Commercial: Acunetix, Netsparker, Appscan, WebInspect
Open-Source: w3af, Wapiti, GrendelScan, Websecurify, Skipfish
Dedicated to all those services opened to browsers and the backend servers that support them.
This paper presented the evaluation of eleven black-box web vulnerability scanners.
The results of the evaluation clearly show that the ability to crawl a web application and
reach “deep” into the application’s resources is as important as the ability to detect the
It is also clear that although techniques to detect certain kinds of vulnerabilities are
well-established and seem to work reliably, there are whole classes of vulnerabilities
that are not well-understood and cannot be detected by the state-of-the-art scanners.We
found that eight out of sixteen vulnerabilities were not detected by any of the scanners.
We have also found areas that require further research so that web application vulnerability
scanners can improve their detection of vulnerabilities. Deep crawling is vital
to discover all vulnerabilities in an application. Improved reverse engineering is necessary
to keep track of the state of the application, which can enable automated detection
of complex vulnerabilities.
Finally, we found that there is no strong correlation between cost of the scanner and
functionality provided as some of the free or very cost-effective scanners performed as
well as scanners that cost thousands of dollars.
Users browsing this forum: No registered users and 0 guests