Evaluation of Open Source Web Application Vulnerability Scanners
Keywords: Web Application Security, Open Web Application Security Project (OWASP), Vulnerability Scanner, Penetration Testing.
Nowadays, web applications are an essential part of our lives. People use them for information gathering, communication, e-commerce and a variety of other activities. Since they hold valuable and sensitive information, attacks against them have increased, with attackers probing for vulnerabilities in order to steal that information. For this reason, it is essential to check a web application for vulnerabilities to ensure that it is secure. However, checking for vulnerabilities manually is a tedious and time-consuming job, so there is a pressing need for web application vulnerability scanners. In this study, we evaluate two open source web application vulnerability scanners, Paros and OWASP Zed Attack Proxy (OWASP ZAP), by testing them against two deliberately vulnerable web applications, buggy web application (bWAPP) and Damn Vulnerable Web Application (DVWA).
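Evaluating a scanner against a deliberately vulnerable application comes down to comparing what the scanner reports with what is known to be there. The script below is an added example and is not part of the paper or of ZAP itself: it reads a ZAP-style JSON report (the site/alerts/instances layout of ZAP's JSON export; the sample report here is constructed, not real scan output), matches each finding to a hand-written ground-truth list of planted vulnerabilities on (path, parameter, vulnerability class), and computes recall, precision and the missed and spurious findings. The DVWA module paths are real, but the parameter names and the alert-name-to-class mapping are assumptions; the same harness would be reused for bWAPP or for Paros output by swapping the ground-truth table and the report parser.

```python
"""Score a scanner's findings against the known vulnerabilities of a test app.

Added example, not from the paper. Report layout follows ZAP's JSON export
(site -> alerts -> instances); the report content and the ground truth are
constructed for illustration.
"""
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed ground truth: (path, parameter) -> vulnerability class.
# DVWA paths are the real module paths; parameter names are an assumption.
KNOWN_VULNS = {
    ("/vulnerabilities/sqli/", "id"): "SQL Injection",
    ("/vulnerabilities/xss_r/", "name"): "Cross Site Scripting (Reflected)",
    ("/vulnerabilities/exec/", "ip"): "Remote OS Command Injection",
    ("/vulnerabilities/fi/", "page"): "Path Traversal",
    ("/vulnerabilities/csrf/", "password_new"): "Cross-Site Request Forgery",
}

# Constructed sample report in the shape of a ZAP JSON export.
SAMPLE_REPORT = json.dumps({
    "site": [{
        "@name": "http://127.0.0.1/",
        "alerts": [
            {"alert": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "http://127.0.0.1/vulnerabilities/sqli/?id=1&Submit=Submit",
                            "param": "id"}]},
            {"alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
             "instances": [{"uri": "http://127.0.0.1/vulnerabilities/xss_r/?name=a",
                            "param": "name"}]},
            {"alert": "Path Traversal", "riskcode": "3",
             "instances": [{"uri": "http://127.0.0.1/vulnerabilities/fi/?page=include.php",
                            "param": "page"}]},
            # Constructed false positive: a parameter we know is not injectable.
            {"alert": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "http://127.0.0.1/vulnerabilities/brute/?username=admin",
                            "param": "username"}]},
            # Informational finding that should count neither for nor against.
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "http://127.0.0.1/index.php", "param": ""}]},
        ],
    }]
})


def findings_from_report(report_json, min_risk=2):
    """Return a set of (path, param, alert) from a ZAP-style JSON report.

    Only alerts at or above min_risk are kept (ZAP riskcode: 0 info .. 3 high),
    so hardening hints do not pollute the vulnerability scoring.
    """
    data = json.loads(report_json)
    found = set()
    for site in data.get("site", []):
        for alert in site.get("alerts", []):
            if int(alert.get("riskcode", 0)) < min_risk:
                continue
            for inst in alert.get("instances", []):
                path = urlparse(inst["uri"]).path   # drop query string: match on location, not payload
                found.add((path, inst.get("param", ""), alert["alert"]))
    return found


def score(findings, known=KNOWN_VULNS):
    """Match findings to ground truth on (path, param, class).

    Matching on all three fields means a scanner gets no credit for the right
    class on the wrong parameter, which is how spurious alerts show up as FPs.
    """
    truth = {(p, q, c) for (p, q), c in known.items()}
    tp, fn, fp = findings & truth, truth - findings, findings - truth
    return {
        "true_positives": sorted(tp),
        "false_negatives": sorted(fn),
        "false_positives": sorted(fp),
        "recall": len(tp) / len(truth) if truth else 0.0,
        "precision": len(tp) / len(findings) if findings else 0.0,
    }


def missed_by_class(result):
    """Count false negatives per vulnerability class, i.e. what the scanner cannot see."""
    return Counter(cls for _, _, cls in result["false_negatives"])


if __name__ == "__main__":
    res = score(findings_from_report(SAMPLE_REPORT))
    print(f"recall={res['recall']:.2f} precision={res['precision']:.2f}")
    print("missed:", dict(missed_by_class(res)))
    print("spurious:", res["false_positives"])
```

Feed a real report with `findings_from_report(open("zap-report.json").read())`; alert names vary between ZAP versions, so the class names in the ground-truth table have to be aligned with the names the installed version emits before the numbers mean anything.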
Authors retain copyright
The use of a Creative Commons License enables authors/editors to retain copyright to their work. Publications can be reused and redistributed as long as the original author is correctly attributed.
- The researcher(s), whether of a single-author or joint research paper, must sell and transfer to the publisher (the Academic Journal of Nawroz University), for the whole duration of the publication starting from the date this Agreement enters into force, the exclusive rights to the research paper/article. These rights include the translation and reuse of the paper/article, its transmission or distribution, and the use of the material or part(s) contained therein for publication in scientific, academic, technical or professional journals or any other periodicals, including any other works derived from them, all over the world, in English and Arabic, whether in print or in the electronic edition of such journals and periodicals, in all types of media or formats now existing or that may exist in the future. The rights also include licensing (or granting permission to) a third party to use the materials and any works derived from them and to publish them in such journals and periodicals all over the world. The rights transferred under this Agreement include the right to modify such materials for use with computer systems and software, to reproduce or publish them in electronic formats, and to incorporate them into retrieval systems.
- Reproduction, reference, transmission, distribution or any other use of the content, or any parts of the subjects included in that content in any manner permitted by this Agreement, must be accompanied by mentioning the source which is (the Academic Journal of Nawroz University) and the publisher in addition to the title of the article, the name of the author (or co-authors), journal’s name, volume or issue, publisher's copyright, and publication year.
- The Academic Journal of Nawroz University reserves all rights to publish research papers/articles under a Creative Commons License (CC BY-NC-ND 4.0), which permits use, distribution, and reproduction of the paper/article by any means for non-commercial purposes and without modification, provided that the original work is correctly cited.
- Reservation of Rights
The researcher(s) preserves all intellectual property rights (except for the one transferred to the publisher under this Agreement).
- Researcher’s guarantee
The researcher(s) hereby guarantees that the content of the paper/article is original. It has been submitted only to the Academic Journal of Nawroz University and has not been previously published by any other party.
In the event that the paper/article is written jointly with other researchers, the researcher guarantees that he/she has informed the other co-authors about the terms of this agreement, as well as obtaining their signature or written permission to sign on their behalf.
The author further guarantees:
- The research paper/article does not contain any defamatory statements or illegal comments.
- The research paper/article does not violate others' rights (including but not limited to copyright, patent, and trademark rights).
- The research paper/article does not contain any facts or instructions that could cause damage or harm to others, and publishing it does not lead to the disclosure of any confidential information.