An empirical comparison of commercial and open‐source web vulnerability scanners

Web vulnerability scanners (WVSs) are tools that can detect security vulnerabilities in web services. Although both commercial and open-source WVSs exist, their vulnerability detection capability and performance vary. In this article, we report on a comparative study to determine the vulnerability detection capabilities of eight WVSs (both open and commercial) using two vulnerable web applications: WebGoat and Damn vulnerable web application. The eight WVSs studied were: Acunetix; HP WebInspect; IBM AppScan; OWASP ZAP; Skipfish; Arachni; Vega; and Iron WASP. The performance was evaluated using multiple evaluation metrics: precision; recall; Youden index; OWASP web benchmark evaluation; and the web application security scanner evaluation criteria. The experimental results show that, while the commercial scanners are effective in detecting security vulnerabilities, some open-source scanners (such as ZAP and Skipfish) can also be effective. In summary, this study recommends improving the vulnerability detection capabilities of both the open-source and commercial scanners to enhance code coverage and the detection rate, and to reduce the number of false-positives

Escrow: A large-scale web vulnerability assessment tool

The reliance on Web applications has increased rapidly over the years. At the same time, the quantity and impact of application security vulnerabilities have grown as well. Amongst these vulnerabilities, SQL Injection has been classified as the most common, dangerous and prevalent web application flaw. In this paper, we propose Escrow, a large-scale SQL Injection detection tool with an exploitation module that is light-weight, fast and platform-independent. Escrow uses a custom search implementation together with a static code analysis module to find potential target web applications. Additionally, it provides a simple to use graphical user interface (GUI) to navigate through a vulnerable remote database. Escrow is implementation-agnostic, i.e. It can perform analysis on any web application regardless of the server-side implementation (PHP, ASP, etc.). Using our tool, we discovered that it is indeed possible to identify and exploit at least 100 databases per 100 minutes, without prior knowledge of their underlying implementation. We observed that for each query sent, we can scan and detect dozens of vulnerable web applications in a short space of time, while providing a means for exploitation. Finally, we provide recommendations for developers to defend against SQL injection and emphasise the need for proactive assessment and defensive coding practices

Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. These experimental results demonstrate the effectiveness of our approach

Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization

Logs are one of the most fundamental resources to any security professional. It is widely recognized by the government and industry that it is both beneficial and desirable to share logs for the purpose of security research. However, the sharing is not happening or not to the degree or magnitude that is desired. Organizations are reluctant to share logs because of the risk of exposing sensitive information to potential attackers. We believe this reluctance remains high because current anonymization techniques are weak and one-size-fits-all--or better put, one size tries to fit all. We must develop standards and make anonymization available at varying levels, striking a balance between privacy and utility. Organizations have different needs and trust other organizations to different degrees. They must be able to map multiple anonymization levels with defined risks to the trust levels they share with (would-be) receivers. It is not until there are industry standards for multiple levels of anonymization that we will be able to move forward and achieve the goal of widespread sharing of logs for security researchers.Comment: 17 pages, 1 figur

The approaches to quantify web application security scanners quality: A review

The web application security scanner is a computer program that assessed web application security with penetration testing technique. The benefit of automated web application penetration testing is huge, which web application security scanner not only reduced the time, cost, and resource required for web application penetration testing but also eliminate test engineer reliance on human knowledge. Nevertheless, web application security scanners are possessing weaknesses of low test coverage, and the scanners are generating inaccurate test results. Consequently, experimentations are frequently held to quantitatively quantify web application security scanner's quality to investigate the web application security scanner's strengths and limitations. However, there is a discovery that neither a standard methodology nor criterion is available for quantifying the web application security scanner's quality. Hence, in this paper systematic review is conducted and analysed the methodology and criterion used for quantifying web application security scanners' quality. In this survey, the experiment methodologies and criterions that had been used to quantify web application security scanner's quality is classified and review using the preferred reporting items for systematic reviews and meta-analyses (PRISMA) protocol. The objectives are to provide practitioners with the understanding of methodologies and criterions that available for measuring web application security scanners' test coverage, attack coverage, and vulnerability detection rate, while provides the critical hint for development of the next testing framework, model, methodology, or criterions, to measure web application security scanner quality

Classification of logical vulnerability based on group attacking method

New advancement in the field of e-commerce software technology has also brought many benefits, at the same time developing process always face different sort of problems from design phase to implement phase. Software faults and defects increases the issues of reliability and security, that’s reason why a solution of this problem is required to fortify these issues. The paper addresses the problem associated with lack of clear component-based web application related classification of logical vulnerabilities through identifying Attack Group Method by categorizing two different types of vulnerabilities in component-based web applications. A new classification scheme of logical group attack method is proposed and developed by using a Posteriori Empirically methodology

SQLSCAN: A Framework to Check Web Application Vulnerability

Security vulnerabilities in web applications that are being found today are much higher than in any operating systems. So it clearly means that threats intended at web applications are utilizing vulnerabilities at the application. Simultaneously, amount and impact of security vulnerabilities on web applications has increases as well. Almost in all online transactions user access is authorized before providing access to database of application. But organized injection could provide entry to unauthorized users and it almost achieved via SQL injection and Cross-site scripting (XSS). In this article we provide a web vulnerability scanning and analyzing tool of various kinds of SQL injection and Cross Site Scripting (XSS) attacks named as SQLSCAN. Our proposed method will work with web application developed on any technology like PHP, JAVA, ASP .NET. We evaluate our proposed scanner by experiments to calculate its performance. We also evaluate the performance of SQLSCAN with performance of parallel tools in the literature. Keywords: Web Application security, Attack, Injection, SQL, XSS, Vulnerability, Scanner.

Assessing the accuracy of vulnerability scanners and developing a tsunami securaty scanner plug-in

Mestrado em Cibersegurança na Escola Superior de Tecnologia e Gestão do Instituto Politécnico de Viana do CasteloDigital transformation is a key factor for a company's success. Recently this digital transformation was accelerated in many companies due to the Covid-19 pandemic, requiring more changes in people, systems, and data. In some cases, these changes in systems and procedures uncover new vulnerabilities that could be early detected and mitigated. In this context, the vulnerability scanner tools may prevent con guration errors and known vulnerabilities at an early stage. The release of the Tsunami Security Scanner, an open-source vulnerability scanner released by Google, opens the opportunity to analyze and compare the commonly used, free-to-use vulnerability scanners. The wide choice of Vulnerability Scanning Tools can be a time-consuming task for a company that needs to take into consideration complex and numerous variables such as accuracy and precision to be able to choose the right tool. This thesis aims to assess the accuracy of vulnerability scanner tools. In the rst stage resources usage and performance assessment regarding diferent vulnerabilities and systems. In the second stage, a plugin is developed for the Tsunami Security Scanner with the purpose of detecting a speci c vulnerability (CVE-2019-12815). The precision assessment is accomplished by placing multiple virtual machines in a network with different vulnerable scanners and other machines with different vulnerable and non-vulnerable operating systems. This enables the validation that the features and performance of these scanners are different or vary accordingly to the target systems. This work can be particularly helpful to organisations with lower resources such as Small and Medium-sized Enterprises (SMEs) since it reviews a set of these tools that are available for use. The development of the Tsunami Security Scanner plugin is also important as an effort to increase the range of plugins available.A transformação digital é um fator chave para o sucesso das empresas. Recentemente a transformação digital foi acelerada em muitas empresas devido à pandemia de Covid-19, exigindo mudanças de pessoas, sistemas e dados. Em alguns casos, essas mudanças nos sistemas e procedimentos revelam novas vulnerabilidades que devem ser detectadas e mitigadas com antecedência. Neste contexto, as ferramentas de veri ficação de vulnerabilidades podem evitar erros de con figuração e vulnerabilidades conhecidas numa fase antecipada. A disponibilização do Tsunami Security Scanner, um verificador de vulnerabilidades de código aberto lançaado pelo Google, abre a oportunidade de analisar e comparar os verifi cadores de vulnerabilidades comumente usados e gratuitos. A ampla escolha de ferramentas de veri ficação de vulnerabilidades pode ser uma tarefa demorada para uma empresa que precisa levar em consideração variáveis complexas e numerosas, como exatidão e precisão, para poder escolher a ferramenta certa. Esta tese visa avaliar a precisão de ferramentas de veri ficação de vulnerabilidades. Numa primeira fase, avaliação do uso de recursos e desempenho em relação a diferentes vulnerabilidades e sistemas. Numa segunda fase, é desenvolvido um plugin para o Tsunami Security Scanner com o objetivo de detectar uma vulnerabilidade específica (CVE-2019- 12815). A avaliação da precisão das ferramentas é realizada colocando múltiplas máquinas virtuais em uma rede com diferentes veri ficadores de vulnerabilidades e outras máquinas com diferentes sistemas operativos vulneráveis e não vulneráveis. Isso permite validar que as características e desempenho desses verifi cadores são diferentes ou variam de acordo com os sistemas-alvo. Este trabalho pode ser particularmente útil para organizações com recursos mais limitados, já que revê um conjunto dessas ferramentas que estão disponíveis para uso. O desenvolvimento do plugin para o Tsunami Security Scanner também é importante como um esforço para aumentar a gama de plugins disponíveis