Penetration Testing mailing list archives
Re: Web Application Scanners Comparison
From: anantasec <anantasec () googlemail com>
Date: Wed, 28 Jan 2009 18:41:03 +0200
Initially, in the first scans I've included this information in the evaluation (I've written down the number of requests and the time it takes to complete the scan). However, it got pretty hard to correlate and compare all those numbers and I got lazy in the end and didn't include them in the report. Sorry about that. Also, different scanners perform different kinds of tests and use different techniques to discover a vulnerability. It's pretty hard to compare them.

WebInspect has a nasty bug: it was entering a loop when scanning some cgi directory that was returning HTTP 403 Forbidden. It was discovering /cgi-bin/dir1/dir2/dir3/... and so on. I had to stop the scan after two days.

Weird stuff: on WebInspect it's not possible (or I don't know how) to stop a scheduled scan. I had to kill the process. And you don't have any feedback about the status of the scheduled scans. That's fine for small scans but if you look at the same window after two days of scanning and nothing has changed you start to lose your patience.

For speed, AppScan is finishing first in almost all cases (if not all). However, it also generated the lowest number of requests. AppScan doesn't perform a very comprehensive scan in my opinion.
Nice report. It would be useful to include other parameters like speed (time spent in each task for different tools) and stability. The last parameter is especially important for me since I've used one of them (I'll give no name, I don't want to harm any vendor) and it is horribly unstable (many crashes, freezes, etc). Cheers, -Roman
-- http://anantasec.blogspot.com
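The catch-all 403 loop described in the reply above, as an added illustration that is not code from this thread or from any of the scanners it names: a constructed server answers every path under /cgi-bin/ with one identical 403 page, the naive directory walk treats each such answer as a newly found directory and grows without bound, while the guarded walk fingerprints a deliberately impossible child path first and stops descending when candidates answer identically. The server, the tiny candidate list and the fingerprint helper are all assumptions made for the example.

```python
import hashlib

def fingerprint(resp):
    # Status plus body hash: responses that match here are "the same page".
    status, body = resp
    return (status, hashlib.sha256(body).hexdigest())

def constructed_server(path):
    """Constructed stand-in for the scanned host: every path under /cgi-bin/
    gets one identical 403 page; /docs/ holds a single real sub-directory."""
    if path.startswith("/cgi-bin/"):
        return (403, b"<h1>403 Forbidden</h1>")
    if path in ("/docs/", "/docs/api/"):
        return (200, b"<h1>Index of " + path.encode() + b"</h1>")
    return (404, b"Not Found")

CANDIDATES = ("cgi-bin", "docs", "api")  # constructed, deliberately tiny list

def naive_discover(fetch, base="/", max_depth=3):
    """The looping behaviour: any non-404 child counts as found and is descended
    into, so a catch-all 403 yields 3, 9, 27, ... paths per level."""
    found, stack = [], [(base, 0)]
    while stack:
        parent, depth = stack.pop()
        if depth >= max_depth:
            continue
        for name in CANDIDATES:
            child = f"{parent}{name}/"
            if fetch(child)[0] != 404:
                found.append(child)
                stack.append((child, depth + 1))
    return found

def guarded_discover(fetch, base="/", max_depth=8):
    """Hardened walk: request a child that cannot exist first and keep its
    fingerprint; a candidate answering identically is that directory's
    catch-all response, so it is neither reported nor descended into."""
    found, stack = [], [(base, 0)]
    while stack:
        parent, depth = stack.pop()
        if depth >= max_depth:          # last line of defence only
            continue
        baseline = fingerprint(fetch(f"{parent}zz-no-such-dir-7f3a/"))
        for name in CANDIDATES:
            child = f"{parent}{name}/"
            resp = fetch(child)
            if resp[0] != 404 and fingerprint(resp) != baseline:
                found.append(child)
                stack.append((child, depth + 1))
    return found
```

Raising max_depth on the naive walk multiplies the reported paths by three per level, which is the two-day scan from the message; the guarded walk reports /cgi-bin/ once and stops.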