An empirical comparison of commercial and open‐source web vulnerability scanners

Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn vulnerable web application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false-positives

Enhancing web application security through automated penetration testing with multiple vulnerability scanners.

Penetration testers have increasingly adopted multiple penetration testing scanners to ensure the robustness of web applications. However, a notable limitation of many scanning techniques is their susceptibility to producing false positives. This paper presents a novel framework designed to automate the operation of multiple Web Application Vulnerability Scanners (WAVS) within a single platform. The framework generates a combined vulnerabilities report using two algorithms: an automation algorithm and a novel combination algorithm that produces comprehensive lists of detected vulnerabilities. The framework leverages the capabilities of two web vulnerability scanners, Arachni and OWASP ZAP. The study begins with an extensive review of the existing scientific literature, focusing on open-source WAVS and exploring the OWASP 2021 guidelines. Following this, the framework development phase addresses the challenge of varying results obtained from different WAVS. This framework’s core objective is to combine the results of multiple WAVS into a consolidated vulnerability report, ultimately improving detection rates and overall security. The study demonstrates that the combined outcomes produced by the proposed framework exhibit greater accuracy compared to individual scanning results obtained from Arachni and OWASP ZAP. In summary, the study reveals that the Union List outperforms individual scanners, particularly regarding recall and F-measure. Consequently, adopting multiple vulnerability scanners is recommended as an effective strategy to bolster vulnerability detection in web applications

Assessing the accuracy of vulnerability scanners and developing a tsunami securaty scanner plug-in

Mestrado em Cibersegurança na Escola Superior de Tecnologia e Gestão do Instituto Politécnico de Viana do CasteloDigital transformation is a key factor for a company's success. Recently this digital transformation was accelerated in many companies due to the Covid-19 pandemic, requiring more changes in people, systems, and data. In some cases, these changes in systems and procedures uncover new vulnerabilities that could be early detected and mitigated. In this context, the vulnerability scanner tools may prevent con guration errors and known vulnerabilities at an early stage. The release of the Tsunami Security Scanner, an open-source vulnerability scanner released by Google, opens the opportunity to analyze and compare the commonly used, free-to-use vulnerability scanners. The wide choice of Vulnerability Scanning Tools can be a time-consuming task for a company that needs to take into consideration complex and numerous variables such as accuracy and precision to be able to choose the right tool. This thesis aims to assess the accuracy of vulnerability scanner tools. In the rst stage resources usage and performance assessment regarding diferent vulnerabilities and systems. In the second stage, a plugin is developed for the Tsunami Security Scanner with the purpose of detecting a speci c vulnerability (CVE-2019-12815). The precision assessment is accomplished by placing multiple virtual machines in a network with different vulnerable scanners and other machines with different vulnerable and non-vulnerable operating systems. This enables the validation that the features and performance of these scanners are different or vary accordingly to the target systems. This work can be particularly helpful to organisations with lower resources such as Small and Medium-sized Enterprises (SMEs) since it reviews a set of these tools that are available for use. The development of the Tsunami Security Scanner plugin is also important as an effort to increase the range of plugins available.A transformação digital é um fator chave para o sucesso das empresas. Recentemente a transformação digital foi acelerada em muitas empresas devido à pandemia de Covid-19, exigindo mudanças de pessoas, sistemas e dados. Em alguns casos, essas mudanças nos sistemas e procedimentos revelam novas vulnerabilidades que devem ser detectadas e mitigadas com antecedência. Neste contexto, as ferramentas de veri ficação de vulnerabilidades podem evitar erros de con figuração e vulnerabilidades conhecidas numa fase antecipada. A disponibilização do Tsunami Security Scanner, um verificador de vulnerabilidades de código aberto lançaado pelo Google, abre a oportunidade de analisar e comparar os verifi cadores de vulnerabilidades comumente usados e gratuitos. A ampla escolha de ferramentas de veri ficação de vulnerabilidades pode ser uma tarefa demorada para uma empresa que precisa levar em consideração variáveis complexas e numerosas, como exatidão e precisão, para poder escolher a ferramenta certa. Esta tese visa avaliar a precisão de ferramentas de veri ficação de vulnerabilidades. Numa primeira fase, avaliação do uso de recursos e desempenho em relação a diferentes vulnerabilidades e sistemas. Numa segunda fase, é desenvolvido um plugin para o Tsunami Security Scanner com o objetivo de detectar uma vulnerabilidade específica (CVE-2019- 12815). A avaliação da precisão das ferramentas é realizada colocando múltiplas máquinas virtuais em uma rede com diferentes veri ficadores de vulnerabilidades e outras máquinas com diferentes sistemas operativos vulneráveis e não vulneráveis. Isso permite validar que as características e desempenho desses verifi cadores são diferentes ou variam de acordo com os sistemas-alvo. Este trabalho pode ser particularmente útil para organizações com recursos mais limitados, já que revê um conjunto dessas ferramentas que estão disponíveis para uso. O desenvolvimento do plugin para o Tsunami Security Scanner também é importante como um esforço para aumentar a gama de plugins disponíveis

OWASP ZAP vs Snort for SQLi Vulnerability Scanning

Web applications are important to protect from threats that will compromise sensitive information. Web vulnerability scanners are a prominent tool for this purpose, as they can be utilized to find vulnerabilities in a web application to be rectified. Two popular open-source tools were compared head-to-head, OWASP ZAP and Snort. The performance metrics evaluated were SQLi attacks detected, false positives, false negatives, processing time, and memory usage. OWASP ZAP yielded fewer false positives and had less processing time. Snort used significantly fewer memory resources. The internal workings of ZAP’s Active Scan feature and Snort’s implementation of the Boyer-Moore and Aho-Corasick algorithms were identified as the main processes responsible for the results. Based on the research, a set of future working recommendations were proposed to improve web vulnerability scanning methods

Developing an in house vulnerability scanner for detecting Template Injection, XSS, and DOM-XSS vulnerabilities

Web applications are becoming an essential part of today's digital world. However, with the increase in the usage of web applications, security threats have also become more prevalent. Cyber attackers can exploit vulnerabilities in web applications to steal sensitive information or take control of the system. To prevent these attacks, web application security must be given due consideration. Existing vulnerability scanners fail to detect Template Injection, XSS, and DOM-XSS vulnerabilities effectively. To bridge this gap in web application security, a customized in-house scanner is needed to quickly and accurately identify these vulnerabilities, enhancing manual security assessments of web applications. This thesis focused on developing a modular and extensible vulnerability scanner to detect Template Injection, XSS, and DOM-based XSS vulnerabilities in web applications. Testing the scanner against other free and open-source solutions on the market showed that it outperformed them on Template injection vulnerabilities and nearly all on XSS-type vulnerabilities. While the scanner has limitations, focusing on specific injection vulnerabilities can result in better performance

The approaches to quantify web application security scanners quality: A review

The web application security scanner is a computer program that assessed web application security with penetration testing technique. The benefit of automated web application penetration testing is huge, which web application security scanner not only reduced the time, cost, and resource required for web application penetration testing but also eliminate test engineer reliance on human knowledge. Nevertheless, web application security scanners are possessing weaknesses of low test coverage, and the scanners are generating inaccurate test results. Consequently, experimentations are frequently held to quantitatively quantify web application security scanner's quality to investigate the web application security scanner's strengths and limitations. However, there is a discovery that neither a standard methodology nor criterion is available for quantifying the web application security scanner's quality. Hence, in this paper systematic review is conducted and analysed the methodology and criterion used for quantifying web application security scanners' quality. In this survey, the experiment methodologies and criterions that had been used to quantify web application security scanner's quality is classified and review using the preferred reporting items for systematic reviews and meta-analyses (PRISMA) protocol. The objectives are to provide practitioners with the understanding of methodologies and criterions that available for measuring web application security scanners' test coverage, attack coverage, and vulnerability detection rate, while provides the critical hint for development of the next testing framework, model, methodology, or criterions, to measure web application security scanner quality

Improving internal vulnerability scanning and optimal positioning of the vulnerability scanner in the internal network

The art of vulnerability scanning is an integral part of any organization's internal network security, and it cannot be underestimated. It is vital to use a dependable vulnerability scanner and carefully select the most appropriate one for the task. This thesis seeks to gain a profound understanding of Sanoma Media's internal network and subsequently enhance its vulnerability scanning capabilities by first comprehending the different Tenable products. After acquiring a firm understanding of the various products, the Nessus Scanner was chosen based on Sanoma's business requirements. With the scanner in hand, the optimal location for it had to be carefully determined. To achieve this, several scenarios were developed, and a combination of factors from the business, technical, and financial perspectives were used to select the most effective scenario for implementation within the internal network. The implementation of the selected scenario involved meticulous setup of the scanner, from both a hardware and software perspective. This thesis also presents an analysis of the Host Discovery Scan and Basic Network Scan results, alongside a security analysis of the Basic Network Scan. Furthermore, it offers a detailed explanation of the selected scenario, including the parameters that were carefully determined before the implementation process commenced. Finally, the thesis outlines future work that needs to be undertaken, including the challenges that were encountered during the practical portion of the study