Web Vuln
anantasec@gmail.com
This evaluation was ordered by a penetration testing company that will remain anonymous. The vendors were not contacted during or after the evaluation.

Applications (web scanners) included in this report:

Web Scanner / Version
Acunetix WVS / 6.0 (Build 20081217)
IBM Rational AppScan / 7.7.620 Service Pack 2
HP WebInspect / 7.7.869
Testing procedure

I've tested 13 web applications (some of them containing a lot of vulnerabilities), 3 demo applications provided by the vendors (testphp.acunetix.com, demo.testfire.net, zero.webappsecurity.com) and I've done some tests to verify Javascript execution capabilities. In total, 16 applications were tested. I've tried to cover all the major platforms, therefore I have applications in PHP, ASP, ASP.NET and Java.

Note for Application Tests: In this report I've only included "important" vulnerabilities like SQL injection, Local/Remote File Inclusion, XSS, ... Vulnerabilities like "Unencrypted Login Form", "Directory listing found", "Email address found", ... were not included to avoid clutter. SQL injection vulnerabilities can be discovered through error messages or blind SQL injection. Some scanners are showing 2 alerts: one for the vulnerability found through error message and another for the blind technique. In these cases only one vulnerability has been counted.

Legend

Icon / Explanation
A valid vulnerability was reported.
A valid vulnerability was missed (false negative).
A false positive was reported.
How score was calculated

5 points for each valid vulnerability
-5 points for each false negative (valid vulnerability not found)
-1 point for each false positive
Javascript tests
Test / description
Test JS 1 - simple document.location
Test JS 2 - simple javascript obfuscation
Test JS 3 - script generated from document.write
Test JS 4 - external script test 1
Test JS 5 - external script test 2
Test JS 6 - external script test 3
Test JS 7 - simple variable concatenation
Test JS 8 - javascript obfuscation & packing
Test JS 9 - form generated from script
Test JS 10 - <A href> generated from document.write (recursive)
Test JS 11 - javascript encoding
Test JS 12 - XMLHTTPRequest (XHR) open
Test JS 13 - document.location & unescape on XHR callback
Test JS 14 - javascript obfuscation & packing on XHR callback
Test JS 15 - form created with createElement & appendChild
Test JS 16 - usage of XHR.responseText on XHR callback
Test JS 17 - document.write from frame1 to frame2
Test JS 18 - XHR with POST and parameters

File: tests 1 to 11 are in javascript-1.html; tests 12 to 18 are in javascript-2.html to javascript-8.html.

Summary Score: AppScan 4 missed, 14 found; WebInspect 1 missed, 17 found; Acunetix 2 missed, 16 found
Notes: A zip file containing all the javascript tests can be downloaded from http://drop.io/anantasecfiles/.
Application tests

1. http://getvanilla.com/

Valid vulnerabilities

Vulnerability / File / Parameter
Cross Site Scripting (XSS) / people.php / NewPassword
Cross Site Scripting (XSS) / people.php / ConfirmPassword
Cross Site Scripting (XSS) / ajax/updatecheck.php / RequestName
Summary Score: AppScan 3 missed, 0 found, -15; WebInspect 1 missed, 2 found, 5; Acunetix 1 missed, 2 found, 5; Acunetix + AcuSensor 0 missed, 3 found, 15

False positives

Non-Vulnerability / File / Parameter
MusicBox Multiple SQL Injection / index.php / page
MxBB Portal index.php SQL Injection / index.php / page
Summary Score: AppScan 2 reported, -2; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score

Notes: The false positives reported by AppScan: MusicBox and MxBB were not installed on the web server.
Valid vulnerabilities

Vulnerability: Cross Site Scripting (XSS) x2, SQL Injection x4, File Inclusion (LFI) x2, Directory Traversal
File: index.php, index.php, print_version.php, index.php
Parameter: sort, category, N.A. (The vulnerability is in the URI.), article_id, category, s, category_id, lang (Cookie), lang (Cookie), author
Summary Score: AppScan 9 missed, 1 found, -40; WebInspect 7 missed, 3 found, -20; Acunetix 7 missed, 3 found, -20; Acunetix + AcuSensor 1 missed, 9 found, 40
False positives

Non-Vulnerability / File / Parameter
MAXSITE index.php SQL Injection / index.php / category
PHP Real Estate Classifieds header.php Remote File Inclusion / index.php / loc
phpWordPress SQL Injection / index.php / ctg
Summary Score: AppScan 3 reported, -3; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: For this application I didn't list some XSS vulnerabilities found by Acunetix & AcuSensor in the tinymce script included in this application. There were too many of those to be listed here.
Valid vulnerabilities

fttss-2.0

Vulnerability / File
Cross Site Scripting (XSS) / index.php
Remote Code Execution / index.php
Summary Score: 1 missed, 1 found, 0; 1 missed, 1 found, 0; 1 missed, 1 found, 0
False positives

Non-Vulnerability / File / Parameter: (no entries)
Summary Score: AppScan 0 reported, 0; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: The advisory from milw0rm is http://www.milw0rm.com/exploits/7731.
Valid vulnerabilities

Vulnerability / File / Parameter: (no entries)

False positives

Non-Vulnerability / File / Parameter
WordPress Multiple Remote File Inclusion / wp-settings.php / require_once
Summary Score: AppScan 1 reported, -1; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Valid vulnerabilities

http://www.vbulletin.com/

Vulnerability / File / Parameter: (no entries)

False positives

Non-Vulnerability / File / Parameter
SQL Injection / faq.php / faq
Summary Score: AppScan 1 reported, -1; WebInspect N/A; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: In this case WebInspect didn't finish the scan. I stopped the application after two days of scanning. Unfortunately, this scan was scheduled so I didn't manage to investigate what happened. After that, I didn't start any scheduled scans with WebInspect because in WebInspect you don't have enough feedback (you have no idea what's going on with the scheduled scan).
Valid vulnerabilities

riotpix v0.61
http://www.riotpix.com/

Vulnerability: Cross Site Scripting (XSS) x6, SQL Injection x5
Parameter: reply, message, page, forumid, N.A. (The vulnerability is in the URI.), N.A. (The vulnerability is in the URI.), username, username, username, username, username
/ riotpi.,_+'/read.php/!"!#Sc$i %t!alert&*4)4)4)3)),3-#/Sc$i% t!
Summary Score: AppScan 12 missed, 4 found, -40; WebInspect 14 missed, 2 found, -60; Acunetix 12 missed, 4 found, -40; Acunetix + AcuSensor 0 missed, 16 found, 80
False positives

Non-Vulnerability / File / Parameter
DVGuestbook Cross-Site Scripting / index.php / page
WordPress Pool Theme Cross-Site Scripting in Path / index.php / <URI>
Summary Score: AppScan 2 reported, -2; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: The advisory from milw0rm is located at http://www.milw0rm.com/exploits/7682.
Valid vulnerabilities

http://www.pligg.com/

Vulnerability: Cross Site Scripting (XSS) x11, SQL Injection x15, Directory Traversal x2
File: index.php, login.php, login.php, register.php, register.php, register.php, register.php, register.php, register.php, register.php, register.php, out.php, story.php, userrss.php, cloud.php, login.php, cvote.php, editlink.php, check_url.php, out.php, recommend.php, rss.php, story.php
Parameter: category, username, category, email, username, password, password2, reg_username, reg_password, reg_password2, reg_email, title, title, status, categoryID, username, id, id, url, url, title, rows, title, id, rows, id, template (Cookie), template (Cookie)
Summary Score: AppScan 14 missed, 14 found, 0; WebInspect 14 missed, 14 found, 0; Acunetix 14 missed, 14 found, 0; Acunetix + AcuSensor 2 missed, 26 found, 120
False positives

Non-Vulnerability / File / Parameter
eTicket Multiple SQL Injection / index.php / status
Sphider Multiple Cross-Site Scripting / index.php / category
SQL Injection / search.php / search
Summary Score: AppScan 2 reported, -2; WebInspect 1 reported, -1; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: The advisory from milw0rm is located at http://www.milw0rm.com/exploits/6146. I didn't include some XSS vulnerabilities detected by Acunetix & AcuSensor. There are a lot of them.
Valid vulnerabilities

Java / Tomcat

Vulnerability: Cross Site Scripting (XSS) x9, SQL Injection x2
Parameter: (name, email, ...), query, sortBy, sortOrder, whoQuote, page, page
File / Parameter: rss/pm.externalSend.jbb / userId; rss/pm.externalSend.jbb / username; member_list.jbb / sortBy; member_list.jbb / sortOrder
Summary Score: AppScan 5 missed, 6 found, 5; WebInspect 3 missed, 8 found, 25; Acunetix 0 missed, 11 found, 55

False positives

Non-Vulnerability / File / Parameter
SQL Injection / /rss/search_author.jbb / u
SQL Injection / unanswered_posts.jbb / page
Summary Score: AppScan 0 reported, 0; WebInspect 2 reported, -2; Acunetix 0 reported, 0; Acunetix + AcuSensor N/A

Total score
Valid vulnerabilities

Java / Tomcat
http://www.forumsoftware.ca/

Vulnerability / File / Parameter
Cross Site Scripting (XSS) / createAccount.jsp / (name, email, ...)
Cross Site Scripting (XSS) / login.jsp / referer
Cross Site Scripting (XSS) / login.jsp / username
Cross Site Scripting (XSS) / login.jsp / password
Cross Site Scripting (XSS) / post.jsp / referer
Cross Site Scripting (XSS) / post.jsp / name
Cross Site Scripting (XSS) / post.jsp / email
Cross Site Scripting (XSS) / search.jsp / q
Cross Site Scripting (XSS) / error.jsp / msg
Summary Score: AppScan 0 missed, 9 found, 45; WebInspect 0 missed, 9 found, 45; Acunetix 1 missed, 8 found, 35

False positives

Non-Vulnerability / File / Parameter: (no entries)
Summary Score: AppScan 0 reported, 0; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor (blank)

Total score
Valid vulnerabilities

Java / Tomcat

Vulnerability / File / Parameter: (no entries)

False positives

Non-Vulnerability / File / Parameter
Cross Site Scripting (XSS) / faq.php / faq
SQL Injection / advancedSearch.action / tags
Summary Score: AppScan 0 reported, 0; WebInspect 2 reported, -2; Acunetix 0 reported, 0; Acunetix + AcuSensor N/A

Total score
Valid vulnerabilities

Vulnerability / File / Parameter: (no entries)

False positives

Non-Vulnerability / File / Parameter
SQL Injection / Default.aspx / Category
SQL Injection / Default.aspx / Year
SQL Injection / Comments.aspx / ArticleID
SQL Injection / Comments.aspx / ArticleName
SQL Injection / Comments.aspx / ctl00$Content$CommentContent
SQL Injection / Comments.aspx / ctl00$Content$Submit_Content
Summary Score: AppScan 6 reported, -6; WebInspect 1 reported, -1; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: Both WebInspect and AppScan are reporting false positives based on the following error message: "The changes you requested to the table were not successful because they would create duplicate values in the index, primary key, or relationship. Change the data in the field or fields that contain duplicate data, remove the index, or redefine the index to permit duplicate entries and try again." That's not an SQL injection vulnerability. Anyway, I've checked the code just to be sure and I can confirm this is not a real vulnerability. Basically AppScan will report an SQL injection vulnerability every time it finds "OleDbException" in the response. That's pretty lame.
Valid vulnerabilities

Vulnerability: Cross Site Scripting (XSS)
Summary Score: 1 missed, 0 found, -5; 1 missed, 0 found, -5; 1 missed, 0 found, -5

False positives

Non-Vulnerability / File / Parameter: (no entries)
Summary Score: AppScan 0 reported, 0; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
Valid vulnerabilities

Dave's CMS v2.0.2
http://www.davidpirek.com/cms/

Vulnerability / File / Parameter
SQL Injection / blog.aspx / n
Summary Score: 0 missed, 1 found, 5; 0 missed, 1 found, 5; 0 missed, 1 found, 5

False positives

Non-Vulnerability / File / Parameter: (no entries)
Summary Score: AppScan 0 reported, 0; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor 0 reported, 0

Total score
http://testphp.acunetix.com/

Parameter: name, name, text, login (Cookie), cat, artist, searchFor, uuname, N.A. (The vulnerability is in the URI.), id, id, id, artist, cat, artist, pic, file
Summary Score: 0 missed, 17 found, 85

False positives

File / Parameter: test r
Summary Score: AppScan 1 reported, -1; WebInspect 0 reported, 0; Acunetix 1 reported, -1; Acunetix + AcuSensor 0 reported, 0

Total score
Notes: There is a PHP Code Execution vulnerability reported by Acunetix WVS. That vulnerability is only reported by Acunetix WVS and it seems to be a false positive. However, the attack vector from WVS works but any other PHP code doesn't work. Therefore, I suspect it's some kind of simulation for demonstration purposes.
http://demo.testfire.net/

False positives

Non-Vulnerability / File / Parameter: (no entries)
Summary Score: AppScan 0 reported, 0; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor N/A

Total score
http://zero.webappsecurity.com/

Valid vulnerabilities

Vulnerability: Cross Site Scripting (XSS) x7, SQL Injection x2, Local File Inclusion, HTTP Response Splitting
File / Parameter: cookietest/ShowCookies.asp / userid (Cookie); cookietest/ShowCookies.asp / username (Cookie); cookietest/ShowCookies.asp / State (Cookie); cookietest/ShowCookies.asp / Keyed (Cookie)
File: banklogin.asp, plink.asp, plink.asp, login1.asp, forgot1.asp, rootlogin.asp, login1.asp
Parameter: user-agent (Header), err, a, c, login, get, txtName, login
Summary Score: AppScan 27 missed, 7 found, -100; WebInspect 3 missed, 31 found, 140; Acunetix 24 missed, 10 found, -70

False positives

Non-Vulnerability / File / Parameter
SQL Injection / plink.asp / a
SQL Injection / plink.asp / c
Summary Score: AppScan 2 reported, -2; WebInspect 0 reported, 0; Acunetix 0 reported, 0; Acunetix + AcuSensor N/A

Total score
Notes: pcomboindex.asp will dump the HTTP request so any header can be used to cause an XSS vulnerability.
Best scores / application

Nr.: 1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14, 15, 16
Tested application: Javascript tests, Vanilla-1.1.4, VivvoCMS-3.4, fttss-2.0, Wordpress-2.6.5, vbulletin_v3.6.8, riotpix v0.61, javabb_v0.9, Yazd Discussion Forum_v3.0, pebble_v2.3.1, TriptychBlog_v.9.0, DMG Forums_v3.1, Dave's CMS_v2.0.2, Acunetix Demo Application - Acunetix Acuart, AppScan Demo Application - Altoro Mutual, WebInspect Demo Application - Free Bank Online
Platform: N/A, PHP, PHP, PHP, PHP, PHP, PHP, Java, Java, Java, ASP.NET, ASP.NET, ASP.NET, PHP, ASP.NET, ASP
Scanner columns: AppScan, WebInspect, Acunetix, Acunetix + AcuSensor
Summary: * wins 1 wins $ wins
Before starting this evaluation my favorite scanner was AppScan. They have a nice interface and I had the impression they are very fast. After the evaluation, I've radically changed my opinion: AppScan scored worst in almost all the cases. They are finishing the scan quickly because they don't do a comprehensive test. And they have a huge rate of false positives. Almost all scans contain some false positives (most of the times for applications that are not even installed on the machine). They have a lot of space for improvement.

Acunetix WVS and WebInspect are relatively good scanners. If you are in the position to use the AcuSensor technology (PHP, ASP.NET and you are not required to do a blackbox testing) then Acunetix WVS & AcuSensor is the better choice. As these results show, blackbox testing is not enough anymore. If you cannot use AcuSensor then you should decide between WebInspect and Acunetix WVS. Both have their advantages and disadvantages. Browse the results and decide for yourself.

Final words

I've included enough information in this report (the javascript files used for testing, exact version and URL for all the tested applications) so anybody with enough patience can verify and reproduce the results presented here. Therefore, I will not respond to emails from vendors. You have the information, fix your scanners!