Cardiff University | Prifysgol Caerdydd ORCA
Online Research @ Cardiff 
WelshClear Cookie - decide language by browser settings

Evaluation of black-box web application security scanners in detecting injection vulnerabilities

Althunayyan, Muzun, Saxena, Neetesh ORCID: https://orcid.org/0000-0002-6437-0807, Li, Shancang and Gope, P 2022. Evaluation of black-box web application security scanners in detecting injection vulnerabilities. Electronics 11 (13) , 2049. 10.3390/electronics11132049

[thumbnail of electronics-11-02049-v2.pdf] PDF - Published Version
Available under License Creative Commons Attribution.

Download (747kB)

Abstract

With the Internet’s meteoric rise in popularity and usage over the years, there has been a significant increase in the number of web applications. Nearly all organisations use them for various purposes, such as e-commerce, e-banking, e-learning, and social networking. More importantly, web applications have become increasingly vulnerable to malicious attack. To find web vulnerabilities before an attacker, security experts use black-box web application vulnerability scanners to check for security vulnerabilities in web applications. Most studies have evaluated these black-box scanners against various vulnerable web applications. However, most tested applications are traditional (non-dynamic) and do not reflect current web. This study evaluates the detection accuracy of five black-box web application vulnerability scanners against one of the most modern and sophisticated insecure web applications, representing a real-life e-commerce. The tested vulnerabilities are injection vulnerabilities, in particular, structured query language (SQLi) injection, not only SQL (NoSQL), and server-side template injection (SSTI). We also tested the black-box scanners in four modes to identify their limitations. The findings show that the black-box scanners overlook most vulnerabilities in almost all modes and some scanners missed all the vulnerabilities.

Item Type: Article
Date Type: Published Online
Status: Published
Schools: Computer Science & Informatics
Additional Information: This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited
Publisher: MDPI
ISSN: 2079-9292
Date of First Compliant Deposit: 22 July 2022
Date of Acceptance: 26 June 2022
Last Modified: 10 Nov 2022 11:37
URI: https://orca.cardiff.ac.uk/id/eprint/151240

Actions (repository staff only)

Edit Item Edit Item

Downloads

Downloads per month over past year

View more statistics