What are the current scanners?
The Crashtest Security Suite can perform scans in two variants:
- Quick Scan: runs only non-invasive tests for "live" production versions of your code.
- Full Scan: runs all Crashtest Security Suite scanners.
Recommended only for test or development systems, because invasive scanners can degrade performance or modify live data on production systems.
Security vulnerabilities that the Crashtest Security Suite "Quick Scan" can detect:
- Server Version Fingerprinting
- Web Application Version Fingerprinting
- CVE Comparison of found issues
SSL/TLS security vulnerabilities:
- Heartbleed
- ROBOT
- BREACH
- BEAST
- Old SSL/TLS Version
- SSL/TLS Cipher Order
- SSL/TLS Perfect Forward Secrecy
- SSL/TLS Session Resumption
- SSL/TLS secure algorithm
- SSL/TLS key size
- SSL/TLS trust chain
- SSL/TLS expiration date
- SSL/TLS revocation (CRL, OCSP)
- SSL/TLS OCSP stapling
- Security Headers
- Content-Security-Policy headers
The "Full Scan" provides the full power of the Crashtest Security Suite, including the following security tests:
- All "Quick Scan" scanners (see above)
- Boolean-based blind SQL Injection
- Time-based blind SQL Injection
- Error-based SQL Injection
- UNION query-based SQL Injection
- Stacked queries SQL Injection
- Out-of-band SQL Injection
- Command Injection
- XML External Entity (XXE) Processing
- Reflected Cross-site scripting (XSS)
- Stored Cross-site scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Directory Fuzzer
- File Fuzzer