5

When doing a web vulnerability assessment with tools such as Acunetix and w3af, is it worth it to install the same web application on multiple types of web servers (Apache, IIS, etc.)?

If differences could be found, in the scanning results, between the different web servers, what type of different vulnerabilities could be found? Also, please keep in mind that I am solely testing the web application; I'm not testing Apache, PHP, MySQL, etc.

fvaliquette
  • Short answer: yes, many web applications' vulnerabilities are platform-dependent – Ulkoma Feb 08 '15 at 20:37
  • 1
    @Ulkoma source/proof for this assertion? In my experience, only platform vulnerabilities are platform-dependent. – schroeder Feb 08 '15 at 22:07
  • 1
    File inclusion, RCE through SQL injection, command injection, path traversal, XML external entity, to mention some. While you may say that the difference between c:\boot.ini and /etc/passwd is platform specific, the XML parsing flaw itself is not platform specific; only the exploitation of it is. I would argue that the same applies to SQLi: the flaw is generic, exploitation is specific (MySQL vs MSSQL etc.) – wireghoul Feb 08 '15 at 23:32

2 Answers

1

This could be of benefit if customers buy your web application and then install it on a platform of their own and you need to make it secure despite the underlying OS and back-end architecture.

If the application has been properly put together and treats user input correctly in all places, then there should be no difference. If, however, parts of the application will allow an MS SQL exploit to work whereas a MySQL one will fail, or a Windows exploit will work but this is not possible when hosted on Linux, then there is benefit. Of course, you will not know this unless you assess vulnerabilities on these platforms either dynamically (using a scanner like you propose, plus manual testing) or statically (analysing source code both automatically and manually).

Having said that, most applications would tend to exhibit similar vulnerabilities no matter what platform they have been installed on, and would have to be coded in a unique way for it to be exploitable on one platform and not the other.

SilverlightFox
  • I think this is a sensible answer, especially your statement around MS SQL stack versus MySQL stack. For example, an SQL injection vulnerability in an application that allowed xp_cmdshell code execution but would not allow a MySQL load library injection. +1. – fixulate Aug 24 '15 at 09:02
0

If you find something different between servers, then you're finding problems with the server/infrastructure and not the app. Yes, there are instances when a particular infrastructure can process application code differently, but then that's a problem with the infrastructure and not the application code itself.

I would not see that there would be value in this sort of testing unless you intend to run the app on those different servers in production.

schroeder
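An added example, not part of either answer: one way to triage scan results from the same application deployed on two stacks, separating findings reported everywhere from those reported on only one deployment. The finding format, deployment names, hosts and paths are constructed for illustration and are not the export format of Acunetix or w3af; lowercasing the path before comparing is an assumption that suits case-insensitive servers.

```python
"""Triage scanner findings from one application deployed on several stacks."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings (hypothetical normalised export, not a real
# Acunetix or w3af report format): one dict per finding, per deployment.
SCANS = {
    "apache-mysql": [
        {"class": "sqli", "url": "http://lab-a.example/item.php?id=1", "param": "id"},
        {"class": "xss", "url": "http://lab-a.example/search.php?q=x", "param": "q"},
        {"class": "path-traversal", "url": "http://lab-a.example/dl.php?f=a", "param": "f"},
    ],
    "iis-mssql": [
        {"class": "sqli", "url": "http://lab-b.example/item.php?id=1", "param": "id"},
        {"class": "xss", "url": "http://lab-b.example/Search.php?q=x", "param": "q"},
        {"class": "directory-listing", "url": "http://lab-b.example/uploads/", "param": ""},
    ],
}

def finding_key(finding):
    """Reduce a finding to (class, path, parameter), dropping host and query values."""
    # Assumption: compare paths case-insensitively so /Search.php == /search.php.
    path = urlsplit(finding["url"]).path.lower()
    return (finding["class"], path, finding["param"])

def triage(scans):
    """Split findings into those seen on every deployment and those seen on only some."""
    seen = defaultdict(set)
    for deployment, findings in scans.items():
        for finding in findings:
            seen[finding_key(finding)].add(deployment)
    everywhere = set(scans)
    common = sorted(k for k, where in seen.items() if where == everywhere)
    partial = {k: sorted(where) for k, where in sorted(seen.items()) if where != everywhere}
    return common, partial

if __name__ == "__main__":
    common, partial = triage(SCANS)
    print("Reported on every deployment (look in the application code first):")
    for key in common:
        print("  ", key)
    print("Reported on some deployments only (check exploitability or server config):")
    for key, where in partial.items():
        print("  ", key, "->", ", ".join(where))
```

A finding that appears on only one deployment still needs manual review: the scanner may simply have failed to confirm it on the other stack.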