Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
If you have some interesting news or want to throw up a link to discuss it, here's the place. Anything is okay, even shameless vendor launches (since that is often applicable to what we work on). 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Web Application Scanners Comparison
Posted by: anantasec
Date: January 27, 2009 08:17AM

Hi all,

In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners.This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation.

The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869

I've tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the vendors (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and I've done some tests to verify Javascript execution capabilities.

In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.

The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document: http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f45/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa758/report.pdf/report_pdf.pdf

I've included enough information in this report (the javascript files used for testing, exact version and URL for all the tested applications) so anybody with enough patience can verify and reproduce the results presented here.

Therefore, I will not respond to emails for vendors. You have the information, fix your scanners!

Best wishes & regards,
anantasec

http://anantasec.blogspot.com

Options: ReplyQuote
Re: Web Application Scanners Comparison
Posted by: zeno
Date: January 28, 2009 11:15AM

More discussion at http://www.cgisecurity.com/2009/01/web-application-scanners-comparison.html

Options: ReplyQuote


Sorry, only registered users may post in this forum.