Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing

  • Conference paper
Advances in Security of Information and Communication Networks (SecNet 2013)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 381)

Abstract

Today, web applications are becoming the most popular tool for offering a collection of various services to users. However, previous research has shown that many web applications are deployed with critical vulnerabilities. Penetration testing is one of the well-known techniques frequently used to detect security vulnerabilities in web applications. It can be performed either manually or with automated tools. However, according to previous studies, automated black box tools detect more vulnerabilities but with a high false positive rate. Therefore, this paper proposes a framework that combines automated black box testing with manual penetration testing to achieve accuracy in detecting vulnerabilities in web applications.

Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Awang, N.F., Manaf, A.A. (2013). Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing. In: Awad, A.I., Hassanien, A.E., Baba, K. (eds) Advances in Security of Information and Communication Networks. SecNet 2013. Communications in Computer and Information Science, vol 381. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40597-6_20

  • DOI: https://doi.org/10.1007/978-3-642-40597-6_20

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-40596-9

  • Online ISBN: 978-3-642-40597-6

  • eBook Packages: Computer Science (R0)