DefenseCode is developing both static and dynamic application security testing solutions that are fast, easy to use, effective and accurate. DefenseCode delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities using Dynamic Application Security Testing (DAST, BlackBox Testing) and Static Application Security Testing (SAST, WhiteBox Testing) technologies. DefenseCode has in-depth experience in penetration testing, zero-day vulnerability research, security audits and source code security analysis.
ThunderScan Application Security
DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan is easy to use, requires almost no user input and can be deployed during or after development. It is an efficient alternative to the demanding and time-consuming procedure of manual code reviews. ThunderScan performs fast and accurate analyses of large and complex source code projects delivering precise results and low false-positive rates.
Application source code analysis is the best and most comprehensive way to assure your application is free of security vulnerabilities (SQL Injections, Cross-Site Scripting Vulnerabilities, File Inclusion, Code Execution, etc.).
DefenseCode ThunderScan is designed to perform a comprehensive security assessment of desktop, web, and mobile application source code and it has repeatedly proven its effectiveness by discovering critical vulnerabilities in popular open-source applications.
Vulnerabilities
SQL Injection: SQL injection lets an attacker read private information from the web server's database (dumping its contents, such as passwords or credit card numbers), and can lead to remote code execution and even total system compromise.
XPATH Injection: XPath injection is an attack targeting websites that create XPath queries from user-supplied data. If an application embeds unprotected data into an XPath query, the query can be altered so that it is no longer parsed in the manner originally intended.
Cross-Site Scripting: Cross-site scripting is an injection vulnerability in which the attacker injects a malicious script into a trusted website. Usually it is a browser-side script that is then executed in the browsers of the website's users.
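The three ThunderScan findings above share one root cause: untrusted input is spliced into a string that another engine (SQL, XPath, the browser) later parses as code. The following is an added illustration, not DefenseCode code, showing the SQL injection case with Python's standard sqlite3 module: a login check that builds the query by string formatting next to the same check with bound parameters. The table, users and the `login_*` function names are constructed for this example; passwords are kept in clear text only to keep it short.

```python
import sqlite3


def make_db():
    """Constructed sample data: a minimal users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable form: the input is pasted into the SQL text, so a quote in
    the input changes the structure of the query. This is the pattern a SAST
    tool reports as SQL injection."""
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Hardened form: the query text is a constant and the driver binds the
    values as data, so quotes in the input can never become SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(conn, username, password):
    """Run both variants on the same credentials and return the two verdicts,
    so the difference is visible as a return value rather than only printed."""
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    db = make_db()
    # A password containing a single quote is the textbook input that
    # separates the two variants: the vulnerable query's WHERE clause is
    # rewritten, the parameterized query simply compares the literal string.
    print(compare(db, "alice", "s3cret"))
    print(compare(db, "alice", "' OR '1'='1"))
```

The same principle applies to the XPath injection finding on this page: the query text should be fixed and the user-supplied values passed through a binding mechanism or validated against an allowlist before they reach the query builder. The reason a static analyzer can find both is that the data flow from a request parameter into a query string is visible in the source without running the application.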
Key Benefits:
Ease of use, accuracy, speed, a low false-positive rate and support for a wide range of programming languages.
Web Security Scanner
DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications (websites). WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.
DefenseCode WebScanner can be used regardless of the web application development platform. It can be used even when the application source code is no longer available. WebScanner supports major web technologies such as HTML, HTML5, Web 2.0, AJAX/jQuery, JavaScript and Flash. It is designed to execute more than 5000 Common Vulnerabilities and Exposures tests for various web server and web technology vulnerabilities and will discover more than 50 vulnerability types, including OWASP Top 10.
WebScanner is fast, effective, highly accurate, easy to use and requires virtually no user input.
Vulnerabilities
HTTP Response Splitting: HTTP response splitting is a web application vulnerability that allows an attacker to use a carriage-return (CR, ASCII 0x0D) line-feed (LF, ASCII 0x0A) sequence to craft one HTTP request whose response is interpreted as two HTTP responses (instead of one) on the target's machine, potentially enabling other kinds of attacks (cross-site scripting, cross-user attacks, web cache poisoning...).
Server Side Includes: Server-side includes (SSI) are small dynamic directives that the web server parses before serving an otherwise static HTML page to the user. They are an alternative to CGI programs for simple tasks such as executing system commands (e.g. printing the current time), printing web server CGI environment variables, etc.
Backup File: Backup copies of files are sometimes left on the web server by administrators or developers. These files can contain script sources, configuration files or other sensitive information which could allow an attacker to compromise the system.
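The response splitting entry above depends on a CR/LF pair reaching a response header unchanged. The following is an added example, not DefenseCode or WebScanner code, of the two things a defender does about that: refuse any header value that still contains a line terminator after the request parameter has been percent-decoded, and scan web server access logs for requests that carried an encoded CR/LF into a query string. The function names, the redirect parameter name `to` and the access-log lines are constructed for this example; the log format follows the common combined-log layout.

```python
import re
from urllib.parse import unquote

# A CR, LF or NUL inside a header value lets the value end its own header
# line; that is the whole mechanism behind HTTP response splitting.
_CTL = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value):
    """True when the value cannot terminate the header line it is placed in."""
    return _CTL.search(value) is None


def header_value_from_request(raw_param):
    """Decode a percent-encoded request parameter that is destined for a
    response header (a redirect target, for instance) and refuse it if the
    decoding revealed a line terminator. Values that are double-encoded
    (%250d) stay encoded after one decode and are therefore harmless here."""
    decoded = unquote(raw_param)
    if not is_safe_header_value(decoded):
        raise ValueError("line terminator in header value")
    return decoded


def accepts(raw_param):
    """Convenience wrapper: True if the parameter would be emitted as a header."""
    try:
        header_value_from_request(raw_param)
    except ValueError:
        return False
    return True


def serialize_head(status_line, headers):
    """Join the status line and validated headers into the bytes that go on
    the wire: CRLF between lines, an empty line closing the head."""
    lines = [status_line] + ["%s: %s" % (name, value) for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def count_heads(raw):
    """Number of header blocks a downstream parser would see; a correctly
    built single response yields exactly one."""
    return raw.count(b"\r\n\r\n")


# Detection side: the request target sits between the method and "HTTP/".
_LOG_LINE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')


def flag_crlf_probes(log_lines):
    """Return the request targets whose decoded form carries a CR or LF.
    One decode pass is applied, matching what a typical framework does."""
    hits = []
    for line in log_lines:
        match = _LOG_LINE.search(line)
        if match and not is_safe_header_value(unquote(match.group("target"))):
            hits.append(match.group("target"))
    return hits


# Constructed sample access-log lines; the second carries an encoded CRLF.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /redirect?to=%2Fhome HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /redirect?to=%2Fhome%0d%0aX-Probe:%201 HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    location = header_value_from_request("%2Fhome")
    head = serialize_head("HTTP/1.1 302 Found", [("Location", location), ("Content-Length", "0")])
    print(head, count_heads(head))
    print(flag_crlf_probes(SAMPLE_LOG))
```

The validation runs on the decoded value because that is the form the server writes into the response; checking the raw parameter for the literal characters would miss the percent-encoded case entirely. The log scan is a cheap way to see whether a scanner such as WebScanner, or anyone else, has been exercising this vulnerability class against a site.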
Key Benefits:
A modern and simple user interface, a comprehensive web crawler and a fast scanning engine.