Some developers and I wandered across a pretty interesting situation recently: it seems there is an ambiguous corner case concerning how to resolve a relative URI containing only query parameters (a link such as "?foo=bar").  We were finding that certain programming languages were resolving the URIs differently than ...

The release of WebInspect 7.7.113.3 (the Nov/2007 hotfix release) brought along a significant feature: a new-and-improved audit engine for finding local file reading/inclusion vulnerabilities.  This article will introduce you to this new engine, how it works, and explain how to tune the associated check inputs in order to tailor the engine to ...

This is the third part in my three-part series on check tuning.  Part one addressed the basic concepts of check inputs and tuning checks, while part two addressed some basic network topology concepts.  This part will utilize the previously discussed concepts to tune three specific network-related checks.The three target checks are:  ...

Launching a web scan is conceptually pretty easy: you just pop in a target URL and click 'Go'.  You don't have to necessarily worry about routing tables, firewalls, and all that other network architecture stuff that magically lets the scanning system talk to the target web site. That is, you don't have to worry about it ...

This is the first article in a three part series that focuses on tuning the checks included with WebInspect (and sister products, DevInspect and QAInspect), with the goal of increasing accuracy and usefulness. By default, the current version of WebInspect ships with thousands of checks.  A 'check' is a generic term used to describe a ...