Input Vector Support - Web Application Scanners:

The current information is based on the results of the *2011* benchmark (excpet for entries marked as updated or new )

Note: The content in this page is *incomplete* since the research is still in progress - the various scanners might support additional vectors.

Last updated: 27/08/2012
Sorted in a descending order according to the scanner's number of supported input vectors and the scanner name .
Hint: hover over the marks and titles to get additional information on the various features.
Note: the information refers to the ability of the scanners to scan the input vector, not simply to interpret it.
Glossary
Unified List   Commercial Scanners   Free / Open Source Scanners

#

Logo

Vulnerability Scanner

C O U N T

G E T

P O S T

C O O K I E

H E A D E R

S E C R E T

P N a m e

X M L

X m l A T T

X m l T A G

J S O N

. N e t E N C

A M F

J a v a S E R

. N e t S E R

W C F

W C F - B i n

W e b S o c k

D W R

C u s t o m

1

IBM AppScan

13

2

WebInspect

13

3

Burp Suite Professional

11

4

Acunetix WVS (Commercial Edition)

7

5

Ammonite

7

6

Nessus

5

7

NTOSpider (Obsolete Version / Results)

5

8

QualysGuard WAS

5

9

Netsparker (Commercial Edition)

4

10

JSky (Commercial Edition)

3

#

Logo

Vulnerability Scanner

C O U N T

G E T

P O S T

C O O K I E

H E A D E R

S E C R E T

P N a m e

X M L

X m l A T T

X m l T A G

J S O N

. N e t E N C

A M F

J a v a S E R

. N e t S E R

W C F

W C F - B i n

W e b S o c k

D W R

C u s t o m

11

ParosPro

3

12

Syhunt Dynamic (Sandcat Pro)

3

13

WebCruiser Enterprise Edition

3

Statistics

#	G E T	P O S T	C O O K I E	H E A D E R	S E C R E T	P N a m e	X M L	X m l A T T	X m l T A G	J S O N	. N e t E N C	A M F	J a v a S E R	. N e t S E R	W C F	W C F - B i n	W e b S o c k	D W R	C u s t o m
Scanners:	13	13	11	9	2	7	6	4	2	6	0	3	0	0	2	1	0	0	3

Glossary

Alias	General Feature	Description	References
GET	HTTP Query String Parameters	Input parameters sent in the URL	1
POST	HTTP Body Parameters	Input parameters sent in the HTTP body	1
COOKIE	HTTP Cookie Parameters	Input parameters sent in the HTTP cookie	1
HEADER	HTTP Headers	HTTP request headers used by the application	1
SECRET	Secret HTTP Parameters	Non-visible valid HTTP parameters (such as GET to POST, etc)
PName	HTTP Parameter Names	HTTP parameter names used by the application
XML	XML Element Content	The content of XML elements	1
XmlATT	XML Attributes	XML attributes	1
XmlTAG	XML Tags	The names of XML tags	1
JSON	JSON Parameters	Parameters sent in JSON format	1
.NetENC	.Net PostBack Encoded Parameters	Parameters sent after undergoing .net PostBack encoding	1
AMF	Flash Action Message Format	Parameters sent in Flash AMF format	1
JavaSER	Java Serialized Objects	Parameters sent within Java serialized objects	1
.NetSER	.Net Serialized Objects / Remoting	Parameters sent within .Net serialized objects / remoting	1
WCF	.Net WCF Objects	Parameters sent in WCF requests	1
WCF-Bin	.Net Binary WCF Objects	Parameters sent in binary WCF requests	1
WebSock	HTML5 WebSockets	Direct Socket Browser-Server Communication	1
DWR	Java Direct Web Remoting	Parameters sent in DWR format	1
Custom	Custom Input Vector	Support for defining custom input vectors in the HTTP request

Copyright © 2012 by Shay Chen (sectooladdict). All rights reserved.
Click here to learn how this information may be published or reused.