WebApp Sec mailing list archives

Re: Web Application Scanners Comparison


From: anantasec <anantasec () googlemail com>
Date: Wed, 28 Jan 2009 18:41:03 +0200

Initially, in the first scans I've included this information in the
evaluation (I've written down the number of requests and the time it
takes to complete the scan).
However, it got pretty hard to correlate and compare all those numbers
and I got lazy in the end and didn't include them in the report. Sorry
about that.
Also, different scanners perform different kinds of tests and use
different techniques to discover a vulnerability. It's pretty hard to
compare them.

WebInspect has a nasty bug: it was entering a loop when scanning
some cgi directory that was returning HTTP 403 Forbidden. It was
discovering /cgi-bin/dir1/dir2/dir3/... and so on. I had to stop the
scan after two days. Weird stuff: on WebInspect it's not possible (or
I don't know how) to stop a scheduled scan. I had to kill the process.
And you don't have any feedback about the status of the scheduled
scans. That's fine for small scans, but if you look at the same window
after two days of scanning and nothing has changed, you start to lose
your patience.

For speed, AppScan is finishing first in almost all cases (if not
all). However, it also generated the lowest number of requests.
AppScan doesn't perform a very comprehensive scan in my opinion.

Nice report. It would be useful to include other parameters like speed
(time spent in each task for different tools) and stability. The last
parameter is especially important for me since I've used one of them (I'll
give no name, I don't want to harm any vendor) and it is horribly unstable
(many crashes, freezes, etc).

Cheers,
-Roman



-- 
http://anantasec.blogspot.com
