This page gives an overview of the security vulnerability scanners currently included in the Crashtest Security Suite.
The Crashtest Security Suite can run scans in two variants:
- "Production" scan:
  Runs only non-invasive tests, intended for "live" production versions of your code.
- "Test" scan:
  Runs all Crashtest Security Suite scanners.
  Recommended only for test or development systems, because active security scanners can degrade the performance of production systems.
Below is an overview of the scanners used in each of the two scan variants.
The links in the text lead to our wiki, which provides remediation guidance for these vulnerabilities.
Our "Production" scan tests your software for the following security vulnerabilities:
- Server Version Fingerprinting
- Web Application Version Fingerprinting
- CVE Comparison of found issues
- SSL / TLS Security Vulnerabilities
  - Old SSL/TLS Version
  - SSL/TLS Cipher Order
  - SSL/TLS Perfect Forward Secrecy
  - SSL/TLS Session Resumption
  - SSL/TLS secure algorithm
  - SSL/TLS key size
  - SSL/TLS trust chain
  - SSL/TLS expiration date
  - SSL/TLS revocation (CRL, OCSP)
  - SSL/TLS OCSP stapling
- Security Headers
  - Content-Security-Policy headers
The "Test" scan provides the full power of the Crashtest Security Suite, including the following security tests:
- All "Production" scanners (see above)
- Injection Attacks:
  - Boolean-based blind SQL Injection
  - Time-based blind SQL Injection
  - Error-based SQL Injection
  - UNION query-based SQL Injection
  - Stacked queries SQL Injection
  - Out-of-band SQL Injection
  - File Inclusion
  - Command Injection
  - XML External Entity (XXE) Processing
- Cross-site Scripting (XSS)
  - Reflected Cross-site Scripting (XSS)
  - Stored Cross-site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Directory Fuzzer
- File Fuzzer