What Does NeXpose Scan?

Web Applications

NeXpose helps you secure your Web applications before your systems are compromised. Just like your network devices, operating systems and other enterprise applications, your Web applications need continual scanning to ensure new exposures haven't been introduced through software upgrades. NeXpose is the only web application vulnerability management system that:

  • Provides browser-based scanning - Web and Web 2.0 applications take user interaction to a new level, opening up potential weaknesses that could affect the security of your entire networked environment. NeXpose scans the client-side components of the application to ensure your systems are secured.
  • Scans Web 2.0 applications - NeXpose is the first vulnerability scanning solution that analyzes JavaScript, AJAX and Flash applications in testing, quality assurance, deployment and ongoing management.
  • Secures the complete Web application - NeXpose identifies vulnerabilities throughout the entire application, scanning the browser and server-side components such as databases, shopping carts and other third party applications for exposures that other Web application scanners do not find.
  • Detects more vulnerabilities than traditional Web scanners - NeXpose uses Web Application Pass-Through Scanning, its ability to understand how one vulnerability can lead to another, to detect and provide remediation guidance for vulnerabilities that lie deep beneath the surface and that other scanners miss.

NeXpose - Guidance to Make Your Web Applications Safe

NeXpose has simplified the process of scanning your Web applications for these exposures that can lead to malicious attacks. NeXpose scans Web servers and applications along with networks, operating systems and databases, to identify known and unknown vulnerabilities, evaluate risk and create a prioritized remediation plan according to urgency and severity. With one integrated package, you get accurate, flexible and efficient assessments of your Web servers and applications within the context of your overall IT environment.

Rapid7's Browser Emulation Scanning Technology (BEST) analyzes JavaScript, AJAX and Flash applications in testing, quality assurance, deployment and ongoing management. NeXpose provides optimal web application scanning completely integrated with network vulnerability management.

NeXpose offers the following benefits to organizations:

  • Complete Vulnerability Management Solution - NeXpose is a complete scanning solution for deployed web applications, scanning the Web application, network and operating system, database and third party applications that are integral components of the total Web solution.
  • Fast scanning for multiple Web applications - NeXpose web spidering and scanning capabilities scan multiple web applications for vulnerabilities simultaneously while completing more than 30,000 checks, saving administrators time.
  • Web Application Pass-Through Scanning - Other scanners stop when they find a vulnerability. NeXpose uses information about each vulnerability it finds to test for further exposures that could exist, scanning for deeper vulnerabilities.

Vulnerabilities in Web Applications

NeXpose discovers the following types of vulnerabilities, among others, in Web applications:

  • Directory Traversal - Directory Traversal describes the manipulation of a URL to extract pages in locations not authorized by the author. NeXpose exercises the web application to understand the site map and attempts to reach up to the root directory in order to locate operating system files. NeXpose has several classes of attack. Running unsafe attacks against the web application causes invalid parameters manipulated by NeXpose to be sent to the web application in an attempt to corrupt data or crash the application. These types of attack are typically used by web developers testing web applications prior to deployment.
  • Authentication Attacks - NeXpose uses a variety of mechanisms to detect the possibility of authentication attacks. In the most basic form, a user logging onto a web application provides a set of credentials. This logon can then be compromised in several ways: cookies may be saved that record the visit and supply automated credentials, the application may be cracked using a brute-force dictionary attack, or more sophisticated attacks such as Cross Site Request Forgery may be attempted.
  • Cross Site Request Forgery - Using the example of a banking application, when a user logs on in a secure manner the browser saves the session ID in a cookie so that the visit remains authenticated for the duration of the session. In a CSRF attack the user browses to an attacking page in another browser window. That page can contain JavaScript that uses the session ID of the banking application to access the banking site directly. The example here is a banking application, but almost anything requiring credentials may be subject to this attack, generally without the user knowing what code was run from the attacking site.
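As an added example (not NeXpose code and not from this page), the directory-traversal idea above seen from the defender's side: a Python check that decodes request targets from a few constructed access-log lines, including double-encoded ones, and flags any path or query parameter that climbs above the web root. The log lines, client IPs and function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (common log format); not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /app/page?file=..%2F..%2Fwin.ini HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /app/page?file=%252e%252e%2fconfig HTTP/1.1" 200 88
"""

# Pulls the request method and target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) so nested encoding cannot hide '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def escapes_root(path):
    """True if walking the segments ever climbs above the starting directory.

    Unlike posixpath.normpath, which silently drops leading '..' on absolute
    paths, this tracks depth explicitly, so '/images/../../x' is reported.
    """
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment and segment != ".":
            depth += 1
    return False


def find_traversal_attempts(log_text):
    """Return (client_ip, decoded_value) for each request whose path or a query value escapes the root."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        parts = urlsplit(match.group("target"))
        # Check the path itself and every query parameter value (parse_qsl decodes one layer).
        candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
        for candidate in candidates:
            decoded = fully_decode(candidate)
            if escapes_root(decoded):
                hits.append((client_ip, decoded))
                break  # one finding per request line is enough
    return hits
```

The same `escapes_root` check applied to a user-supplied file name before it is joined to a directory on disk is the server-side mitigation; the log pass is the detection view of the same condition.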

To find out what your applications may contain that could compromise your web server, browse our online Vulnerability Database and then get NeXpose so that you can be confident that your systems are protected from unwanted intruders.
