By one estimate more than 50-60% of all Web applications and web sites contain some critical vulnerability that can be easily compromised. Using SSL, firewalls and locked-down servers can lead to a sense of security, but none of these things address the issue of web application hacking — attacks made through ports 80 and 443.Database-driven dynamic content is clearly the main area of vulnerability. Any web app that operates dynamically based on user input has the potential to be compromised by maliciously altering the data communicated to the server.Two common types of vulnerabilities are called SQL Injection and Cross Site Scripting (XSS). SQL injection is the ability to inject and run arbitrary SQL code without having standard database access. XSS means to forcibly insert html or script into another web page.Scanning software is now available that can automatically exercise pages of a web application, looking for potential vulnerabilities. Whitehat security has a good set of slides describing web application vulnerability issues. It discusses limitations of today’s web scanning software. The current generation of software is really only good at looking at technical vulnerabilities. There is another realm of logical vulnerability issues not addressed. And then there is a big hurdle for being able to identify and load scenarios into the web scan software so it knows how to access all or most pages of the application.Given these limitations, it still seems like web scanning software is a huge step forward to identify vulnerabilities. At Formtek, our development and engineering groups have used a couple of these Web Scan products: WatchFire and Acunetix.We were basically pleased with the results. Working with our QA people, we identified scenarios that do thorough coverage of our app web pages. With the scenarios in place, we then pointed the scanners to our web-based apps. The reports that were generated were very detailed. They also alerted us to some things we had never considered. I’d recommend the use of the web scanning tools.Based on our findings, the Formtek | Orion version 188.8.131.52 patch was created. Re-running the scan tools against this version of Orion came up clean. Going forward, we plan to make the use of a web application scanner a standard part of the Formtek QA test cycle.