Tuesday, January 27, 2009

Web Vulnerability Scanners Comparison

In the past weeks, I've performed an evaluation/comparison of three popular web vulnerability scanners. This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation.

The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869

I've tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the vendors (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com), and I've done some tests to verify JavaScript execution capabilities.

In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.
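The JavaScript execution tests mentioned above live in the report, not on this page. As an added example (not the author's test files), here is a small Node.js script that builds fixtures of the same kind: each page exposes its own target URL through one JavaScript mechanism (document.write, DOM construction, an onclick handler, a delayed innerHTML update) next to a plain-link control; a function shows what a crawler that does not execute JavaScript extracts from the raw HTML, and a scoring function takes the URL list a scanner reports after crawling the served fixtures. The file names and target paths are assumptions of this example.

```javascript
// Added example, not the test files from the report: fixtures for checking
// whether a web scanner's crawler executes JavaScript. Every fixture exposes
// one target URL through a different JavaScript mechanism; a crawler that only
// parses static HTML cannot reach the target, a crawler that executes the page
// can. File names and target paths are assumptions of this example.

// Emit a JavaScript expression that rebuilds `s` from two halves, so that a
// scanner which merely greps the page source for URL-like strings does not
// get credit for the fixture either.
function jsSplit(s) {
  const cut = Math.floor(s.length / 2);
  return `'${s.slice(0, cut)}' + '${s.slice(cut)}'`;
}

// Each entry: fixture name and the page body that exposes the target URL `t`.
const MECHANISMS = [
  { name: "plain_href",           // control: visible without JavaScript
    body: t => `<a href="${t}">x</a>` },
  { name: "document_write",
    body: t => `<script>document.write('<a href="' + ${jsSplit(t)} + '">x</a>');</script>` },
  { name: "dom_create_element",
    body: t => `<div id="c"></div><script>
      var a = document.createElement('a');
      a.setAttribute('href', ${jsSplit(t)});
      a.appendChild(document.createTextNode('x'));
      document.getElementById('c').appendChild(a);
    </script>` },
  { name: "onclick_location",
    body: t => `<button onclick="location.href = ${jsSplit(t)}">go</button>` },
  { name: "settimeout_innerhtml",
    body: t => `<div id="c"></div><script>
      setTimeout(function () {
        document.getElementById('c').innerHTML = '<a href="' + ${jsSplit(t)} + '">x</a>';
      }, 500);
    </script>` },
];

// One page per mechanism, each pointing at its own (hypothetical) target, so a
// scanner gets credit only for the mechanisms it actually handled.
const FIXTURES = MECHANISMS.map(m => {
  const target = `/js_${m.name}.php?id=1`;
  return { name: m.name, file: `${m.name}.html`, target,
           html: `<html><body>${m.body(target)}</body></html>` };
});

// What a crawler that does not execute JavaScript can see: href attributes of
// <a> tags present in the raw HTML.
function staticHrefs(html) {
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// Names of the fixtures whose target static parsing fails to discover.
function missedByStaticCrawler(fixtures = FIXTURES) {
  return fixtures
    .filter(f => !staticHrefs(f.html).includes(f.target))
    .map(f => f.name);
}

// After running a scanner against the served fixtures, pass the list of URLs
// it reports having crawled: true means the scanner reached that target.
function scoreCrawl(crawledUrls, fixtures = FIXTURES) {
  const seen = new Set(crawledUrls);
  const score = {};
  for (const f of fixtures) score[f.name] = seen.has(f.target);
  return score;
}

// Write the fixtures plus an index page (plain links, so every fixture page is
// reachable by any crawler) into a directory that can be served as a web root.
function writeFixtures(dir) {
  const fs = require("fs");
  const path = require("path");
  fs.mkdirSync(dir, { recursive: true });
  for (const f of FIXTURES) fs.writeFileSync(path.join(dir, f.file), f.html);
  const index = FIXTURES.map(f => `<a href="${f.file}">${f.name}</a>`).join("<br>");
  fs.writeFileSync(path.join(dir, "index.html"), `<html><body>${index}</body></html>`);
  return FIXTURES.map(f => f.file);
}

module.exports = { FIXTURES, staticHrefs, missedByStaticCrawler, scoreCrawl, writeFixtures };
```

Serve the directory written by writeFixtures(), point the scanner at its index page, then feed the URLs from the scanner's site tree or proxy log to scoreCrawl(). A fixture scored false means the crawler did not execute that mechanism, so any vulnerability on a page reachable only that way is invisible to the scanner regardless of how good its checks are.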

The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document: http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f45/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa758/report.pdf/report_pdf.pdf

I've included enough information in this report (the JavaScript files used for testing, exact version and URL for all the tested applications) so anybody with enough patience can verify and reproduce the results presented here.

Therefore, I will not respond to emails from vendors. You have the information, fix your scanners!

44 comments:

  1. Excellent report. I too preferred AppScan, but your report has me thinking twice. Great Job!

    Billy Rios

  2. Thank you very much Billy.
    BTW, I'm following your blog. You have some great posts in there.

  3. Hi, nice blog. Web based timecard Labor Time Tracker is a “labor time tracker” for your business. It is a smarter, easier and faster way to track employee time for payroll and job costing.

  4. Not sure if anyone saw this, but Acunetix (who won) must be listening, because they claim they now catch everything in this test suite...
    http://www.acunetix.com/blog/productnews/updated-acunetix-wvs-addresses-anantas-comparison-report-issues/

  5. Thanks, the report is very helpful.

    I tried to reproduce the JavaScript tests and Acunetix doesn't report any problem with the JavaScript files you provided.

    Can you comment on what vulnerabilities are present in the JavaScript files?

    Maybe it is the configuration of Acunetix, but I tried with w3af too and nothing is reported.

    nico

  6. If you lend someone $20 and never see that person again, it was probably worth it.

  7. Hi AnantaSec,

    It would be nice if you could confirm this.
    http://labs.german-websecurity.com/en/blog/?p=12

    If you need a free scan from german-websecurity.com for this test, just send them an email.

  8. The great master key to wealth is precisely the self-discipline and self-control you need in order to fully command your own mind.

  9. Everyone wants happiness, so how could all of it belong to you? Know that there was never much happiness in this world to begin with.

  10. Death is sad, but living unhappily is sadder still.

  11. When a person's heart can hold two things that conflict with each other, that person begins to become valuable.

  12. A good article deserves a response; being able to see your updates often would be a very happy thing.

  13. Whatever you do, believe in yourself, and don't let a single remark from someone else knock you down.

  14. Love (愛), taken apart, is the two characters "heart" (心) and "receive" (受). Accept everything about the other person with your heart, and love all that the other person is with your heart.

  15. It's great to know about the PTLLS Course announcement. This is the edge of competition and one has to be skillful before joining a career. This would help you to ensure your security.
