WAVSEP – Web Application Vulnerability Scanner Evaluation Project

The New Acunetix V12 Engine


The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn’t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of – Arachni v0.3 – his tool did extremely well in the WAVSEP tests.

The benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of12 commercial web application scanners and 48 free & open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).

In addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free to use web application vulnerability scanner commonly available)

The research compares the following aspects of these tools:

  • Number & Type of Vulnerability Detection Features
  • SQL Injection Detection Accuracy
  • Reflected Cross Site Scripting Detection Accuracy
  • General & Special Scanning Features

And what the author believes to me most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.

I for one applaud his efforts and I think this is a great project, of course there’s no completely objective ranking for these kind of things – but this study does give you a good idea of where different apps stand especially in terms of SQL Injection and XSS detection.

A lot of the tools we’ve written about here at Darknet come out tops (unsurprisingly).

The benchmark and reports (about 13 in total) can be found here:

http://sectooladdict.blogspot.com/

The framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:

wavsep-v1.0.3-war.zip

Or you can read more here.

Posted in: Web Hacking

, ,


Latest Posts:


HTTP Security Considerations - An Introduction To HTTP Basics HTTP Security Considerations – An Introduction To HTTP Basics
HTTP is ubiquitous now with pretty much everything being powered by an API, a web application or some kind of cloud-based HTTP driven infrastructure. With that HTTP Security becomes paramount and to secure HTTP you have to understand it.
Cangibrina - Admin Dashboard Finder Tool Cangibrina – Admin Dashboard Finder Tool
Cangibrina is a Python-based multi platform admin dashboard finder tool which aims to obtain the location of website dashboards by using brute-force, wordlists etc.
Enumall - Subdomain Discovery Using Recon-ng & AltDNS Enumall – Subdomain Discovery Using Recon-ng & AltDNS
Enumall is a Python-based tool that helps you do subdomain discovery using only one command by combining the abilities of Recon-ng and AltDNS.
RidRelay - SMB Relay Attack For Username Enumeration RidRelay – SMB Relay Attack For Username Enumeration
RidRelay is a Python-based tool to enumerate usernames on a domain where you have no credentials by using a SMB Relay Attack with low privileges.
NetBScanner - NetBIOS Network Scanner NetBScanner – NetBIOS Network Scanner
NetBScanner is a NetBIOS network scanner tool that scans all computers in the IP addresses range you choose, using the NetBIOS protocol.
Metta - Information Security Adversarial Simulation Tool Metta – Information Security Adversarial Simulation Tool
Metta is an information security preparedness tool in Python to help with adversarial simulation and assess security defense preparation and alerts.


Comments are closed.