As far as I know, there hasn't been a concerted effort on this part yet, and it's something I've been meaning to get around to doing. I've been trying to run w3af in concert with other freeware, commercial, and manual testing to compare findings, but haven't done any testing with synthetic sites yet. Andreas does have some testing scripts, but he hasn't shared the details of his testing environment with the rest of us yet as far as I know.
I've been collecting a list of testing resources, but my consulting business gets too busy in the winter to be able to actually do much testing yet. Also, a performance bug in the GUI with a large # of knowledge base entries has thwarted my desire to test it on larger sites. (http://sourceforge.net/tracker/index.php?func=detail&aid=2460411&group_id=170274&atid=853652)

Here's some of the testing resources I've collected:

http://suif.stanford.edu/~livshits/securibench/ - Excellent collection of known vulnerable apps
http://suif.stanford.edu/~livshits/work/securibench-micro/ - Micro benchmarks of vulnerabilities
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project - Older version is included in securibench
http://www.foundstone.com/us/resources-free-tools.asp - Hackme series of tests, many different technologies
http://zero.webappsecurity.com/ - Test site for WebInspect
http://demo.testfire.net - Test site for Appscan

I'd like to build a test environment based on http://samurai.inguardians.com/ sometime. I have an older one I've used for other projects based on Backtrack 2, but I think it would be easier to build on samurai or the OWASP live cd (http://www.owasp.org/index.php/Category:OWASP_Live_CD_2008_Project) rather than keep trying to update my old software.

Ideally we need both a static set of regression tests that we can test w3af with over time and ongoing testing on new custom apps. One of my goals for the year is building a new testing suite to go with the WASC Web Application Security Scanner Evaluation Criteria (http://www.webappsec.org/projects/wassec/). But first I've gotta finish my billable work. ;-)

Any input you have or work that you wish to do in this area would be highly appreciated!

Steve

mouse wrote:
> What are folks using to benchmark or test updated versions of w3af?
> Does anyone have a set of vmimages with vulnerable web apps or a list of
> vulnerable apps that are used in this effort? Or do folks generally use
> custom apps?
>
> Thanks,
> Drew

-- 
| Steven E. Pinkham |
| GPG public key ID CD31CAFB |

_______________________________________________
W3af-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/w3af-users
