With the Dynamic Reviewer Safe-PenTest module, you can inspect your Web Application, REST API, SOAP Services, App Engines and Microservices while they are running, directly from your browser, in a non-invasive way.

...

You can import third-party results from Security Scanners, Host Scanners and Proof-of-Exploits tools. Their results will be correlated automatically and a unified Enterprise Report is generated.

Dynamic Reviewer DAST provides a robust and stable framework for Web Application Security Testing, suitable for Security Analysts, QA and Developers alike, with False Positive and False Negative handling, an easy-to-use Web GUI, Advanced Scan and Enterprise Reporting capabilities.

...

  • Black Box mode. It takes the role of an external attacker with no internal knowledge of the target system. Testers using Dynamic Reviewer are not provided with any architecture diagrams or source code that is not publicly available. Dynamic Reviewer determines the vulnerabilities in a system that are exploitable from outside the network.
    This means that Black-Box penetration testing relies on dynamic analysis of the programs and systems currently running within the target network.
    Dynamic Reviewer follows the OWASP Web Security Testing Guide, chapter 4, Web Application Security Testing.
    Further, Dynamic Reviewer performs deep analysis of the client-side code (Ajax, DOM, JavaScript, TypeScript, etc.), discovering the largest number of client-side vulnerabilities in the market.

  • White Box mode. [Cloud only] It performs Authentication before starting the scan. It provides the following Login modes:

    • Form-Based Authentication: login with User and Password through a Web form. You can configure more than one user; all of them will be tested.

    • JSON-Based Authentication: submit a JSON object containing the credentials.

    • Token-Based Authentication: you can modify the request headers to insert tokens.

    • Script-Based Authentication: upload and execute a custom script used to log in. This method is useful for websites / webapps where the authentication flow is more complex and a custom script that handles the authentication process is beneficial.
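To make the four Login modes concrete, here is an added example (not Dynamic Reviewer code, and not the product's actual API): a small authenticator that logs a scanner into a target in each mode and returns the headers the subsequent scan requests must carry. The target is a constructed in-process mock application; the `transport(method, path, headers, body)` callable, the `/login`, `/api/login` and `/account` paths, the user names, passwords and token value are all assumptions made up for the demo. A real scanner would plug an HTTP client into the same `transport` slot.

```python
import json
from urllib.parse import parse_qs, urlencode

# --- Constructed mock target (stand-in for the web app under test) ---
VALID_USERS = {"alice": "pw-alice", "bob": "pw-bob"}   # assumed test accounts
API_TOKEN = "tok-constructed-123"                       # assumed API token
SESSIONS = {}                                           # session id -> user


def mock_app(method, path, headers, body):
    """In-process web app. Returns (status, response_headers, body).

    Understands a form login, a JSON login, a bearer token and a session cookie.
    """
    if method == "POST" and path == "/login":            # form-based login
        form = parse_qs(body or "")
        user, pw = form.get("user", [""])[0], form.get("password", [""])[0]
    elif method == "POST" and path == "/api/login":      # JSON-based login
        try:
            data = json.loads(body or "")
        except ValueError:
            return 400, {}, "bad json"
        user, pw = data.get("user", ""), data.get("password", "")
    elif method == "GET" and path == "/account":         # protected resource
        sid = headers.get("Cookie", "").partition("sid=")[2]
        if sid in SESSIONS:
            return 200, {}, f"account of {SESSIONS[sid]}"
        if headers.get("Authorization", "") == f"Bearer {API_TOKEN}":
            return 200, {}, "account via token"
        return 401, {}, "denied"
    else:
        return 404, {}, "not found"
    # shared tail for both credential-based logins
    if VALID_USERS.get(user) == pw:
        sid = f"s-{user}-{len(SESSIONS)}"
        SESSIONS[sid] = user
        return 200, {"Set-Cookie": f"sid={sid}; HttpOnly"}, "ok"
    return 401, {}, "bad credentials"


# --- Scanner-side authenticator (the part a White Box scan would run first) ---
def authenticate(transport, mode, cfg):
    """Perform the configured login; return headers for the scan, or None on failure."""
    if mode == "form":
        body = urlencode({"user": cfg["user"], "password": cfg["password"]})
        ctype = "application/x-www-form-urlencoded"
    elif mode == "json":
        body = json.dumps({"user": cfg["user"], "password": cfg["password"]})
        ctype = "application/json"
    elif mode == "token":
        # No login round-trip: the configured header is injected into every request.
        return {cfg["header"]: cfg["value"]}
    elif mode == "script":
        # User-supplied routine for complex flows; it receives the transport and
        # must return the headers itself.
        return cfg["script"](transport)
    else:
        raise ValueError(f"unknown auth mode: {mode}")
    status, hdrs, _ = transport("POST", cfg["login_path"], {"Content-Type": ctype}, body)
    if status != 200 or "Set-Cookie" not in hdrs:
        return None
    # Keep only the name=value pair; attributes like HttpOnly are not sent back.
    return {"Cookie": hdrs["Set-Cookie"].split(";")[0]}


def authenticate_all(transport, mode, users, cfg):
    """Form/JSON modes accept several users: log every one in, so each is scanned."""
    return {u: authenticate(transport, mode, {**cfg, "user": u, "password": p})
            for u, p in users.items()}


def verify_session(transport, headers):
    """Pre-scan sanity check: protected page is 200 with the headers and 401 without.

    Without this check an expired or rejected login silently turns a White Box
    scan into a Black Box one and the authenticated surface is never tested.
    """
    with_auth, _, _ = transport("GET", "/account", headers or {}, None)
    without_auth, _, _ = transport("GET", "/account", {}, None)
    return with_auth == 200 and without_auth == 401


if __name__ == "__main__":
    form_hdrs = authenticate(mock_app, "form",
                             {"login_path": "/login", "user": "alice", "password": "pw-alice"})
    print("form login ok:", verify_session(mock_app, form_hdrs))
    tok_hdrs = authenticate(mock_app, "token",
                            {"header": "Authorization", "value": f"Bearer {API_TOKEN}"})
    print("token ok:", verify_session(mock_app, tok_hdrs))
```

The `verify_session` step is the one practitioners most often skip: every mode ends by proving that the returned headers actually open a protected page and that their absence closes it, so a scan never runs unauthenticated by accident.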

...

Connection Modes

Both on premises and Cloud installations can connect to the target Web Application in different modes:

...

  • SSH Tunnelling. A temporary SSH key is automatically generated for the current Scan. The user can download it and run the commands shown on screen, which create an SSH tunnel to reach the target Web Application.

...

Findings

Once Scan is terminated, you have a list of Findings. You can:

  • Suppress a Finding Category (example: all Blind SQL Injection issues)

  • Suppress one or more Findings inside a Category

  • Add Comments to the entire scan, to a Finding Category, to a single Finding

  • Modify, Delete, change Severity tag, Merge Findings

  • Import Results from third-party tools

  • Export Combined Results in PDF, HTML, JSON, CSV, Excel and Word format

  • Add Evidence to the Findings

...

You can drill-down to each Finding category:

...

Each Category groups a bunch of vulnerabilities found in the virtual Attacks:

...

We call such Attacks ‘virtual’ because Dynamic Reviewer does not really execute the Attack/Exploit, but only simulates it.

Further, instead of dealing with hundreds or even thousands of individual vulnerabilities, you can focus on their categories, for a smarter Vulnerability Management.

Powered By

Dynamic Reviewer is Powered By the following open source tools:

All vulnerabilities reported by the above OSS tools are collected, correlated and included in the Dynamic Reviewer results.

...