Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6201)

Abstract

Black-box web vulnerability scanners are a class of tools that can be used to identify security issues in web applications. These tools are often marketed as “point-and-click pentesting” tools that automatically evaluate the security of web applications with little or no human support. These tools access a web application in the same way users do, and, therefore, have the advantage of being independent of the particular technology used to implement the web application. However, these tools need to be able to access and test the application’s various components, which are often hidden behind forms, JavaScript-generated links, and Flash applications.

This paper presents an evaluation of eleven black-box web vulnerability scanners, both commercial and open-source. The evaluation composes different types of vulnerabilities with different challenges to the crawling capabilities of the tools. These tests are integrated in a realistic web application. The results of the evaluation show that crawling is a task that is as critical and challenging to the overall ability to detect vulnerabilities as the vulnerability detection techniques themselves, and that many classes of vulnerabilities are completely overlooked by these tools, and thus research is required to improve the automated detection of these flaws.
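The abstract's central claim is that crawling coverage bounds detection: an injection check can only be applied to an entry point the scanner has found. The following added example (written for this page, not code from the paper or from any of the scanners it evaluates) runs two entry-point extractors over a constructed HTML page that hides endpoints behind a form and a JavaScript-generated link; `BASE`, `SAMPLE_HTML` and the extractor names are assumptions made here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin
BASE = "http://example.test"
# Constructed page (not from the paper): static link, form-guarded endpoint, JS-generated link.
SAMPLE_HTML = """<html><body><div id="nav"></div>
<a href="/products?id=1">Products</a>
<form action="/search" method="post"><input type="text" name="q"></form>
<script>
  document.getElementById('nav').innerHTML = '<a href="/account/profile">Me</a>';
</script>
</body></html>"""

class EntryPointExtractor(HTMLParser):
    """Collects <a href> targets, form actions, and inline script text separately."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self.scripts, self._in_script = [], [], [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(BASE, a["href"]))
        elif tag == "form":
            self.forms.append(urljoin(BASE, a.get("action") or ""))
        elif tag == "script":
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def _extract(html):
    p = EntryPointExtractor()
    p.feed(html)
    return p

def href_only_entry_points(html):
    """What a crawler that follows only static <a href> links would go on to test."""
    return sorted(set(_extract(html).links))

def full_entry_points(html):
    """Adds form actions and path-like string literals in inline scripts (a cheap
    stand-in for actually executing the JavaScript)."""
    p = _extract(html)
    found = set(p.links) | set(p.forms)
    for s in p.scripts:
        found |= {urljoin(BASE, m) for m in re.findall(r"""['"](/[^'"\s<>]*)['"]""", s)}
    return sorted(found)
```

On the sample page the href-only crawler reaches one of three endpoints, so two thirds of the attack surface is never exercised regardless of how good the scanner's injection tests are; string-literal mining narrows that gap but still cannot replace executing the page's scripts.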

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

Cite this paper

Doupé, A., Cova, M., Vigna, G. (2010). Why Johnny Can’t Pentest: An Analysis of Black-Box Web Vulnerability Scanners. In: Kreibich, C., Jahnke, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2010. Lecture Notes in Computer Science, vol 6201. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14215-4_7

  • DOI: https://doi.org/10.1007/978-3-642-14215-4_7

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14214-7

  • Online ISBN: 978-3-642-14215-4
