One Unwanted Feature of Many Web Vulnerability Scanners

Suteva, Natasa and Anastasov, Dragan and Mileva, Aleksandra (2015) One Unwanted Feature of Many Web Vulnerability Scanners. In: 11th International Conference for Informatics and Information Technology (CIIT 2014), 11-13 Apr 2014, Bitola, Macedonia.

Security experts, web developers and hackers sometimes use Web Vulnerability Scanners (WVSs) to identify vulnerabilities in web applications. There are commercial and free/open-source WVSs, and nowadays many companies offer WVSs as a service. In this paper, we test and evaluate three free/open-source WVSs and four free, trial or regular editions of commercial WVSs against two versions of a trading web application that we created ourselves. One version has SQL injection and XSS vulnerabilities as its critical flaws; the other version is free from these vulnerabilities. The results show that most of the scanners pollute the backend database with many garbage records through the user-input fields intended for user opinions, comments, ratings, etc., regardless of whether the critical vulnerabilities are present. In our experiment, the garbage records were injected as comments on ads, and in the worst case the magnitude of pollution exceeded 50 times the number of ads in the database. Some scanners, however, managed to find the implemented vulnerabilities without producing garbage records.
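The pollution mechanism the abstract describes, as an added illustration that is not code from the paper or from any of the scanners it evaluates: a scanner crawls the ads, posts every probe string into each ad's comment form, and every successful POST becomes a stored row. The script below builds a throw-away in-memory copy of two tables (ads and comments), simulates such a scan, flags stored comments that look like probes, expresses the result as a multiple of the ads count (the yardstick the abstract uses), and purges the flagged rows. The table layout, the sample ads and comments, the probe strings and the regular-expression heuristics are all constructed assumptions for the example; real scanner payloads and real comment text will need the heuristics tuned.

```python
import re
import sqlite3

# Constructed sample data (not from the paper): a toy "ads" table like the
# trading application's, plus the comments a user can leave on each ad.
ADS = [(1, "Used bicycle"), (2, "Laptop, 2013"), (3, "Garden tools")]
GENUINE_COMMENTS = [
    (1, "Is the bike still available?"),
    (2, "Does it come with a charger?"),
]

# Probe strings of the kind a scanner submits into free-text fields. These are
# constructed examples, not payloads taken from any scanner in the paper.
SCANNER_PAYLOADS = [
    "<script>alert(1)</script>",
    "' OR '1'='1",
    "1;SELECT SLEEP(5)--",
    "\"><img src=x onerror=alert(1)>",
    "../../../../etc/passwd",
    "%27%20or%201%3D1",
]

# Heuristics (assumed, not from the paper) for recognising scanner residue in
# stored comments. Deliberately loose: the aim is to estimate pollution, and a
# genuine comment that happens to match is an acceptable cost before review.
PROBE_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|img|svg|iframe)\b", re.I),          # HTML/XSS tags
    re.compile(r"\bon\w+\s*=", re.I),                                  # event handlers
    re.compile(r"('|%27)\s*(or|and)\b", re.I),                         # quote then boolean
    re.compile(r"\b(select|union|sleep|waitfor|benchmark)\b", re.I),   # SQL keywords
    re.compile(r"(--|#|/\*)\s*$"),                                     # trailing SQL comment
    re.compile(r"\.\./"),                                              # path traversal
    re.compile(r"%(27|3c|3e|22)", re.I),                               # URL-encoded ' < > "
]


def looks_like_probe(body: str) -> bool:
    """Return True if a stored comment matches any scanner-probe heuristic."""
    return any(p.search(body) for p in PROBE_PATTERNS)


def build_sample_db(rounds: int = 1) -> sqlite3.Connection:
    """Create an in-memory copy of the two tables and simulate a scan.

    The simulated scanner does what the abstract reports: it posts every probe
    string to the comment form of every ad it crawls, and because the form
    accepts the input, each probe ends up as a stored comment. `rounds`
    repeats the whole scan, as re-running or multiple scanners would.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT);"
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, ad_id INTEGER, body TEXT);"
    )
    conn.executemany("INSERT INTO ads VALUES (?, ?)", ADS)
    conn.executemany("INSERT INTO comments (ad_id, body) VALUES (?, ?)", GENUINE_COMMENTS)
    for _ in range(rounds):
        for ad_id, _title in ADS:
            conn.executemany(
                "INSERT INTO comments (ad_id, body) VALUES (?, ?)",
                [(ad_id, payload) for payload in SCANNER_PAYLOADS],
            )
    conn.commit()
    return conn


def pollution_report(conn: sqlite3.Connection) -> dict:
    """Count comments, flag those that look like probes, and express the
    pollution as a multiple of the number of ads."""
    ads = conn.execute("SELECT COUNT(*) FROM ads").fetchone()[0]
    rows = conn.execute("SELECT id, body FROM comments").fetchall()
    suspect = [cid for cid, body in rows if looks_like_probe(body)]
    return {
        "ads": ads,
        "comments": len(rows),
        "suspect": len(suspect),
        "suspect_ids": suspect,
        "pollution_x_ads": len(suspect) / ads if ads else 0.0,
    }


def purge_probe_comments(conn: sqlite3.Connection) -> int:
    """Delete the flagged comments; return the number of rows removed."""
    ids = pollution_report(conn)["suspect_ids"]
    conn.executemany("DELETE FROM comments WHERE id = ?", [(i,) for i in ids])
    conn.commit()
    return len(ids)


if __name__ == "__main__":
    db = build_sample_db(rounds=9)
    before = pollution_report(db)
    print(f"{before['suspect']} suspect comments for {before['ads']} ads "
          f"({before['pollution_x_ads']:.0f}x the ads table)")
    print(f"purged {purge_probe_comments(db)} rows, "
          f"{pollution_report(db)['comments']} comments remain")
```

With nine simulated scan rounds over three ads the flagged comments already reach 54 times the ads table, the order of magnitude the abstract reports for its worst case. In practice the safer habit is to point a scanner at a disposable copy of the database, or to snapshot the relevant tables before the scan and diff them afterwards, rather than to clean up heuristically after the fact.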

Item Type: Conference or Workshop Item (Paper)
Subjects: Natural sciences > Computer and information sciences
Divisions: Faculty of Computer Science
Depositing User: Aleksandra Mileva
Date Deposited: 09 May 2016 08:57
Last Modified: 09 May 2016 08:57
