Your e-Business Quality Partner eValid™ -- Automated Web Quality Solution
Browser-Based, Client-Side, Functional Testing & Validation,
Load & Performance Tuning, Page Timing, Website Analysis,
and Rich Internet Application Monitoring.

eValid -- Web Security Analysis: General Summary

The eValid test engine is the base for a wide range of web security analysis and cyberthreat discovery activities. Using built-in resources, possibly combined with free-standing static analysis systems, a web security analyst can identify exposures and vulnerabilities, search entire websites for potential threats or possible weaknesses, and identify problems early.

Architecture
eValid web security analysis combines a functional test engine with a page scanner to pinpoint vulnerabilities. Built into a browser that can imitate any type of device, the eValid engine provides full access to browsed pages, including those that change dynamically during AJAX application operation. There is full DOM access (both input and output), a complete execution environment with environment variables and parameterizable scripts, plus combinatoric and random test input generation capability.

Application Scenarios
Here are some of the kinds of web security analysis scenarios that are possible when eValid technology is applied, using cloud computing resources, to search for web application vulnerabilities. The common thread in each of these scenarios is systematic, automated, programmatic use of a full-featured, test-enabled web browser. The browser is instrumented to drive a web application in any way a browser can, and to fully analyze every response, including AJAX interactions, that arrives from the server stack supporting that web application.

  • Penetration Testing: Combinatoric attack on login or other authentication step.
  • XSS Vulnerability Testing: For randomly selected applications from a known list of possible targets, analyze for existence of XSS vulnerability by reading pages' DOM contents.
  • SQL Injection: Verify correct treatment of SQL usage statements in HTML or JavaScript (or other context).
  • Query-tag Spoofing: Combinatoric variations of query-strings on URLs will reveal fault sequences.
  • Systematic Single Website Scanning: Fixed-depth scans of a website for threat patterns.
  • Multiple Website Scanning: Variable-depth scan of a website will yield patterns of page contents.
  • Server Loading/Overloading: For critical websites, determine "knee of curve" point, then overload by 50%.
  • Key Website RIA Monitoring & Regression Testing: For critical websites, confirm continued operation with pre-established performance parameters.
  • Multiple-Device Checking/Testing: Run standard tests against a website that is supposed to support multiple devices, to know support levels.
  • AJAX Application Vulnerability: For an AJAX application, detect errant GETs to the client or server.
  • Timing Anomaly Detection: Detect when page components take significantly longer to download than expected, indicating possible modification.
  • Hidden Action Detection: Analyze the entire HTML and DOM contents for input modes that are NOT part of the visible material.
  • Phishing Threat Analysis: Examine the links in the delivered document to detect anomalies.
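As an added illustration of the last two scenarios (Hidden Action Detection and Phishing Threat Analysis), the following Python script is not eValid code; it is a stand-alone, standard-library example of the kind of DOM/HTML check such a scanner performs. It walks a constructed sample page, reports form inputs that are not part of the visible material (type="hidden", display:none, visibility:hidden, the hidden attribute, or nested inside a hidden container), and flags links whose visible text names a different host than the href target. The sample HTML, host names and function names are all constructed for this example.

```python
"""Added example (not eValid code): find non-visible inputs and
anchor-text/href host mismatches in a page's HTML using only the
standard library."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; the hosts are placeholders, not real sites.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="hidden" name="redirect" value="/home">
  <input type="text" name="tracker" style="display: none">
</form>
<div style="visibility:hidden"><input type="text" name="shadow"></div>
<a href="https://example.com/account">https://example.com/account</a>
<a href="http://evil-example.net/login">https://example.com/login</a>
<a href="/help">Help</a>
</body></html>
"""


class PageScanner(HTMLParser):
    """Collects hidden inputs and anchor-text/href host mismatches."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hidden_inputs = []     # (input name, reason it is not visible)
        self.link_mismatches = []   # (href host, host named in link text)
        self._stack = []            # open elements as (tag, is_hidden)
        self._hidden_depth = 0      # >0 while inside a hidden container
        self._href = None           # href of the <a> currently open
        self._text = []             # text collected inside that <a>

    @staticmethod
    def _hidden_reason(attrs):
        """Return why an element is not visible, or None if it is."""
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "hidden" in attrs:               # bare HTML5 hidden attribute
            return "hidden attribute"
        if "display:none" in style:
            return "display:none"
        if "visibility:hidden" in style:
            return "visibility:hidden"
        return None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        reason = self._hidden_reason(attrs)
        if tag == "input":
            if (attrs.get("type") or "").lower() == "hidden":
                reason = "type=hidden"
            elif reason is None and self._hidden_depth > 0:
                reason = "inside hidden container"
            if reason:
                self.hidden_inputs.append((attrs.get("name", "?"), reason))
            return  # <input> is a void element: no end tag, nothing to push
        if tag == "a":
            self._href = attrs.get("href")
            self._text = []
        self._stack.append((tag, reason is not None))
        if reason:
            self._hidden_depth += 1

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None
        # Pop back to the matching open tag, undoing any hidden-depth bumps.
        while self._stack:
            open_tag, was_hidden = self._stack.pop()
            if was_hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break

    def _check_link(self, href, text):
        """Flag a link whose visible text is a URL on a different host."""
        href_host = urlparse(href).netloc.lower()
        text_host = urlparse(text).netloc.lower()
        if href_host and text_host and href_host != text_host:
            self.link_mismatches.append((href_host, text_host))


def scan_html(html):
    """Scan one page and return the findings as a dict."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    return {"hidden_inputs": scanner.hidden_inputs,
            "link_mismatches": scanner.link_mismatches}


if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML)
    for name, why in report["hidden_inputs"]:
        print(f"non-visible input {name!r}: {why}")
    for href_host, text_host in report["link_mismatches"]:
        print(f"link text says {text_host} but target is {href_host}")
```

The scanner only sees static HTML; a browser-driven tool such as the one described on this page would run the same checks against the live DOM after scripts have executed, which is why inputs injected or unhidden at run time also become visible to it.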
   
Key Benefits
Here are the main advantages of eValid Site Analysis:
•  Scans are 100% client-side.
•  Server-side permissions handled.
•  Analyzes any website.
•  Imitates ANY device.
•  Full dynamic DOM access.
•  AJAX apps work normally.
•  Dynamic HTML outputs.
•  Spidering with "regular expression" searching.
•  Batch mode interface.
•  Scan can proceed after automated login.
•  Your PC becomes a CyberThreat analysis engine.