The SQL Injection Detection Accuracy of Web Application Scanners

The current information is based on the results of the *2011/2012* benchmarks (except for entries marked as updated or new).

Last updated: 29/03/2014, Currently compares 56 scanners
Sorted in descending order according to the scanner's SQL injection detection ratio and product name.



| Rank | Vulnerability Scanner | Version | Vendor | Detection Rate | False Positives |
|---|---|---|---|---|---|
| 1 | sqlmap | 1.0 | sqlmap developers | 100.00% (136/136) | 0.00% (0/10) |
| 2 | arachni | 0.4.6 | Tasos Laskos | 100.00% (136/136) | 20.00% (2/10) |
| 2 | Vega | 1.0 | Subgraph | 100.00% (136/136) | 20.00% (2/10) |
| 2 | Wapiti | 2.3.0 | OWASP | 100.00% (136/136) | 20.00% (2/10) |
| 3 | ZAP | 2.2.2 | OWASP | 100.00% (136/136) | 30.00% (3/10) |
| 4 | Syhunt Mini (Sandcat Mini) | 4.4.3.0 | Syhunt | 100.00% (136/136) | 50.00% (5/10) |
| 5 | IronWASP | 0.9.7.4 | Lavakumar Kuppan | 99.26% (135/136) | 0.00% (0/10) |
| 6 | WATOBO | 0.9.19 | Andreas Schmidt | 83.09% (113/136) | 60.00% (6/10) |
| 7 | Andiparos | 1.0.6 | Compass Security AG | 77.21% (105/136) | 40.00% (4/10) |
| 7 | Paros Proxy | 3.2.13 | MileSCAN Technologies | 77.21% (105/136) | 40.00% (4/10) |
| 8 | SkipFish | 2.10 | Michal Zalewski - Google | 76.47% (104/136) | 0.00% (0/10) |
| 9 | Netsparker Community Edition | 3.1.6.0 | Netsparker Ltd | 72.06% (98/136) | 30.00% (3/10) |
| 10 | Sandcat Free Edition | 4.0.0.1 | Syhunt | 58.82% (80/136) | 20.00% (2/10) |
| 11 | Oedipus | 1.8.1 | Jordan Del Grande | 58.82% (80/136) | 40.00% (4/10) |
| 12 | WebSecurify (Opensource Version) | 0.9 | GNU Citizen | 58.82% (80/136) | 50.00% (5/10) |
| 13 | ProxyStrike | 2.2 | Edge Security | 52.21% (71/136) | 0.00% (0/10) |
| 14 | PowerFuzzer | 1.0 | Marcin Kozlowski | 51.47% (70/136) | 40.00% (4/10) |
| 15 | WebCruiser Free Edition | 2.4.2 | Janus Security | 50.74% (69/136) | 0.00% (0/10) |
| 16 | Gamja | 1.6 | Sanghun Jeon | 50.00% (68/136) | 80.00% (8/10) |
| 17 | WSTool | 0.14001 | Kim Young-il | 45.59% (62/136) | 40.00% (4/10) |
| 18 | Grendel Scan | 1.0 | David Byrne | 42.65% (58/136) | 50.00% (5/10) |
| 19 | safe3wvs (limited free edition) | 10.1 | Safe3 Network Center | 40.44% (55/136) | 30.00% (3/10) |
| 20 | Damn Small SQLi Scanner (DSSS) | 0.1h | Miroslav Stampar | 39.71% (54/136) | 20.00% (2/10) |
| 21 | JSky Free Edition | 1.0.0 | NoSec | 38.24% (52/136) | 20.00% (2/10) |
| 22 | SQLiX | 1.0 | OWASP | 37.50% (51/136) | 20.00% (2/10) |
| 23 | W3AF | 1.6 | W3AF developers | 35.29% (48/136) | 30.00% (3/10) |
| 24 | Mini MySqlat0r | 0.5 | SCRT Information Security | 26.47% (36/136) | 0.00% (0/10) |
| 25 | Uber Web Security Scanner | 0.0.2 | Levent Kayan & Illuminatus | 21.32% (29/136) | 40.00% (4/10) |
| 26 | Secubat | 0.5 | Stefan Kals | 18.38% (25/136) | 70.00% (7/10) |
| 27 | Grabber | 0.1 | Romain Gaucher | 15.44% (21/136) | 20.00% (2/10) |
| 28 | Scrawlr | 1.0 | HP Application Security Center | 13.24% (18/136) | 0.00% (0/10) |
| 29 | aidSQL | 02062011 | Lynxec | 11.76% (16/136) | 0.00% (0/10) |
| 30 | iScan | 0.1 | Simone Margaritelli | 0.00% (0/136) | 0.00% (0/10) |
| 30 | LoverBoy | 1.0 | Ashaman Boyd | 0.00% (0/136) | 0.00% (0/10) |
| 30 | openAcunetix | 0.1 | John Martinelli | 0.00% (0/136) | 0.00% (0/10) |
| 30 | Priamos | 1.0 | Yigit Aktan | 0.00% (0/136) | 0.00% (0/10) |
| 30 | SQID (SQL Injection Digger) | 0.3 | Metaeye Security Group | 0.00% (0/136) | 0.00% (0/10) |
| 30 | VulnDetector | 0.0.2 | Brad Cable | 0.00% (0/136) | 0.00% (0/10) |
| 30 | Web Injection Scanner (WIS) | 0.4 | netXeyes | 0.00% (0/136) | 0.00% (0/10) |
| 30 | Xcobra | 0.2 | Taras Ivashchenko | 0.00% (0/136) | 0.00% (0/10) |

Copyright © 2010-2014 by Shay Chen. All rights reserved.