Security and Communication Networks
Volume 2017 (2017), Article ID 6158107, 14 pages
https://doi.org/10.1155/2017/6158107
Research Article

Performance-Based Comparative Assessment of Open Source Web Vulnerability Scanners

Author affiliations: 1 King Abdulaziz City for Science and Technology, Riyadh, Saudi Arabia; 2 College of Computer and Information Sciences, King Saud University, Riyadh, Saudi Arabia

Correspondence should be addressed to Mansour Alsaleh; maalsaleh@kacst.edu.sa

Received 7 January 2017; Revised 25 March 2017; Accepted 16 April 2017; Published 24 May 2017

Academic Editor: Michele Bugliesi

Copyright © 2017 Mansour Alsaleh et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
