[WEB SECURITY] Re: Web Application Scanners Comparison
r at fuckthespam.com
Tue Jan 27 16:58:03 EST 2009
Well, I'm wondering who can take this seriously.
- What policies did you use for the tools? Did you create them?
- Any specific tuning?
- What about the application coverage (not only links)? Maybe a tool
didn't find a vulnerability because it didn't cover this part of the
application. Should it then get -5, since it's a crawler problem?
- The scoring system is overly simplistic and assumes that a web app
scanner is a web security fuzzer. Rating the coverage of the application
is, most of the time, needed if you want serious results.
If a tool doesn't cover a part of the application and generates a
false-negative, I don't think it should count as much as if it covers the
application and also generates a false-negative: since you focus on
rating the vulnerability finding, you have no idea what you are scoring
here -- the badness of the crawler/parser or the badness of the attack.
- You said you use different types of technologies, correct, but all the
applications seem to be the same type (CMSs/Blogs/Forums). It would have
been interesting to use different things too (document management,
"ERP", stuff like that).
> Hi all,
> In the past weeks, I've performed an evaluation/comparison of three
> popular web vulnerability scanners. This evaluation was ordered by a
> penetration testing company that will remain anonymous. The vendors
> were not contacted during or after the evaluation.
> The applications (web scanners) included in this evaluation are:
> - Acunetix WVS version 6.0 (Build 20081217)
> - IBM Rational AppScan version 7.7.620 Service Pack 2
> - HP WebInspect version 7.7.869
> I've tested 13 web applications (some of them containing a lot of
> vulnerabilities), 3 demo applications provided by the vendors
> (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and
> In total, 16 applications were tested. I've tried to cover all the
> major platforms, therefore I have applications in PHP, ASP, ASP.NET
> and Java.
> The report can be found at http://drop.io/anantasecfiles/
> The full URL to the PDF document:
> used for testing, exact version and URL for all the tested
> applications) so anybody with enough patience can verify and reproduce
> the results presented here.
> Therefore, I will not respond to emails from vendors. You have the
> information, fix your scanners!
> Best wishes & regards,
Join us on IRC: irc.freenode.net #webappsec
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn