Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Comparison report on web app security scanners

from [Bogdan Calin] Network Security [Permanent Link]
Subject: Re: Comparison report on web app security scanners
Date: Tue, 16 May 2006 17:10:21 +0300 
Hello,

A few days ago Dr. Holger Peine published a "Comparison report on web app security scanners".

For this report he used two web applications: one of them is WebGoat and the other one is a proprietary application which is not public.

I don't know anything about this proprietary application but I would like to say that WebGoat is not a good test case for evaluating web scanners.

WebGoat is using server side state variables to track user actions. For example, if you want to test the String SQL injection flaw you first need to navigate to the "String SQL injection" section in order to set the proper state of the application.

If the application is not in the proper state, the SQL injection test will not work. The application will just ignore your inputs.

An automated scanner cannot guess this application behavior, and unless you optimize your scanner for this particular application it will not be able to scan it properly.

When the scanner has finished discovering the site structure, WebGoat will be in some unknown state. All tests will be performed while WebGoat is in this state.

This is not a common implementation.

Because we are offering free audits, we have audited more than 1,000 websites and didn't encountered this kind of implementation.

WebGoat is great for learning about web security flaws but I don't think it should be used as a test case for web security scanners.

Bogdan Calin
Acunetix Ltd. - www.acunetix.com
Acunetix Web Vulnerability Scanner

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security assessment by leading market research firm. Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: MYSQL and PHP, KlientÅ aptarnavimas
Next by Date:  Final Registration Reminder: 2006 European OWASP AppSec Conference - May 30-31, 2006 near Brussels, Dave Wichers
Previous by Thread:  Comparison report on web app security scanners, Holger.Peine
Next by Thread:  RE: Comparison report on web app security scanners, Mark Curphey
Indexes:  [Date] [Thread] [Top] [All Lists]