RE: Web Application Scanners Comparison

["Calderon, Juan Carlos (GE, Corporate, consultant)" <juan.calderon () ge com>]

It would have being great if you had included IBM Ration Appscan Build
edition and HP DevInspect to the testing just as you did with AcuSensor,
so that all 3 scanners were compared in both areas, automated blackbox
and static source code analysis.

Regards,
Juan Carlos Calderon

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of anantasec
Sent: Martes, 27 de Enero de 2009 08:15 a.m.
To: pen-test () securityfocus com; webappsec () securityfocus com
Subject: Web Application Scanners Comparison

Hi all,

In the past weeks, I've performed an evaluation/comparison of three
popular web vulnerability scanners.This evaluation was ordered by a
penetration testing company that will remain anonymous. The vendors were
not contacted during or after the evaluation.

The applications (web scanners) included in this evaluation are:
- Acunetix WVS version 6.0 (Build 20081217)
- IBM Rational AppScan version 7.7.620 Service Pack 2
- HP WebInspect version 7.7.869

I've tested 13 web applications (some of them containing a lot of
vulnerabilities), 3 demo applications provided by the vendors
(testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and
I've done some tests to verify Javascript execution capabilities.

In total, 16 applications were tested. I've tried to cover all the major
platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.

The report can be found at http://drop.io/anantasecfiles/ The full URL
to the PDF document:
http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d789224ea665f4
5/759c3010-ce68-012b-dcee-f407c7ff11c2/9eeb1f00-cea5-012b-aa7b-f219675fa
758/report.pdf/report_pdf.pdf

I've included enough information in this report (the javascript files
used for testing, exact version and URL for all the tested
applications) so anybody with enough patience can verify and reproduce
the results presented here.

Therefore, I will not respond to emails for vendors. You have the
information, fix your scanners!

Best wishes & regards,
anantasec

--
http://anantasec.blogspot.com

------------------------------------------------------------------------
-
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment With the
rapid rise in the number and types of security threats, web application
security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed?
What tools can accelerate the assessment process? Download this
Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
------------------------------------------------------------------------
-


-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------