Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners



Registration | Hotel | Walter E. Washington Convention Center

The presentation

The threat of cyber attacks resulting from inadequate security is a real and evolving danger. Corporate and personal data is breached and lost because of web application vulnerabilities thousands of times every year. Web application vulnerability scanners are tools that network administrators and security experts can use to help prevent and detect vulnerabilities such as SQL injection, cross-site scripting, and session hijacking. However, these tools have been found to have flaws and limitations. Research has shown that web application vulnerability scanners cannot reliably detect vulnerabilities and attack vectors, and do not give effective measurements of web application security. This paper presents a method for analyzing the flaws and limitations of several of the most popular commercial and free/open-source web application scanners, using a secure and an insecure version of a custom-built web application. The described method allows us to recommend improvements to web application scanner techniques that reduce the number of false-positive and false-negative results.
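The secure/insecure comparison the abstract describes can be scored mechanically: every finding against the secure build is a false positive by construction, while findings against the insecure build are matched to a known ground truth. The following is an added illustration, not code from the presentation; the vulnerability classes, paths, parameters and scanner output are constructed sample data, and the ground-truth set and report format are assumptions.

```python
# Added example (not from the presentation): scoring one scanner's findings
# against a secure and an insecure variant of the same application.
from collections import namedtuple

Finding = namedtuple("Finding", "vuln_class path param")

# Constructed ground truth for the insecure variant. The secure variant is
# built to contain none of these, so any finding against it is a false positive.
INSECURE_TRUTH = {
    Finding("sqli", "/login", "username"),
    Finding("xss", "/search", "q"),
    Finding("session", "/account", None),
}

# Constructed scanner output, one set of findings per application variant.
SCANNER_REPORTS = {
    "insecure": {
        Finding("sqli", "/login", "username"),   # true positive
        Finding("xss", "/search", "q"),          # true positive
        Finding("xss", "/about", "ref"),         # false positive
    },
    "secure": {
        Finding("sqli", "/login", "username"),   # false positive: fixed in secure build
    },
}

def score(reports, truth):
    """Return per-class TP/FP/FN counts plus precision and recall for one scanner."""
    classes = {f.vuln_class for f in truth} | {f.vuln_class for r in reports.values() for f in r}
    result = {}
    for cls in classes:
        t = {f for f in truth if f.vuln_class == cls}
        ins = {f for f in reports["insecure"] if f.vuln_class == cls}
        sec = {f for f in reports["secure"] if f.vuln_class == cls}
        tp = len(t & ins)                 # real flaws the scanner reported
        fp = len(ins - t) + len(sec)      # spurious reports on either variant
        fn = len(t - ins)                 # real flaws the scanner missed
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        result[cls] = {"tp": tp, "fp": fp, "fn": fn, "precision": precision, "recall": recall}
    return result

if __name__ == "__main__":
    for cls, m in sorted(score(SCANNER_REPORTS, INSECURE_TRUTH).items()):
        print(f"{cls:8} TP={m['tp']} FP={m['fp']} FN={m['fn']} "
              f"precision={m['precision']:.2f} recall={m['recall']:.2f}")
```

Running the same scorer over each scanner's reports gives a per-class comparison in which a finding that survives into the secure build is counted against the scanner rather than silently credited to it.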

The speakers

Bios will be posted shortly