Hackers have shifted their strategy in recent years from attacking operating systems to attacking applications. After 10 years of attacking open ports and unprotected services, system administrators are doing a pretty decent job of “locking down” servers and firewalls so that only essential services are visible. Increasingly, those visible services are also patched so as to be invulnerable to attacks. Operating systems are no longer the “soft targets” that they used to be. Unable to penetrate servers through holes in exposed services, hackers have turned to attacking the applications running on those servers.
This article discusses common vulnerabilities present in Web applications, and two leading scanning tools, AppScan from Watchfire and WebInspect from SPI Dynamics, that can effectively identify these vulnerabilities.
Link to entire article here: