With Dynamic Reviewer Safe-PenTest module, you can inspect your Web Application, REST API, SOAP Services, App Engines and Micro-Services during running, directly using your Browser, in non-invasive way.
...
Web App. You can install it at your premises, installable in any host OS supporting Docker.
Team Reviewer Plugin. BlackBox DAST plugin. Team Reviewer pre-installed is required.
Cloud App. Like a local installed app, it provides various Usage Modes and Connection Modes.
...
You can import third-party results from Security Scanners, Host Scanners and Proof-of-Exploits tools. Their results will be correlated automatically and a unified Enterprise Report is generated.
Dynamic Reviewer DAST provides a robust and stable framework for Web Application Security Testing, suitable for all Security Analysts, QA and Developers with False Positives and False Negatives support, offering an easy-to-use Web GUI, Advanced Scan and Enterprise Reporting capabilities.
...
Black Box mode. It is placed in the role of the average hacker, with no internal knowledge of the target system. Testers using Dynamic Reviewer are not provided with any architecture diagrams or source code that is not publicly available. Dynamic Reviewer determines the vulnerabilities in a system that are exploitable from outside the network.
This means that Black-Box penetration testing relies on dynamic analysis of currently running programs and systems within the target network.
Dynamic Reviewer follows the OWASP Web Security Testing Guide, chapter 4. Web Application Security Testing.
Further, Dynamic Reviewer analyzes in deep the client-side code (Ajax, DOM, JavaScript, TypeScript, etc.) discovering the largest number of client-side vulnerabilities in the market.White Box mode. [Cloud only] It performs Authentication before starting the scan. It provides the following Login modes:
Form-Based Authentication: login with User and Password as Web form, You can configure more than one user, they will be tested all.
JSON-Based Authentication: submit a JSON object with credentials
Tokern-Based Authentication: You can modify the request headers for inserting tokens
Script-Based Authentication: upload and execute a custom script used to login. This method is useful for websites / webapps where the authentication is a more complex one and some custom scripts that handle the authentication process are beneficial.
...
Connection Modes
Both on premises and Cloud installations can connect to the target Web Application in different modes:
...
SSH Tunnelling. A temporary SSH key will be automatically generated for the current Scan. The User can download it and execute the commands shown in the screen. It will create a SSH Tunnel to reach the target Web Application.
...
Findings
Once Scan is terminated, you have a list of Findings. You can:
Suppress a Finding Category (example: all Blind SQL Injection issues)
Suppress one or more Findings inside a Category
Add Comments to the entire scan, to a Finding Category, to a single Finding
Modify, Delete, change Severity tag, Merge Findings
Import Results from third-party tools
Export Combined Results in PDF, HTML, JSON, CSV, Excel and Word format
Add Evidences to the Findings
...
Export Combined Results in PDF, HTML, JSON, CSV, Excel and Word format
Add Evidences to the Findings
...
You can drill-down to each Finding category:
...
Each Category groups a bunch of vulnerablities found in the virtual Attacks:
...
We call such Attacks ‘virtual’ because Dynamic Reviewer does not really execute the Attack/Exploit, but simulate it only.
Further, instead of declaring hundreds or even thousands of vulnerabilities you can focus of their categories, for a smarter Vulnerability Management.
Powered By
Dynamic Reviewer is Powered By the following open source tools:
OWASP ZAP (Proxy)
CycloneDX (SBOM)
p0f, DataSploit (Fingerprinting)
pWeb, Enlightn, Magescan, Droopescan, Joomscan, Typo3scan(Wordpress, Laravel, Magento, Drupal, Joomla, TYPO3, and other PHP CMS Discovery)
wXf, SearchSploit (Ready-to-use Web Exploits)
OSVDB, NVD, GHSA, RUSTSEC, PYUP, ALPINE, Exploit-DB (Vulnerability Databases)
retireJS (Outdated and vulnerable JavaScript and TypeScript 3rd-party libraries detection)
0d1n (Login brute-force)
John The Ripper (Password recovery and cracking)
Wfuzz, WebFormFuzzer, SQLInjectionFuzzer, FuzzAPI (Web Application and REST API Fuzzers)
SQLMap (SQL Injection and DB takeover)
Selenium (WebDrivers for Crawling)
Postman (API support)
All vulnerabilities resulting from the above OSS tools, will be collected and correlated and included in the Dynamic Reviewer results.
...
The list of DOM Security Issues found by Dynamic Reviewer are:
# | Issue | Type | Category |
1 | Code Injection - Client Side | Error | Code Execution |
2 | Code Injection - PHP input wrapper | Error | Code Execution |
3 | Code injection - Timing | Error | Code Execution |
4 | File Inclusion - Client Side | Error | Code Execution |
5 | OS Command Injection - Client Side | Error | Code Execution |
6 | OS Command Injection - Timing | Error | Code Execution |
7 | Remote File Inclusion Client Side | Error | Code Execution |
8 | Session Fixation | Error | Code Execution |
9 | XSS - DOM | Error | Code Execution |
10 | XSS - DOM - Script Context | Error | Code Execution |
11 | XSS - Event | Error | Code Execution |
12 | Data from attacker controllable navigation based DOM properties is executed as HTML | Error | Code Execution |
13 | Data from attacker controllable navigation based DOM properties is executed as JavaScript | Error | Code Execution |
14 | Data from attacker controllable URL based DOM properties is executed as HTML | Error | Code Execution |
15 | Data from attacker controllable URL based DOM properties is executed as JavaScript | Error | Code Execution |
16 | Non-HTML format Data from DOM storage is executed as HTML | Warning | Code Execution |
17 | Non-JavaScript format Data from DOM storage is executed as JavaScript | Warning | Code Execution |
18 | HTML format Data from DOM storage is executed as HTML | Info | Code Execution |
19 | JavaScript format Data from DOM storage is executed as JavaScript | Info | Code Execution |
20 | Data from user input is executed as HTML | Warning | Code Execution |
21 | Data from user input is executed as JavaScript | Warning | Code Execution |
22 | Non-HTML format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Error | Code Execution |
23 | Non-JavaScript format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Error | Code Execution |
24 | HTML format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Warning | Code Execution |
25 | JavaScript format Data taken from external site(s) (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
26 | Non-HTML format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Warning | Code Execution |
27 | Non-JavaScript format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
28 | HTML format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Info | Code Execution |
29 | JavaScript format Data taken from across sub-domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Info | Code Execution |
30 | Non-HTML format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Warning | Code Execution |
31 | Non-JavaScript format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Warning | Code Execution |
32 | HTML format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as HTML | Info | Code Execution |
33 | JavaScript format Data taken from same domain (via Ajax, WebSocket or Cross-Window Messages) is executed as JavaScript | Info | Code Execution |
34 | Weak Hashing algorithms are used | Error | Cryptography |
35 | Weak Encryption algorithms are used | Error | Cryptography |
36 | Weak Decryption algorithms are used | Error | Cryptography |
37 | Cryptographic Hashing Operations were made | Info | Cryptography |
38 | Encryption operations were made | Info | Cryptography |
39 | Decryption operations were made | Info | Cryptography |
40 | Potentially Sensitive Data is leaked (via HTTP, Ajax, WebSocket or Cross-Window Messages) | Error | Data Leakage |
41 | Potentially Sensitive Data is leaked through Referrer Headers | Error | Data Leakage |
42 | Data is leaked through HTTP | Warning | Data Leakage |
43 | Data is leaked through WebSocket | Warning | Data Leakage |
44 | Data is leaked through Cross-Window Messages | Warning | Data Leakage |
45 | Data is leaked through Referrer Headers | Warning | Data Leakage |
46 | Potentially Sensitive Data is stored on Client-side Storage (in LocalStorage, SessionStorage, Cookies or IndexedDB) | Warning | Data Storage |
47 | Data is stored on Client-side Storage (in LocalStorage, SessionStorage, Cookies or IndexedDB) | Info | Data Storage |
48 | Cross-window Messages are sent insecurely | Error | Communication |
49 | Cross-site communications are made | Warning | Communication |
50 | Communications across sub-domains are made | Warning | Communication |
51 | Same Origin communications are made | Info | Communication |
52 | JavaScript code is loaded from Cross-site Sources | Warning | JS Code |
53 | JavaScript code is loaded from across sub-domains | Info | JS Code |
54 | JavaScript code is loaded from Same Origin | Info | JS Code |
Configuration options include:
...
Dynamic Reviewer provides the following HTTP passive and active scan rules which find specific vulnerabilities. Dynamic Reviewer can discover the following OWASP ZAP Web Security Issues:
Id | Ossue | Risk | Type |
|---|---|---|---|
Medium | Active | ||
Low | Passive | ||
Medium | Passive | ||
High | Active | ||
High | Active | ||
High | Active | ||
Medium | Active | ||
High | Active | ||
High | Passive | ||
High | Passive | ||
Low | Passive | ||
Low | Passive | ||
Informational | Passive | ||
High | Passive | ||
Low | Passive | ||
Informational | Passive | ||
High | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Low | Passive | ||
Low | Passive | ||
Informational | Passive | ||
Information Disclosure - Sensitive Information in HTTP Referrer Header | Informational | Passive | |
High | Passive | ||
Informational | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Low | Passive | ||
High | Passive | ||
High | Passive | ||
Informational | Passive | ||
High | Passive | ||
High | Passive | ||
High | Passive | ||
High | Passive | ||
Server Leaks Information via 'X-Powered-By' HTTP Response Header Field(s) | Low | Passive | |
High | Passive | ||
High | Passive | ||
High | Passive | ||
High | Passive | ||
High | Passive | ||
High | Passive | ||
Big Redirect Detected (Potential Sensitive Information Leak) | High | Passive | |
High | Active | ||
Medium | Passive | ||
Low | Active | ||
High | Active | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Active | ||
Medium | Passive | ||
Medium | Active | ||
Low | Passive | ||
Medium | Passive | ||
Low | Passive | ||
Informational | Passive | ||
Informational | Active | ||
Low | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Active | ||
Low | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
High | Passive | ||
Informational | Passive | ||
Informational | Active | ||
High | Passive | ||
Medium | Active | ||
High | Active | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Passive | ||
Medium | Active | ||
Informational | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
Medium | Active | ||
Medium | Active | ||
Medium | Active | ||
Medium | Active | ||
Medium | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
Informational | Active | ||
Informational | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
Informational | Active | ||
High | Active | ||
Medium | Active | ||
High | Active | ||
High | Active | ||
Medium | Active | ||
Medium | Active | ||
High | Active | ||
Medium | Active | ||
High | Active | ||
Medium | Active | ||
Medium | Active | ||
Medium | Active | ||
Medium | Active | ||
Medium | Active | ||
Informational | Active | ||
Informational | Active | ||
Medium | Active | ||
High | Active | ||
Medium | Active | ||
Medium | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
Medium | Active | ||
High | Active | ||
Medium | Passive | ||
Medium | Passive | ||
High | Passive | ||
High | Passive | ||
Low | Passive | ||
Low | Passive | ||
Low | Passive | ||
Informational | Passive | ||
Medium | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
Medium | Passive | ||
High | Active | ||
High | Active | ||
High | Active | ||
High | Active | ||
Informational | Active | ||
Medium | Active | ||
High | Active | ||
Informational | Passive | ||
Informational | Passive | ||
High | Active | ||
High | Active | ||
High | Active | ||
Medium | WebSocket Passive | ||
Informational | WebSocket Passive | ||
Low | WebSocket Passive | ||
Informational | WebSocket Passive | ||
High | WebSocket Passive | ||
Low | WebSocket Passive | ||
Informational | WebSocket Passive | ||
Information Disclosure - Suspicious Comments in XML via WebSocket | Informational | WebSocket Passive |
Note that these are examples of the alerts raised - many rules include different details depending on the exact problem encountered. For example, it covers also: Text4Shell (CVE-2022-42889), Insufficient Site Isolation Against Spectre Vulnerability
...
Dynamic Reviewer is integrated with the following third-party Host Scanning tools:
...
Tenable Nessus (Commercial)
Rapid7 Nexpose (Commercial)
...
Talk is cheap though, so let’s look as some numbers under Linux:
Duration | RAM | HTTP requests | HTTP requests/second | Browser jobs | Seconds per browser job | |
|---|---|---|---|---|---|---|
Dynamic Reviewer | 00:02:14 | 150MB | 14,504 | 113.756 | 211 | 1.784 |
Best Competitor | 00:06:33 | 210MB | 34,109 | 101.851 | 524 | 3.88 |
Large real production site (cannot disclose) | ||||||
|---|---|---|---|---|---|---|
Duration | RAM | HTTP requests | HTTP requests/second | Browser jobs | Seconds per browser job | |
Dynamic Reviewer | 00:45:31 | 617MB | 60,024 | 47.415 | 9404 | 2.354 |
Best Competitor | 12:27:12 | 1,621MB | 123,399 | 59.516 | 9180 | 48.337 |
As you can see, the impact of the Performances' improvements becomes more substantial as the target’s complexity and size increases, especially when it comes to scan duration and RAM usage — and for the production site the new engine consistently yielded better coverage, which is why it performed more browser jobs.
...