Contributors

Anurag Agarwal*

Robert Auger (WASC/CGISecurity)

Matthieu Estrade (Beeware)

Romain Gaucher (NIST)

Amit Klein


*Project Leader

Web Application Security Scanner Evaluation Criteria

Last update: August 24th, 2007

Description
Web Application Security Scanners are automated tools that check a website's applications for common security problems such as Cross-Site Scripting, SQL Injection, Directory Traversal, misconfigurations, and remote command execution vulnerabilities. These scanners crawl a website and parse its URLs, then identify vulnerabilities by injecting various attack vectors while maintaining session state.

The Web Application Security Scanner Evaluation Criteria is a set of guidelines for evaluating web application security scanners on how well, and how completely, they identify web application vulnerabilities. It will cover areas such as crawling, parsing, session handling, the types of vulnerabilities detected, and the information reported about those vulnerabilities. This document evaluates the technical aspects of web application security scanners and NOT the features they provide. It should define the minimum criteria a web application scanner must meet. This document WILL NOT evaluate products or publish the results of such evaluations; instead, the project will provide the tools and documentation to enable anyone to evaluate a product.

SPI Dynamics has generously donated a framework that can be used to test scanners against the criteria (once they are all defined). Special thanks to Caleb Sima of SPI Dynamics and Ivan Ristic of Breach Security.

Participating
If you would like to be involved with the project, please contact Anurag Agarwal

© Copyright 2005, Web Application Security Consortium. All rights reserved.