Pen Testing for Web Applications

As many Web applications are developed daily and used extensively, it becomes important for developers and testers to improve the security of these applications. Pen testing is a technique that helps developers and testers ensure that the security level of their Web application is acceptable for safe use. Different tools are available for Pen testing Web applications; in this paper the authors compared six Pen testing tools for Web applications. The main goal of these tests is to check whether there are any security vulnerabilities in Web applications. A list of faults injected into a set of Web pages is used to check whether the tools can find them as claimed. Test results showed that these tools are not efficient and that developers should not depend solely on them.
