WAVSEP 1.0 – Web Application Vulnerability Scanner Evaluation Project
A web application that contains a collection of unique vulnerable pages designed to help assess the features, quality and accuracy of web application vulnerability scanners.
Here is the PDF document called Application Active Scan Features Comparison.
The following comes from the author's blog (http://sectooladdict.blogspot.com/):
I’ve been collecting them for years, trying to get my hands on anything that was released within the genre. It started as a necessity, transformed into a hobby, and eventually turned into a relatively huge collection… But that’s when the problems started.
While back in 2005 I could barely find freeware web application scanners, by 2008 I had SO MANY of them that I couldn’t decide which ones to use. By 2010 the collection became so big that I came to the realization that I HAVE to choose.
I started searching for benchmarks in the field, but at the time, only located benchmarks that focused on comparing commercial web application scanners (with the exception of one benchmark that also covered 3 open source web application scanners), leaving the freeware & open source scanners in an uncharted territory:
- http://www.virtualforge.de/index.php/en/library/white-papers/web-application-vulnerability-scanners-a-benchmark_en.html (Anonymous scanners)
- http://anantasec.blogspot.com/2009/01/web-vulnerability-scanners-comparison.html (commercial scanners)
- http://www.cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf (mostly commercial, but including W3AF, paros and grendel-scan)
- http://ha.ckers.org/files/Accuracy_and_Time_Costs_of_Web_App_Scanners.pdf (commercial scanners)
By 2010 I had over 50 tools, so I eventually decided to test them myself using the same model used in previous benchmarks (a big BIG mistake).
I initially tested the various tools against a vulnerable ASP.net web application and came to conclusions as to which tool is the “best”… and if it weren’t for my curiosity, that probably would have been the end of it and my conclusions might have misled many more.
I decided to test the tools against another vulnerable web application, just to make sure the results were consistent, and arbitrarily selected “Insecure Web App” (a vulnerable JEE web application) as the second target… and to my surprise, the results of the tests against it were VERY different.
Some of the tools that were efficient in the test against the vulnerable ASP.net application (which will stay anonymous for the time being) didn’t function very well and missed many exposures, while some of the tools that I previously classified as “useless” detected exposures that NONE of the other tools found.
After performing an in-depth analysis for the different vulnerabilities in the tested applications, I came to the conclusion that although the applications included a similar classification of exposures (SQL Injection, RXSS, Information disclosure, etc.), the properties and restrictions in the exposure instances were VERY different in each application.