For my work in the Samate Project, in the web application scanner evaluation, I made a website with a variable level of security, because I was not at all satisfied with the Watchfire or SPI Dynamics demo websites.

Then I started to consider this website as a test suite... The problem is the gap that could exist between different types of tools:

- basic tools (Paros, Pantera, Wapiti, etc.)
- well-known commercial tools (WebInspect, AppScan, NTOSpider, etc.)

mainly because of the AJAX.

Actually, I use AJAX in different parts of the website, such as the login system, registration and dynamic verification, and I'm sure that if you cannot interpret the JavaScript, you cannot see the vulnerabilities in this code. Maybe the tools can parse some URLs... Maybe I have to create another, "more classical" website with only {PHP, MySQL, sessions, cookies}... Wait and see the first results.
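To make the coverage gap concrete, here is an added example (my own code, not the author's test site and not any of the scanners named above). It uses a constructed login page whose request endpoint exists only inside inline JavaScript: an HTML-only crawler that harvests href/action/src attributes finds nothing, while a crawler that executes the script with a stubbed DOM and a recording fetch recovers the endpoint. The page markup, the `/api/login` path and the minimal DOM stub are all assumptions made for the illustration.

```javascript
// Constructed sample page (not from the original post): no <form action>, no
// <a href>; the login request is assembled and sent by JavaScript only.
const PAGE_HTML = `
<html><body>
  <input id="user"><input id="pass" type="password">
  <button id="go">Login</button>
  <script>
    var api = "/api/" + "login";   // endpoint string built at runtime
    document.getElementById("go").onclick = function () {
      fetch(api, {
        method: "POST",
        body: JSON.stringify({
          u: document.getElementById("user").value,
          p: document.getElementById("pass").value
        })
      });
    };
  </script>
</body></html>`;

// Crawler 1: HTML-only. Collects href/action/src attribute values, which is
// all a scanner without a JavaScript interpreter can see.
function staticEndpoints(html) {
  const found = new Set();
  const re = /\b(?:href|action|src)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.add(m[1]);
  return [...found];
}

// Crawler 2: runs each inline <script> with a stubbed document and a fetch()
// that records URLs, then fires every click handler the script registered.
// The DOM stub is deliberately minimal (assumption: the page only needs
// getElementById, .value and .onclick).
function dynamicEndpoints(html) {
  const seen = new Set();
  const elements = {};
  const document = {
    getElementById(id) {
      if (!elements[id]) elements[id] = { value: "sample", onclick: null };
      return elements[id];
    },
  };
  const fetch = (url) => {
    seen.add(url);
    return Promise.resolve({ ok: true });
  };
  const scriptRe = /<script>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    // Execute the inline script with our stubs bound as its globals.
    new Function("document", "fetch", m[1])(document, fetch);
  }
  // Simulate the user interaction a scanner would have to drive.
  for (const el of Object.values(elements)) {
    if (typeof el.onclick === "function") el.onclick();
  }
  return [...seen];
}

console.log("HTML-only crawler sees:", staticEndpoints(PAGE_HTML));
console.log("JS-executing crawler sees:", dynamicEndpoints(PAGE_HTML));
```

The point for evaluating a scanner is the first line of output: a tool that stops at the markup never learns that `/api/login` exists, so it never sends a single test request to it, whatever vulnerabilities the handler behind it may have.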