Abstract

The pervasive use of web applications has increased exposure to security vulnerabilities, which attackers exploit with each passing day. Fixing these vulnerabilities requires considerable effort and time, so developers need to prioritize and channel their resources toward the most severe vulnerabilities to curtail further exploitation. The Common Vulnerability Scoring System (CVSS) is the de facto standard for characterizing and measuring the severity of security vulnerabilities. However, the efficiency of the CVSS metric has been challenged in previous studies, leading to a variety of vulnerability scoring metrics. This paper proposes an automated framework for evaluating vulnerability severity as reported by an open-source web scanner: the Zed Attack Proxy (ZAP) web vulnerability scanner is used to detect vulnerabilities in the Damn Vulnerable Web Application (DVWA). Additionally, we use the OWASP 2017 Top Ten selection and prioritization scheme as our benchmark for the severity measure and ranking. The preliminary result shows that the most frequent vulnerabilities in web applications, such as SQL injection and cross-site scripting, are of medium severity, with a severity score of 8.
