{"id":3177,"date":"2011-09-14T17:33:05","date_gmt":"2011-09-14T16:33:05","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3177"},"modified":"2011-09-14T17:33:05","modified_gmt":"2011-09-14T16:33:05","slug":"wavsep-web-application-vulnerability-scanner-evaluation-project","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/09\/wavsep-web-application-vulnerability-scanner-evaluation-project\/","title":{"rendered":"WAVSEP – Web Application Vulnerability Scanner Evaluation Project"},"content":{"rendered":"
The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn’t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of Arachni v0.3; his tool did extremely well in the WAVSEP tests.\n\nThe benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of 12 commercial web application scanners and 48 free & open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).\n\nIn addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free-to-use web application vulnerability scanner commonly available).\n\nThe research compares the following aspects of these tools:\n\nAnd what the author believes to be most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.\n\nI for one applaud his efforts and I think this is a great project; of course there’s no completely objective ranking for these kinds of things, but this study does give you a good idea of where different apps stand, especially in terms of SQL Injection and XSS detection.\n\nA lot of the tools we’ve written about here at Darknet come out tops (unsurprisingly).\n\nThe benchmark and reports (about 13 in total) can be found here:\n\nhttp:\/\/sectooladdict.blogspot.com\/\n\nThe framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:\n\n