RE: Good benchmark application for web security testing tools?

["Benjamin Livshits" <livshits () cs stanford edu>]

We put together a suite of Web application security benchmarks called
Stanford SecuriBench:

        http://suif.stanford.edu/~livshits/securibench/

You will probably find this to be a useful starting point for your purposes.

-Ben

> -----Original Message-----
> From: Peine,Holger [mailto:Holger.Peine () iese fraunhofer de] 
> Sent: Tuesday, October 04, 2005 4:46 AM
> To: webappsec () securityfocus com
> Subject: Good benchmark application for web security testing tools?
>
> The idea of reviewing the available (free or commercial) web 
> application security testing tools has been mentioned several 
> times on this list.
> However, what would a good benchmarking application for these 
> tools be, i.e. a "typical" web application with a number of 
> known vulnerabilities?
>
> Initially I was thinking of Webgoat, which at least has a 
> nice variety of vulnerabilities, but Webgoat's structure is 
> not very representative of your typical web application's 
> structure and workflow (and apart from
>
> that, Webgoat is somewhat small, too). So, what application 
> would you suggest?
>
> Thanks for your opinion,
> Holger Peine
>
> --
> Dr. Holger Peine, Security and Safety
> Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, 
> Germany Phone +49-631-6800-2134, Fax -1299 (shared) 
> www.iese.fraunhofer.de/Staff/peine -- PGP key on request or 
> via http://pgp.mit.edu