{"id":3177,"date":"2011-09-14T17:33:05","date_gmt":"2011-09-14T16:33:05","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=3177"},"modified":"2011-09-14T17:33:05","modified_gmt":"2011-09-14T16:33:05","slug":"wavsep-web-application-vulnerability-scanner-evaluation-project","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2011\/09\/wavsep-web-application-vulnerability-scanner-evaluation-project\/","title":{"rendered":"WAVSEP &#8211; Web Application Vulnerability Scanner Evaluation Project"},"content":{"rendered":"<p>The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn&#8217;t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of &#8211; <a href=\"https:\/\/www.darknet.org.uk\/2011\/08\/arachni-v3-0-released-web-application-security-scanner-framework\/\">Arachni v0.3<\/a> &#8211; his tool did extremely well in the WAVSEP tests.<\/p>\n<p>The benchmark tests the SQL Injection and Reflected XSS vulnerability detection accuracy of12 commercial web application scanners and 48 free &#038; open source web application scanners, and discusses the capabilities of many others (including information about a potential Trojan horse in one of them).<\/p>\n<p>In addition to the benchmark, the author has published a detailed feature comparison between all the scanners (which generally include every open source or free to use web application vulnerability scanner commonly available)<\/p>\n<p>The research compares the following aspects of these tools:<\/p>\n<ul>\n<li>Number &#038; Type of Vulnerability Detection Features<\/li>\n<li>SQL Injection Detection Accuracy<\/li>\n<li>Reflected Cross Site Scripting Detection Accuracy<\/li>\n<li>General &#038; Special Scanning Features<\/li>\n<\/ul>\n<p>And what the author believes to me most important is that during his research he has developed a toolkit that can be used by any individual or organization to test the accuracy of web application scanners in a very detailed and accurate manner.<\/p>\n<p>I for one applaud his efforts and I think this is a great project, of course there&#8217;s no completely objective ranking for these kind of things &#8211; but this study does give you a good idea of where different apps stand especially in terms of <a href=\"https:\/\/www.darknet.org.uk\/tag\/sql-injection\/\">SQL Injection<\/a> and <a href=\"https:\/\/www.darknet.org.uk\/tag\/xss\/\">XSS<\/a> detection.<\/p>\n<p>A lot of the tools we&#8217;ve written about here at Darknet come out tops (unsurprisingly).<\/p>\n<p>The benchmark and reports (about 13 in total) can be found here:<\/p>\n<p><a href=\"http:\/\/sectooladdict.blogspot.com\/\">http:\/\/sectooladdict.blogspot.com\/<\/a><\/p>\n<p>The framework for assessing vulnerability scanners was implemented in JEE and can be downloaded here:<\/p>\n<p><a href=\"http:\/\/wavsep.googlecode.com\/files\/wavsep-v1.0.3-war.zip\">wavsep-v1.0.3-war.zip<\/a><\/p>\n<p>Or you can read more <a href=\"http:\/\/code.google.com\/p\/wavsep\/\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The author of WAVSEP (Shay Chen) e-mailed quite some time back about this project, but I have to say I honestly didn&#8217;t have time to look at it back then. It popped back up on my radar again when it was mentioned by the author of &#8211; Arachni v0.3 &#8211; his tool did extremely well [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[15],"tags":[3620,396,376],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3177"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=3177"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/3177\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=3177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=3177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=3177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}