Kevin Beaver's Security Blog

A quick review of WebInspect 9 shows HP’s still got it

It’s been a long time coming but it’s finally here: HP’s WebInspect version 9. I’ve been using WebInspect for nearly 10 years now and I believe this new version of WebInspect is one of the most significant upgrades they’ve put out. They’ve essentially taken what was already one of the best Web vulnerability scanners and have made it better, especially when it comes to workflow and streamlined usability.

A few things I think you’ll like about WebInspect 9 include:

1. A Review Vulnerability feature which allows you to retest specific vulnerabilities without having to run a full scan again. Nice.
2. A Steps feature which shows the pages/steps the scanner took to reach the vulnerability. Good for reproducing the flaw to exploit it manually and good for developers/QA pros to see how the scanner did what it did.
3. Streamlined macro recorder. It may take some getting used to but I think it’s better overall.
4. A tab feature to Close All, Close This, Close All But This when you have multiple scans open. I know it sounds a bit trite but little things like this matter a lot over time.

Speaking of usability, the scanner seems faster too. Maybe it’s just that I’ve finally realized the horsepower and torque needed to run such tools.

In addition, I’ve found that WebInspect 9 has gotten better at finding – and confirming – cross-site request forgery (CSRF) vulnerabilities. In fact when running WebInspect 9 it found some legitimate CSRF flaws that WebInspect 8 wasn’t able to uncover running a scan with the same parameters. You don’t want to rely on a scanner alone to find all CSRF-related flaws and you’ll want to validate such findings through manual analysis and/or a tool like CSRFTester (which is something you should check out if you haven’t already). That said it is nice to see that Web vulnerability scanners are getting better at ferreting out session-related flaws.

Also, SWFScan (HP’s standalone Flash vulnerability scanner) is now integrated into WebInspect along with the traditional tools. As with HTTP Editor and SQL Injector, just right-click on a specific Flash vulnerability, select SWFScan and off it goes.

My least favorite thing about WebInspect 9 is that it marks yet another milestone representing the loss of even more former SPI Dynamics employees at HP…my long-time colleagues and friends. Working with such a vast group of development, QA and product management professionals who are so on top of their game gives me hope in software security and shows that software can be made top notch when the right resources are put forth. It also shows that software vendors ARE listening to what people say so don’t hesitate to provide any feedback you may have. It’ll make a better product for all of us.

Keeping in mind all the things I’ve said about vulnerability scanners, WebInspect 9 is definitely worth checking out.