Web Vuln

Download as pdf or txt
Download as pdf or txt
You are on page 1of 26

Web Vulnerability Scanners Evaluation -

January 2009 (http://anantasec.blogspot.co /!

anantasec"g ail.co

This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation. Applications (web scanners) included in this report Web Scanner Version Acunetix WVS '!( )ational AppScan ,* Web'nspect 6.0 !uild "00#$"$%& %.%.6"0 Service *ac+ " %.%.#6-

Testing procedure '.ve tested $/ web applications some of them containing a lot of vulnerabilities&0 / demo applications provided by the vendors testphp.acunetix.com0 demo.testfire.net0 1ero.webappsecurity.com& and '.ve done some tests to verify 2avascript execution capabilities. 'n total0 $6 applications were tested. '.ve tried to cover all the ma3or platforms0 therefore ' have applications in *,*0 AS*0 AS*.45T and 2ava. Note for Application Tests: 'n this report '.ve only included 6important6 vulnerabilities li+e S78 in3ection0 8ocal9)emote :ile 'nclusion0 ;SS0 ... Vulnerabilities li+e 6<nencrypted 8ogin :orm60 6=irectory listing found60 65mail address found60 ... were not included to avoid clutter. S78 in3ection vulnerabilities can be discovered through error messages or blind S78 in3ection. Some scanners are showing " alerts> one for the vulnerability found through error message and another for the blind techni?ue. 'n these cases only one vulnerability has been counted. Legend Icon

Explanation A valid vulnerability was reported. A valid vulnerability was missed. false negative& A false positive was reported.

Score @ points A@ points A$ point

How score was calculated @ points for each valid vulnerability A@ points for each false negative valid vulnerability not found& A$ point for each false positive

Javascript tests
Javascript tests
Test + description Test 2S $ A simple document.location Test 2S " A simple 3avascript obfuscation Test 2S / A script generated from document.write Test 2S B A external script test $ Test 2S @ A external script test " Test 2S 6 A external script test / Test 2S % A simple variable concatenation Test 2S # A 3avascript obfuscation C pac+ing Test 2S - A form generated from script Test 2S $0 A DA hrefE generated from document.write recursive& Test 2S $$ A 3avascript encoding Test 2S $" A ;(8,TT*)e?uest ;,)& open Test 2S $/ A document.location C unescape on ;,) callbac+ Test 2S $B A 3avascript obfuscation C pac+ing on ;,) callbac+ Test 2S $@ A form created with create5lement C appendFhild Test 2S $6 A usage of ;,).responseText on ;,) callbac+ Test 2S $% A document.write from frame$ to frame" Test 2S $# A ;,) with *GST and parameters Summary Score ile 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA$.html 3avascriptA".html 3avascriptA/.html 3avascriptAB.html 3avascriptA6.html 3avascriptA%.html 3avascriptA#.html [email protected] B missed $B found !" $ missed $% found #" " missed $6 found $" AppScan WebInspect Acunetix

%otes> A 1ip file containing all the 3avascript tests can be downloaded from http>99drop.io9anantasecfiles9.

#pplication tests $.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Summary Score people.php people.php a3ax9updatechec+.php ile 'ara(eter 4ew*assword Fonfirm*assword )e?uest4ame / missed 0 found A$@ $ missed " found @ $ missed " found @ 0 missed / found $@ AppScan WebInspect Acunetix Acunetix + AcuSensor

Vanilla-$.$.%

&'&

http://getvanilla.co /

)alse positives
%on)Vulnerabilit& (usic!ox (ultiple S78 'n3ection (x!! *ortal index.php S78 'n3ection Summary Score index.php index.php ile page page " reported A" 0 reported 0 0 reported 0 0 reported 0 'ara(eter AppScan WebInspect Acunetix Acunetix + AcuSensor

*otal score

-$+

$,

%otes> The false positives reported by AppScan> (usic!ox and (x!! were not installed on the web server.

2.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& index.php index.php

Vivvo-.S-/.%/

&'&

http://000.vivvo.net/

ile sort

'ara(eter

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

category 4.A. The vulnerability is in the <)'. articleHid category s categoryHid lang Foo+ie& lang Foo+ie& author - missed $ found AB0 % missed / found A"0 % missed / found A"0 $ missed - found B0

Fross Site Scripting ;SS&

/VivvoCMS3.4/admin/tinymce/jscripts/ti ny_mce/plugins/ibrowser/scrip ts/php humb/demo/php humb.dem o.demo.php/!"!#Sc$i%t!alert&' ()('))*(+),)-#/Sc$i%t!

S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection :ile 'nclusion 8:'& :ile 'nclusion 8:'& =irectory Traversal Summary Score

sendemail.php index.php a3ax.php search.php


admin9tinymce93scripts9tinyHmce9 plugins9ibrowser9ibrowser.php

printHversion.php index.php

)alse positives
%on)Vulnerabilit& (A;S'T5 index.php S78 'n3ection *,* )eal 5state Flassifieds header.php )emote :ile index.php index.php ile 'ara(eter category loc AppScan WebInspect Acunetix Acunetix + AcuSensor

'nclusion phpWord*ress S78 'n3ection Summary Score index.php ctg / reported A/ 0 reported 0 0 reported 0 0 reported 0

*otal score

-%/

-20

-20

%0

%otes> :or this application ' didn.t listed some ;SS vulnerabilities found by Acunetix C AcuSensor in tinymce script included in this application. There were too many of those to be listed here.

/.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& )emote Fode 5xecution Summary Score index.php index.php

1ttss-2.0 /

&'&

http://1ttss.source1orge.net/

ile

'ara(eter textoHoriginal vo1

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

$ missed $ found 0

$ missed $ found 0

$ missed $ found 0

0 missed " found $0

)alse positives
%on)Vulnerabilit& Summary Score ile 'ara(eter AppScan 0 reported 0 WebInspect 0 reported 0 Acunetix 0 reported 0 Acunetix + AcuSensor 0 reported 0

*otal score
%otes> The advisory from milw0rm is http>99www.milw0rm.com9exploits9%%/$.

$0

%.
Vali( vulnerabilities
Vulnerabilit& Summary Score

Wor(press-2.2.,

&'&

http://0or(press.org/

ile

'ara(eter

AppScan 0 missed 0 found 0

WebInspect 0 missed 0 found 0

Acunetix 0 missed 0 found 0

Acunetix + AcuSensor 0 missed 0 found 0

)alse positives
%on)Vulnerabilit& Word*ress (ultiple )emote :ile 'nclusion Summary Score ile wpAsettings.php 'ara(eter re?uireHonce $ reported A$ 0 reported 0 0 reported 0 0 reported 0 AppScan WebInspect Acunetix Acunetix + AcuSensor

*otal score

-$

,.
Vali( vulnerabilities
Vulnerabilit& Summary Score

vbulletin3v/.2.4

&'&

http://000.vbulletin.co /

ile

'ara(eter

AppScan 0 missed 0 found 0

WebInspect 49A 49A 0

Acunetix 0 missed 0 found 0

Acunetix + AcuSensor 0 missed 0 found 0

)alse positives
%on)Vulnerabilit& S78 'n3ection Summary Score fa?.php ile fa? $ reported A$ 'ara(eter AppScan WebInspect 49A 49A 49A 0 0 reported 0 0 reported 0 Acunetix Acunetix + AcuSensor

*otal score

-$

%otes> 'n this case Web'nspect didn.t finished the scan. ' stopped the application after two days of scanning. <nfortunately0 this scan was scheduled so ' didn.t managed to investigate what happened. After that0 ' didn.t started any schedulded scans with Web'nspect because in Web'nspect you don.t have enough feedbac+ you have no idea what.s going on with the scheduled scan&.

2.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS&

riotpi5 v0.2$

&'&

http://000.riotpi5.co /

ile message.php message.php sessionsHform.php sessionsHform.php


/ riotpi.,_+'/edit_posts.php/!" !#Sc$i%t!alert&*4),*4)3)*)4-# /Sc$i%t!

'ara(eter reply message page forumid 4.A. The vulnerability is in the <)'.

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

Fross Site Scripting ;SS&

/ riotpi.,_+'/edit_posts_script .php/!"!#Sc$i%t!alert&*4)''4) 3)+,*-#/Sc$i%t!

4.A. The vulnerability is in the <)'.

Fross Site Scripting ;SS&

/ riotpi.,_+'/inde..php/!"!#Sc$ i%t!alert&*4+)*4)3)4+,-#/Sc$i %t!

4.A. The vulnerability is in the <)'.

Fross Site Scripting ;SS&

/ riotpi.,_+'/message.php/!"!#S c$i%t!alert&*4+/)4)3)*'3-#/Sc $i%t!

4.A. The vulnerability is in the <)'.

Fross Site Scripting ;SS&

/ riotpi.,_+'/preview.php/!"!#S c$i%t!alert&*4)4'4)3)+/4-#/Sc $i%t!

4.A. The vulnerability is in the <)'.

Fross Site Scripting ;SS&

/ riotpi.,_+'/read.php/!"!#Sc$i %t!alert&*4)4)4)3)),3-#/Sc$i% t!

4.A. The vulnerability is in the <)'.

Fross Site Scripting ;SS& S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection Summary Score

/ riotpi.,_+'/sessions_0orm.php /!"!#Sc$i%t!alert&*4)+*4)3))/ 4-#/Sc$i%t!

4.A. The vulnerability is in the <)'. username username username username username $" missed B found AB0 $B missed " found A60 $" missed B found AB0 0 missed $6 found #0

editHposts.php editHpostsHscript.php index.php message.php read.php

)alse positives
%on)Vulnerabilit& =VIuestboo+ FrossASite Scripting Word*ress *ool Theme FrossA Site Scripting in *ath Summary Score index.php index.php ile page D<)'E " reported A" 0 reported 0 0 reported 0 0 reported 0 'ara(eter AppScan WebInspect Acunetix Acunetix + AcuSensor

*otal score
%otes> The advisory from milw0rm is located at http>99www.milw0rm.com9exploits9%6#".

-%2

-20

-%0

40

+.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection

pligg beta v9.9.0

&'&

http://000.pligg.co /

ile index.php login.php login.php register.php register.php register.php register.php register.php register.php register.php register.php out.php story.php userrss.php cloud.php login.php cvote.php editlin+.php chec+Hurl.php out.php recommend.php rss.php story.php

'ara(eter category username category email username password password" regHusername regHpassword regHpassword" regHemail title title status category'= username id id url url title rows title

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

S78 'n3ection S78 'n3ection S78 'n3ection =irectory Traversal =irectory Traversal Summary Score

story.php userrss.php vote.php live.php sidebarHstories.php

id rows id template Foo+ie& template Foo+ie& $B missed $B found 0 $B missed $B found 0 $B missed $B found 0 " missed "6 found $"0

)alse positives
%on)Vulnerabilit& eTic+et (ultiple S78 'n3ection Sphider (ultiple FrossASite Scripting S78 'n3ection Summary Score index.php index.php search.php ile 'ara(eter status category search " reported A" $ reported A$ 0 reported 0 0 reported 0 AppScan WebInspect Acunetix Acunetix + AcuSensor

*otal score

-2

-$

$20

%otes> The advisory from milw0rm is located at http>99www.milw0rm.com9exploits96$B6. ' didn.t included some ;SS vulnerabilities detected by Acunetix C AcuSensor. There are a lot of them.

4.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& S78 'n3ection S78 'n3ection Summary Score

6avabb3v0.99

Java 7 *o cat

http://000.6avabb.org/

ile saveHnewHmember.3bb doSearch.3bb memberHlist.3bb memberHlist.3bb ?uote.3bb ?uote.3bb viewtopic.3bb

'ara(eter name0 email0 ...& ?uery sort!y sortGrder who7uote page page

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor 49A

rss9pm.externalSend.3bb user'd rss9pm.externalSend.3bb username memberHlist.3bb memberHlist.3bb sort!y sortGrder @ missed 6 found @ / missed # found "@ 0 missed $$ found @@

)alse positives
%on)Vulnerabilit& S78 'n3ection S78 'n3ection Summary Score ile 9rss9searchHauthor.3bb unansweredHposts.3bb u page 0 reported 0 " reported A" 0 reported 0 'ara(eter AppScan WebInspect Acunetix Acunetix + AcuSensor 49A

*otal score

2/

,,

9.
Vali( vulnerabilities

8a9( :iscussion )oru 3v/.0

Java 7 *o cat

http://000.1oru so1t0are.ca/

Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Summary Score

ile createAccount.3sp login.3sp login.3sp login.3sp post.3sp post.3sp post.3sp search.3sp error.3sp

'ara(eter name0 email0 ...& referer username password referer name email ? msg

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor 49A

0 missed - found B@

0 missed - found B@

$ missed # found /@

)alse positives
%on)Vulnerabilit& Summary Score ile 'ara(eter AppScan 0 reported 0 WebInspect 0 reported 0 Acunetix 0 reported 0 Acunetix + AcuSensor

*otal score

%,

%,

/,

$0.
Vali( vulnerabilities
Vulnerabilit& Summary Score

pebble3v2./.$

Java 7 *o cat

http://pebble.source1orge.net/

ile

'ara(eter

AppScan 0 missed 0 found 0

WebInspect 0 missed 0 found 0

Acunetix 0 missed 0 found 0

Acunetix + AcuSensor 49A 0

)alse positives
%on)Vulnerabilit& Fross Site Scripting ;SS& S78 'n3ection Summary Score fa?.php advancedSearch.action ile fa? tags 0 reported 0 " reported A" )* 0 reported 0 'ara(eter AppScan WebInspect Acunetix Acunetix + AcuSensor 49A

*otal score

$$.
Vali( vulnerabilities
Vulnerabilit& Summary Score

*riptych;log3v.9.0

#S&.<E*

http://triptychstu(ios.net/triptychblog/

ile

'ara(eter

AppScan 0 missed 0 found 0

WebInspect 0 missed 0 found 0

Acunetix 0 missed 0 found 0

Acunetix + AcuSensor 0 missed 0 found 0

)alse positives
%on)Vulnerabilit& S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection Summary Score ile =efault.aspx =efault.aspx Fomments.aspx Fomments.aspx Fomments.aspx Fomments.aspx 'ara(eter Fategory Jear Article'= Article4ame
ctl00KFontentKFommentFontent ctl00KFontentKSubmitHFontent

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

6 reported A6

$ reported A$ )+

0 reported 0

0 reported 0

*otal score

-2

%otes> !oth Web'nspect and AppScan are reporting false positives based on the following error message> "The changes you requested to the table were not successful because they would create duplicate values in the index, primary key, or relationship !hange the data in the field or fields that contain duplicate data, remove the index, or redefine the index to permit duplicate entries and try again " That.s not an S78 in3ection vulnerability. Anyway0 '.ve chec+ed the code 3ust to be sure and ' can confirm this is not a real vulnerability. !asically AppScan will report an S78 in3ection vulnerability everytime it finds 6,le-bException6 in the response. That.s pretty lame.

$2.
Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Summary Score

:.= )oru s3v/.$

#S&.<E*

http://000.( g1oru s.co /

ile htmlform.aspx T5;T

'ara(eter

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor 0 missed $ found @

$ missed 0 found A@

$ missed 0 found A@

$ missed 0 found A@

)alse positives
%on)Vulnerabilit& Summary Score ile 'ara(eter AppScan 0 reported 0 WebInspect 0 reported 0 Acunetix 0 reported 0 Acunetix + AcuSensor 0 reported 0

*otal score

-,

-,

-,

$/.
Vali( vulnerabilities
Vulnerabilit& S78 'n3ection Summary Score

:ave>s -.S3v2.0.2

#S&.<E*

http://000.(avi(pire?.co /c s/

ile blog.aspx n

'ara(eter

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor 0 missed $ found @

0 missed $ found @

0 missed $ found @

0 missed $ found @

)alse positives
%on)Vulnerabilit& Summary Score ile 'ara(eter AppScan 0 reported 0 WebInspect 0 reported 0 Acunetix 0 reported 0 Acunetix + AcuSensor 0 reported 0

*otal score

#cuneti5 *est #pplication (#cuneti5 #cuart!


Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection =irectory Traversal Summary Score ile comment.php guestboo+.php guestboo+.php guestboo+.php listproducts.php listproducts.php search.php 9secured9newuser.php
/ 4,4.php/!"!#Sc$i%t!alert&4434 */41***'-#/Sc$i%t!

&'&

http://testphp.acuneti5.co /

'ara(eter name name text login Foo+ie& cat artist search:or uuname 4.A. The vulnerability is in the <)'. id id id artist cat artist pic file

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

9A2A;9infoartist.php 9A2A;9infocateg.php 9A2A;9infotitle.php artists.php listproducts.php listproducts.php product.php showimage.php

$0 missed % found A$@

@ missed $" found /@

" missed $@ found 6@

0 missed $% found #@

)alse positives

%on)Vulnerabilit& S78 'n3ection :ile 'nclusion Summary Score search.php redir.php

ile test r

'ara(eter

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

$ reported A$

0 reported 0

$reported A$

0 reported 0

*otal score

-$%

/,

2%

4,

%otes. There is a *,* Fode 5xecution vulnerability reported by Acunetix WVS. That vulnerability is only reported by Acunetix WVS and it seems to be a false positive. ,owever0 the attac+ vector from WVS wor+s but any other *,* code doesn.t wor+. Therefore0 ' suspect it.s some +ind of simulation for demonstration purposes.

#ppScan *est #pplication (#ltoro .utual!


Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting =G(& S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection S78 'n3ection ;*ath 'n3ection 8ocal :ile 'nclusion Summary ile ban+9customi1e.aspx ban+9login.aspx ban+9transfer.aspx ban+9transfer.aspx comment.aspx search.aspx subscribe.aspx disclaimer.htm ban+9login.aspx ban+9login.aspx ban+9account.aspx 9 ban+9transaction.aspx ban+9transaction.aspx ban+9transfer.aspx ban+9transfer.aspx subscribe.aspx ban+9ws.asmx ban+9ws.asmx ban+9?ueryxpath.aspx default.aspx lang uid debitAccount creditAccount name txtSearch txt5mail D=G( basedE uid passw listAccounts

#S&.<E*

http://(e o.test1ire.net/

'ara(eter

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor 49A

am<ser'd Foo+ie& before after debitAccount creditAccount txt5mail


HHpattern*arameterHHSGA*HHc reditAccountHH" HHpattern*arameterHHSGA*HHd ebitAccountHH$ Hctl0>Hctl0>Fontent>(ain>Text! ox$

content $ missed "0 found $/ missed # found $/ missed # found

Score

-@

A"@

A"@

)alse positives
%on)Vulnerabilit& Summary Score ile 'ara(eter AppScan 0 reported 0 WebInspect 0 reported 0 Acunetix 0 reported 0 Acunetix + AcuSensor 49A

*otal score

9,

-2,

-2,

Web@nspect *est #pplication (1ree ;an? online!


Vali( vulnerabilities
Vulnerabilit& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& rootlogin.asp pformresults.asp pformresults.asp pformresults.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp 3oin.asp forgot".asp login9login.asp testing9pcomboindex.asp pcomboindex.asp pcomboindex.asp ile 'ara(eter txt4ame txt:irst4ame txt8ast4ame dbFonnectString msg mobilephone country postcode homephone town address" surname email house street name msg <ser4ame cbo*age referer ,eader&

#S&

http://9ero.0ebappsecurity.co /

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor 49A

userAagent ,eader&

coo+ietest9ShowFoo+ies.asp Second Foo+ie& coo+ietest9ShowFoo+ies.asp :irstFoo+ie Foo+ie&

Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& Fross Site Scripting ;SS& S78 'n3ection S78 'n3ection 8ocal :ile 'nclusion ,TT* )esponse Splitting Summary Score

coo+ietest9ShowFoo+ies.asp userid Foo+ie& coo+ietest9ShowFoo+ies.asp username Foo+ie& coo+ietest9ShowFoo+ies.asp State Foo+ie& coo+ietest9ShowFoo+ies.asp Leyed Foo+ie& ban+login.asp plin+.asp plin+.asp login$.asp forgot$.asp rootlogin.asp login$.asp err a c login get txt4ame login "% missed % found A$00 / missed /$ found $B0 "B missed $0 found A%0

)alse positives
%on)Vulnerabilit& S78 'n3ection S78 'n3ection Summary Score plin+.asp plin+.asp ile a c " reported A" 0 reported 0 0 reported 0 'ara(eter AppScan WebInspect Acunetix Acunetix + AcuSensor 49A

*otal score

-$02

$%0

-+0

%otes> pcomboindex.asp will dump the ,TT* re?uest so any header can be used to cause an ;SS vulnerability.

Su
;est scores / application
%r/ $ " / B @ 6 % # $0 $$ $" $/ $B $@ $6 Tested application 2avascript tests VanillaA$.$.B VivvoF(SA/.B fttssA".0 WordpressA".6.@ vbulletinHv/.6.# riotpix v0.6$ 3avabbHv0.-Ja1d =iscussion :orumHv/.0 pebbleHv"./.$ Triptych!logHv.-.0 =(I :orumsHv/.$ =ave.s F(SHv".0." Acunetix =emo Application A Acunetix Acuart AppScan =emo Application A Altoro (utual

ary results 1or all teste( applications

'lat0or( 49A *,* *,* *,* *,* *,* *,* 2ava 2ava 2ava AS*.45T AS*.45T AS*.45T *,* AS*.45T

AppScan

WebInspect

Acunetix

Acunetix + AcuSensor

4o clear winner 4o clear winner

4o clear winner 4o clear winner 4o clear winner

Web'nspect =emo Application A free !an+ online AS* Su((ar& * wins 1 wins $ wins

-onclusions
!efore starting this evaluation my favorite scanner was AppScan. They have a nice interface and ' had the impression they are very fast. After the evaluation0 '.ve radically changed my opinion> AppScan scored worst in almost all the cases. They are finishing the scan ?uic+ly because they don.t do a comprehensive test. And they have a huge rate of false positives. Almost all scans contain some false positives most of the times for applications that are not even installed on the machine&. They have a lot of space for improvement. Acunetix WVS and Web'nspect are relatively good scanners. 'f you are in the position to use the AcuSensor technology *,*0 AS*.45T and you are not re?uired to do a blac+box testing& then Acunetix WVS C AcuSensor is the better choice. As these results show0 blac+box testing is not enough anymore. 'f you cannot use AcuSensor then you should decide between Web'nspect and Acunetix WVS. !oth have their advantages and disadvantages. !rowse the results and decide for yourself. inal words '.ve included enough information in this report the 3avascript files used for testing0 exact version and <)8 for all the tested applications& so anybody with enough patience can verify and reproduce the results presented here. Therefore0 ' will not respond to emails for vendors. Jou have the information0 fix your scannersM

You might also like