Abstract

Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open-source and commercial) using two deliberately vulnerable web applications: WebGoat and Damn Vulnerable Web Application (DVWA). The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and IronWASP. Performance was evaluated using multiple metrics: precision; recall; Youden index; the OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false positives.
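The abstract names precision, recall and the Youden index as scoring metrics without showing how they are derived from a scan. The following is an added example, not code or data from the paper: it scores a scanner's findings against a constructed benchmark in which each test case is either truly vulnerable or a deliberately safe look-alike (the WAVSEP / OWASP Benchmark style of ground truth). Test-case identifiers, categories and the scanner's findings are all invented for illustration.

```python
"""Score a web vulnerability scanner against a labelled benchmark.

Added example, not part of the original paper. All test cases and the
scanner findings below are constructed. A test case is a positive when the
page is genuinely exploitable and a negative when it is a safe look-alike
(e.g. the same parameter, but handled with a parameterized query or output
encoding), which is what makes true negatives, and so the Youden index,
measurable at all.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class TestCase:
    case_id: str
    category: str      # vulnerability class the case exercises, e.g. "sqli"
    vulnerable: bool   # ground truth: True = exploitable, False = safe look-alike


# Constructed ground truth: five vulnerable cases and three safe cases.
GROUND_TRUTH = [
    TestCase("sqli-01", "sqli", True),
    TestCase("sqli-02", "sqli", True),
    TestCase("sqli-safe-01", "sqli", False),   # parameterized query, not exploitable
    TestCase("xss-01", "xss", True),
    TestCase("xss-02", "xss", True),
    TestCase("xss-03", "xss", True),
    TestCase("xss-safe-01", "xss", False),     # output is HTML-encoded, not exploitable
    TestCase("xss-safe-02", "xss", False),
]

# Constructed scanner output: the set of test-case ids the scanner flagged.
# It misses sqli-02 and xss-03 and wrongly flags the safe sqli-safe-01.
SCANNER_FINDINGS: Set[str] = {"sqli-01", "sqli-safe-01", "xss-01", "xss-02"}


def confusion(truth: Iterable[TestCase], findings: Set[str]) -> Tuple[int, int, int, int]:
    """Return (tp, fp, fn, tn) for one scanner over one labelled benchmark."""
    tp = fp = fn = tn = 0
    for case in truth:
        flagged = case.case_id in findings
        if case.vulnerable and flagged:
            tp += 1
        elif case.vulnerable and not flagged:
            fn += 1
        elif not case.vulnerable and flagged:
            fp += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def score(truth: Iterable[TestCase], findings: Set[str]) -> Dict[str, float]:
    """Precision, recall (TPR), false-positive rate and Youden index.

    Youden's J = sensitivity + specificity - 1 = TPR - FPR, which is also the
    quantity the OWASP Benchmark reports as a scanner's score. J = 0 means the
    scanner does no better than flagging cases at random; J < 0 is worse.
    """
    tp, fp, fn, tn = confusion(truth, findings)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0           # sensitivity / TPR
    specificity = tn / (tn + fp) if tn + fp else 0.0      # TNR
    fpr = 1.0 - specificity
    return {
        "tp": tp, "fp": fp, "fn": fn, "tn": tn,
        "precision": precision,
        "recall": recall,
        "fpr": fpr,
        "youden": recall + specificity - 1.0,
    }


def score_by_category(truth: Iterable[TestCase], findings: Set[str]) -> Dict[str, Dict[str, float]]:
    """Same metrics, broken out per vulnerability class (as benchmark reports do)."""
    cases = list(truth)
    categories = sorted({c.category for c in cases})
    return {cat: score([c for c in cases if c.category == cat], findings) for cat in categories}


if __name__ == "__main__":
    overall = score(GROUND_TRUTH, SCANNER_FINDINGS)
    print("overall:", {k: round(v, 3) for k, v in overall.items()})
    for cat, metrics in score_by_category(GROUND_TRUTH, SCANNER_FINDINGS).items():
        print(cat + ":", {k: round(v, 3) for k, v in metrics.items()})
```

Two practical caveats follow from the metric definitions. On a target such as DVWA or WebGoat, where essentially every exercised page is vulnerable, there are no safe look-alike cases, so true negatives are undefined and only recall (and precision, after manual triage of each finding) is meaningful; the Youden index needs a benchmark that contains negatives. And because the same scanner can score very differently per vulnerability class, the per-category breakdown is usually more informative than the single overall figure.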

Highlights

  • The economic importance of web applications in multiple domains, including banking [1], transportation [2], manufacturing [3], business [4], and education [5], has increased the need for a mechanism to control and improve their quality

  • Makino and Kleve [25] examined the vulnerability detection capability of two open-source scanners, OWASP ZAP and Skipfish, using the Damn Vulnerable Web Application (DVWA) and the web application vulnerability scanner project [29],[30]; their experimental results showed ZAP to be superior to Skipfish

  • The web application security consortium (WASC) [41] defines a web application as a software application, executed by a web server, which responds to dynamic web page requests over HTTP


Introduction

The economic importance of web applications in multiple domains, including banking [1], transportation [2], manufacturing [3], business [4], and education [5], has increased the need for a mechanism to control and improve their quality. The extensive, almost ubiquitous, use of web applications has resulted in a dramatic increase in attacks [6]. In an attempt to improve both vulnerability detection and the general quality of web applications, several web vulnerability scanners (WVSs) have been developed and studied, including: the web application attack and audit framework (W3af) [15]; OWASP zed attack proxy (OWASP ZAP) [16]; S [17]; Arachni [18]; Vega [19]; Stalker [20]; and IronWASP [21]. We present the background to the study and an overview of some related work. It includes a description of the evolution of web applications, web vulnerability scanners (WVSs), and the various security vulnerabilities in web applications.
