Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing

Web applications have become one of the most popular ways to offer a collection of services to users. However, previous research has shown that many web applications are deployed with critical vulnerabilities. Penetration testing is a well-known technique that is frequently used to detect security vulnerabilities in web applications. It can be performed either manually or with automated tools. According to previous studies, automated black box tools detect more vulnerabilities, but with a high false positive rate. This paper therefore proposes a framework that combines automated black box testing with manual penetration testing to achieve accurate vulnerability detection in web applications.
