[WEB SECURITY] Re: Web Application Scanners Comparison

romain r at fuckthespam.com
Tue Jan 27 16:58:03 EST 2009


Well, I'm wondering who can take this seriously.

- What policies did you use for the tools? Did you create them?

- Any specific tuning?

- What about the application coverage (not only links)? Maybe a tool
didn't find a vulnerability because it didn't cover this part of the
application. Should it then get -5, since it's a crawler problem?

- The scoring system is overly simplistic and assumes that a web apps
scanner is a web security fuzzer. Rating the coverage of the application
is, most of the time, needed if you want serious results.
If a tool doesn't cover a part of the application and generates a
false-negative, I don't think it should count as much as if it covers the
application and also generates a false-negative: since you focus on
rating the vulnerability finding, you have no idea what you are scoring
here -- the badness of the crawler/parser or the badness of the attack
engine.

- You said you use different types of technologies, correct, but all the
applications seem to be the same type (CMSs/Blogs/Forums). It would have
been interesting to use different things too (document management,
"ERP", stuff like that).

The JavaScript part is very interesting though.

Cheers,

--Romain
http://rgaucher.info

anantasec wrote:
> Hi all,
> 
> In the past weeks, I've performed an evaluation/comparison of three
> popular web vulnerability scanners. This evaluation was ordered by a
> penetration testing company that will remain anonymous. The vendors
> were not contacted during or after the evaluation.
> 
> The applications (web scanners) included in this evaluation are:
> - Acunetix WVS version 6.0 (Build 20081217)
> - IBM Rational AppScan version 7.7.620 Service Pack 2
> - HP WebInspect version 7.7.869
> 
> I've tested 13 web applications (some of them containing a lot of
> vulnerabilities), 3 demo applications provided by the vendors
> (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and
> I've done some tests to verify JavaScript execution capabilities.
> 
> In total, 16 applications were tested. I've tried to cover all the
> major platforms, therefore I have applications in PHP, ASP, ASP.NET
> and Java.
> 
> The report can be found at http://drop.io/anantasecfiles/
> The full URL to the PDF document:
> http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f45/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa758/report.pdf/report_pdf.pdf
> 
> I've included enough information in this report (the JavaScript files
> used for testing, exact version and URL for all the tested
> applications) so anybody with enough patience can verify and reproduce
> the results presented here.
> 
> Therefore, I will not respond to emails for vendors. You have the
> information, fix your scanners!
> 
> Best wishes & regards,
> anantasec
> 


-- 

--Romain
http://rgaucher.info
