WAVSEP – Web Application Vulnerability Scanner Evaluation Project

Outsmart Malicious Hackers


The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn’t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of – Arachni v0.3 – his tool did extremely well in the WAVSEP tests.

The benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of12 commercial web application scanners and 48 free & open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).

In addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free to use web application vulnerability scanner commonly available)

The research compares the following aspects of these tools:

  • Number & Type of Vulnerability Detection Features
  • SQL Injection Detection Accuracy
  • Reflected Cross Site Scripting Detection Accuracy
  • General & Special Scanning Features

And what the author believes to me most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.

I for one applaud his efforts and I think this is a great project, of course there’s no completely objective ranking for these kind of things – but this study does give you a good idea of where different apps stand especially in terms of SQL Injection and XSS detection.

A lot of the tools we’ve written about here at Darknet come out tops (unsurprisingly).

The benchmark and reports (about 13 in total) can be found here:

http://sectooladdict.blogspot.com/

The framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:

wavsep-v1.0.3-war.zip

Or you can read more here.


Posted in: Web Hacking

, ,

Latest Posts:


BSQLinjector - Blind SQL Injection Tool Download BSQLinjector – Blind SQL Injection Tool Download in Ruby
BSQLinjector is an easy to use Blind SQL Injection tool in Ruby, that uses blind methods to retrieve data from SQL databases.
CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds


Comments are closed.