i-manager Publications

A Comparative Study of Web Application Security Scanners for Vulnerability Detection

Hasan Abualese*, Thamer Al-Rousan**

* The World Islamic Sciences and Education University, Amman, Jordan.

** Isra University, Jordan.

Periodicity:April - June'2023
DOI : https://doi.org/10.26634/jse.17.4.19813

Abstract

A Web Vulnerability Scanner (WVS) is a software tool that assesses the security of web applications by conducting automated penetration tests. It speeds up the process, reduces costs, and eliminates the need for specialized testing engineers. This study evaluates the vulnerability detection capabilities of six WVSs, three commercial scanners, and three open-source scanners. The goal is to identify and mitigate potential security risks before they are exploited by malicious users. The study employed two well-known vulnerable web applications and four relevant metrics, such as detection rate of accuracy, recall, precision, and the ability to detect different vulnerabilities using the Open Web Application Security Project (OWASP) as a reference.

Keywords

Web Applications, Evaluation, Vulnerabilities, Web Vulnerability Scanners, Vulnerability Detection.

How to Cite this Article?

Abualese, H., and Al-Rousan, T. (2023). A Comparative Study of Web Application Security Scanners for Vulnerability Detection. i-manager’s Journal on Software Engineering, 17(4), 1-8. https://doi.org/10.26634/jse.17.4.19813

References

[1]. Abualese, H., Al-Rousan, T., & Al-Shargabi, B. (2019). A new trust framework for e-government in cloud of things. International Journal of Electronics and Telecommunications, 65(3), 397-405.

[2]. Akrout, R., Alata, E., Kaaniche, M., & Nicomette, V. (2014). An automated black box approach for web vulnerability identification and attack scenario generation. Journal of the Brazilian Computer Society, 20, 1-16.

[3]. Al Awaida, S. A., Al-Shargabi, B., & Al-Rousan, T. (2019). Automated arabic essay grading system based on f-score and arabic worldnet. Jordanian Journal of Computers and Information Technology, 5(3), 170-180.

[4]. Al-Rousan, T., Sulaiman, S., & Salam, R. A. (2009). Risk analysis and web project management. Journal of Software, 4(6), 614-621.

[5]. Al-Rouson, T., Sulaimin, S., & Salam, R. A. (2009). Supporting architectural design decision through risk identification architecture pattern (RIAP) model. WSEAS Transactions on Information Science and Applications, 6(4), 611-620.

[6]. Antunes, N., & Vieira, M. (2013). Penetration testing for web services. Computer, 47(2), 30-36.

[7]. Antunes, N., & Vieira, M. (2017). Designing vulnerability testing tools for web services: Approach, components, and tools. International Journal of Information Security, 16, 435-457.

[8]. Ban, G., Xu, L., Xiao, Y., Li, X., Yuan, Z., & Huo, W. (2021). B2SMatcher: Fine-Grained version identification of open-Source software in binary files. Cybersecurity, 4(1), 1-21.

[9]. Calzavara, S., Rabitti, A., & Bugliesi, M. (2018). Semantics-based analysis of content security policy deployment. ACM Transactions on the Web (TWEB), 12(2), 1-36.

[10]. Cao, S., Sun, X., Bo, L., Wei, Y., & Li, B. (2021). Bgnn4vd: Constructing bidirectional graph neuralnetwork for vulnerability detection. Information and Software Technology, 136, 106576.

[11]. Curphey, M., & Arawo, R. (2006). Web application security assessment tools. IEEE Security & Privacy, 4(4), 32-41.

[12]. De Ryck, P., Desmet, L., Piessens, F., & Johns, M. (2014). Primer on Client-Side Web Security. Springer.

[13]. Ðurić, Z. (2014). WAPTT-Web application penetration testing tool. Advances in Electrical and Computer Engineering, 14(1), 93-102.

[14]. DVWA. (n.d.). Damn Vulnerable Web Application.

[15]. Fazzini, M., Saxena, P., & Orso, A. (2015, May). AutoCSP: Automatically retrofitting CSP to web applications. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, 1, 336-346. IEEE.

[16]. Fonseca, J., Vieira, M., & Madeira, H. (2009, June). Vulnerability & attack injection for web applications. In 2009 IEEE/IFIP International Conference on Dependable Systems & Networks (pp. 93-102). IEEE.

[17]. Huang, Y. W., & Lee, D. T. (2005). Web application security—Past, present, and future. In Computer Security in the 21st Century (pp. 183-227). Springer, Boston.

[18]. Huang, Y. W., Tsai, C. H., Lin, T. P., Huang, S. K., Lee, D. T., & Kuo, S. Y. (2005). A testing framework for web application security assessment. Computer Networks, 48(5), 739-761.

[19]. Idrissi, S. E., Berbiche, N., Guerouate, F., & Shibi, M. (2017). Performance evaluation of web application security scanners for prevention and protection against vulnerabilities. International Journal of Applied Engineering Research, 12(21), 11068-11076.

[20]. Kirsten, S. (n.d.). Cross Site Request Forgery (CSRF).

[21]. Laranjeiro, N., Vieira, M., & Madeira, H. (2009). Protecting database centric web services against SQL/XPath injection attacks. In Database and Expert Systems Applications, 20, 271-278. Springer, Berlin, Heidelberg.

[22]. Lee, M., Lee, Y., & Yoon, H. (2016). An enhanced rulebased web scanner based on similarity score. Advances in Electrical and Computer Engineering, 16(3), 9-14.

[23]. Li, N., Xie, T., Jin, M., & Liu, C. (2010). Perturbationbased user-input-validation testing of web applications. Journal of Systems and Software, 83(11), 2263-2274.

[24]. Meeus, W., Van Beeck, K., Goedemé, T., Meel, J., & Stroobandt, D. (2012). An overview of today's high-level synthesis tools. Design Automation for Embedded Systems, 16, 31-51.

[25]. Mohammed, R. (2016). Assessment of web scanner tools. International Journal of Computer Applications, 133(5), 1-4.

[26]. Muñoz, F. R., Cortes, I. I. S., & Villalba, L. J. G. (2018). Enlargement of vulnerable web applications for testing. The Journal of Supercomputing, 74, 6598-6617.

[27]. Nidhra, S., & Dondeti, J. (2012). Black box and white box testing techniques-A literature review. International Journal of Embedded Systems and Applications (IJESA), 2(2), 29-50.

[28]. Nikolic, B., Radivojevic, Z., Djordjevic, J., & Milutinovic, V. (2009). A survey and evaluation of simulators suitable for teaching courses in computer architecture and organization. IEEE Transactions on Education, 52(4), 449-458.

[29]. OWASP. (n.d.). OWASP WebGoat.

[30]. Palsetia, N., Deepa, G., Khan, F. A., Thilagam, P. S., & Pais, A. R. (2016). Securing native XML database-driven web applications from XQuery injection vulnerabilities. Journal of Systems and Software, 122, 93-109.

[31]. Parvez, M., Zavarsky, P., & Khoury, N. (2015, December). Analysis of effectiveness of black-box web application scanners in detection of stored SQL injection and stored XSS vulnerabilities. In 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST) (pp. 186-191). IEEE.

[32]. Roy, S., Sharmin, N., Acosta, J. C., Kiekintveld, C., & Laszka, A. (2022). Survey and taxonomy of adversarial reconnaissance techniques. ACM Computing Surveys, 55(6), 1-38.

[33]. Shoufan, A., Lu, Z., & Huss, S. A. (2014). A web-based visualization and animation platform for digital logic design. IEEE Transactions on Learning Technologies, 8(2), 225-239.

[34]. Suto, L. (2007). Analyzing the effectiveness and coverage of web application security scanners. In Conference on Web Application Security, San Francisco.

[35]. Tripp, O., Pistoia, M., Cousot, P., Cousot, R., & Guarnieri, S. (2013). Andromeda: Accurate and scalable security analysis of web applications. In Fundamental Approaches to Software Engineering (pp. 210-225). Springer, Berlin Heidelberg.

[36]. Trost, A., & Zemva, A. (2019). A web-based tool for learning digital circuit high-level modeling. International Journal of Engineering Education, 35(4), 1224-1237.

[37]. Xu, X., Zheng, Q., Yan, Z., Fan, M., Jia, A., & Liu, T. (2021, May). Interpretation-enabled software reuse detection based on a multi-level birthmark model. In 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE) (pp. 873-884). IEEE.

[38]. ZAP. (n.d.). OWASP ZED Attack Proxy (ZAP).

[39]. Zhao, Q., Huang, C., & Dai, L. (2023). VULDEFF: vulnerability detection method based on function fingerprints and code differences. Knowledge-Based Systems, 260, 110139.

A Comparative Study of Web Application Security Scanners for Vulnerability Detection

Abstract

Keywords

How to Cite this Article?

References

If you have access to this article please login to view the article or kindly login to purchase the article

Purchase Instant Access

Options for accessing this content:

	North Americas,UK, Middle East,Europe		India	Rest of world
	USD	EUR	INR	USD-ROW
Pdf	35	35	200	20
Online	35	35	200	15
Pdf & Online	35	35	400	25