Tuesday, January 27, 2009

Web Vulnerability Scanners Comparison

In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners. This evaluation was commissioned by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation.

The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869

I've tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the vendors (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com), and I've run some tests to verify JavaScript execution capabilities.

In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.

The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document: http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f45/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa758/report.pdf/report_pdf.pdf

I've included enough information in this report (the JavaScript files used for testing, the exact version and URL of every tested application) so that anybody with enough patience can verify and reproduce the results presented here.

Therefore, I will not respond to emails from vendors. You have the information, fix your scanners!

44 comments:

  1. Excellent report. I too preferred AppScan, but your report has me thinking twice. Great Job!

    Billy Rios
  2. Thank you very much Billy.
    BTW, I'm following your blog. You have some great posts in there.
  3. Hi, nice blog. Web based timecard Labor Time Tracker is a "labor time tracker" for your business. It is a smarter, easier and faster way to track employee time for payroll and job costing.
  4. Not sure if anyone saw this, but Acunetix (who won) must be listening, because they claim they now catch everything in this test suite...
    http://www.acunetix.com/blog/productnews/updated-acunetix-wvs-addresses-anantas-comparison-report-issues/
  5. Thanks, the report is very helpful.

    I tried to reproduce the JavaScript tests and Acunetix doesn't report any problem with the JavaScript files you provided.

    Can you comment on what vulnerabilities are present in the JavaScript files?

    Maybe it is the configuration of Acunetix, but I tried with w3af too and nothing is reported.

    nico
  6. If you lend someone $20 and never see that person again, it was probably worth it.
  7. Hi AnantaSec,

    It would be nice if you could confirm this.
    http://labs.german-websecurity.com/en/blog/?p=12

    If you need a free scan from german-websecurity.com for this test, just send them an email.
  8. The great master key to wealth is precisely the self-discipline and self-control you need to fully command your own mind.

  9. Everyone wants happiness, so how could all of it belong to you? Know that there is not much happiness in this world to begin with.

  10. Contentment brings joy. With such a fine article, life is complete. Haha.

  11. We do not sing because we are happy; singing makes us happy.

  12. A good article simply leaves a good feeling. Thank you.

  13. Beauty, unaccompanied by virtue, is as a flower without perfume.

  14. Death is sad, but living unhappily is sadder.

  15. When a person can hold two conflicting things in their heart, that person begins to become valuable.

  16. Useful talent left unused is like a sundial placed in the shade.

  17. A good article deserves a response. Being able to see your updates often would be a very happy thing.

  18. Such a good blog, what will we do if we can't see it anymore!!!

  19. The best gift we can give each other is sincere care.

  20. Whatever you do, believe in yourself, and don't let someone else's words knock you down.

  21. Love (愛), taken apart, is the two characters heart (心) and receive (受). Use your heart to accept everything about the other person, and use your heart to love all of them.

  22. Every day has new sunlight, every day has new hope.

  23. Your blog content is excellent, be sure to keep it up!

  24. Every time I finish reading one of your articles I savor it for a long time; please post often.

  25. You run your blog with such care; of course it is worth our lingering visits!
  26. It's great to know about the PTLLS Course announcement. This is the edge of competition and one has to be skillful before joining a career. This would help you to ensure your security.