Enlargement of vulnerable web applications for testing

  • Fernando Román Muñoz
  • Iván Israel Sabido Cortes
  • Luis Javier García Villalba


There are two main kinds of vulnerable web applications: usual applications developed with a specific aim, and applications that are vulnerable by design. On the one hand, usual applications are those used everywhere on a daily basis, such as online banking systems, newspaper sites, or any other website, in which vulnerabilities are detected and often fixed. On the other hand, vulnerable-by-design web applications are developed for the proper evaluation of web vulnerability scanners and for training in detecting web vulnerabilities. The main drawback of vulnerable-by-design web applications is that they usually include only a small set of well-known types of vulnerabilities, typically drawn from well-known classifications such as the OWASP Top Ten; they do not include most types of web vulnerabilities. In this paper, vulnerable web applications are analyzed and assessed in order to select those that include the largest set of vulnerability types. Those applications are then enlarged with additional types of web vulnerabilities that vulnerable web applications do not include. Lastly, the new vulnerable web applications are analyzed to check whether web vulnerability scanners are able to detect the newly added vulnerabilities, that is, those that vulnerable-by-design web applications do not include. The results show that the tools are not very successful in detecting those vulnerabilities, and are less successful than with well-known vulnerabilities.


Keywords: Vulnerability scanner; Vulnerable web applications; Web security; Web vulnerabilities



This work was funded by the European Commission Horizon 2020 Programme under Grant Agreement No. H2020-FCT-2015/700326-RAMSES (Internet Forensic Platform for Tracking the Money Flow of Financially-Motivated Malware).



Copyright information

© Springer Science+Business Media New York 2017

Authors and Affiliations

  • Fernando Román Muñoz (1)
  • Iván Israel Sabido Cortes (1)
  • Luis Javier García Villalba (1)

  1. Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Madrid, Spain
