WebApp Sec mailing list archives
Re: Environment for testing WebApp Security Scanners
From: "Roman H." <ref66 () yahoo com>
Date: Tue, 8 Aug 2006 03:54:13 -0700 (PDT)
René, You might want to consider looking at the OWASP SiteGenerator project (coded by Dinis Cruz and sponsored by Foundstone). It has tried to tackle the exact problem that you are working on. So I would suggest that you make use of it in your research, and perhaps build on Dinis' work to improve SiteGenerator (maybe reach a 1.0 version?). What everyone would really love to see is some actual published results against a test suite, but it's not likely you will convince any vendors to let you do that. WebGoat is probably not the best app for your purposes, since it's designed to be a tutorial and doesn't resemble a real-world business application (i.e. the market for scanners). Besides, I would bet that many of the scanners have specifically coded signatures for WebGoat. On the other hand, SiteGenerator can be easily reconfigured to have a different sitemap with new custom vulnerabilities so it never looks the same to a scanner. http://www.owasp.org/index.php/Owasp_SiteGenerator Cheers, Roman Hustad ----- Original Message ---- From: René Palige <rwp () gmx de> To: webappsec () securityfocus com Sent: Monday, August 7, 2006 1:33:02 PM Subject: Environment for testing WebApp Security Scanners Hi! I?m currently working on my bachelor thesis which is about the development of a testsuite for different Web Application Security Scanners. My goal is to provide an environment which can be used as a basis for testing and evaluating the performance of the many tools already existing. Consequently the main part of my work will be to implement different types of vulnerabilites in more or less realistic scenarios and with different characteristics. At the moment I?m planning to use OWASPs WebGoat as some kind of groundwork. My questions: Which "features" would you consider to be necessary or useful in this context? And what basic requirements do you see which should be met? Would it be best to focus on "real-life scenarios"? Or rather to cover as many aspects of a special class of vulnerabilities as possible? Thanks in advance, R. Palige ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB --------------------------------------------------------------------------
Current thread:
- Environment for testing WebApp Security Scanners René Palige (Aug 07)
- RE: Environment for testing WebApp Security Scanners Mark Curphey (Aug 08)
- Re: Environment for testing WebApp Security Scanners Roman H. (Aug 08)
- RE: Environment for testing WebApp Security Scanners Brokken, Allen P. (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners Gerald Quakenbush (Aug 08)
- RE: Environment for testing WebApp Security Scanners Mark Curphey (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 08)
- Re: Environment for testing WebApp Security Scanners Dean H. Saxe (Aug 08)
- Re: Environment for testing WebApp Security Scanners c0redump (Aug 09)
- Re: Environment for testing WebApp Security Scanners mikeiscool (Aug 09)
- <Possible follow-ups>
- RE: Environment for testing WebApp Security Scanners Evans, Arian (Aug 23)