Any single application that you select, especially a well-known
benchmark application, would achieve biased results, as it is VERY easy
to make testing software work fine with a specific application.
A somewhat better solution would be to select (yourself) a web
application on sourceforge (neither the most popular nor the least
popular) and test against it. This approach has its problems. For
example, you will probably find a PHP application. Additionally, you
will not know in advance what the security problems are (but then this
is the reason to choose this method: neither will the tool makers).
~ Ofer
Ofer Shezaf
OWASP Israel Chair
http://www.owasp.org/local/israel.html
CTO, Breach Security
Phone (US): +1 (760) 268.1924 ext. 702
Phone (Israel): +972 (9) 956.0036 ext.212
Cell: +972 (54) 443.1119
ofers_at_breach.com
http://www.breach.com
> -----Original Message-----
> From: Eoin Keary [mailto:eoinkeary_at_gmail.com]
> Sent: Tuesday, October 04, 2005 5:39 PM
> To: Peine,Holger
> Cc: webappsec_at_securityfocus.com
> Subject: Re: Good benchmark application for web security testing tools?
>
> hackmebank Or hackmebooks from foundstone?
>
>
> On 04/10/05, Peine,Holger <Holger.Peine_at_iese.fraunhofer.de> wrote:
> > The idea of reviewing the available (free or commercial) web
> > application security testing tools has been mentioned several times
> > on this list. However, what would a good benchmarking application for
> > these tools be, i.e. a "typical" web application with a number of
> > known vulnerabilities?
> >
> > Initially I was thinking of Webgoat, which at least has a nice
> > variety of vulnerabilities, but Webgoat's structure is not very
> > representative of your typical web application's structure and
> > workflow (and apart from that, Webgoat is somewhat small, too). So,
> > what application would you suggest?
> >
> > Thanks for your opinion,
> > Holger Peine
> >
> > --
> > Dr. Holger Peine, Security and Safety
> > Fraunhofer IESE, Fraunhofer-Platz 1, 67663 Kaiserslautern, Germany
> > Phone +49-631-6800-2134, Fax -1299 (shared)
> > www.iese.fraunhofer.de/Staff/peine -- PGP key on request or via
> > http://pgp.mit.edu
Received on Oct 04 2005