Tuesday, September 04, 2007

Rolling Reviews: N-Stalker

Jordan Wiens of Network Computing released his review of N-Stalker and OUCH! Normally reviews contrasts a products strong points against the weaker ones, but this one was basically all bad. Good for Jordan in telling it like it is. He did highlight an interesting feature though, scanning integrated with log analysis. If the product had found a vuln the theory is you could see if someone had been trying to exploit it. Nice.

Next up is the last major scan Watchfire's AppScan. I'll be watching close on how well they handle Ajax since no one has faired well at all. It might be time to call BS on the "we support Ajax claims". Personally, I don't think the use of Ajax causes a website to be any more or less secure, but I do think it makes it harder to find vulnerabilities. The reviews are proving that much.

Of course, WhiteHat Security will have to take its turn under Jordan's firing squad in due time.


Anonymous said...

Funny I tried N-Stalker last week, it did found more then Acunetix, but I got way too much False Positives, about 500+ which where very annoying. I only tested the free edition.



Bob Rich said...

The one redeeming value of N-Stalker is it's very broad database of known issues. It is really quite bad about dealing with false positives, and if you have a site that responds with friendly file not found errors (including HTTP 200 OK responses), it's next to worthless. But for standard sites that happen to be running some obscure application that has a vulnerability, N-Stalker (and it's estranged sister Syhunt SandCat) are better than any other commercial app I've used at finding them.

Jeremiah Grossman said...

Good to know, thanks Bob.

Anonymous said...

N-Stalker didn't actually do ANY fault injection testing last time I looked.

SandCat did, and had some potential. I loved the log analyzer built in too. Why didn't more of the desktop scanners do this? Neat feature, cheap to built, useful for trending analysis and forensics.

Rick (kingthorin) said...

I had a quick look at their Evaluation product a month or two back and they really need(ed) to hire a User Interface Specialist.

I only got to run it against a VERY small web app but it returned all kinds of false positives. It didn't even correctly finger print the server (the server still had banners enabled).