anantasec posted a scanner comparison to the web security mailing list today.
"In the past weeks, I've performed an evaluation/comparison of three
popular web vulnerability scanners. This evaluation was ordered by a
penetration testing company that will remain anonymous. The vendors
were not contacted during or after the evaluation.
The applications (web scanners) included in this evaluation are:
– Acunetix WVS version 6.0 (Build 20081217)
– IBM Rational AppScan version 7.7.620 Service Pack 2
– HP WebInspect version 7.7.869
I've tested 13 web applications (some of them containing a lot of
vulnerabilities), 3 demo applications provided by the vendors
(testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and
I've done some tests to verify Javascript execution capabilities.
In total, 16 applications were tested. I've tried to cover all the
major platforms, therefore I have applications in PHP, ASP, ASP.NET
and Java.
The report can be found at http://drop.io/anantasecfiles/
The full URL to the PDF document:
http://drop.io/download/497f0f4e/c1d8b2966f85fb8549a18cbe2d78922…
I've included enough information in this report (the javascript files
used for testing, exact version and URL for all the tested
applications) so anybody with enough patience can verify and reproduce
the results presented here.
Therefore, I will not respond to emails from vendors. You have the
information, fix your scanners!" – anantasec
If you're lazy and just want the conclusions, here they are:
"Conclusions
Before starting this evaluation my favorite scanner was AppScan. They have a nice interface and I had the impression they are very fast.
After the evaluation, I've radically changed my opinion: AppScan scored worst in almost all the cases.
They are finishing the scan quickly because they don't do a comprehensive test.
And they have a huge rate of false positives. Almost all scans contain some false positives (most of the time for applications that are not
even installed on the machine). They have a lot of space for improvement.
Acunetix WVS and WebInspect are relatively good scanners.
If you are in the position to use the AcuSensor technology (PHP, ASP.NET and you are not required to do a blackbox testing) then
Acunetix WVS + AcuSensor is the better choice.
As these results show, blackbox testing is not enough anymore.
If you cannot use AcuSensor then you should decide between WebInspect and Acunetix WVS.
Both have their advantages and disadvantages. Browse the results and decide for yourself." – anantasec