
The OWASP Benchmark for Python is a test suite designed to verify the accuracy of Python software vulnerability detection tools. A fully runnable web app written in Python, it supports analysis by Static (SAST), Dynamic (DAST), and Runtime (IAST) tools that support Python. For more details, see the OWASP Benchmark Project home page.


OWASP-Benchmark/BenchmarkPython


OWASP Benchmark for Python

The OWASP Benchmark for Python is a Python test suite designed to verify the speed and accuracy of vulnerability detection tools. It is a fully runnable open source web application that can be analyzed by any type of Application Security Testing (AST) tool, including SAST, DAST (such as ZAP), and IAST tools. The intent is that every vulnerability deliberately included in and scored by the Benchmark is actually exploitable, so that it is a fair test for any kind of application vulnerability detection tool.

The Benchmark project also includes scorecard generators for numerous open source and commercial AST tools, and the set of supported tools is growing all the time. This scoring capability is implemented in the BenchmarkUtils project, which is at: https://github.com/OWASP/BenchmarkUtils.

The project documentation is all on the OWASP site at the OWASP Benchmark project pages. Please refer to that site for all the project details.

This is a preliminary release we are calling v0.1. Over the next several months we plan to improve and upgrade this project toward a full v1.0 release, once sufficient vulnerability coverage has been implemented.

Note that the releases available at https://github.com/OWASP/BenchmarkPython/releases are historical snapshots. The latest version is always the head of this repository: clone it, or run git pull in an existing clone to update.

Running Benchmark Itself:

  • runBenchmark.sh - run the Benchmark Python web application, accessible only from the local machine.
  • runRemoteAccessibleBenchmark.sh - like the above, but makes port 8443 reachable from outside the machine the Python Benchmark is running on. Because the application is deliberately vulnerable and its vulnerabilities are intended to be exploitable, only use this on an isolated or otherwise trusted network (for example, so that a DAST tool running on another host can scan it).

ACKNOWLEDGEMENTS: The OWASP Benchmark project would like to thank the contributions of AppSecAI (https://www.appsecai.io) and their team members Theo Cartsonis and Jessica Salawu for doing the bulk of the development work to produce this first release of the Benchmark for Python test suite.
