Nytro Posted October 21, 2013

HackMiami Web Application Scanner 2013 PwnOff
An Analysis of Automated Web Application Scanning Suites
James Ball, Alexander Heid, Rod Soto
HackMiami

Overview

Web application scanning suites have become commonplace within the information security industry. There are many open-source and free scanning suites available, as well as a wide array of commercially licensed scanning suites. Often these suites are marketed as automated and simple to use. The notion is that a user can point the tool at a URL and the software will rip the site apart, seeking out vulnerabilities such as SQL injections, Cross Site Scripting (XSS), and other common web application security issues.

Successful exploitation of vulnerabilities such as SQLi and XSS can lead to the compromise of data. The impact of the compromise can be minimal to catastrophic. Even the reputational impact of minimal breaches can still be significant to an organization.

This document is an analysis of the performance of five common web application scanners, which were put against three different types of web applications. The document will provide an evaluation of the web application scanner suites from installation to the completion of the scan, and will rate the suites on multiple criteria.

The Web Application PwnOff was a live event that took place at the HackMiami 2013 Hackers Conference in Miami Beach, Florida. There were three target web applications: one PHP-based, one JSP-based and one .NET-based. The scans consisted of a single pre-authentication scan, and a single post-authentication scan against each user level. Rating scores will be on a scale of 1 (lowest) to 5 (highest).

Download: http://hackmiami.org/whitepapers/HackMiami2013PwnOff.pdf