Evaluation of the efficiency of web-application safety scanners.
Abstract
The security of web applications improves every year, yet each new ranking of the most common security threats shows that protecting them remains a relevant and constantly changing problem. It is therefore essential to understand the value of automated security scanning of web applications and to assess its real effectiveness objectively. This paper considers the process of testing web applications for vulnerabilities (with examples of their detection) using free, open-source web vulnerability scanners in black-box mode: the scanners interact with the application in the same way as an ordinary user, through the web interface over the HTTP protocol. The main purpose of the testing is to compare several open-source scanners and determine their effectiveness. Because many factors are involved, it is not possible to evaluate every indicator of a scanner; therefore, within this work all judgments and conclusions are based solely on an analysis of the reports produced by each tested scanner. The article reports the individual parameters and the number of vulnerabilities found. The test results show that relying on a single scanner is not effective, so several different solutions should be used together when testing. This gives more objective results both in detecting already known security threats and in finding new vulnerabilities (which are added to the final report). The work will be useful to those interested in assessing the security of modern web applications.