You’ve made the right decision to improve your web application security posture and perform regular web application scanning. However, there are several renowned web vulnerability scanners on the market and you have to choose one. How do you do that?
As a first step, you probably researched all the options and shortlisted the products that may satisfy your needs. Then you checked whether the vendors of these products are renowned and trustworthy and whether the products have good ratings from other customers. You probably also read a lot of feature descriptions and possibly even some support documentation. You’ve requested a demo, you’ve received a trial version of the product, and now you have the tool to test. Now what?
You can, of course, begin by testing the trial version of each tool against your own websites and web applications. However, unless you have been very lax with security, you won’t find many types of vulnerabilities, and, more importantly, you have no ground truth: you do not know which vulnerabilities your applications actually contain, so you cannot tell what the scanner missed or how it will perform on bugs you have not yet introduced. You can also test the tool against intentionally vulnerable websites provided by the tool vendor (if any), but you won’t be able to see or tweak the application code, so you cannot verify its findings against a known list of flaws. What else can you do?
Intentionally Vulnerable Applications to the Rescue
Aspiring penetration testers and security researchers have a similar problem to yours. They need some kind of testing ground to learn and verify their skills. It would not be very efficient if they created their own vulnerabilities and then tried to discover them. That’s why they rely on intentionally vulnerable applications.
Intentionally vulnerable applications are usually developed as open source. Most often, they come as ready-to-install packages with a local web server and a local database, and you can run them in an isolated environment completely independent of your production systems. Keep them isolated: they are exploitable by design, and scanner payloads can modify or break them, so run them in a throwaway virtual machine or container on a network segment that cannot reach anything else and is not reachable from the Internet. Security analysts practice their manual skills on such applications, but they are just as good for evaluating web vulnerability scanners, because their vulnerabilities are documented. That documentation is your ground truth: you know in advance what a scanner should find, so you can count what it missed (false negatives) and what it reported that is not there (false positives), something a scan of your own applications can never tell you. Professional benchmarkers use such applications as the basis for scanner evaluation for exactly this reason.
Here are the most notable examples of renowned and continuously developed intentionally vulnerable web applications. We’ve also prepared step-by-step guides for each of them to show you how to use them to benchmark Acunetix.
- DVWA (Damn Vulnerable Web Application) is an open-source project developed by the DVWA team and hosted on GitHub. It is written in PHP/MySQL and contains a lot of intended vulnerabilities, both documented and undocumented. It has a selectable security level (low, medium, high, impossible) that changes how well each vulnerability is protected, so benchmark a scanner at each level rather than only at the default one.
  See a step-by-step guide to scanning DVWA with Acunetix.
- OWASP Juice Shop is an open-source project developed by the OWASP Foundation. It is written in Node.js, Express, and Angular, and its authors describe it as the most modern and sophisticated insecure web application. Because it is a single-page application backed by a REST API, it also tests whether a scanner can crawl a JavaScript-driven front end and reach the API endpoints behind it.
  See a step-by-step guide to scanning OWASP Juice Shop with Acunetix.
- bWAPP (Buggy Web Application) is an open-source project. Similar to DVWA, it is written in PHP with a MySQL database and also offers several security levels.
  See a step-by-step guide to scanning bWAPP with Acunetix.
There are more such applications available on the web. However, the above three are a good starting point. We will gladly show you how to configure Acunetix so you can thoroughly scan any testing environment. Get a Demo today.
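Whichever application you pick, the benchmark itself is the same exercise: normalize the scanner's findings, compare them with the application's documented vulnerability list, and count hits, misses and extras. The script below is an added example of that comparison and is not part of the original page or of Acunetix; the `GROUND_TRUTH` list and the `SCANNER_REPORT` are constructed sample data (the paths are modelled on DVWA's module layout, but the host `dvwa.local`, the parameter names and the report format are assumptions, not a real scan export).

```python
"""Score a web vulnerability scanner's findings against a documented vulnerability list.

Added example for benchmarking a scanner with an intentionally vulnerable
application. All input data below is constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Finding:
    """Canonical key for one vulnerability: class, page path and injection parameter."""
    vuln_class: str
    path: str
    parameter: str


def normalize(vuln_class: str, url: str, parameter: str) -> Finding:
    """Reduce a (class, URL, parameter) triple to a comparable key.

    Scanners report full URLs with query strings and their own casing for
    vulnerability names; ground-truth lists usually give a bare page and
    parameter. Dropping scheme, host and query and lower-casing names lets
    both sides be compared as sets.
    """
    path = urlsplit(url).path.rstrip("/") or "/"
    return Finding(vuln_class.strip().lower(), path, parameter.strip().lower())


# Constructed ground truth: what the test application's documentation says is
# vulnerable (class, page URL, vulnerable parameter). Assumed host: dvwa.local.
GROUND_TRUTH = [
    ("sqli", "http://dvwa.local/vulnerabilities/sqli/", "id"),
    ("sqli_blind", "http://dvwa.local/vulnerabilities/sqli_blind/", "id"),
    ("xss_reflected", "http://dvwa.local/vulnerabilities/xss_r/", "name"),
    ("xss_stored", "http://dvwa.local/vulnerabilities/xss_s/", "mtxMessage"),
    ("command_injection", "http://dvwa.local/vulnerabilities/exec/", "ip"),
    ("file_inclusion", "http://dvwa.local/vulnerabilities/fi/", "page"),
]

# Constructed scanner output in the shape of a generic JSON export. It contains a
# duplicate (same flaw reported from two crawled URLs) and one finding on a page
# that is not in the documented list.
SCANNER_REPORT = [
    {"type": "SQLi", "url": "http://dvwa.local/vulnerabilities/sqli/?id=1&Submit=Submit", "param": "id"},
    {"type": "SQLi", "url": "http://dvwa.local/vulnerabilities/sqli/?id=2&Submit=Submit", "param": "id"},
    {"type": "XSS_Reflected", "url": "http://dvwa.local/vulnerabilities/xss_r/?name=x", "param": "name"},
    {"type": "Command_Injection", "url": "http://dvwa.local/vulnerabilities/exec/", "param": "ip"},
    {"type": "XSS_Reflected", "url": "http://dvwa.local/index.php", "param": "redirect"},
]


def score(report, ground_truth):
    """Compare scanner findings with the documented list.

    Returns the detected, missed and unexpected findings plus recall
    (share of documented vulnerabilities the scanner found). Unexpected
    findings are NOT counted as false positives automatically: these
    applications also contain undocumented vulnerabilities, so each one
    needs manual triage before it is scored as a false positive.
    """
    expected = {normalize(c, u, p) for c, u, p in ground_truth}
    reported = {normalize(f["type"], f["url"], f["param"]) for f in report}  # set dedupes
    detected = expected & reported
    return {
        "detected": detected,
        "missed": expected - detected,
        "unexpected": reported - expected,
        "recall": len(detected) / len(expected) if expected else 0.0,
    }


def main():
    result = score(SCANNER_REPORT, GROUND_TRUTH)
    print(f"recall: {result['recall']:.0%}")
    for label in ("detected", "missed", "unexpected"):
        for f in sorted(result[label], key=lambda x: (x.vuln_class, x.path, x.parameter)):
            print(f"{label:10} {f.vuln_class:18} {f.path} [{f.parameter}]")


if __name__ == "__main__":
    main()
```

Run the comparison once per security level (DVWA and bWAPP let you switch it) and per scanner configuration, and keep the results: a scanner that finds six of six at the "low" level and two of six at "medium" tells you far more than a single pass ever could. The "unexpected" bucket deserves a look by hand; a finding there is either a false positive or an undocumented vulnerability, and both are worth knowing about.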