Research Article

Performance Evaluation of Open Source Web Application Vulnerability Scanners based on OWASP Benchmark

by Pious Akwasi Sarpong, Lawrence Sakyi Larbi, Daniel Paa Korsah, Issah Bala Abdulai, Richard Amankwah, Akwasi Amponsah
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 174 - Number 18
Year of Publication: 2021
DOI: 10.5120/ijca2021921070

Pious Akwasi Sarpong, Lawrence Sakyi Larbi, Daniel Paa Korsah, Issah Bala Abdulai, Richard Amankwah, Akwasi Amponsah. Performance Evaluation of Open Source Web Application Vulnerability Scanners based on OWASP Benchmark. International Journal of Computer Applications. 174, 18 (Feb 2021), 15-22. DOI=10.5120/ijca2021921070

@article{ 10.5120/ijca2021921070,
author = { Pious Akwasi Sarpong, Lawrence Sakyi Larbi, Daniel Paa Korsah, Issah Bala Abdulai, Richard Amankwah, Akwasi Amponsah },
title = { Performance Evaluation of Open Source Web Application Vulnerability Scanners based on OWASP Benchmark },
journal = { International Journal of Computer Applications },
issue_date = { Feb 2021 },
volume = { 174 },
number = { 18 },
month = { Feb },
year = { 2021 },
issn = { 0975-8887 },
pages = { 15-22 },
numpages = {9},
url = { https://ijcaonline.org/archives/volume174/number18/31776-2021921070/ },
doi = { 10.5120/ijca2021921070 },
publisher = {Foundation of Computer Science (FCS), NY, USA},
address = {New York, USA}
}
%0 Journal Article
%1 2024-02-07T00:22:27.845967+05:30
%A Pious Akwasi Sarpong
%A Lawrence Sakyi Larbi
%A Daniel Paa Korsah
%A Issah Bala Abdulai
%A Richard Amankwah
%A Akwasi Amponsah
%T Performance Evaluation of Open Source Web Application Vulnerability Scanners based on OWASP Benchmark
%J International Journal of Computer Applications
%@ 0975-8887
%V 174
%N 18
%P 15-22
%D 2021
%I Foundation of Computer Science (FCS), NY, USA
Abstract

The use of web applications has become a critical component of our daily work because of the enormous benefits they offer. Unfortunately, most deployed web applications are not entirely free of bugs, which leaves them vulnerable to attack. Web application scanners are tools that detect security vulnerabilities in web applications. Although several commercial and open-source web application vulnerability scanners have been proposed in the literature, their performance varies in terms of detection capability. The aim of this paper is to assess and compare the vulnerability detection capabilities of five open-source web application vulnerability scanners (WAVS), namely ZAP, Skipfish, Arachni, IronWASP and Vega, by running them against two deliberately vulnerable web applications, Damn Vulnerable Web Application (DVWA) and WebGoat. Furthermore, we evaluate the scanners' results using the OWASP Benchmark metric. The experimental results show that ZAP, Skipfish and Vega are very effective at detecting the most common web vulnerabilities, such as Command Execution, Cross-Site Scripting and SQL injection. The findings further show that Skipfish obtained the highest Youden index, 0.7 on DVWA and 0.6 on WebGoat, which makes it superior to all the other studied tools. Based on our evaluation results, we make some valuable recommendations, since software security is a very fast-growing domain.
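The abstract ranks scanners by their Youden index under the OWASP Benchmark metric. As an added illustration (not code from the paper or from the OWASP Benchmark project), the block below shows how that score is derived from a scanner's confusion counts on a benchmark of known-vulnerable and known-safe test cases: the Benchmark score is Youden's J = sensitivity + specificity - 1 = TPR - FPR. Plain accuracy is included only for contrast, because it rewards a tool that simply flags every test case. The scanner names and counts are constructed sample data, not the paper's measurements.

```python
"""OWASP Benchmark-style scoring of web vulnerability scanner results.

Added example: a scanner's Benchmark score is Youden's index
J = sensitivity + specificity - 1 = TPR - FPR, computed from how the tool
classifies the benchmark's known-vulnerable and known-safe test cases.
All scanner names and counts below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Counts:
    """Confusion-matrix counts for one scanner on one vulnerability category."""
    tp: int  # vulnerable test cases the scanner reported
    fn: int  # vulnerable test cases the scanner missed
    tn: int  # safe test cases the scanner correctly left alone
    fp: int  # safe test cases the scanner reported anyway

    def __add__(self, other: "Counts") -> "Counts":
        return Counts(self.tp + other.tp, self.fn + other.fn,
                      self.tn + other.tn, self.fp + other.fp)


def _ratio(num: int, den: int) -> float:
    """Division that yields 0.0 for an empty denominator (no cases of that kind)."""
    return num / den if den else 0.0


def sensitivity(c: Counts) -> float:
    """True positive rate: share of real vulnerabilities the scanner found."""
    return _ratio(c.tp, c.tp + c.fn)


def specificity(c: Counts) -> float:
    """True negative rate: share of safe cases the scanner did not flag."""
    return _ratio(c.tn, c.tn + c.fp)


def false_positive_rate(c: Counts) -> float:
    return 1.0 - specificity(c)


def accuracy(c: Counts) -> float:
    """Plain accuracy, for contrast only: it looks acceptable for a tool
    that flags everything as soon as vulnerable cases are a large share."""
    return _ratio(c.tp + c.tn, c.tp + c.fn + c.tn + c.fp)


def youden_index(c: Counts) -> float:
    """Youden's J = TPR - FPR, the OWASP Benchmark score.
    1.0 = perfect, 0.0 = no better than guessing, negative = worse."""
    return sensitivity(c) + specificity(c) - 1.0


def score_scanner(per_category: dict[str, Counts]) -> dict[str, float]:
    """Per-category J plus an 'overall' J computed over the pooled counts."""
    scores = {cat: round(youden_index(c), 3) for cat, c in per_category.items()}
    pooled = sum(per_category.values(), Counts(0, 0, 0, 0))
    scores["overall"] = round(youden_index(pooled), 3)
    return scores


def rank_scanners(results: dict[str, dict[str, Counts]]) -> list[tuple[str, float]]:
    """Order scanners by overall J, best first."""
    overall = {name: score_scanner(cats)["overall"] for name, cats in results.items()}
    return sorted(overall.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample data: hypothetical scanners, not the paper's results.
SAMPLE_RESULTS = {
    "scanner_a": {
        "sqli": Counts(tp=8, fn=2, tn=7, fp=3),    # TPR 0.8, FPR 0.3 -> J 0.5
        "xss": Counts(tp=9, fn=1, tn=9, fp=1),     # TPR 0.9, FPR 0.1 -> J 0.8
    },
    "flags_everything": {
        "sqli": Counts(tp=10, fn=0, tn=0, fp=10),  # TPR 1.0, FPR 1.0 -> J 0.0
        "xss": Counts(tp=10, fn=0, tn=0, fp=10),   # accuracy still 0.5
    },
}

if __name__ == "__main__":
    for name, cats in SAMPLE_RESULTS.items():
        print(name, score_scanner(cats))
    print("ranking:", rank_scanners(SAMPLE_RESULTS))
```

The "flags_everything" scanner illustrates why the Benchmark uses J rather than accuracy: reporting every test case as vulnerable gives 100% sensitivity and an accuracy of 0.5 on this balanced sample, yet a J of 0.0, the same as random guessing.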

Index Terms

Computer Science
Information Sciences

Keywords

Web vulnerability scanner, web application, Damn Vulnerable Web Application, open-source scanners