Scanner vs. Recon

What is the difference between Scanner and Recon, you may ask? In this blog post we will explore this topic.

To answer this question we need to look deeper into our core philosophy when developing tools. Websecurify opposes the idea of putting too much functionality into a single tool. The reasons are complex, but they come down to several things: it is difficult to maintain and improve a large monolithic code-base over time, and it is hard to apply fixes when things break. Not to mention that hundreds of different configuration options make the user experience confusing. Because of this, if you look at some of the security vendors out there, their technology hasn't changed much, while Websecurify's toolkit has flourished and transformed several times.

The Scanner and Recon closely follow this philosophy. The Scanner is a general-purpose scanner much like Acunetix, Netsparker, WebInspect and so on. It can find all standard vulnerabilities like SQL Injection, XSS, XXE (XML External Entity Injection) etc., much like all other tools. However, if you try to use the Scanner to fingerprint and discover vulnerabilities across multiple applications, perhaps your entire web estate, you will quickly find that you are facing an impossible problem. None of the general-purpose scanners are designed to handle this type of situation, and for a good reason.

The fact of the matter is that scanning tools can either be fast or thorough. The Scanner falls into the thorough category. Recon, on the other hand, is fast. The testing engine used in Recon is exactly the same as the testing engine that we use in the Scanner, but it has been tweaked to perform better at the expense of not going deep enough, which is fine when you are testing 60,000 web sites at once (yes, we do that from time to time). So the main difference between the two tools is that Recon has been optimized to go through the tests as quickly as it can, skipping steps when necessary, while the Scanner has been designed to go deep until it eliminates all possibilities.

The differences do not stop here, however. Recon, unlike the Scanner, has a backend component, which is very unusual for the online Suite. You see, the Suite does not rely on our servers to do its job. The work is done from your very own browser, and this is why you can even test sites that are not directly available on the Internet. Recon needs a backend component to do some of the special-case fingerprinting, such as identifying subdomains, virtual hosts, etc. This type of data is fetched directly from our massive database, which is unreasonable to ship with the tool itself. This is why you will see that Recon can fingerprint virtual hosts, IP addresses, subdomains and even adjacent hosts with great precision.

Last but not least, both Recon and Scanner have their own use-cases. Use the Scanner when you have a single application at hand so that you can go as deep into the app structure as an automated tool can. For large infrastructure fingerprints/tests, use Recon. An attacker will not always exploit your application directly, unless you have an obvious critical vulnerability. In many cases the attacker will leverage a vulnerability in an application close enough to yours so that they can get a foothold for further infiltration. Recon is great at identifying these types of vulnerabilities.

I hope that this blog post makes clear what the differences between Recon and Resend are, and we also hope that you will spare a few minutes to try them both. It is easy to get started and there is a 100% trial, so you have no excuse.

If you have any other pending questions, do not hesitate to get in touch.