In a recent study, popular web application security scanners were put to the test to see how many exploitable vulnerabilities they could find. Hackazon, a modern Web 2.0 and deliberately vulnerable PHP web application, was downloaded onto a Windows 10 VM. It ships with many preconfigured vulnerabilities. The whole setup requires a PHP framework, an Apache server, and a MySQL database. The scanners tested were Acunetix, OWASP ZAP, and Burp Suite Pro.
In total, Acunetix discovered 45 vulnerabilities, 4 of which were considered high, 30 medium, 8 low, and 3 informational. Overall, Acunetix performed extremely well at detecting most XSS vulnerabilities, one blind SQL injection, and one XSRF vulnerability; however, it failed to detect most SQL injection, stored XSS, integer overflow, and file upload vulnerabilities.
OWASP ZAP discovered a high number of vulnerabilities, a whopping 1676, but this number consisted largely of duplicate alerts. Additionally, only one high-level vulnerability was discovered; 313 vulnerabilities were medium, and the rest were low. ZAP detected many issues, such as click-jacking, XSS, and path traversal vulnerabilities.
Burp Suite Pro perhaps had the best results, since it correctly discovered the most vulnerabilities, such as one blind SQL injection, two SQL injection, one XSRF, and two reflected XSS vulnerabilities. In total, it discovered 499 vulnerabilities, 45 of which were high, 450 low, and 4 informational.
The scanners performed well at detecting XSS and SQLi vulnerabilities but overlooked most other vulnerability classes. In fact, 75% of the preconfigured vulnerabilities in this study went undetected. It appears that these scanners have difficulty detecting stored XSS, OS command injection, remote file inclusion, and integer overflow vulnerabilities.
EXPLANATIONS & LIMITATIONS
The most plausible explanation for the scanners' shortcomings and uneven performance is that they were deployed in an automated or PaS setting, which undoubtedly limits their coverage.
(Continued in comments)