Research Article

Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape

by Chanchala Joshi, Umesh Kumar Singh
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 145 - Number 2
Year of Publication: 2016
Authors: Chanchala Joshi, Umesh Kumar Singh
10.5120/ijca2016910563

Chanchala Joshi, Umesh Kumar Singh. Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape. International Journal of Computer Applications. 145, 2 (Jul 2016), 1-7. DOI=10.5120/ijca2016910563

@article{10.5120/ijca2016910563,
  author    = {Chanchala Joshi and Umesh Kumar Singh},
  title     = {Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape},
  journal   = {International Journal of Computer Applications},
  issue_date = {Jul 2016},
  volume    = {145},
  number    = {2},
  month     = {Jul},
  year      = {2016},
  issn      = {0975-8887},
  pages     = {1-7},
  numpages  = {9},
  url       = {https://ijcaonline.org/archives/volume145/number2/25247-2016910563/},
  doi       = {10.5120/ijca2016910563},
  publisher = {Foundation of Computer Science (FCS), NY, USA},
  address   = {New York, USA}
}
%0 Journal Article
%1 2024-02-06T23:47:41.118559+05:30
%A Chanchala Joshi
%A Umesh Kumar Singh
%T Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape
%J International Journal of Computer Applications
%@ 0975-8887
%V 145
%N 2
%P 1-7
%D 2016
%I Foundation of Computer Science (FCS), NY, USA
Abstract

This paper describes a web application built to evaluate the efficiency of the Netsparker, Acunetix and Burp Suite web application vulnerability scanners. It also explains the defensive measures that significantly harden the application. The results of the evaluation identify the vulnerabilities that are most challenging for scanners to detect and compare the effectiveness of the scanners against one another. The assessment results point to the areas that require further research to improve scanners' detection rates.

References
  1. S. Sarasan, "Detection and Prevention of Web Application Security Attacks", International Journal of Advanced Electrical and Electronics Engineering (IJAEEE), ISSN (Print): 2278-8948, Vol. 2, Issue 3, 2013, pp. 29-34.
  2. International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 27001:2005, "Information technology – Security techniques – Information security management systems – Requirements", 2005.
  3. National Vulnerability Database, http://nvd.nist.gov
  4. N. Antunes and M. Vieira, "Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services", Proc. IEEE Int'l Conf. Services Computing (SCC 11), IEEE CS, 2011, pp. 104-111.
  5. IBM Rational AppScan, 2008, http://www-01.ibm.com/software/awdtools/appscan/
  6. HP WebInspect, 2008, http://www.hp.com
  7. Acunetix Web Vulnerability Scanner, 2008, http://www.acunetix.com/vulnerability-scanner/
  8. Netsparker Web Vulnerability Scanner, 2012, https://www.netsparker.com/web-vulnerability-scanner/
  9. Burp Suite Web Vulnerability Scanner, https://portswigger.net/burp/
  10. Foundstone WSDigger, 2008, http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
  11. wsfuzzer, 2008, http://www.neurofuzz.com/modules/software/wsfuzzer.php
  12. https://www.owasp.org/images/0/0f/OWASP_T10_-_2015_rc1.pdf
  13. Foundstone Hacme Series, McAfee Corp.
  14. OWASP WebGoat Project, OWASP, http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
  15. K. K. Mookhey and N. Burghate, "Detection of SQL Injection and Cross-site Scripting Attacks", Symantec Connect Community, 2 November 2010.
  16. J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song, "A Systematic Analysis of XSS Sanitization in Web Application Frameworks", University of California, Berkeley, 2011.
  17. The OWASP Foundation, "OWASP Top Ten Web Application Security Risks", http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2015.
  18. Oracle Documentation, "Using Prepared Statements", 2011, retrieved 2012 from http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
  19. Yang Guang, J. J., and H. Jipeng, "System modules interaction based stress testing model", The Second International Conference on Computer Engineering and Applications, Bali Island, 2014, pp. 138-141.
  20. A. A. Neto, J. Duraes, M. Vieira, and H. Madeira, "Assessing and Comparing Security of Web Servers", 14th IEEE Pacific International Symposium on Dependable Computing, IEEE Computer Society, 2008.
  21. S. Shekyan, "Identifying Slow HTTP Attack Vulnerabilities on Web Applications", Qualys Community, 2013.
  22. S. Shekyan, "How to Protect Against Slow HTTP Attacks", Qualys Community, 2014.
  23. Apache Software Foundation, "Security Tips, V 2.5", 2011, retrieved 2014 from http://httpd.apache.org/docs/2.0/misc/security_tips.html
  24. P. E. Black, E. Fong, V. Okun, and R. Gaucher, "Software Assurance Tools: Web Application Security Scanner Functional Specification", National Institute of Standards and Technology (NIST).
  25. M. Vieira, N. Antunes, and H. Madeira, "Using Web Security Scanners to Detect Vulnerabilities in Web Services", Coimbra, 2015.
Index Terms

Computer Science
Information Sciences

Keywords

Vulnerability, Web Application, Vulnerability Scanner, Security trends