Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Comparison report on web app security scanners now translated to Eng

from [Rogan Dawes] Network Security [Permanent Link]
Subject: Re: Comparison report on web app security scanners now translated to English
Date: Mon, 14 Aug 2006 14:22:51 +0200
Holger.Peine@iese.fraunhofer.de wrote:
On May 5th, I posted the URL for a comparison report on web app security
scanners
to this list:
http://fhgonline.fraunhofer.de/server?suche-publica&num=048.06/D&iese
Here is what I wrote about the contents of the report at that time:
"As I had mentioned in another posting to this list some time ago,
a few months ago I completed a fairly extensive review of various
tools: AppScan, WebInspect, Acunetix, (note AppScan and WebInspect
have produced new versions since then), Burp, WebScarab, Spike Proxy, and some minor remarks on a few other tools. I used two applications as benchmarks: WebGoat and a proprietary application in production use. The report totals to about 170 pages."

However, at that time in May, there was no English translation of the
German original, which many people have asked for meanwhile. Yesterday, I was surprised to hear that Cenzic Inc. have had the report translated. So
here is the English version now, a bit rough on the edges, but you will
certainly
get the picture:
http://www.iese.fraunhofer.de/download/Security-Checker-Tools-for-Web-Ap
plications.pdf
(that link will be valid for four weeks from today).

My thanks go to Cenzic for this contribution to the community.

Kind regards,
Holger Peine



Hi Holger,

I read with interest the translated version of your document. One thing that amused me a lot is the report of how Spike Proxy supports VulnXML.

In fact, the 1500-odd VulnXML tests that SpikeProxy ships with were actually created by myself from the Nikto database available at the time, using a simple script. I doubt that they have been updated since then (although I have not checked).

You might wonder why WebScarab never implemented the VulnXML tests, since I created the specification. In fact, I concluded that in order to achieve a meaningful spectrum of tests using VulnXML, we would have to define and implement a near-Turing-complete language. XML is clearly not the right tool for such a task, and so the effort languished and died.

To summarise, a tester would get better results by using an up-to-date version of Nikto, rather than relying on the VulnXML tests in Spike Proxy. (assuming they were not updated and extended from the original set created)

Regards,

Rogan Dawes

P.S. Thanks a lot for your work in comparing these tools. I can see that you went to a lot of effort to test them, and your/Fraunhofer's publishing of the results to the broader community is much appreciated!

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [WEB SECURITY] "hack-me" Ajax apps?, kurt
Next by Date:  "hack-me" Ajax apps?, Jeff Robertson
Previous by Thread:  Comparison report on web app security scanners now translated to English, Holger.Peine
Next by Thread:  RE: Comparison report on web app security scanners now translated to English, Holger.Peine
Indexes:  [Date] [Thread] [Top] [All Lists]