NOTE: Read the article 2015 - How Does Netsparker
Earlier this month, information security researcher and analyst Shay Chen released the 2013/2014 Web Application Vulnerability Scanners Benchmark, in which he compared 63 different web vulnerability scanners, or, as they are also known, web application security scanners.
The comparison contains a wealth of information and, for those who have the time, it is worth diving into and
Hence, when you also include the price in the equation, Netsparker is the best web vulnerability scanner with the best return on investment; while IBM
How did Netsparker Perform When Compared to Other Scanners?
There are several different angles from which you can look at the results to determine which web vulnerability scanner is best for you. To start off with, below are the graphs for each web vulnerability class tested in this benchmark:
SQL Injection Vulnerabilities Detection
Netsparker detected all of the 136 SQL injection vulnerabilities like most of the other web vulnerability scanners. Only NTOSpider and N-Stalker did not detect all SQL injection vulnerabilities.
Cross-Site Scripting Vulnerabilities Detection
Netsparker detected all of the 66 cross-site scripting vulnerabilities like most of the other web vulnerability scanners. Only BurpSuite and N-Stalker failed to detect all XSS vulnerabilities.
Path Traversal / Local File Inclusion Vulnerabilities Detection
Here is where things start becoming interesting; IBM AppScan and Netsparker are
According to the
Third placed NTOSpider missed 154, HP WebInspect missed 228, Acunetix WVS missed 348 and so on.
XSS via RFI Vulnerabilities Detection
Unvalidated and Open Redirects Vulnerabilities Detection
HP WebInspect detected the most unvalidated redirect vulnerabilities by detecting 15 out of 60, followed by Netsparker and IBM AppScan with 11 detections.
Old Backup Files Detected
Acunetix WVS leads the pack in this test by detecting 60 out of 184 backup files. It is followed by BurpSuite with 46 detections, SyHunt with 34 detections, and the rest follow.
Total Number of Identified Vulnerabilities
All Web Application Vulnerability Classes
After going through each individual vulnerability class chart, it is now time to add up all vulnerabilities together and see how the scanners performed overall. As per the chart below, Netsparker and IBM AppScan were the only two automated web vulnerability scanners to identify more than 1,000 web application vulnerabilities. Both scanners lead thanks to excellent detection of critical path traversal and LFI vulnerabilities.
Netsparker detected 1,112 vulnerabilities and is second only to IBM AppScan, which detected 1,147 vulnerabilities. Next in line is NTOSpider with 958 vulnerabilities, then HP WebInspect with 917 vulnerabilities, followed by Acunetix, which detected 819 vulnerabilities. BurpSuite, SyHunt and N-Stalker follow with 791, 716 and 484 identified vulnerabilities respectively.
Direct Impact Web Application Vulnerabilities
Below is another chart showing how many direct impact vulnerabilities each web vulnerability scanner detected. By direct impact we mean critical vulnerabilities that, if exploited, could affect the operations of the web application and the business itself; the "Old backup files" and "Unvalidated / Open redirects" vulnerabilities are therefore excluded from this chart.
As we can see, after excluding
False Positives and Web Security Scans Time Consumption
Compared to the benchmarks of previous years, all web vulnerability scanners improved their detection rate and all of them managed to reduce the number of reported false positives. Funnily enough, Netsparker, the only false-positive-free web vulnerability scanner, reported 3 false positive SQL injection vulnerabilities. How did this happen?
To start off with, Netsparker ships with an exploitation engine that is automatically triggered once a vulnerability is detected. If the vulnerability can be exploited, it is not a false positive.
The Time Efficiency Factor - Netsparker Still Leads the Way
Even though Netsparker reported 3 false positive SQL injection vulnerabilities, it still leads the pack. When using Netsparker, the user only has to verify the 3 unconfirmed vulnerabilities.
On the other hand, none of the other web vulnerability scanners has an exploitation engine, hence the user
Which is the Best Web Vulnerability Scanner?
The best web vulnerability scanner is the one that detects the most vulnerabilities, is the easiest to use and can automate most of your work. As we all know, users have to verify a scanner's findings, therefore automated vulnerability confirmation is also something that should be considered in the equation. Verifying findings is a
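The totals, the direct-impact chart and the verification-effort argument above are three different views of the same per-class numbers. The script below, an added example that is not part of the original post and not Netsparker's or the benchmark's own code, models those three views for a set of hypothetical scanners: it sums per-class detections, recomputes the total with the two non-direct-impact classes left out, and counts how many reported findings a user still has to check by hand when a scanner confirms some findings itself and leaves the rest (including any false positives) unconfirmed. All scanner names, case counts and detection figures are constructed for illustration, not the benchmark's real data.

```python
from dataclasses import dataclass

# Vulnerability classes with the number of test cases per class.
# Constructed sample figures for illustration; NOT the benchmark's real numbers.
CASES = {
    "sqli": 50,
    "xss": 40,
    "lfi": 100,
    "open_redirect": 30,
    "backup_files": 60,
}

# Classes the post leaves out of its "direct impact" chart.
NON_DIRECT = {"open_redirect", "backup_files"}


@dataclass
class ScanResult:
    name: str
    detected: dict          # class -> real vulnerabilities the scanner reported
    false_positives: int    # reported findings that are not real
    confirmed: int          # findings the scanner itself proved (e.g. by exploiting them)

    def __post_init__(self):
        for cls, found in self.detected.items():
            if cls not in CASES or found > CASES[cls]:
                raise ValueError(f"{self.name}: bad count for {cls}")
        # A finding confirmed by exploitation is real by definition,
        # so confirmed can never exceed the true positives.
        if self.confirmed > self.total():
            raise ValueError(f"{self.name}: confirmed exceeds true positives")

    def total(self) -> int:
        return sum(self.detected.values())

    def direct_impact(self) -> int:
        return sum(n for cls, n in self.detected.items() if cls not in NON_DIRECT)

    def reported(self) -> int:
        return self.total() + self.false_positives

    def precision(self) -> float:
        return self.total() / self.reported()

    def detection_rate(self, cls: str) -> float:
        return self.detected.get(cls, 0) / CASES[cls]

    def manual_verification(self) -> int:
        # Every reported finding the scanner did not confirm must be checked by hand,
        # and the false positives are necessarily among the unconfirmed ones.
        return self.reported() - self.confirmed


def rank_by(results, metric, lowest_first=False):
    """Scanner names ordered by a metric (highest first unless lowest_first)."""
    return [r.name for r in sorted(results, key=metric, reverse=not lowest_first)]


# Hypothetical scanners. ScannerA confirms every real finding it reports and
# leaves only its 3 false positives unconfirmed; the others confirm nothing.
SAMPLE = [
    ScanResult("ScannerA", {"sqli": 50, "xss": 40, "lfi": 95, "open_redirect": 5, "backup_files": 10}, 3, 200),
    ScanResult("ScannerB", {"sqli": 50, "xss": 40, "lfi": 98, "open_redirect": 8, "backup_files": 12}, 5, 0),
    ScanResult("ScannerC", {"sqli": 48, "xss": 40, "lfi": 60, "open_redirect": 4, "backup_files": 30}, 8, 0),
]


def scoreboard(results=SAMPLE):
    """Rankings under the three views used in the post."""
    return {
        "total": rank_by(results, ScanResult.total),
        "direct_impact": rank_by(results, ScanResult.direct_impact),
        "manual_verification": rank_by(results, ScanResult.manual_verification, lowest_first=True),
    }


if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.name}: total={r.total()} direct={r.direct_impact()} "
              f"precision={r.precision():.3f} to_verify={r.manual_verification()}")
    print(scoreboard())
```

In the constructed data ScannerB finds the most vulnerabilities, yet its user has to look at every one of its 213 reported findings, while ScannerA's user checks 3. That is the point of folding confirmation into the comparison: raw detection counts and the work left for the analyst rank the scanners differently.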
How to Choose the Best Web Vulnerability Scanner for You?
Although the above statistics are a good indication of who the web application security market leaders are, don't base your judgement on these facts alone. There is no better way to determine which is the best tool for you
If you are new to this geeky world of automated scanning, the article on how to evaluate web vulnerability scanners will give you a better insight into how to choose the right web scanner for you. And if you'd like to learn more, read Getting Started with Web Application Security.
What is Next for Netsparker Web Application Security Scanner?
We have done very well in identifying almost all critical vulnerabilities and can see that our lowest point is detecting old backup files on websites. We never really focused on this type of issue, since the cost of identifying them, weighed against the worth of the finding, is not of great value.
Last but not least we would like to thank Shay Chen for all his professional work and dedication.