Evaluation of Open Source Web Application Vulnerability Scanners
Nowadays, web applications are essential part of our lives. Web applications are used by people for information gathering, communication, e-commerce and variety of other activities. Since they contain valuable and sensitive information, the attacks against them have increased in order to find vulnerabilities and steal information. For this reason, it is essential to check web application vulnerabilities to ensure that it is secure. However, checking the vulnerabilities manually is a tedious and time-consuming job. Therefore, there is an exigent need for web application vulnerability scanners. In this study, we evaluate two open source web application vulnerability scanners Paros and OWASP Zed Attack Proxy (OWASP ZAP) by testing them against two vulnerable web applications buggy web application (bWAPP) and Damn Vulnerable Web Application (DVWA).
2. Farah T., Shojol M., Hassan M. & Alam D. (2016). Assessment of vulnerabilities of web applications of Bangladesh: A case study of XSS & CSRF. Sixth International Conference on Digital Information and Communication Technology and its Applications (DICTAP), Konya, 2016, (pp. 74-78).
3. OWASP. (2018).The Open Web Application Security Project. Retrieved from https://www.owasp.org/
4. Makino Y. & Klyuev V. (2015). Evaluation of web vulnerability scanners. Intelligent Data Acquisition and Advanced Computing Systems:Technology and Applications (IDAACS), IEEE 8th InternationalConference vol. 1. IEEE, 2015, (pp. 399–402).
5. Nagpure S. & Kurkure S. (2017). Vulnerability Assessment and Penetration Testing of Web Application. International Conference on Computing, Communication, Control and Automation (ICCUBEA), Pune, 2017, (pp. 1-6).
6. Srinivasan S. & Sangwan R. (2017). Web App Security: A Comparison and Categorization of Testing Frameworks. IEEE Software, vol. 34, no. 1, IEEE, 2017, (pp. 99-102).
7. Suteva N., Zlatkovski D. & Mileva A. (2013). Evaluation and testing of several free/open source web vulnerability scanners, 10th Conference for Informatics and Information Technology, Bitola, Macedonia, 2013.
8. Jiménez R. (2016). Pentesting on web applications using ethical - hacking. IEEE 36th Central American and Panama Convention (CONCAPAN XXXVI), San Jose, 2016, (pp. 1-6).
9. BWAPP. (2018). A buggy Web Application. Retrieved from http://itsecgames.com/
10. Gaddam R. & Nandhini M. (2017). An analysis of various snort based techniques to detect and prevent intrusions in networks proposal with code refactoring snort tool in Kali Linux environment. International Conference on Inventive Communication and Computational Technologies (ICICCT), Coimbatore, 2017 (pp. 10-15).
11. Denis M., Zena C. & Hayajneh T. (2016). Penetration testing: Concepts, attack methods, and defense strategies. IEEE Long Island Systems, Applications and Technology Conference (LISAT), Farmingdale, NY, 2016 (pp. 1-6).
12. Daud N.,Bakar K. & Hasan M. (2014) .A case study on web application vulnerability scanning tools. Science and Information Conference, London, 2014 (pp. 595-600).
13. OWASP ZAP. (2018). Zed Attack Proxy Project - OWASP. Retrieved from https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
14. Engebretson P. (2013). The Basics of Hacking and Penetration Testing. Waltham, MA: Syngress.
15. Goel J., Asghar M., Kumar V. & Pandey S. (2016). Ensemble based approach to increase vulnerability assessment and penetration testing accuracy. International Conference on Innovation and Challenges in Cyber Security (ICICCS-INBUSH), Noida, 2016 (pp. 330-335).
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Authors who publish with this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License [CC BY-NC-ND 4.0] that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (See The Effect of Open Access).
AJNU is committed to protecting the privacy of the users of this journal website. The names, personal particulars and e-mail addresses entered in this website will be used only for the stated purposes of this journal and will not be made available to third parties without the user's permission or due process. Users consent to receive communication from the AJNU for the stated purposes of the journal. Queries with regard to privacy may be directed to firstname.lastname@example.org.