Benchmarking might not be the correct term as graudit does not have the capacity to determine if a signature match is in fact a vulnerability or not. It only highlights a potential problem area so you can pay closer attention to it. Like most signature based approaches it does stand a fairly good chance of catching low hanging fruit, but certain kind of vulnerabilities will remain impossible to detect. None-the-less I am aiming to improve the standard of the signature sets, so from now on graudit will be "benchmarked" on each release.
To avoid writing signatures for specific vulnerabilities I am using two vulnerable applications to benchmark graudit with;
* Multillidae
* Damn Vulnerable Web Application
My hope is to approximate 100% low and 75% medium detection rate by version 2.0. Now to find some non PHP equivalents for the other languages.
To avoid writing signatures for specific vulnerabilities I am using two vulnerable applications to benchmark graudit with;
* Multillidae
* Damn Vulnerable Web Application
My hope is to approximate 100% low and 75% medium detection rate by version 2.0. Now to find some non PHP equivalents for the other languages.
