RE: Comparison report on web app security scanners

["Mark Curphey" <mark () curphey com>]

Bullshit....

-----Original Message-----
From: Bogdan Calin [mailto:bogdan () acunetix com] 
Sent: Tuesday, May 16, 2006 10:10 AM
To: webappsec () securityfocus com
Cc: Holger.Peine () iese fraunhofer de
Subject: Re: Comparison report on web app security scanners

Hello,

A few days ago Dr. Holger Peine published a "Comparison report on web 
app security scanners".

For this report he used two web applications: one of them is WebGoat and 
the other one is a proprietary application which is not public.

I don't know anything about this proprietary application but I would 
like to say that WebGoat is not a good test case for evaluating web 
scanners.

WebGoat is using server side state variables to track user actions. For 
example, if you want to test the String SQL injection flaw you first 
need to navigate to the "String SQL injection" section in order to set 
the proper state of the application.

If the application is not in the proper state, the SQL injection test 
will not work. The application will just ignore your inputs.

An automated scanner cannot guess this application behavior, and unless 
you optimize your scanner for this particular application it will not be 
able to scan it properly.

When the scanner has finished discovering the site structure, WebGoat 
will be in some unknown state. All tests will be performed while WebGoat 
is in this state.

This is not a common implementation.

Because we are offering free audits, we have audited more than 1,000 
websites and didn't encountered this kind of implementation.

WebGoat is great for learning about web security flaws but I don't think 
it should be used as a test case for web security scanners.

Bogdan Calin
Acunetix Ltd. - www.acunetix.com
Acunetix Web Vulnerability Scanner

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------