AppSec USA 2017 has ended
Thursday, September 21 • 10:30am - 11:15am
An Investigation into the Differences Between Web Application Scanning Tools when Scanning for XSS and SQLi

Web Application Vulnerability Scanners are becoming increasingly automated and are facing more difficulties as web technologies change and evolve.

As is evident from the October 2015 “TalkTalk hack”, where a 16-year-old boy performed an easily exploitable SQL Injection attack which resulted in TalkTalk losing £60 million and 157,000 customers having their details stolen, the effects of having insecure Web Applications can be utterly disastrous.

Web Application Scanning tools are used by Penetration Testers and Security folk alike in order to help identify vulnerabilities in a given web app. They come in many different forms and some cost a significant sum.

Scanners attempt to identify dangerous vulnerabilities like Cross Site Scripting (XSS) and SQL Injection among many others, and these tools must be constantly improved and enhanced in order to keep up with not only the latest malicious attacker techniques but also contemporary development frameworks.

For example, architectural changes and improvements such as Anti-CSRF tokens, recursive links and dynamically generated JavaScript URLs have a massive impact on a scanner's ability to effectively identify, crawl, scan and analyse a target web application for vulnerabilities.

This presentation addresses the problems that current web application scanners face in dealing with both traditional and contemporary web architectures and technologies. It suggests improvements and identifies pitfalls of using automation without applying intelligence and a contextual view of the target being assessed.

Robert Feeney

SecOps Lead, Edgescan
Robert is currently the Operations Lead for the edgescan™ managed service. His main responsibility is ensuring the high technical quality of the service and managing a team of security analysts from a technical excellence standpoint. Rob is an experienced security consultant...

Thursday September 21, 2017 10:30am - 11:15am EDT
Coronado L