Abstract
There are two main kinds of vulnerable web applications: ordinary applications developed for a specific purpose, and applications that are vulnerable by design. On one hand, ordinary applications are those used everywhere on a daily basis, in which vulnerabilities are detected and often fixed, such as online banking systems, newspaper sites, or any other Web site. On the other hand, vulnerable by design web applications are developed for the proper evaluation of web vulnerability scanners and for training in the detection of web vulnerabilities. The main drawback of vulnerable by design web applications is that they tend to include only a small set of well-known vulnerability types, usually taken from well-known classifications such as the OWASP Top Ten, and leave out most of the other types of web vulnerabilities. In this paper, an analysis and assessment of vulnerable web applications is conducted in order to select the applications that cover the largest set of vulnerability types. Those applications are then enlarged with further types of web vulnerabilities that existing vulnerable web applications do not include. Lastly, the new vulnerable web applications are analyzed to check whether web vulnerability scanners are able to detect the newly added vulnerabilities, that is, the vulnerabilities that vulnerable by design web applications do not include. The results show that the scanners detect these vulnerabilities less successfully than the well-known ones.
Acknowledgements
This work was funded by the European Commission Horizon 2020 Programme under Grant Agreement No. H2020-FCT-2015/700326-RAMSES (Internet Forensic Platform for Tracking the Money Flow of Financially-Motivated Malware).
Román Muñoz, F., Sabido Cortes, I.I. & García Villalba, L.J. Enlargement of vulnerable web applications for testing. J Supercomput 74, 6598–6617 (2018). https://doi.org/10.1007/s11227-017-1981-2