NTOSpider is the only application security scanner capable of accurately testing a complex application workflow such as a shopping cart or an application process. Complex workflows differ from other areas of an application because their functionality must be tested in the prescribed order of the workflow, and the workflow must be tested in its entirety. NTOSpider can test a complex workflow in order and in its entirety. It's important to understand that web application security scanners are designed to attack pages randomly, because for most application functionality it's actually better to attack it randomly.

For more information on testing complex workflows, visit our blog: Web Application Security Testing for Complex Application Workflows. Not so Complex Anymore.

Why is it important to test the workflow in order and in its entirety?

Order

Take a shopping cart example where the scanner might randomly attack a billing form, but because there are no items in the cart, the application informs the user that they have no items in their cart and discards the attack payloads. The scanner doesn’t even know this happened and misses web application security vulnerabilities as a result.

Entirety

In the shopping cart example, the scanner may attempt a SQL injection attack on the ‘last name’ field in the billing form. At that point the data is often held in temporary session storage. It isn’t until the order confirmation page, when the user confirms the order and the information is sent to the SQL server, that the attack is executed. So if application scanners don’t complete the workflow, the attack is never executed and the SQL injection vulnerability goes undetected.
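The two points above (the billing form discarding input while the cart is empty, and billing data sitting in the session until the confirmation step writes it to the database) can be made concrete with a small simulated checkout. This is an added example, not code from NTOSpider or from the page; the class and function names (`Checkout`, `add_to_cart`, `billing`, `confirm`, `run_workflow`) are hypothetical, and the single-quote in the constructed input `O'Brien` is a legitimate value that happens to break an unparameterized INSERT. The vulnerable build concatenates the session value into SQL at confirmation; the hardened build uses a parameterized query, so the same input is stored as a literal.

```python
"""Simulated three-step checkout: cart -> billing -> confirm.

Added example (not NTOSpider code). It shows that
  (1) the billing step discards input while the cart is empty, and
  (2) billing fields live in the session and reach the database only at
      order confirmation, so a scanner that never confirms never reaches
      the SQL that consumes them.
All names are hypothetical; the database is an in-memory SQLite file.
"""
import sqlite3


class Checkout:
    def __init__(self, parameterized: bool):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT, last_name TEXT)"
        )
        self.session = {"cart": [], "billing": None}  # per-user session state
        self.parameterized = parameterized            # hardened build or not
        self.db_statements = 0                        # SQL statements attempted

    def add_to_cart(self, item: str) -> str:
        self.session["cart"].append(item)
        return "added"

    def billing(self, last_name: str) -> str:
        # Out-of-order request: nothing in the cart, so the input is dropped
        # without ever touching the database.
        if not self.session["cart"]:
            return "cart is empty"
        # In-order request: held in temporary session storage, still no SQL.
        self.session["billing"] = {"last_name": last_name}
        return "billing saved to session"

    def confirm(self) -> str:
        if not self.session["cart"] or self.session["billing"] is None:
            return "nothing to confirm"
        last_name = self.session["billing"]["last_name"]
        for item in self.session["cart"]:
            self.db_statements += 1
            if self.parameterized:
                # Hardened: bound parameters, the value is data, never SQL.
                self.db.execute(
                    "INSERT INTO orders (item, last_name) VALUES (?, ?)",
                    (item, last_name),
                )
            else:
                # Vulnerable: string concatenation; the session value is
                # interpreted as part of the statement at this step only.
                self.db.execute(
                    f"INSERT INTO orders (item, last_name) VALUES ('{item}', '{last_name}')"
                )
        self.db.commit()
        return "order placed"

    def stored_last_names(self) -> list:
        return [row[0] for row in self.db.execute("SELECT last_name FROM orders")]


def run_workflow(parameterized: bool, last_name: str, in_order: bool = True) -> dict:
    """Drive the checkout and record at which step the database was affected."""
    app = Checkout(parameterized)
    trace = []
    if not in_order:
        # A scanner hitting the billing form first, with an empty cart.
        trace.append(("billing", app.billing(last_name)))
        return {"trace": trace, "db_statements": app.db_statements,
                "error": None, "stored": app.stored_last_names()}
    trace.append(("add_to_cart", app.add_to_cart("widget")))
    trace.append(("billing", app.billing(last_name)))
    error = None
    try:
        trace.append(("confirm", app.confirm()))
    except sqlite3.Error as exc:
        error = type(exc).__name__  # surfaces only at the confirm step
    return {"trace": trace, "db_statements": app.db_statements,
            "error": error, "stored": app.stored_last_names()}


if __name__ == "__main__":
    print(run_workflow(False, "O'Brien", in_order=False))  # dropped, no SQL
    print(run_workflow(False, "O'Brien"))                  # error at confirm
    print(run_workflow(True, "O'Brien"))                   # stored as literal
```

Running the three scenarios shows why order and entirety both matter: the out-of-order run never issues a SQL statement, the in-order run against the vulnerable build reaches SQL only at `confirm` (where the unescaped quote causes an error rather than a stored row), and the hardened build stores `O'Brien` unchanged. The detection signal a scanner needs exists only on the final step of a complete workflow.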