WebApp Sec mailing list archives
RE: Good benchmark application for web security testing tools?
From: "Ofer Shezaf" <Ofer.Shezaf () breach com>
Date: Tue, 4 Oct 2005 18:11:43 -0400
Any single application that you select, especially a well known benchmark application, would achieve biased results, as it is VERY easy to make a testing software work fine with a specific application.

A somewhat better solution would be to select (yourself) a web application on sourceforge (neither the most popular nor the least popular) and test against it. This approach has its problems. For example, you will probably find a PHP application. Additionally, you will not know in advance what the security problems are (but then this is the reason to choose this method: neither will the tool makers).

~ Ofer

Ofer Shezaf
OWASP Israel Chair
http://www.owasp.org/local/israel.html
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers () breach com
http://www.breach.com
-----Original Message-----
From: Eoin Keary [mailto:eoinkeary () gmail com]
Sent: Tuesday, October 04, 2005 5:39 PM
To: Peine,Holger
Cc: webappsec () securityfocus com
Subject: Re: Good benchmark application for web security testing tools?
hackmebank or hackmebooks from foundstone?

On 04/10/05, Peine,Holger <Holger.Peine () iese fraunhofer de> wrote:
> The idea of reviewing the available (free or commercial) web application security testing tools has been mentioned several times on this list.
>
> However, what would a good benchmarking application for these tools be, i.e. a "typical" web application with a number of known vulnerabilities?
>
> Initially I was thinking of Webgoat, which at least has a nice variety of vulnerabilities, but Webgoat's structure is not very representative of your typical web application's structure and workflow (and apart from that, Webgoat is somewhat small, too). So, what application would you suggest?
>
> Thanks for your opinion,
> Holger Peine
>
> --
> Dr. Holger Peine, Security and Safety
> Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
> Phone +49-631-6800-2134, Fax -1299 (shared)
> www.iese.fraunhofer.de/Staff/peine -- PGP key on request or via http://pgp.mit.edu
Current thread:
- Good benchmark application for web security testing tools? Peine,Holger (Oct 04)
- Re: Good benchmark application for web security testing tools? Eoin Keary (Oct 04)
- RE: Good benchmark application for web security testing tools? Benjamin Livshits (Oct 04)
- <Possible follow-ups>
- RE: Good benchmark application for web security testing tools? Steven Rebello (Oct 04)
- RE: Good benchmark application for web security testing tools? Evans, Arian (Oct 04)
- RE: Good benchmark application for web security testing tools? Lodin, Steven (Oct 04)
- RE: Good benchmark application for web security testing tools? Ofer Shezaf (Oct 04)
- RE: Good benchmark application for web security testing tools? Mark Curphey (Oct 06)
- RE: Good benchmark application for web security testing tools? Evans, Arian (Oct 07)
- RE: Good benchmark application for web security testing tools? Mark Curphey (Oct 10)