Review: WebInspect

The depth to which WebInspect assesses websites and web services, and the clarity of its vulnerability descriptions and suggested fixes, are impressive.

WebInspect manages to be powerful and useful while remaining intuitive and easy to use. This is important as busy administrators want things up and running fast, but also want custom configuration as they become more experienced.


This is a great tool for those responsible for enterprise-level websites and web services.

Users will benefit from the built-in policy templates and powerful scanning while they learn how to best shape the tool to their own requirements. It starts with the Scan Wizard, which allows you to choose between a web assessment (as in website URL), enterprise assessment (via a range of IP addresses), or web service assessment (via assessment of the WSDL file).

Next, you may choose a comprehensive scan, which maps out a site's tree structure for later analysis, or a step-mode approach, which follows you as you manually navigate the site.

An intuitive GUI shows vulnerabilities in summary form as they are discovered. It also provides an in-depth appraisal of each instance via the Information Pane, which gives a detailed description of the vulnerability in question with a recommended fix. The depth of this information varies according to the vulnerability found, but it is often extensive. You can view the HTTP request and response, details of methods used, and more.

The database of vulnerabilities is kept current via the Smart Update feature, and there is a Policy Manager where policies may be edited or created from scratch and agents can be created. You can also intuitively create virtually any report you can think of with a few mouse clicks. The reports are attractively formatted and easy to read.

WebInspect is well considered. Everything is where you expect it to be and everything works.

For:

Ease of use, depth of scanning.


Against:

Very little.


Verdict:

A powerful tool for evaluating websites and web-based applications and services.
