Althunayyan, Muzun; Saxena, Neetesh (ORCID: https://orcid.org/0000-0002-6437-0807); Li, Shancang; Gope, P. 2022. Evaluation of black-box web application security scanners in detecting injection vulnerabilities. Electronics 11(13), 2049. doi:10.3390/electronics11132049
Abstract
With the Internet's meteoric rise in popularity and usage over the years, there has been a significant increase in the number of web applications. Nearly all organisations use them for purposes such as e-commerce, e-banking, e-learning, and social networking. More importantly, web applications have become increasingly exposed to malicious attacks. To find web vulnerabilities before an attacker does, security experts use black-box web application vulnerability scanners to check web applications for security flaws. Most studies have evaluated these black-box scanners against various deliberately vulnerable web applications; however, most of the tested applications are traditional (non-dynamic) and do not reflect the current web. This study evaluates the detection accuracy of five black-box web application vulnerability scanners against one of the most modern and sophisticated insecure web applications, which represents a real-life e-commerce site. The tested vulnerabilities are injection vulnerabilities, in particular SQL injection (SQLi), NoSQL injection, and server-side template injection (SSTI). We also tested the black-box scanners in four modes to identify their limitations. The findings show that the black-box scanners overlook most of the vulnerabilities in almost all modes, and some scanners missed all of them.
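The abstract contrasts classic SQLi with NoSQL injection in a modern application. The following is an added illustration, not code from the paper or from the application it evaluated, of why a scanner that only sends string payloads into form fields can confirm a SQLi bypass yet never trigger a NoSQL operator injection that is only reachable through a JSON body. The SQL side uses the standard sqlite3 module; the NoSQL side uses a small constructed matcher that mimics MongoDB-style `$ne`/`$gt` operators (no real database is assumed), and the user records are constructed sample data. SSTI is not covered here.

```python
"""Added example: string-payload probing vs. NoSQL operator injection.

Not from the paper. The users, the mini document matcher and the probe
payloads are all constructed for this illustration.
"""
import json
import sqlite3

# Constructed sample data shared by both "login" back ends.
USERS = [
    {"name": "admin", "pw": "s3cret-Ab9"},
    {"name": "bob", "pw": "hunter2"},
]


def make_db():
    """In-memory SQLite table holding the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [(u["name"], u["pw"]) for u in USERS],
    )
    return conn


def sql_login_vulnerable(conn, name, pw):
    # String-built query: the classic SQLi a form-field scanner can trip.
    q = f"SELECT id FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(q).fetchone() is not None


def sql_login_safe(conn, name, pw):
    # Parameterised query: the payload is compared as data, never parsed.
    q = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return conn.execute(q, (name, pw)).fetchone() is not None


def _matches(value, cond):
    """Constructed MongoDB-like comparison: a dict condition is an operator."""
    if isinstance(cond, dict):
        for op, arg in cond.items():
            if op == "$ne":
                if not value != arg:
                    return False
            elif op == "$gt":
                if not value > arg:
                    return False
            else:
                return False  # unsupported operator never matches
        return True
    return value == cond


def find_one(collection, query):
    """Return the first document whose fields satisfy every query condition."""
    for doc in collection:
        if all(_matches(doc.get(k), c) for k, c in query.items()):
            return doc
    return None


def nosql_login_vulnerable(body_json):
    # Whatever JSON value the client sent for "pw" is used as the query
    # condition, so an object such as {"$ne": ""} becomes an operator.
    body = json.loads(body_json)
    return find_one(USERS, {"name": body["name"], "pw": body["pw"]}) is not None


def nosql_login_safe(body_json):
    # Type-check the credentials: only plain strings reach the query.
    body = json.loads(body_json)
    name, pw = body["name"], body["pw"]
    if not isinstance(name, str) or not isinstance(pw, str):
        return False
    return find_one(USERS, {"name": name, "pw": pw}) is not None


def probe():
    """Send one string payload and one operator payload; report bypasses."""
    conn = make_db()
    sql_payload = "' OR '1'='1"
    operator_body = '{"name": "admin", "pw": {"$ne": ""}}'
    return {
        "sql_vuln_string_payload": sql_login_vulnerable(conn, "admin", sql_payload),
        "sql_safe_string_payload": sql_login_safe(conn, "admin", sql_payload),
        # The same string payload is harmless against the NoSQL endpoint,
        # which is all a form-field-only scanner would ever observe.
        "nosql_vuln_string_payload": nosql_login_vulnerable(
            json.dumps({"name": "admin", "pw": sql_payload})
        ),
        # The bypass only appears when the scanner can emit a JSON object.
        "nosql_vuln_operator_payload": nosql_login_vulnerable(operator_body),
        "nosql_safe_operator_payload": nosql_login_safe(operator_body),
    }


if __name__ == "__main__":
    for check, bypassed in probe().items():
        print(f"{check}: {'BYPASS' if bypassed else 'blocked'}")
```

The `probe()` result shows the asymmetry: the SQL endpoint is bypassed by the string payload, the NoSQL endpoint is bypassed only by the operator payload, and the type-checked and parameterised variants reject both. A scanner whose crawler and payload set never produce JSON bodies with nested objects would record the NoSQL endpoint as clean.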
Item Type: | Article
---|---
Date Type: | Published Online
Status: | Published
Schools: | Computer Science & Informatics
Additional Information: | This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Publisher: | MDPI
ISSN: | 2079-9292
Date of First Compliant Deposit: | 22 July 2022
Date of Acceptance: | 26 June 2022
Last Modified: | 29 Sep 2023 22:04
URI: | https://orca.cardiff.ac.uk/id/eprint/151240
Citation Data: Cited 2 times in Scopus.