Monday, November 20, 2006

Correction - Comparison between Appscan and Webinspect

In my last posting, i discussed about some of the difference between appscan and webinspect. Ory Segal from watchfire pointed out a few areas which could have been interpreted wrongly as well. I have made changes to the original post and i am posting it separately for those who have already read it or if it is stored in cache somewhere.

  • View the actual attack during a scan session: Webinspect displays the actual attack string on the status bar during the scan and also if a vulnerability was found whereas in Appscan you can only view if there was a vulnerability found.

  • Vulnerabilities: Appscan found more vulnerabilities with more variants in a scan as compared to Webinspect. One other difference between the two products in terms of vulnerabilities is if there are 200 pages with same vulnerabilities, Appscan will display 1 vulnerability but can drill down to all the 200 pages whereas Webinspect will display as 1. Having said that, Appscan still detects more types of vulnerabilities then Webinspect.

  • What if webapp stops responding during scan: If your webapp stops responding during the scan, Webinspect displays an error and pauses the scan, so you can fix the problem and resume the scan later. Though appscan does the same but since the pause button is not on the toolbar and is as a dropdown it get a little confusing.

For comments and feedback, please email me at


John Terrill said...

I am a little confused on your statement about WebInspect not displaying all the vulnerabilities if it finds more than one. The only way that would be possible is if WebInspect detected multiple of the same vulnerabilities on the same page. Note that a page is determined by a file name and not a parameter so if different parameters on the same page are vulnerable, it still shows up as one vulnerable page. I believe that is being changed.

Anurag Agarwal said...

What i am trying to communicate here is that assuming there is a cross site scripting vulnerability in path in approx 200 different web pages (different urls and not parameters). Appscan displays a vulnerability XSS in path (200) and when you click on it, it will display all the 200 different URLs. whereas webinspect just displays XSS(1)

Anurag Agrawal said...

good work Anurag
Nice to read your blog.