[WEB SECURITY] Web Application Scanners Comparison

Ory Segal SEGALORY at il.ibm.com
Thu Jan 29 09:48:44 EST 2009


Could you be kind enough to share with us the environment on which you 
have installed the web applications? Operating system, version, service 
packs, web server type and version, etc.?

Thank you,
-Ory Segal

anantasec <anantasec at googlemail.com>
websecurity at webappsec.org, pen-test at securityfocus.com, 
webappsec at securityfocus.com, vuln-dev at securityfocus.com, 
bugtraq at securityfocus.com, webappsec at lists.owasp.org, 
security-basics at securityfocus.com, anantasec at googlemail.com
01/27/2009 07:10 PM
[WEB SECURITY] Web Application Scanners Comparison

Hi all,

In the past weeks, I've performed an evaluation/comparison of three
popular web vulnerability scanners. This evaluation was ordered by a
penetration testing company that will remain anonymous. The vendors
were not contacted during or after the evaluation.

The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869

I've tested 13 web applications (some of them containing a lot of
vulnerabilities), 3 demo applications provided by the vendors
(testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and
I've done some tests to verify Javascript execution capabilities.

In total, 16 applications were tested. I've tried to cover all the
major platforms, therefore I have applications in PHP, ASP, ASP.NET
and Java.

The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document:

I've included enough information in this report (the javascript files
used for testing, exact version and URL for all the tested
applications) so anybody with enough patience can verify and reproduce
the results presented here.

Therefore, I will not respond to emails for vendors. You have the
information, fix your scanners!

Best wishes & regards,

