WebApp Sec mailing list archives
Re: Comparison report on web app security scanners now translated to English
From: Rogan Dawes <rogan () dawes za net>
Date: Mon, 14 Aug 2006 14:22:51 +0200
Holger.Peine () iese fraunhofer de wrote:
On May 5th, I posted the URL for a comparison report on web app security scanners to this list: http://fhgonline.fraunhofer.de/server?suche-publica&num=048.06/D&iese Here is what I wrote about the contents of the report at that time: "As I had mentioned in another posting to this list some time ago, a few months ago I completed a fairly extensive review of various tools: AppScan, WebInspect, Acunetix, (note AppScan and WebInspecthave produced new versions since then), Burp, WebScarab, Spike Proxy, and some minor remarks on a few other tools. I used two applications as benchmarks: WebGoat and a proprietary application in production use. The report totals to about 170 pages."However, at that time in May, there was no English translation of theGerman original, which many people have asked for meanwhile. Yesterday, I was surprised to hear that Cenzic Inc. have had the report translated. So here is the English version now, a bit rough on the edges, but you willcertainly get the picture: http://www.iese.fraunhofer.de/download/Security-Checker-Tools-for-Web-Ap plications.pdf (that link will be valid for four weeks from today). My thanks go to Cenzic for this contribution to the community. Kind regards, Holger Peine
Hi Holger,I read with interest the translated version of your document. One thing that amused me a lot is the report of how Spike Proxy supports VulnXML.
In fact, the 1500-odd VulnXML tests that SpikeProxy ships with were actually created by myself from the Nikto database available at the time, using a simple script. I doubt that they have been updated since then (although I have not checked).
You might wonder why WebScarab never implemented the VulnXML tests, since I created the specification. In fact, I concluded that in order to achieve a meaningful spectrum of tests using VulnXML, we would have to define and implement a near-Turing-complete language. XML is clearly not the right tool for such a task, and so the effort languished and died.
To summarise, a tester would get better results by using an up-to-date version of Nikto, rather than relying on the VulnXML tests in Spike Proxy. (assuming they were not updated and extended from the original set created)
Regards, Rogan DawesP.S. Thanks a lot for your work in comparing these tools. I can see that you went to a lot of effort to test them, and your/Fraunhofer's publishing of the results to the broader community is much appreciated!
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. Try it today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
Current thread:
- Comparison report on web app security scanners now translated to English Holger.Peine (Aug 10)
- Re: Comparison report on web app security scanners now translated to English Rogan Dawes (Aug 16)
- <Possible follow-ups>
- RE: Comparison report on web app security scanners now translated to English Holger.Peine (Aug 18)
- Comparison report on web app security scanners now translated to English Cleiton Martins (Sep 19)
- Re: Comparison report on web app security scanners now translated to English Saqib Ali (Sep 22)
- Re: Comparison report on web app security scanners now translated to English Roberto Tanara (Sep 22)
- RE: Comparison report on web app security scanners now translated to English Evans, Arian (Sep 22)