
Web Vulnerability Scanners Evaluation - January 2009
(http://anantasec.blogspot.com/, anantasec@gmail.com)

This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation.

Applications (web scanners) included in this report

Web Scanner | Version
Acunetix WVS | 6.0 (Build 20081217)
IBM Rational AppScan | 7.7.620 Service Pack 2
HP WebInspect | 7.7.869

Testing procedure

I've tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the vendors (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and I've done some tests to verify javascript execution capabilities. In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.

Note for Application Tests: In this report I've only included "important" vulnerabilities like SQL injection, Local/Remote File Inclusion, XSS, ... Vulnerabilities like "Unencrypted Login Form", "Directory listing found", "Email address found", ... were not included to avoid clutter. SQL injection vulnerabilities can be discovered through error messages or blind SQL injection. Some scanners are showing 2 alerts: one for the vulnerability found through the error message and another for the blind technique. In these cases only one vulnerability has been counted.

Legend

Explanation | Score
A valid vulnerability was reported. | 5 points
A valid vulnerability was missed (false negative). | -5 points
A false positive was reported. | -1 point

How score was calculated: 5 points for each valid vulnerability found, -5 points for each false negative (valid vulnerability not found), -1 point for each false positive.
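As an added illustration (not code from the report), the counting rules above expressed as a small Python scorer: informational alerts are dropped, an error-based and a blind SQL injection alert on the same file/parameter count once, and the +5/-5/-1 points are applied. The scanner outputs are constructed, and the alert names used for the merged SQL injection variants are assumptions.

```python
from dataclasses import dataclass

# Scoring rules stated in the report: +5 for each valid vulnerability found,
# -5 for each false negative (valid vulnerability missed), -1 per false positive.
POINTS_FOUND = 5
POINTS_MISSED = -5
POINTS_FALSE_POSITIVE = -1

# Informational alerts the report deliberately leaves out of the count.
EXCLUDED_TYPES = {
    "Unencrypted Login Form",
    "Directory listing found",
    "Email address found",
}

# Alert names folded into one vulnerability: an error-based and a blind SQL
# injection alert on the same file/parameter count once. The alert names are
# assumptions; real scanners label these variants differently.
MERGED_TYPES = {
    "SQL Injection (error message)": "SQL Injection",
    "SQL Injection (blind)": "SQL Injection",
}


@dataclass(frozen=True)
class Finding:
    vuln_type: str
    file: str
    parameter: str


def normalize(findings):
    """Apply the report's counting rules and return the set of
    (type, file, parameter) keys that are actually counted."""
    keys = set()
    for f in findings:
        if f.vuln_type in EXCLUDED_TYPES:
            continue
        keys.add((MERGED_TYPES.get(f.vuln_type, f.vuln_type), f.file, f.parameter))
    return keys


def score(valid, reported):
    """Compare a scanner's report against the known valid vulnerabilities
    and return found / missed / false-positive counts plus the score."""
    valid_keys = normalize(valid)
    reported_keys = normalize(reported)
    found = valid_keys & reported_keys
    missed = valid_keys - reported_keys
    false_positives = reported_keys - valid_keys
    total = (POINTS_FOUND * len(found)
             + POINTS_MISSED * len(missed)
             + POINTS_FALSE_POSITIVE * len(false_positives))
    return {"found": len(found), "missed": len(missed),
            "false_positives": len(false_positives), "score": total}


# Known vulnerabilities of Vanilla 1.1.4 as listed later in the report.
VALID_VANILLA = [
    Finding("Cross Site Scripting (XSS)", "people.php", "NewPassword"),
    Finding("Cross Site Scripting (XSS)", "people.php", "ConfirmPassword"),
    Finding("Cross Site Scripting (XSS)", "ajax/updatecheck.php", "RequestName"),
]

# Constructed scanner output: nothing valid, two bogus SQL injection alerts
# for applications that are not installed, and one informational alert.
REPORT_A = [
    Finding("MusicBox Multiple SQL Injection", "index.php", "page"),
    Finding("MxBB Portal SQL Injection", "index.php", "page"),
    Finding("Directory listing found", "/images/", ""),
]

# Constructed scanner output that finds two of the three XSS issues.
REPORT_B = VALID_VANILLA[:2]

if __name__ == "__main__":
    print("scanner A:", score(VALID_VANILLA, REPORT_A))  # score -17
    print("scanner B:", score(VALID_VANILLA, REPORT_B))  # score 5
```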

Javascript tests

Test + description | File
Test JS 1 - A simple document.location | javascript-1.html
Test JS 2 - A simple javascript obfuscation | javascript-1.html
Test JS 3 - A script generated from document.write | javascript-1.html
Test JS 4 - An external script test 1 | javascript-1.html
Test JS 5 - An external script test 2 | javascript-1.html
Test JS 6 - An external script test 3 | javascript-1.html
Test JS 7 - A simple variable concatenation | javascript-1.html
Test JS 8 - A javascript obfuscation + packing | javascript-1.html
Test JS 9 - A form generated from script | javascript-1.html
Test JS 10 - A <A href> generated from document.write (recursive) | javascript-1.html
Test JS 11 - A javascript encoding | javascript-1.html
Test JS 12 - A XMLHTTPRequest (XHR) open | javascript-2.html
Test JS 13 - A document.location + unescape on XHR callback | javascript-3.html
Test JS 14 - A javascript obfuscation + packing on XHR callback | javascript-4.html
Test JS 15 - A form created with createElement + appendChild | javascript-6.html
Test JS 16 - A usage of XHR.responseText on XHR callback | javascript-7.html
Test JS 17 - A document.write from frame1 to frame2 | javascript-8.html
Test JS 18 - A XHR with POST and parameters | javascript-5.html

Summary

Scanner | Found | Missed | Score
AppScan | 14 | 4 | 50
WebInspect | 17 | 1 | 80
Acunetix | 16 | 2 | 70

Notes: A zip file containing all the javascript tests can be downloaded from http://drop.io/anantasecfiles/.

Application tests

1. Vanilla 1.1.4 (PHP) - http://getvanilla.com/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | people.php | NewPassword
Cross Site Scripting (XSS) | people.php | ConfirmPassword
Cross Site Scripting (XSS) | ajax/updatecheck.php | RequestName

False positives

Non-Vulnerability | File | Parameter
MusicBox Multiple SQL Injection | index.php | page
MxBB Portal SQL Injection | index.php | page

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 0 | 3 | -15 | 2 | -2 | -17
WebInspect | 2 | 1 | 5 | 0 | 0 | 5
Acunetix | 2 | 1 | 5 | 0 | 0 | 5
Acunetix + AcuSensor | 3 | 0 | 15 | 0 | 0 | 15

Notes: The false positives reported by AppScan: MusicBox and MxBB were not installed on the web server.

2. Vivvo CMS 3.4 (PHP) - http://www.vivvo.net/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | index.php | sort
Cross Site Scripting (XSS) | index.php | category
Cross Site Scripting (XSS) | /VivvoCMS3.4/admin/tinymce/jscripts/tiny_mce/plugins/ibrowser/scripts/phpThumb/demo/phpThumb.demo.demo.php | N.A. The vulnerability is in the URI.
SQL Injection | sendemail.php | article_id
SQL Injection | index.php | category
SQL Injection | ajax.php | s
SQL Injection | search.php | category_id
File Inclusion (LFI) | admin/tinymce/jscripts/tiny_mce/plugins/ibrowser/ibrowser.php | lang (Cookie)
File Inclusion (LFI) | print_version.php | lang (Cookie)
Directory Traversal | index.php | author

False positives

Non-Vulnerability | File | Parameter
MAXSITE SQL Injection | index.php | category
PHP Real Estate Classifieds Remote File Inclusion | header.php | loc
phpWordPress SQL Injection | index.php | ctg

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 1 | 9 | -40 | 3 | -3 | -43
WebInspect | 3 | 7 | -20 | 0 | 0 | -20
Acunetix | 3 | 7 | -20 | 0 | 0 | -20
Acunetix + AcuSensor | 9 | 1 | 40 | 0 | 0 | 40

Notes: For this application I didn't list some XSS vulnerabilities found by Acunetix + AcuSensor in the tinymce script included in this application. There were too many of those to be listed here.

3. fttss 2.0 (PHP) - http://fttss.sourceforge.net/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | index.php | texto_original
Remote Code Execution | index.php | voz

False positives: none reported by any scanner.

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 1 | 1 | 0 | 0 | 0 | 0
WebInspect | 1 | 1 | 0 | 0 | 0 | 0
Acunetix | 1 | 1 | 0 | 0 | 0 | 0
Acunetix + AcuSensor | 2 | 0 | 10 | 0 | 0 | 10

Notes: The advisory from milw0rm is http://www.milw0rm.com/exploits/7731.

4. Wordpress 2.6.5 (PHP) - http://wordpress.org/

Valid vulnerabilities: none.

False positives

Non-Vulnerability | File | Parameter
WordPress Multiple Remote File Inclusion | wp-settings.php | require_once

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 0 | 0 | 0 | 1 | -1 | -1
WebInspect | 0 | 0 | 0 | 0 | 0 | 0
Acunetix | 0 | 0 | 0 | 0 | 0 | 0
Acunetix + AcuSensor | 0 | 0 | 0 | 0 | 0 | 0

5. vbulletin v3.6.8 (PHP) - http://www.vbulletin.com/

Valid vulnerabilities: none.

False positives

Non-Vulnerability | File | Parameter
SQL Injection | faq.php | faq

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 0 | 0 | 0 | 1 | -1 | -1
WebInspect | N/A | N/A | N/A | N/A | N/A | N/A
Acunetix | 0 | 0 | 0 | 0 | 0 | 0
Acunetix + AcuSensor | 0 | 0 | 0 | 0 | 0 | 0

Notes: In this case WebInspect didn't finish the scan. I stopped the application after two days of scanning. Unfortunately, this scan was scheduled so I didn't manage to investigate what happened. After that, I didn't start any scheduled scans with WebInspect because in WebInspect you don't have enough feedback (you have no idea what's going on with the scheduled scan).

6. riotpix v0.61 (PHP) - http://www.riotpix.com/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | message.php | reply
Cross Site Scripting (XSS) | message.php | message
Cross Site Scripting (XSS) | sessions_form.php | page
Cross Site Scripting (XSS) | sessions_form.php | forumid
Cross Site Scripting (XSS) | edit_posts.php | N.A. The vulnerability is in the URI.
Cross Site Scripting (XSS) | edit_posts_script.php | N.A. The vulnerability is in the URI.
Cross Site Scripting (XSS) | index.php | N.A. The vulnerability is in the URI.
Cross Site Scripting (XSS) | message.php | N.A. The vulnerability is in the URI.
Cross Site Scripting (XSS) | preview.php | N.A. The vulnerability is in the URI.
Cross Site Scripting (XSS) | read.php | N.A. The vulnerability is in the URI.
Cross Site Scripting (XSS) | sessions_form.php | N.A. The vulnerability is in the URI.
SQL Injection | edit_posts.php | username
SQL Injection | edit_posts_script.php | username
SQL Injection | index.php | username
SQL Injection | message.php | username
SQL Injection | read.php | username

False positives

Non-Vulnerability | File | Parameter
DVGuestbook Cross-Site Scripting | index.php | page
WordPress Pool Theme Cross-Site Scripting in Path | index.php | <URI>

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 4 | 12 | -40 | 2 | -2 | -42
WebInspect | 2 | 14 | -60 | 0 | 0 | -60
Acunetix | 4 | 12 | -40 | 0 | 0 | -40
Acunetix + AcuSensor | 16 | 0 | 80 | 0 | 0 | 80

Notes: The advisory from milw0rm is located at http://www.milw0rm.com/exploits/7682.

7. pligg beta v9.9.0 (PHP) - http://www.pligg.com/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | index.php | category
Cross Site Scripting (XSS) | login.php | username
Cross Site Scripting (XSS) | login.php | category
Cross Site Scripting (XSS) | register.php | email
Cross Site Scripting (XSS) | register.php | username
Cross Site Scripting (XSS) | register.php | password
Cross Site Scripting (XSS) | register.php | password2
Cross Site Scripting (XSS) | register.php | reg_username
Cross Site Scripting (XSS) | register.php | reg_password
Cross Site Scripting (XSS) | register.php | reg_password2
Cross Site Scripting (XSS) | register.php | reg_email
SQL Injection | out.php | title
SQL Injection | story.php | title
SQL Injection | userrss.php | status
SQL Injection | cloud.php | categoryID
SQL Injection | login.php | username
SQL Injection | cvote.php | id
SQL Injection | editlink.php | id
SQL Injection | check_url.php | url
SQL Injection | out.php | url
SQL Injection | recommend.php | title
SQL Injection | rss.php | rows
SQL Injection | story.php | title
SQL Injection | story.php | id
SQL Injection | userrss.php | rows
SQL Injection | vote.php | id
Directory Traversal | live.php | template (Cookie)
Directory Traversal | sidebar_stories.php | template (Cookie)

False positives

Non-Vulnerability | File | Parameter
eTicket Multiple SQL Injection | index.php | status
Sphider Multiple Cross-Site Scripting | index.php | category
SQL Injection | search.php | search

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 14 | 14 | 0 | 2 | -2 | -2
WebInspect | 14 | 14 | 0 | 1 | -1 | -1
Acunetix | 14 | 14 | 0 | 0 | 0 | 0
Acunetix + AcuSensor | 26 | 2 | 120 | 0 | 0 | 120

Notes: The advisory from milw0rm is located at http://www.milw0rm.com/exploits/6146. I didn't include some XSS vulnerabilities detected by Acunetix + AcuSensor. There are a lot of them.

8. javabb v0.99 (Java, Tomcat) - http://www.javabb.org/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | save_new_member.jbb | (name, email, ...)
Cross Site Scripting (XSS) | doSearch.jbb | query
Cross Site Scripting (XSS) | member_list.jbb | sortBy
Cross Site Scripting (XSS) | member_list.jbb | sortOrder
Cross Site Scripting (XSS) | quote.jbb | whoQuote
Cross Site Scripting (XSS) | quote.jbb | page
Cross Site Scripting (XSS) | viewtopic.jbb | page
Cross Site Scripting (XSS) | rss/pm.externalSend.jbb | userId
Cross Site Scripting (XSS) | rss/pm.externalSend.jbb | username
SQL Injection | member_list.jbb | sortBy
SQL Injection | member_list.jbb | sortOrder

False positives

Non-Vulnerability | File | Parameter
SQL Injection | /rss/search_author.jbb | u
SQL Injection | unanswered_posts.jbb | page

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 6 | 5 | 5 | 0 | 0 | 5
WebInspect | 8 | 3 | 25 | 2 | -2 | 23
Acunetix | 11 | 0 | 55 | 0 | 0 | 55
Acunetix + AcuSensor | N/A | N/A | N/A | N/A | N/A | N/A

9. Yazd Discussion Forum v3.0 (Java, Tomcat) - http://www.forumsoftware.ca/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | createAccount.jsp | (name, email, ...)
Cross Site Scripting (XSS) | login.jsp | referer
Cross Site Scripting (XSS) | login.jsp | username
Cross Site Scripting (XSS) | login.jsp | password
Cross Site Scripting (XSS) | post.jsp | referer
Cross Site Scripting (XSS) | post.jsp | name
Cross Site Scripting (XSS) | post.jsp | email
Cross Site Scripting (XSS) | search.jsp | q
Cross Site Scripting (XSS) | error.jsp | msg

False positives: none reported by any scanner.

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 9 | 0 | 45 | 0 | 0 | 45
WebInspect | 9 | 0 | 45 | 0 | 0 | 45
Acunetix | 8 | 1 | 35 | 0 | 0 | 35
Acunetix + AcuSensor | N/A | N/A | N/A | N/A | N/A | N/A

10. pebble v2.3.1 (Java, Tomcat) - http://pebble.sourceforge.net/

Valid vulnerabilities: none.

False positives

Non-Vulnerability | File | Parameter
Cross Site Scripting (XSS) | faq.php | faq
SQL Injection | advancedSearch.action | tags

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 0 | 0 | 0 | 0 | 0 | 0
WebInspect | 0 | 0 | 0 | 2 | -2 | -2
Acunetix | 0 | 0 | 0 | 0 | 0 | 0
Acunetix + AcuSensor | N/A | N/A | N/A | N/A | N/A | N/A

11. TriptychBlog v.9.0 (ASP.NET) - http://triptychstudios.net/triptychblog/

Valid vulnerabilities: none.

False positives

Non-Vulnerability | File | Parameter
SQL Injection | Default.aspx | Category
SQL Injection | Default.aspx | Year
SQL Injection | Comments.aspx | ArticleID
SQL Injection | Comments.aspx | ArticleName
SQL Injection | Comments.aspx | ctl00$Content$CommentContent
SQL Injection | Comments.aspx | ctl00$Content$Submit_Content

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 0 | 0 | 0 | 6 | -6 | -6
WebInspect | 0 | 0 | 0 | 1 | -1 | -1
Acunetix | 0 | 0 | 0 | 0 | 0 | 0
Acunetix + AcuSensor | 0 | 0 | 0 | 0 | 0 | 0

Notes: Both WebInspect and AppScan are reporting false positives based on the following error message: "The changes you requested to the table were not successful because they would create duplicate values in the index, primary key, or relationship. Change the data in the field or fields that contain duplicate data, remove the index, or redefine the index to permit duplicate entries and try again." That's not an SQL injection vulnerability. Anyway, I've checked the code just to be sure and I can confirm this is not a real vulnerability. Basically AppScan will report an SQL injection vulnerability every time it finds "OleDbException" in the response. That's pretty lame.

12. DMG Forums v3.1 (ASP.NET) - http://www.dmgforums.com/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | htmlform.aspx | TEXT

False positives: none reported by any scanner.

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 0 | 1 | -5 | 0 | 0 | -5
WebInspect | 0 | 1 | -5 | 0 | 0 | -5
Acunetix | 0 | 1 | -5 | 0 | 0 | -5
Acunetix + AcuSensor | 1 | 0 | 5 | 0 | 0 | 5

13. Dave's CMS v2.0.2 (ASP.NET) - http://www.davidpirek.com/cms/

Valid vulnerabilities

Vulnerability | File | Parameter
SQL Injection | blog.aspx | n

False positives: none reported by any scanner.

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 1 | 0 | 5 | 0 | 0 | 5
WebInspect | 1 | 0 | 5 | 0 | 0 | 5
Acunetix | 1 | 0 | 5 | 0 | 0 | 5
Acunetix + AcuSensor | 1 | 0 | 5 | 0 | 0 | 5

Acunetix Test Application (Acunetix Acuart) (PHP) - http://testphp.acunetix.com/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | comment.php | name
Cross Site Scripting (XSS) | guestbook.php | name
Cross Site Scripting (XSS) | guestbook.php | text
Cross Site Scripting (XSS) | guestbook.php | login (Cookie)
Cross Site Scripting (XSS) | listproducts.php | cat
Cross Site Scripting (XSS) | listproducts.php | artist
Cross Site Scripting (XSS) | search.php | searchFor
Cross Site Scripting (XSS) | /secured/newuser.php | uuname
Cross Site Scripting (XSS) | /404.php | N.A. The vulnerability is in the URI.
SQL Injection | /AJAX/infoartist.php | id
SQL Injection | /AJAX/infocateg.php | id
SQL Injection | /AJAX/infotitle.php | id
SQL Injection | artists.php | artist
SQL Injection | listproducts.php | cat
SQL Injection | listproducts.php | artist
SQL Injection | product.php | pic
Directory Traversal | showimage.php | file

False positives

Non-Vulnerability | File | Parameter
SQL Injection | search.php | test
File Inclusion | redir.php | r

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 7 | 10 | -15 | 1 | -1 | -14
WebInspect | 12 | 5 | 35 | 0 | 0 | 35
Acunetix | 15 | 2 | 65 | 1 | -1 | 64
Acunetix + AcuSensor | 17 | 0 | 85 | 0 | 0 | 85

Notes: There is a PHP Code Execution vulnerability reported by Acunetix WVS. That vulnerability is only reported by Acunetix WVS and it seems to be a false positive. However, the attack vector from WVS works but any other PHP code doesn't work. Therefore, I suspect it's some kind of simulation for demonstration purposes.

AppScan Test Application (Altoro Mutual) (ASP.NET) - http://demo.testfire.net/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | bank/customize.aspx | lang
Cross Site Scripting (XSS) | bank/login.aspx | uid
Cross Site Scripting (XSS) | bank/transfer.aspx | debitAccount
Cross Site Scripting (XSS) | bank/transfer.aspx | creditAccount
Cross Site Scripting (XSS) | comment.aspx | name
Cross Site Scripting (XSS) | search.aspx | txtSearch
Cross Site Scripting (XSS) | subscribe.aspx | txtEmail
Cross Site Scripting (DOM) | disclaimer.htm | <DOM based>
SQL Injection | bank/login.aspx | uid
SQL Injection | bank/login.aspx | passw
SQL Injection | bank/account.aspx | listAccounts
SQL Injection | / | amUserId (Cookie)
SQL Injection | bank/transaction.aspx | before
SQL Injection | bank/transaction.aspx | after
SQL Injection | bank/transfer.aspx | debitAccount
SQL Injection | bank/transfer.aspx | creditAccount
SQL Injection | subscribe.aspx | txtEmail
SQL Injection | bank/ws.asmx | __patternParameter__SOAP__creditAccount__2
SQL Injection | bank/ws.asmx | __patternParameter__SOAP__debitAccount__1
XPath Injection | bank/queryxpath.aspx | _ctl0:_ctl0:Content:Main:TextBox1
Local File Inclusion | default.aspx | content

False positives: none reported by any scanner.

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 20 | 1 | 95 | 0 | 0 | 95
WebInspect | 8 | 13 | -25 | 0 | 0 | -25
Acunetix | 8 | 13 | -25 | 0 | 0 | -25
Acunetix + AcuSensor | N/A | N/A | N/A | N/A | N/A | N/A

WebInspect Test Application (free Bank online) (ASP) - http://zero.webappsecurity.com/

Valid vulnerabilities

Vulnerability | File | Parameter
Cross Site Scripting (XSS) | rootlogin.asp | txtName
Cross Site Scripting (XSS) | pformresults.asp | txtFirstName
Cross Site Scripting (XSS) | pformresults.asp | txtLastName
Cross Site Scripting (XSS) | pformresults.asp | dbConnectString
Cross Site Scripting (XSS) | join.asp | msg
Cross Site Scripting (XSS) | join.asp | mobilephone
Cross Site Scripting (XSS) | join.asp | country
Cross Site Scripting (XSS) | join.asp | postcode
Cross Site Scripting (XSS) | join.asp | homephone
Cross Site Scripting (XSS) | join.asp | town
Cross Site Scripting (XSS) | join.asp | address2
Cross Site Scripting (XSS) | join.asp | surname
Cross Site Scripting (XSS) | join.asp | email
Cross Site Scripting (XSS) | join.asp | house
Cross Site Scripting (XSS) | join.asp | street
Cross Site Scripting (XSS) | join.asp | name
Cross Site Scripting (XSS) | forgot2.asp | msg
Cross Site Scripting (XSS) | login/login.asp | UserName
Cross Site Scripting (XSS) | testing/pcomboindex.asp | cboPage
Cross Site Scripting (XSS) | pcomboindex.asp | referer (Header)
Cross Site Scripting (XSS) | pcomboindex.asp | user-agent (Header)
Cross Site Scripting (XSS) | cookietest/ShowCookies.asp | Second (Cookie)
Cross Site Scripting (XSS) | cookietest/ShowCookies.asp | FirstCookie (Cookie)
Cross Site Scripting (XSS) | cookietest/ShowCookies.asp | userid (Cookie)
Cross Site Scripting (XSS) | cookietest/ShowCookies.asp | username (Cookie)
Cross Site Scripting (XSS) | cookietest/ShowCookies.asp | State (Cookie)
Cross Site Scripting (XSS) | cookietest/ShowCookies.asp | Keyed (Cookie)
Cross Site Scripting (XSS) | banklogin.asp | err
Cross Site Scripting (XSS) | plink.asp | a
Cross Site Scripting (XSS) | plink.asp | c
SQL Injection | login1.asp | login
SQL Injection | forgot1.asp | get
Local File Inclusion | rootlogin.asp | txtName
HTTP Response Splitting | login1.asp | login

False positives

Non-Vulnerability | File | Parameter
SQL Injection | plink.asp | a
SQL Injection | plink.asp | c

Summary

Scanner | Found | Missed | Score | False positives | FP score | Total score
AppScan | 7 | 27 | -100 | 2 | -2 | -102
WebInspect | 31 | 3 | 140 | 0 | 0 | 140
Acunetix | 10 | 24 | -70 | 0 | 0 | -70
Acunetix + AcuSensor | N/A | N/A | N/A | N/A | N/A | N/A

Notes: pcomboindex.asp will dump the HTTP request, so any header can be used to cause an XSS vulnerability.

Summary results for all tested applications

Best scores / application (the best score for each row is taken from the total scores listed above; "No clear winner" marks the rows where no single scanner came out ahead)

Nr | Tested application | Platform | Best score
1 | Javascript tests | N/A | WebInspect
2 | Vanilla 1.1.4 | PHP | Acunetix + AcuSensor
3 | Vivvo CMS 3.4 | PHP | Acunetix + AcuSensor
4 | fttss 2.0 | PHP | Acunetix + AcuSensor
5 | Wordpress 2.6.5 | PHP | No clear winner
6 | vbulletin v3.6.8 | PHP | No clear winner
7 | riotpix v0.61 | PHP | Acunetix + AcuSensor
8 | javabb v0.99 | Java | Acunetix
9 | Yazd Discussion Forum v3.0 | Java | AppScan and WebInspect (tie)
10 | pebble v2.3.1 | Java | No clear winner
11 | TriptychBlog v.9.0 | ASP.NET | No clear winner
12 | DMG Forums v3.1 | ASP.NET | No clear winner
13 | Dave's CMS v2.0.2 | ASP.NET | No clear winner
14 | Acunetix Demo Application - Acunetix Acuart | PHP | Acunetix + AcuSensor
15 | AppScan Demo Application - Altoro Mutual | ASP.NET | AppScan
16 | WebInspect Demo Application - free Bank online | ASP | WebInspect

Summary: AppScan 1 win, WebInspect 2 wins, Acunetix 1 win, Acunetix + AcuSensor 5 wins, plus the Yazd tie between AppScan and WebInspect.

Conclusions

Before starting this evaluation my favorite scanner was AppScan. They have a nice interface and I had the impression they are very fast. After the evaluation, I've radically changed my opinion: AppScan scored worst in almost all the cases. They are finishing the scan quickly because they don't do a comprehensive test. And they have a huge rate of false positives. Almost all scans contain some false positives (most of the time for applications that are not even installed on the machine). They have a lot of room for improvement.

Acunetix WVS and WebInspect are relatively good scanners. If you are in the position to use the AcuSensor technology (PHP, ASP.NET, and you are not required to do blackbox testing) then Acunetix WVS + AcuSensor is the better choice. As these results show, blackbox testing is not enough anymore. If you cannot use AcuSensor then you should decide between WebInspect and Acunetix WVS. Both have their advantages and disadvantages. Browse the results and decide for yourself.

Final words

I've included enough information in this report (the javascript files used for testing, exact version and URL for all the tested applications) so anybody with enough patience can verify and reproduce the results presented here. Therefore, I will not respond to emails from vendors. You have the information, fix your scanners!
