Evaluation of the efficiency of web-application safety scanners.

doi:10.26565/2519-2310-2021-2-01

Dmytro Ivanenko V. N. Karazin Kharkiv National University
Oleksii Pryshchepa V. N. Karazin Kharkiv National University

DOI: https://doi.org/10.26565/2519-2310-2021-2-01

Keywords: Web application vulnerabilities, vulnerability scanners, efficient scanners, web application security testing, pentesting

Abstract

The level of security of web applications is constantly growing every year, but new ratings of the most common security threats indicate that the problem of ensuring their security is very relevant and constantly changing. Therefore, it is essential to understand the importance of using automatic security scans of web applications and objectively assess their real effectiveness. The paper considers the process of testing web applications for vulnerabilities (and examples of their detection), using free web crawlers (with open-source) by the "black box" method. In this case, scanners interact with applications in the same way as a typical user through a web interface, through the HTTP protocol. The main purpose of the testing is to compare several open-source scanners and determine their effectiveness. It is underlined that it is impossible to evaluate all the indicators of scanners due to the existence of many factors. - Therefore, in the framework of this work, all judgments and conclusions were made only based on an analysis of the received reports of each test scanner. This article provides information about the individual parameters and the number of vulnerabilities found. The testing results indicate that the practice of using only one scanner is not effective, so you need to use several different solutions at once when testing. This will allow you to get more objective results in terms of detecting both already known security threats and finding new vulnerabilities (with their addition to the final report). The work will be useful to those interested in assessing the security state of modern web applications.

Downloads

Download data is not yet available.

Author Biographies

Dmytro Ivanenko, V. N. Karazin Kharkiv National University

Ph.D., Senior Lecturer, Department of Security of Information Systems and Technologies

Oleksii Pryshchepa, V. N. Karazin Kharkiv National University

CSD Student, Department of Security of Information Systems and Technologies

References

OWASP Top 10 – 2017. (2017). Вилучено з https://owasp.org/www-project-top-ten/

OWASP Web Security Testing Guide, (2020).

Andrey Petukhov. How to Choose a Web Application Vulnerability Scanner? (2015). Вилучено з https://www.securitylab.ru/blog /personal/andrepetukhov/143697.php

ZAP - Full Scan. (2021). Вилучено з https://www.zaproxy.org/docs/docker/full-scan/

The web-application vulnerability scanner. (2021). Вилучено з https://wapiti.sourceforge.io/

Nikto: A Practical Website Vulnerability Scanner. (2021). Вилучено з https://securitytrails.com/blog/nikto-website-vulnerability-scanner

Damn Vulnerable Web Application Docker container (2018). Вилучено з https://github.com/opsxcq/docker-vulnerable-dvwa

OWASP Juice Shop. (2021). Вилучено з https://github.com/juice-shop/juice-shop

WebGoat 8: A deliberately insecure Web Application. (2021). Вилучено з https://github.com/WebGoat/WebGoat

Scan Reports. (2021). Вилучено з https://github.com/G4rr/reports