RE: Comparison report on web app security scanners

["Mark Curphey" <mark () curphey com>]

Hacme Bank 2 (coded by Dinis Cruz) was rewritten from the ground up to be a
real world ASP.NET app. FYI there is also now Hacme Flowers (PHP), Hacme
Books (Java), Hacme Shipping (ColdFusion), Hacme Travel (C++) and now Hacme
Casino (Ruby on Rails and AJAX) which makes it an interesting test bed. 

However that said I sponsored Dinis to build OWASP SiteGenerator late last
year which was designed from the ground up as a benchmarking / test tool.
The idea is you can build sites that replicate your own (mix a bit of
Javascript navigation, flash animation, bad HTML, workflow, 10% complex sql
injection, 25% stored XSS etc) or a series of sites to see where automation
is good and where it is not. I believe Dinis is looking for companies to
partner with him to run tests that can be published against this framework. 

Given WebGoat was written using Eclipse and a JDK (no special sauce) I fail
to see why it's not real world app but I do agree its not suitable for
benchmarking. Note the term benchmarking, not the term testing. Testing to
see if tools find simple holes surely could use any broken app? Testing how
many of certain types (quantifiable results) requires a benchmarking
platform. That IMHO is not WebGoat or the Hacme Series but SiteGenerator. 

I am looking forward to the results of a public quantifiable test using
SiteGenerator and a consistent set of criteria.


-----Original Message-----
From: Ory Segal [mailto:osegal () watchfire com] 
Sent: Tuesday, May 16, 2006 10:53 AM
To: webappsec () securityfocus com
Cc: Holger.Peine () iese fraunhofer de; Bogdan Calin
Subject: RE: Comparison report on web app security scanners

Hello,

I would like to add several important comments to this thread, in behalf
of Watchfire:

According to tests done in Watchfire's labs, when using AppScan 6.0 SP2
+ update 553 on the WebGoat application - AppScan will find 85 links,
will create 9557 tests and will eventually find 31 issues (211 different
test variants).
 
People who perform such benchmarks against WebGoat should pay attention
to the fact that AppScan needs some configuration in order to run
successfully on this application - 

- Explore method should be set to DFS (Depth First)
- Scan should be done in Single threaded mode
- Path limit should be disabled (no path limit)
- Depth limit should be enabled (otherwise one of the lessons gets into
an infinite loop)
- HTTP Authentication - use guest/guest
- Add the "Screen" parameter to the black-list (untested parameters)
- Auto-form filler should be enabled 

(!!!) IMPORTANT: all of the above configuration items existed in AppScan
for a long time, these were not added in order to "cook the product" to
work properly on WebGoat. 

In addition I support what Acunetix mentioned, WebGoat and the
FoundStone (Hackme) banking applications are poor examples to be testing
on.
 
I am also quoting Mark Curphey (OWASP), regarding OWASP's WebGoat
project:
"That said its (i.e. Foundstone's HackMe bank) not a good benchmarking
tool for testing these tools, nor is WebGoat"  - taken from:
http://seclists.org/lists/webappsec/2005/Oct-Dec/0025.html 
 
Thank you very much,
-Ory Segal
Watchfire


-----Original Message-----
From: Bogdan Calin [mailto:bogdan () acunetix com] 
Sent: Tuesday, May 16, 2006 17:10
To: webappsec () securityfocus com
Cc: Holger.Peine () iese fraunhofer de
Subject: Re: Comparison report on web app security scanners

Hello,

A few days ago Dr. Holger Peine published a "Comparison report on web
app security scanners".

For this report he used two web applications: one of them is WebGoat and
the other one is a proprietary application which is not public.

I don't know anything about this proprietary application but I would
like to say that WebGoat is not a good test case for evaluating web
scanners.

WebGoat is using server side state variables to track user actions. For
example, if you want to test the String SQL injection flaw you first
need to navigate to the "String SQL injection" section in order to set
the proper state of the application.

If the application is not in the proper state, the SQL injection test
will not work. The application will just ignore your inputs.

An automated scanner cannot guess this application behavior, and unless
you optimize your scanner for this particular application it will not be
able to scan it properly.

When the scanner has finished discovering the site structure, WebGoat
will be in some unknown state. All tests will be performed while WebGoat
is in this state.

This is not a common implementation.

Because we are offering free audits, we have audited more than 1,000
websites and didn't encountered this kind of implementation.

WebGoat is great for learning about web security flaws but I don't think
it should be used as a test case for web security scanners.

Bogdan Calin
Acunetix Ltd. - www.acunetix.com
Acunetix Web Vulnerability Scanner

------------------------------------------------------------------------
-
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application
security assessment by leading market research firm. Watchfire's AppScan
is the industry's first and leading web application security testing
suite, and the only solution to provide comprehensive remediation tasks
at every level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
------------------------------------------------------------------------
--



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire named worldwide market share leader in web application security 
assessment by leading market research firm. Watchfire's AppScan is the 
industry's first and leading web application security testing suite, and 
the only solution to provide comprehensive remediation tasks at every 
level of the application. See for yourself. 
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007t9c
--------------------------------------------------------------------------