WebApp Sec mailing list archives

RE: Good benchmark application for web security testing tools?


From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Tue, 4 Oct 2005 18:11:43 -0400


Any single application that you select, especially a well-known
benchmark application, would achieve biased results, as it is VERY easy
to make a testing software work fine with a specific application.

A somewhat better solution would be to select (yourself) a web
application on sourceforge (neither the most popular nor the least
popular) and test against it. This approach has its problems. For
example, you will probably find a PHP application. Additionally, you
will not know in advance what the security problems are (but then this
is the reason to choose this method: neither will the tool makers).

~ Ofer

Ofer Shezaf
OWASP Israel Chair
http://www.owasp.org/local/israel.html

CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers () breach com
http://www.breach.com


-----Original Message-----
From: Eoin Keary [mailto:eoinkeary () gmail com]
Sent: Tuesday, October 04, 2005 5:39 PM
To: Peine,Holger
Cc: webappsec () securityfocus com
Subject: Re: Good benchmark application for web security testing
tools?

hackmebank or hackmebooks from foundstone?


On 04/10/05, Peine,Holger <Holger.Peine () iese fraunhofer de> wrote:
The idea of reviewing the available (free or commercial) web application
security testing tools has been mentioned several times on this list.
However, what would a good benchmarking application for these tools be,
i.e. a "typical" web application with a number of known vulnerabilities?

Initially I was thinking of Webgoat, which at least has a nice variety
of vulnerabilities, but Webgoat's structure is not very representative
of your typical web application's structure and workflow (and apart from
that, Webgoat is somewhat small, too). So, what application would you
suggest?

Thanks for your opinion,
Holger Peine

--
Dr. Holger Peine, Security and Safety
Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
Phone +49-631-6800-2134, Fax -1299 (shared)
www.iese.fraunhofer.de/Staff/peine -- PGP key on request or via
http://pgp.mit.edu