How to Download and Use Cenzic Hailstorm for Web Application Security Testing
Cenzic Hailstorm is a powerful tool that can scan web applications for various vulnerabilities, such as SQL injection, cross-site scripting, session tampering, and more. It can also test AJAX-enabled applications, which are becoming more popular in the web 2.0 era. In this article, we will show you how to download and use Cenzic Hailstorm for web application security testing.
Step 1: Download Cenzic Hailstorm
To download Cenzic Hailstorm, you need to visit the official website of Trustwave, the company that acquired Cenzic in 2014. Trustwave offers Cenzic Hailstorm as part of its cloud-based security testing platform, along with other services such as application, database, and network penetration testing and scanning. You can choose from different plans and pricing options depending on your needs and budget. You can also request a free trial or a demo to test the tool before buying it.
Once you have registered and logged in to Trustwave's portal, you can access the Cenzic Hailstorm dashboard, where you can create and manage your projects, scan results, reports, and settings. You can also download the Cenzic Hailstorm desktop client, which lets you run scans offline or on your own network. The desktop client requires a Windows operating system and the .NET Framework.
Step 2: Create a Project and Configure Scan Settings
To start a scan with Cenzic Hailstorm, you need to create a project and configure the scan settings. A project is a collection of scan targets, policies, schedules, reports, and notifications. You can create multiple projects for different web applications or scenarios.
To create a project, click on the "New Project" button on the dashboard. You will be asked to enter a project name and description, and select a scan target. A scan target is the URL of the web application that you want to test. You can also specify additional parameters such as login credentials, cookies, headers, proxies, etc.
After creating a project, you can configure the scan settings by clicking on the "Scan Settings" tab. Here you can choose from different scan policies that define the scope and depth of the scan. A scan policy is a set of rules that determine which vulnerabilities to look for, how to test them, and how to report them. You can use the predefined policies or create your own custom policies.
Some of the scan settings that you can configure are:
Scan Mode: You can choose between Standard Mode or Smart Mode. Standard Mode scans all pages and links within the scan target, while Smart Mode scans only pages that are likely to contain vulnerabilities based on heuristics.
Scan Speed: You can adjust the speed of the scan by changing the number of concurrent requests and the delay between requests. A faster scan may reduce the scan time but may also increase the load on the web server or trigger anti-scanning mechanisms.
Scan Depth: You can limit the depth of the scan by setting the maximum number of links to follow from the scan target or the maximum number of pages to scan per domain.
Scan Coverage: You can specify which types of pages or links to include or exclude from the scan based on their extensions, parameters, content types, etc.
Scan Validation: You can enable or disable various validation methods that verify if a vulnerability is real or false positive. For example, you can use confirmation requests, response comparison, error messages, etc.
Scan Reporting: You can choose which types of reports to generate after the scan is completed. For example, you can generate executive summary reports, detailed technical reports, compliance reports, etc.
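The scan speed, depth and coverage settings above all come down to a few concrete limits a scanner applies to every link it discovers and every request it sends. The following is an added example, not Cenzic Hailstorm or Trustwave code, that models those limits in plain Python: a ScanScope that admits a link only if it is on the target host, within the depth limit, not an excluded static-file extension and under the per-domain page cap, plus a pacing function that turns a concurrency and delay setting into request start times. The class and function names, default values and sample URLs are all constructed for the example and do not correspond to Hailstorm's own settings or API.

```python
"""Scope filtering and request pacing for a web-application scan.

Added example, not Cenzic Hailstorm or Trustwave code. It models the scan
settings described above (depth, per-domain page limit, coverage by file
extension, concurrent requests and delay) so the effect of each limit can be
checked before a scanner is pointed at a real application. All URLs below are
constructed sample values on the reserved .test domain.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class ScanScope:
    """Limits that decide whether a discovered link will be crawled."""
    target: str                          # scan target URL (assumed single host)
    max_depth: int = 3                   # maximum link hops from the target
    max_pages_per_domain: int = 50       # page cap per domain
    excluded_extensions: frozenset = frozenset(
        {".css", ".js", ".png", ".jpg", ".pdf"}  # coverage: skip static assets
    )
    pages_per_domain: dict = field(default_factory=dict)  # host -> pages admitted

    def in_scope(self, url: str, depth: int) -> bool:
        """Pure check: does this (url, depth) satisfy every configured limit?"""
        parsed = urlparse(url)
        target_host = urlparse(self.target).netloc.lower()
        host = parsed.netloc.lower()
        if parsed.scheme not in ("http", "https") or host != target_host:
            return False                 # off-target host or non-web scheme
        if depth > self.max_depth:
            return False                 # scan depth exceeded
        path = parsed.path.lower()
        if any(path.endswith(ext) for ext in self.excluded_extensions):
            return False                 # excluded by coverage rule
        return self.pages_per_domain.get(host, 0) < self.max_pages_per_domain

    def admit(self, url: str, depth: int) -> bool:
        """Check the link and, if admitted, count it against the domain cap."""
        if not self.in_scope(url, depth):
            return False
        host = urlparse(url).netloc.lower()
        self.pages_per_domain[host] = self.pages_per_domain.get(host, 0) + 1
        return True


def select_crawl_queue(discovered, scope):
    """Return the (url, depth) pairs the scope admits, preserving order."""
    return [(url, depth) for url, depth in discovered if scope.admit(url, depth)]


def request_start_times(num_requests, concurrent, delay_seconds):
    """Start offsets when `concurrent` requests go out per batch, `delay_seconds` apart.

    Raising concurrency or lowering the delay shortens the scan but increases
    the load placed on the target, which is the trade-off the Scan Speed
    setting describes.
    """
    if concurrent < 1 or delay_seconds < 0:
        raise ValueError("concurrency must be >= 1 and delay must be non-negative")
    return [(i // concurrent) * delay_seconds for i in range(num_requests)]


def estimated_scan_seconds(num_requests, concurrent, delay_seconds, avg_response_seconds):
    """Rough wall-clock estimate: last batch start plus one average response time."""
    starts = request_start_times(num_requests, concurrent, delay_seconds)
    return (max(starts) + avg_response_seconds) if starts else 0.0


# Constructed sample of links a crawler might discover, with their depth.
SAMPLE_LINKS = [
    ("https://app.example.test/", 0),
    ("https://app.example.test/login", 1),
    ("https://app.example.test/static/site.css", 1),          # excluded extension
    ("https://cdn.example.test/lib.js", 1),                   # different host
    ("https://app.example.test/account/orders", 2),
    ("https://app.example.test/account/orders/1/detail", 4),  # deeper than max_depth
    ("http://app.example.test/help", 2),                      # same host over http
]


def demo():
    scope = ScanScope(target="https://app.example.test/")
    queue = select_crawl_queue(SAMPLE_LINKS, scope)
    starts = request_start_times(len(queue), concurrent=2, delay_seconds=0.5)
    return queue, starts


if __name__ == "__main__":
    queue, starts = demo()
    for (url, depth), start in zip(queue, starts):
        print(f"t+{start:.1f}s depth={depth} {url}")
```

With the constructed sample, four of the seven links are admitted (the CSS file, the CDN host and the depth-4 page are dropped), and with two concurrent requests and a half-second delay the pacing function schedules them at 0.0, 0.0, 0.5 and 0.5 seconds. Lowering max_pages_per_domain caps how much of a large application a single scan session touches, which is the same lever the Scan Depth setting gives you.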
Step 3: Run and Monitor the Scan
To run a scan with Cenzic Hailstorm, you need to click on the "Start Scan" button on the dashboard. You will be asked to confirm your scan settings and enter a name for your scan session. A scan session is a record of a single scan run with its results and reports.
Once the scan is started, you can monitor its progress and status on the dashboard. You can see information such as: