Acunetix Web Vulnerability Scanner placed first in a paper released by Adam Doup´e, Marco Cova, and Giovanni Vigna from the University of California, Santa Barbara.  In the paper “Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, the authors compared the capalities of eleven black box web security scanners (both commercial and open source) against a realistic test web application called WackoPicko.

“In comparison, our work, to the best of our knowledge, performs the largest evaluation of web application scanners in terms of the number of tested tools (eleven, both commercial and open-source), and the class of vulnerabilities analyzed. In addition, we discuss the effectiveness of different configurations and levels of manual intervention, and examine in detail the reasons for a scanner’s success or failure.”

“we decided to create our own test application, called WackoPicko. It is important to note that WackoPicko is a realistic, fully functional web application.  As opposed to a simple test application that contains just vulnerabilities, WackoPicko tests the scanners under realistic conditions. To test the scanners’ support for clientside JavaScript code, we also used the open source Web Input Vector Extractor Teaser (WIVET). WIVET is a synthetic benchmark that measures how well a crawler is able to discover and follow links in a variety of formats, such as JavaScript, Flash, and form submissions.”

Download the paper “Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners” from here.


Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.

Comments are closed.