SPOS—App


Web app vulnerability scanning cloud platform




Introduction

The Yunscanner web application security vulnerability scanning system ("Yunscanner WVS"), a research result of Dayu Lab of ABT defense lab, is a professional-level vulnerability detection system designed specifically for the security of Web applications themselves. Building on leading security detection technology and experience from abroad, the lab has thoroughly analyzed and researched the key technologies and technical difficulties of Web application vulnerability scanning and has made a series of breakthrough results. In the types of vulnerabilities supported, crawler capability, automatic identification of login forms, false negative rate, false positive rate and other key indicators, "Yunscanner WVS" has an absolute competitive advantage over similar products in the industry, both in the country and internationally.

"Yunscanner WVS" can be widely used with all types of browser-based Web applications, such as websites, forums, e-mail, e-government services, online trading platforms and online banking. It is suitable not only for the enterprises that operate these systems, but also for the enterprises that develop them and the parties that accept them.


Core technologies


Innovative crawler technology

The self-developed crawler, based on the latest browser engine technology, goes beyond the crawl capability of existing crawler tools and is the basic guarantee of a low false positive rate.


Highest cross-site script detection rate in the industry

Built on an accurate detection algorithm for XWASP's second XSS vulnerability, it not only supports conventional XSS vulnerability detection but also provides strong support for stored XSS and DOM XSS. With a zero false positive rate, it completely goes beyond the capability of such tools to detect XSS vulnerabilities.


Linux applicability

Because it is based on the Linux platform, it is free from Windows copyright and performance constraints and benefits from the inherent performance advantages of Linux.


Powerful cloud deployment capability

Support for cloud computing was considered from the beginning of the product architecture design, so "Yunscanner WVS" not only has strong cloud deployment capabilities but also provides a very convenient interface and strong scalability.


Functions

  • It fully supports OWASP TOP10, with a very low false positive rate and false negative rate;

  • Following the WASC standard classification, it supports the most complete set of Web application vulnerability types, with the finest classification granularity;

  • With a crawler based on the latest browser engine technology, it can process many kinds of dynamic content and provides the most comprehensive and most powerful analytical capabilities;

  • For each detected vulnerability, it can provide vulnerability evidence to the user through a snapshot;

  • For each detected vulnerability, it can provide a vulnerability verification interface so that users can conveniently verify the vulnerability;

  • It provides a scan log, so the user can conveniently view the scan results and scan progress;

  • It supports result snapshots, so the user can understand the true verification results from the contents of the snapshot;

  • It can generate a site directory tree of all pages scanned;

  • It supports authenticated scanning with multiple authentication methods;

  • For session-based authenticated scanning, it can capture the session automatically;

  • It can support HTTP and HTTPS scanning;

  • It can support scanning through a proxy;

  • It can support single-user concurrent scanning and multi-user concurrent scanning;

  • For a single scan task, it can support multi-threaded scanning;

  • It can provide scan configuration template management functions, convenient for users to conduct batch scan configuration;

  • It can support scan path settings, and avoid unnecessary or dangerous scanning content;

  • It can support scanning blacklist settings, and avoid scanning unnecessary or dangerous content;

  • It provides a series of scan acceleration options for professional security practitioners, so the user can choose between scanning time and scanning accuracy based on the actual situation;

  • The scanning configuration provides a header injection option to meet the security requirements of a particular site;

  • It provides a scan summary that makes it easier for users to understand the basic situation of the scan, the vulnerabilities and the vulnerability distribution;



Typical application scenarios

Deployment of "Yunscanner WVS" is flexible and simple: it only needs to be "network reachable" to the target site, and Web application vulnerability scanning and analysis can then be conducted. However, because scan time is affected by the speed of network access, it is recommended that "Yunscanner WVS" be deployed on the internal network where the Web server being evaluated is located in order to get the best scan performance; the scan operator only needs to be able to reach "Yunscanner WVS" remotely through a browser.