
Posts Tagged ‘SQL injection’

When creating and maintaining a web application, it is very hard to carry out a complete manual security test, as there are many things to check for and many different methods exist for exploiting apps.

Netsparker is a professional yet user-friendly web application security scanner (runs on Windows) which makes it easy for developers of all levels to search for and find flaws in their apps.

The application has a simple and intuitive user interface where you can start scanning a web app almost instantly.

Netsparker

But this simplicity doesn't mean that the application itself is simple. Rather, it hosts an advanced set of scanning technologies which analyse apps in depth. It has full JavaScript/Ajax support and can keep working when authentication is required (once the auth info is supplied).

Best of all, Netsparker is false-positive free: if it reports that there is a vulnerability, then there really is one.

If you are planning to use it regularly and integrate it into your development environment, it has a command-line interface for easily automating and scheduling scans.

It is a pretty flexible tool: you can choose which pages/parts of a web app to scan, run it manually instead of fully automated, and customize or enable/disable the attack methods used.

Netsparker Settings

Once a scan is completed, Netsparker produces a report which includes a summary of all the detected vulnerabilities, together with links to additional actionable detail, such as the impact and the remedy of the vulnerability. These reports can also be customized using the Reports API provided.

How to join the giveaway?

To get a chance to win the Pro Edition License, just tweet with the #wrdnetsparker hashtag and link back to this post (click to tweet easily).

The winner will be selected randomly from the tweeters one week later (9 October 2012).

Good luck to all.

The winner

Here is the winner of the Netsparker Pro Edition License:

  • @themergency

Congratulations and thanks to everyone for joining.

Websites are getting more and more complex every day, and almost no purely static websites are being built anymore.

Today, even the simplest website has at least a contact or newsletter form, and many are built with CMS systems or use 3rd party plugins, services, etc. that we don't have exact control over.

Even if the website is 100% hand-coded and we trust what we created and think it is safe, it is still possible that a special character is not sanitized or that we are not aware of a new attack technique.

So it is really hard to say "my website is safe" without running tests against it. The good news is that there are powerful and free web application security testing tools which can help you identify possible holes.

Before presenting them, let's recall the classic: "something is only as secure as its weakest link" (which also reminds us that the weak link is not always the application; it can still be the server it is hosted on or that easy-to-remember FTP password).

Netsparker Community Edition (Windows)


This is the free community edition of the powerful Netsparker, which still comes with a bunch of features and is also false-positive free.

The application can detect SQL injection and cross-site scripting issues.

Once a scan is complete, it displays the solutions alongside the issues and lets you see the browser view and the HTTP request/response.

Websecurify (Windows, Linux, Mac OS X)


Websecurify is a very easy-to-use, open source tool which automatically identifies web application vulnerabilities using advanced discovery and fuzzing techniques.

Once run, it can create simple reports that can be exported into multiple formats.

The tool is also multilingual and extensible through add-on support.
