Accountable
Benchmark of Web Application Vulnerability Scanners
Pages
22
Time to read
13 mins
Publication
Language
English
This technical report presents a comprehensive benchmark of various web application vulnerability scanners conducted in February 2024. The analysis includes prominent commercial scanners such as Acunetix, Burp Scanner, Qualys, and Rapid7 InsightAppSec, as well as the open-source tool ZAP (Zed Attack Proxy). The benchmark aims to provide an impartial evaluation of these scanners' effectiveness in detecting vulnerabilities by utilizing two targets: Broken Crystals and DVWA (Damn Vulnerable Web Application). The report outlines the methodology used for testing, which involved assessing true positive, false positive, and false negative rates to determine the accuracy of each scanner. Key findings indicate that while most scanners demonstrate comparable detection capabilities, there are notable discrepancies, particularly with Burp Suite and Acunetix. The report also discusses the challenges faced in establishing a standard benchmark due to the evolving nature of web security vulnerabilities and the complexities involved in testing methodologies.