Another tool that has proven very useful during the assessment of web applications is WebInspect from SPI Dynamics. While WebInspect is a huge tool that supports automatic discovery, toolkits, reporting, and pre-made testing, it remains usable and easy to learn. WebInspect is more of a global web vulnerability assessment tool rather than a pure fuzzer.
One drawback of WebInspect appears when its WebSpider cannot discover the whole web application: WebInspect then reports only a minimal set of problems, because too little of the application was actually tested. Even so, during corporate web application vulnerability assessments WebInspect has proven itself to be one of the best tools of the trade. Figure 22-5 shows the WebInspect GUI interface to give you an idea of how the product reports information.
When using WebInspect, I've discovered it's not wise to run the tests on a live server. Rebuilding an exact replica of your web application and database in a lab environment is much safer. In some cases, either the load generated by WebInspect is just too high, or some settings on the target system must be changed to help WebInspect during the tests. Try removing the SSL layer to lower the load on both systems, allowing directory listing of files and sub-paths, or placing a marker on the page a user sees after being logged off so that WebInspect knows when to log in again.
A general rule when using WebInspect is to make a little opening available that you know how to safely close afterward, so that the testing/discovery part can be as thorough as possible. While WebInspect is very good, sometimes it just needs a little help to safely get started.
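As an added illustration of that rule (this is example code, not from the book or from SPI Dynamics), the snippet below puts every lab-only opening mentioned above behind a single `environment` switch and adds a start-up check that refuses to run outside the lab replica while any of them is still enabled. The configuration fields, the `LOGOUT_MARKER` token, and the in-memory web root are all constructed assumptions; a real deployment would map them onto the web server's own settings.

```python
# Added example: lab-only scanner "open doors" gated by one switch,
# plus a check that they are closed again before production use.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed marker string the scanner would be told to look for
# (assumption: any unique token that never appears elsewhere will do).
LOGOUT_MARKER = "LAB-SCANNER-LOGGED-OUT"


@dataclass
class ServerConfig:
    environment: str              # "lab" or "production" (assumption)
    tls_required: bool = True     # plain HTTP only tolerated in the lab
    directory_listing: bool = False
    logout_marker: bool = False


# Constructed in-memory web root standing in for the replica application.
# A value of None marks a directory rather than a file.
WEB_ROOT: Dict[str, Optional[str]] = {
    "/": "<html>home</html>",
    "/docs/": None,
    "/docs/readme.txt": "read me",
    "/docs/notes.txt": "notes",
}


def lab_openings(cfg: ServerConfig) -> List[str]:
    """Return the name of every lab-only relaxation currently switched on."""
    openings = []
    if not cfg.tls_required:
        openings.append("tls_required=False")
    if cfg.directory_listing:
        openings.append("directory_listing")
    if cfg.logout_marker:
        openings.append("logout_marker")
    return openings


def check_production_safe(cfg: ServerConfig) -> None:
    """Refuse to start if a lab opening was left enabled outside the lab."""
    if cfg.environment != "lab":
        left_open = lab_openings(cfg)
        if left_open:
            raise RuntimeError("lab openings still enabled: " + ", ".join(left_open))


def handle(cfg: ServerConfig, path: str, logged_in: bool) -> Tuple[int, Dict[str, str], str]:
    """Minimal request handler returning (status, headers, body)."""
    in_lab = cfg.environment == "lab"
    if not logged_in:
        headers = {"Content-Type": "text/html"}
        body = "<html>Please log in</html>"
        if in_lab and cfg.logout_marker:
            # Unambiguous signal that the session is gone, so the scanner
            # can re-authenticate instead of crawling the login page.
            headers["X-Lab-Marker"] = LOGOUT_MARKER
            body += "<!-- " + LOGOUT_MARKER + " -->"
        return 401, headers, body
    if path not in WEB_ROOT:
        return 404, {"Content-Type": "text/plain"}, "not found"
    content = WEB_ROOT[path]
    if content is None:  # a directory
        # Listing is gated on the environment as well as the flag, so a
        # stray flag in production still yields the normal 403.
        if in_lab and cfg.directory_listing:
            entries = sorted(p for p in WEB_ROOT if p.startswith(path) and p != path)
            return 200, {"Content-Type": "text/plain"}, "\n".join(entries)
        return 403, {"Content-Type": "text/plain"}, "forbidden"
    return 200, {"Content-Type": "text/html"}, content


if __name__ == "__main__":
    lab = ServerConfig("lab", tls_required=False, directory_listing=True, logout_marker=True)
    print("lab openings:", lab_openings(lab))
    print("lab /docs/:", handle(lab, "/docs/", True))
    print("lab logged out:", handle(lab, "/", False))
    check_production_safe(ServerConfig("production"))
    print("production config passed the closed-doors check")
```

The point of the design is that every relaxation is both switched on by a single, visible setting and ignored by the handler unless the server knows it is the lab replica, so closing the doors afterward is one change rather than a hunt through several.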
Those little open doors could be: