Skip to main content
SpringerLink
Log in

An automated framework for evaluating open-source web scanner vulnerability severity

  • Original Research Paper
  • Published:
Service Oriented Computing and Applications Aims and scope Submit manuscript

Abstract

The inevitable use of web applications has resulted in increased exposure to security vulnerabilities which are exploited by attackers each passing day. Fixing these vulnerabilities requires a great deal of effort and time, hence developers need to prioritize and channel their resources to the most severe vulnerabilities to curtail further exploitation. The common vulnerability scoring system (CVSS) is the de-facto standard for characterizing and measuring the severity of security vulnerabilities. However, the efficiency of the CVSS metric has been challenged in previous studies, leading to varied vulnerability scoring metrics. This paper proposes an automated framework for evaluating open-source Web scanner vulnerability severity using a Web vulnerability detection scanner called zed attach proxy to detect vulnerabilities in a damn vulnerable web application. Additionally, we use the OWASP 2017 top ten selection and prioritization scheme as our benchmark for the severity measure and ranking. The preliminary result shows that the most frequent vulnerabilities in Web applications, such as SQL injection and cross-site scripting are of medium severe with a severity score of 8.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3

Similar content being viewed by others

References

  1. Keramati M (2016) New vulnerability scoring system for dynamic security evaluation. In: Proceedings of the 8th international symposium on telecommunications (IST), pp 746–751

  2. Dobrovoljc A, Trček D, Likar B (2017) Predicting exploitations of information systems vulnerabilities through attackers’ characteristics. IEEE Access 5:26063–26075

    Article  Google Scholar 

  3. Liu Q, Zhang Y (2011) VRSS: a new system for rating and scoring vulnerabilities. Comput Commun 34:264–273

    Article  Google Scholar 

  4. Younis A, Malaiya YK, Ray I (2016) Evaluating CVSS base score using vulnerability rewards programs. In: Proceedings of the international conference on ICT systems security and privacy protection, pp 62–75

  5. Keramati M (2016) New vulnerability scoring system for dynamic security evaluation. In Proceedings of the 8th international symposium on telecommunications (IST), pp 746–751

  6. Booth H, Rike D, Witte G (2013) The national vulnerability database (NVD): overview. National Institute of Standards and Technology, Gaithersburg

    Google Scholar 

  7. Mburano B, Si W (2018) Evaluation of web vulnerability scanners based on OWASP benchmark. In: Proceeding of the 26th international conference on systems engineering (ICSEng), pp 1–6

  8. Ghezzi C, Jazayeri M, Mandrioli D (2002) Fundamentals of software engineering. Prentice Hall PTR, Upper Saddle River

    MATH  Google Scholar 

  9. Mell P, Scarfone K, Romanosky S (2006) Common vulnerability scoring system. IEEE Secur Privacy 4:85–89

    Article  Google Scholar 

  10. Mell P, Scarfone K, Romanosky S (2007) A complete guide to the common vulnerability scoring system version 2.0. FIRST-Forum of Incident Response and Security Teams, p 23

  11. Scarfone K, Mell P (2009) An analysis of CVSS version 2 vulnerability scoring. In: Proceedings of the 3rd international symposium on empirical software engineering and measurement, pp 516–525

  12. Ali A, Beg MR, Ahmad S, Ali A (2012) Evaluation of security risk associated with different network layers. Int J Sci Eng Res 3(8):1–9

    Google Scholar 

  13. Wang Y, Yang Y (2012) PVL: a novel metric for single vulnerability rating and its application in IMS. J Comput Inf Syst 8:579–590

    Google Scholar 

  14. Hamid T, Maple C, Sant P (2012) Methodologies to develop quantitative risk evaluation metrics. Int J Comput Appl 48(14):17–24

    Google Scholar 

  15. Allodi L, Massacci F (2012) A preliminary analysis of vulnerability scores for attacks in wild: the ekits and sym datasets. In: Proceedings of the 2012 ACM workshop on building analysis datasets and gathering experience returns for security, pp 17–24

  16. Zhang S, Ou X, Caragea D (2015) Predicting cyber risks through the national vulnerability database. Inf Secur J Glob Perspect 24:194–206

    Article  Google Scholar 

  17. Holm H, Afridi KK (2015) An expert-based investigation of the common vulnerability scoring system. Comput Secur 53:18–30

    Article  Google Scholar 

  18. Johnson P, Lagerström R, Ekstedt M, Franke U (2016) Can the common vulnerability scoring system be trusted? A bayesian analysis. IEEE Trans Depend Secure Comput 15:1002–1015

    Article  Google Scholar 

  19. Makino Y, Klyuev V (2015) Evaluation of web vulnerability scanners. In: Proceedings of the 8th IEEE international conference on intelligent data acquisition and advanced computing systems: technology and applications (IDAACS), pp 399–402

  20. Porter AA, Votta LG Jr, Basili VR (1995) Comparing detection methods for software requirements inspections: a replicated experiment. IEEE Trans Softw Eng 21:563–575

    Article  Google Scholar 

  21. Sutton M, Greene A, Amini P (2007) Fuzzing: brute force vulnerability discovery. Pearson Education, London

    Google Scholar 

  22. Joh H, Malaiya YK (2011) Defining and assessing quantitative security risk measures using vulnerability lifecycle and CVSS metrics. In: Proceedings of the 2011 international conference on security and management (SAM), pp 10–16

  23. Schiffman M, Cisco C (2005) A complete guide to the common vulnerability scoring system (cvss). In: White paper. Identification of basic measurable security components in software intensive systems

  24. Scarfone K, Mell P (2007) Guide to intrusion detection and prevention systems (IDPS). NIST Special Publ 800:94

    Google Scholar 

  25. Younis A, Malaiya YK, Ray I (2016) Assessing vulnerability exploitability risk using software properties. Softw Qual J 24:159–202

    Article  Google Scholar 

  26. Cadariu M, Bouwers E, Visser J, van Deursen A (2015) Tracking known security vulnerabilities in proprietary software systems. In: Proceedings of the 22nd IEEE international conference on software analysis, evolution, and reengineering (SANER), pp 516–519

  27. Alessandri D, Cachin C, Dacier M, Deak O, Julisch K, Randell B et al (2001) Towards a taxonomy of intrusion detection systems and attacks. In: MAFTIA deliverable D, vol 3

  28. Owasp T (2013) 10 2017: The ten most critical web application security risks. The OWASP Foundation, Sl

    Google Scholar 

  29. Woo DH, Lee H (2007) Analyzing performance vulnerability due to resource denial of service attack on chip multiprocessors. In: Proceedings of the workshop on chip multiprocessor memory systems and interconnects

  30. Du W, Mathur AP (1998) Vulnerability testing of software system using fault injection. Technique report. Purdue University, West Lafayette, pp 98–02

  31. Haugh E, Bishop M (2003) Testing C programs for buffer overflow vulnerabilities. In: NDSS

  32. Whalen S, Bishop M, Engle S (2005) Protocol vulnerability analysis. Technical report CSE-2005-04. Department of Computer Science, University of California, Davis

  33. Kals S, Kirda E, Kruegel C, Jovanovic N (2006) Secubat: a web vulnerability scanner. In: Proceedings of the 15th international conference on world wide web, pp 247–256

  34. Calzavara S, Conti M, Focardi R, Rabitti A, Tolomei G (2019) Mitch: a machine learning approach to the black-box detection of CSRF vulnerabilities. In: Proceedings of IEEE European symposium on security and privacy (EuroS&P), pp 528–543

  35. Ibrahim AB, Kant S (2018) Penetration testing using SQL injection to recognize the vulnerable point on web pages. Int J Appl Eng Res 13:5935–5942

    Google Scholar 

  36. Hassan MM, Bhuyian T, Sohel MK, Sharif MH, Biswas S (2018) SAISAN: an automated local file inclusion vulnerability detection model. Int J Eng Technol 7:4

    Article  Google Scholar 

  37. Sharma P, Johari R, Sarma S (2012) Integrated approach to prevent SQL injection attack and reflected cross-site scripting attack. Int J Syst Assur Eng Manag 3:343–351

    Article  Google Scholar 

  38. Deepa G, Thilagam PS (2016) Securing web applications from injection and logic vulnerabilities: approaches and challenges. Inf Softw Technol 74:160–180

    Article  Google Scholar 

  39. Deepa G, Thilagam PS, Praseed A, Pais AR (2018) DetLogic: a black-box approach for detecting logic vulnerabilities in web applications. J Netw Comput Appl 109:89–109

    Article  Google Scholar 

  40. Alenezi M, Zarour M (2018) Software vulnerabilities detection based on security metrics at the design and code levels: empirical findings. J Eng Technol 6:570–583

    Google Scholar 

  41. Woo DH, Lee H (2007) Analyzing performance vulnerability due to resource denial of service attack on chip multiprocessors. In: Workshop on chip multiprocessor memory systems and interconnects

  42. Zhang S, Caragea D, Ou X (2011) An empirical study on using the national vulnerability database to predict software vulnerabilities. In: Proceeding of the international conference on database and expert systems applications, pp 217–231

  43. Huang S, Tang H, Zhang M, Tian J (2010) Text clustering on national vulnerability database. In: Second international conference on computer engineering and applications, pp 295–299

  44. Byers R, Waltermire D, Turner C (2020) National vulnerability database (NVD) metadata submission guidelines for common vulnerabilities and exposures (CVE) numbering authorities (CNAs) and authorized data publishers. National Institute of Standards and Technology

  45. Zhang S, Caragea D, Ou X (2011) An empirical study on using the national vulnerability database to predict software vulnerabilities. In: International conference on database and expert systems applications, pp 217–231

  46. Abedin M, Nessa S, Al-Shaer E, Khan L (2006) Vulnerability analysis for evaluating quality of protection of security policies. In: Proceedings of the 2nd ACM workshop on quality of protection, pp 49–52

  47. Wang JA, Guo M (2010) Vulnerability categorization using Bayesian networks. In: Proceedings of the sixth annual workshop on cyber security and information intelligence research, p 29

  48. Anbalagan P, Vouk M (2009) On mining data across software repositories. In: Proceedings of the 6th IEEE international working conference on mining software repositories. MSR’09, pp 171–174

  49. Makino Y, Klyuev V (2015) Evaluation of web vulnerability scanners. In: IEEE 8th international conference on intelligent data acquisition and advanced computing systems: technology and applications (IDAACS), pp 399–402

  50. Evans S (2008) Securing WebGoat using ModSecurity, summer of code 2008. In: OWASP beta level. OWASP Foundation

  51. Kudjo PK, Chen J, Mensah S, Amankwah R (2018) Predicting vulnerable software components via bellwethers. Communications in computer and information science, Springer, Singapore, pp 389–407

  52. Tripathi A, Singh UK (2011) On prioritization of vulnerability categories based on CVSS scores. In: Proceedings of the 6th international conference on computer sciences and convergence information technology (ICCIT), pp 692–697

  53. Kudjo PK, Chen J, Zhou M, Mensah S, Huang R (2019) Improving the accuracy of vulnerability report classification using term frequency-inverse gravity moment. In: Proceedings of the 19th IEEE international conference on software quality, reliability and security (QRS), pp 248–259

  54. Elizabeth F, Vadim O (2007) Web application scanners: definitions and functions. HICSS 2007:280b–280b

    Google Scholar 

  55. Khan ME (2010) Different forms of software testing techniques for finding errors. Int J Comput Sci Issues 7:24

    Google Scholar 

  56. Fink S, Haviv YA, Hay R, Pistoia M, Segal O, Sharabani A et al (2017) Simulating black box test results using information from white box testing. Google Patents

  57. Nidhra S, Dondeti J (2012) Black box and white box testing techniques-a literature review. Int J Embedded Syst Appl (IJESA) 2:29–50

    Article  Google Scholar 

  58. Slaby J, Strejcek J, Trtık M (2013) ÐÙÖ: classified bug-reports database tool for developers of program analysis tools. In: Proceedings of 14th international conference on verification, model checking, and abstract interpretation. VMCAI, Rome, Italy, January 20–22, 2013, p 268

  59. OWASP Benchmark Project (2016) https://www.owasp.org/index.php/Benchmark (visited 2016-06-2), pp 1–6

Download references

Acknowledgement

This work is partly supported by the National Natural Science Foundation of China (NSFC Grant Numbers: U1836116, 61762040 and 61872167), the project of Jiangsu provincial Six Talent Peaks (Grant Numbers: XYDXXJS-016), and the Graduate Research Innovation Project of Jiangsu Province (Grant Numbers: KYCX17_1807).

Author information

Authors and Affiliations

  1. School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang, 212013, China

    Richard Amankwah, Jinfu Chen & Alfred Adutwum Amponsah

  2. University of Professional Studies, 233, Accra, Ghana

    Patrick Kwaku Kudjo

  3. Presbyterian College of Education, Akropong-Akuapem, 233, Accra, Ghana

    Richard Amankwah & Beatrice Korkor Agyemang

Authors
  1. Richard Amankwah
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jinfu Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Patrick Kwaku Kudjo
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Beatrice Korkor Agyemang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Alfred Adutwum Amponsah
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Richard Amankwah.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Amankwah, R., Chen, J., Kudjo, P.K. et al. An automated framework for evaluating open-source web scanner vulnerability severity. SOCA 14, 297–307 (2020). https://doi.org/10.1007/s11761-020-00296-9

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11761-020-00296-9

Keywords

Search

Navigation