from http://expect.nist.gov.)

For those of you who are more programming-oriented, turning to one of the available HTTP programming libraries will let you do what you need quickly:

libwww-perl (http://lwp.linpro.no/lwp/)

A collection of Perl modules that provide the functionality needed to programmatically generate HTTP traffic.

libcurl (http://curl.haxx.se/libcurl/)

The core library used to implement curl. Bindings for 23 languages are available.

libwhisker (http://www.wiretrip.net/rfp/lw.asp)

A Perl library that automates many HTTP-related tasks. It even supports some IDS evasion techniques transparently. A SecurityFocus article on libwhisker, "Using Libwhisker" by Neil Desai (http://www.securityfocus.com/infocus/1798), provides useful information on the subject.

Jakarta Commons HttpClient (http://jakarta.apache.org/commons/httpclient/)

If you are a Java fan, you will want to go pure Java, and you can with HttpClient. Feature-wise, the library is very complete. Unfortunately, every release comes with an incompatible programming interface.
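The kind of scripted request series the libraries above are for, as an added example that is not part of the book: a black-box probe that sends one request per HTTP method and reports which methods the server handles, the sort of check you would run before tightening request-method limits. It uses only the Python standard library (http.client as a stand-in for the libraries listed, http.server for a throwaway local target) so it runs offline; the target handler, its GET-only behaviour and the method list are constructed here for the example.

```python
"""Probe which HTTP methods a server accepts, as an assessment script would.

Added example (not from the book): uses only the Python standard library so
it runs offline. The target handler is constructed here and implements GET
only; http.server answers every other method with 501, so the probe should
report GET as handled and the rest as rejected.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods a black-box check typically tries. TRACE, PUT and DELETE are the
# ones you would normally expect a production server to reject.
PROBE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE", "PUT", "DELETE", "PROPFIND")


class GetOnlyHandler(BaseHTTPRequestHandler):
    """Constructed target: serves GET only. The base class answers any
    method without a matching do_<METHOD> with 501 Unsupported method."""

    def do_GET(self):
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Silence the default per-request logging so the probe output is clean.
        pass


def start_target():
    """Start the throwaway server on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), GetOnlyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe_methods(host, port, methods=PROBE_METHODS, path="/", timeout=5):
    """Send one request per method and return {method: status_code}.

    A fresh connection per request keeps a server that closes the socket
    after an error (as http.server does) from skewing later results.
    """
    results = {}
    for method in methods:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            results[method] = resp.status
        finally:
            conn.close()
    return results


def allowed_methods(results):
    """Methods the server handled rather than rejected with 405 or 501."""
    return sorted(m for m, code in results.items() if code not in (405, 501))


def run_probe():
    """Spin up the constructed target, probe it, and shut it down again."""
    server = start_target()
    host, port = server.server_address
    try:
        return probe_methods(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    res = run_probe()
    for method, code in res.items():
        print(f"{method:9s} -> {code}")
    print("handled:", allowed_methods(res))
```

Against a real target you would call probe_methods() with the host and port of the server under test instead of run_probe(); treating 405 and 501 as rejections is a heuristic, so read the raw status codes too, because some servers answer unknown methods with 200 or 400 and still process them.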

Index

* * *

A note on the digital index


A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

* * *

Symbols


3DES (Triple-DES) encryption, Symmetric Encryption

directive, Limiting request methods

directive, Limiting request methods

directive, Limiting request methods

directive, Proxy Access Control

directive, Proxy Access Control

directive, Using suEXEC for mass virtual hosting

, Security Definitions

A


AcceptMutex directive, Apache 2

access control, Overview, Overview, Overview, Authentication Methods, Basic Authentication, Digest Authentication, Form-Based Authentication, Basic Authentication Using Plaintext Files, Basic Authentication Using Plaintext Files, Working with groups, Basic Authentication Using DBM Files, Basic Authentication Using DBM Files, Digest Authentication, Digest Authentication, Digest Authentication, Certificate-Based Access Control, Network Access Control, Using environment variables, Proxy
