Assessment of Web Scanner Tools

Mohammed, Rawaa Abbas

doi:10.5120/ijca2016907794

Cited by 8 publications

(6 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Rawaa [39] performed an assessment of web scanner tools and evaluated the effectiveness and differences to find flaws and limitations in different web scanner tools. The evaluation of black box web application vulnerability scanners was focused on SQLI and XSS attacks due to their severity level.…”

Section: Literature Reviewmentioning

confidence: 99%

A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions

Shahid

Hameed²,

Javed

et al. 2022

Applied Sciences

View full text Add to dashboard Cite

The growing use of the internet has resulted in an exponential rise in the use of web applications. Businesses, industries, financial and educational institutions, and the general populace depend on web applications. This mammoth rise in their usage has also resulted in many security issues that make these web applications vulnerable, thereby affecting the confidentiality, integrity, and availability of associated information systems. It has, therefore, become necessary to find vulnerabilities in these information system resources to guarantee information security. A publicly available web application vulnerability scanner is a computer program that assesses web application security by employing automated penetration testing techniques that reduce the time, cost, and resources required for web application penetration testing and eliminates test engineers’ dependency on human knowledge. However, these security scanners possess various weaknesses of not scanning complete web applications and generating wrong test results. Moreover, intensive research has been carried out to quantitatively enumerate web application security scanners’ results to inspect their effectiveness and limitations. However, the findings show no well-defined method or criteria available for assessing their results. In this research, we have evaluated the performance of web application vulnerability scanners by testing intentionally defined vulnerable applications and the level of their respective precision and accuracy. This was achieved by classifying the analyzed tools using the most common parameters. The evaluation is based on an extracted list of vulnerabilities from OWASP (Open Web Application Security Project).

show abstract

Section: Literature Reviewmentioning

confidence: 99%

A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions

Shahid

Hameed²,

Javed

et al. 2022

Applied Sciences

View full text Add to dashboard Cite

show abstract

Section: ) Skipfishmentioning

confidence: 99%

“…Skipfish is Google's web app vulnerability detection tool [23], [24]. By performing recursive crawls and dictionarybased probes, it can generate an interactive sitemap of the target site [23], [24]. Skipfish is particularly useful in determining whether a site is vulnerable to scripting or injection attacks [25].…”

Section: ) Skipfishmentioning

confidence: 99%

CyExec*: A High-Performance Container-Based Cyber Range With Scenario Randomization

Nakata

Otsuka

2021

IEEE Access

View full text Add to dashboard Cite

With increasing threats to information security, information security education through practical exercises specifically cyber range has attracted attention. However, the use of a cyber range is not widespread because of the high initial and maintenance cost and difficulty of developing new scenarios. Because many virtual instances are executed in the cyber range, the advantage of container type virtualization, which can provide a lightweight execution environment, is expected to increase efficient hardware utilization and decrease the total cost. On the other hand, containers pose challenges in scalability and scenario development when it comes to their use in cyber ranges because their performance advantages and vulnerability reproducibility have not been reported. In this paper, we conducted an exhaustive experiment to compare the performance and reproducibility of container-type virtualization with other virtualization types. The results show that containers can provide a more efficient execution environment than the other types, with almost perfect vulnerability reproducibility of more than 99% while reducing memory consumption by half and storage consumption to 1/60. The container's high performance and reproducibility enabled us to develop CyExec * , a cyber range system with DAG-based scenario randomization technology. CyExec * can increase educational effectiveness by automatically generating multiple scenarios with the same learning objective. Compared with a random scenario generator for CTF using another virtualization type, CyExec * shows more than three times higher performance. CyExec * can solve existing cyber range issues.

show abstract

“…Although the advantages of vulnerability scanners are indisputable, it remains unclear how well they perform on different types of vulnerabilities. Previous research has tried to address this question, but it typically focused on a very small set of vulnerability scanners [15,21,22], used a (custom) testbed with only a few vulnerability test cases [10,29,36], and/or concentrated on a narrow subset of the most common web vulnerabilities [2,24].…”

Section: Introductionmentioning

confidence: 99%

A Quantitative Assessment of the Detection Performance of Web Vulnerability Scanners

Lavens

Philippaerts

Joosen

2022

Proceedings of the 17th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Software developers use web application vulnerability scanners to automatically identify security weaknesses in their web applications. The scanners inspect source code or analyze the running application, and look for specific vulnerability types. While it can be expected that a scanner will not discover every vulnerability, no information is available on the expected efficacy of currently available vulnerability scanners for a given vulnerability type. We present an analysis of 24 web vulnerability scanners and determine their effectiveness on 11 vulnerability types. Our study offers insights into the trade-offs when selecting a specific type of scanner. We show that for some vulnerability types, most vulnerability scanners perform poorly. CCS CONCEPTS• Security and privacy → Software security engineering.

show abstract

Assessment of Web Scanner Tools

Cited by 8 publications

References 1 publication

A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions

A Comparative Study of Web Application Security Parameters: Current Trends and Future Directions

CyExec*: A High-Performance Container-Based Cyber Range With Scenario Randomization

A Quantitative Assessment of the Detection Performance of Web Vulnerability Scanners

Contact Info

Product

Resources

About