The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2008. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape. We ascertain which classes of attacks are the most prevalent [...]

It’s been almost 2 years since the last update on Nikto, which was version 2.
For those that don’t know, Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over [...]

Websecurify is a web and web2.0 security initiative specializing in researching security issues and building the next generation of tools to defeat and protect web technologies.

Key Features

JavaScript – Websecurify Security Testing Framework is the first tool of its kind to be written entirely in JavaScript using only standard technologies adopted by the leading browsers.
Multiple Environments [...]

HP SWFScan is a free tool developed by HP Web Security Research Group, which will automatically find security vulnerabilities in applications built on the Flash platform.

HP is offering SWFScan because:

Their research shows that developers and increasingly implementing applications built on the Adobe Flash platform without the required security expertise.
As a result, they are seeing a [...]

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security.

Vulnerabilities

SQL Injection
XSS (Cross Site Scripting)
LFI (Local File Inclusion)
RFI (Remote File Inclusion)
Command Execution
Upload Script
Login Brute [...]

You may remember we wrote about Samurai being released back in November 2008, it’s been quite a while since the last update.

The authors have updated and fixed a number of issues with the environment as well as improved performance of the java based tools. They have also included a virtual machine of the environment. [...]

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management [...]

Durzosploit is a JavaScript exploit generation framework that works through the console. This goal of that project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.

Please note that Durzosploit does not find browser vulnerabilities, it only is an framework containing exploits you can use.
At present [...]

I saw a relevant paper published today by an individual that claims the comparison was ordered by a penetration testing company (a company which remains unnamed).
The vendors were not contacted during or after the evaluation.
Testing Procedure
The author tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the [...]

FireCAT (Firefox Catalog of Auditing exTension) is a mindmap collection of the most efficient and useful firefox extensions oriented application security auditing and assessment
FireCAT 1.5 will be the last release of this 1.x branch. In fact, we are working on a new improved version 2.0 (management of plugins, instant download from security-database, ability to add [...]