
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/305361919

Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape

Article in International Journal of Computer Applications · July 2016
DOI: 10.5120/ijca2016910563

2 authors: Chanchala Joshi (Vikram University), Umesh Kumar Singh (Vikram University)

All content following this page was uploaded by Chanchala Joshi on 19 July 2016.


International Journal of Computer Applications (0975 – 8887)
Volume 145 – No.2, July 2016

Security Testing and Assessment of Vulnerability Scanners in Quest of Current Information Security Landscape

Chanchala Joshi, Institute of Computer Science, Vikram University, Ujjain, M.P. India
Umesh Kumar Singh, Institute of Computer Science, Vikram University, Ujjain, M.P. India

ABSTRACT
This paper describes a web application intended to be used to evaluate the efficiency of the Netsparker, Acunetix and Burp Suite web application vulnerability scanners. It also explains the defense measures that secure the application significantly. The results of the web application evaluation identify the vulnerabilities that are most challenging for a scanner to detect, and compare the effectiveness of the scanners. The assessment results suggest the areas that require further research to improve scanners' detection rates.

Keywords
Vulnerability, Web Application Vulnerability Scanner, Security trends

1. INTRODUCTION
The global distribution of web applications makes them prone to attacks that uncover and maliciously exploit a variety of security vulnerabilities [1]. ISO 27005 defines vulnerability as "a weakness of an asset or group of assets that can be exploited by one or more threats, where an asset is anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission" [2]. According to the National Vulnerability Database (NVD) [3], the number of vulnerabilities has approximately tripled since 2011. NTA Monitor's 2014 Web Application Security Report demonstrated that Web security had actually decreased compared to the previous year. In fact, Web application vulnerabilities represent huge problems for companies and organizations. According to WhiteHat Security's most recent Website Security Statistics Report, 63 percent of assessed websites are vulnerable, each having an average of six unsolved flaws [4]. These vulnerabilities create and feed an underground economy based on attacking and stealing data and resources. The figure shows the vulnerability distribution by severity for the year 2015.

Web application vulnerability scanners help reduce these security concerns in Web-based applications. In today's market a large number of web application scanning tools are available, e.g. Acunetix, Netsparker, AppScan etc. Although these tools are available in the market, the question is how efficient they are at addressing security concerns in web applications. To compare the vulnerability detection rates of different scanners, it is important to have an independent test suite. Web vulnerability scanners are often regarded as an easy way to test applications against vulnerabilities. In fact, vulnerability scanners provide an automatic way to search for vulnerabilities, avoiding the repetitive and tedious task of doing hundreds or even thousands of tests by hand for each vulnerability type. Most of these scanners are commercial tools (e.g., IBM Rational AppScan [5] and HP WebInspect [6]) but there are also some free application scanners (e.g., Acunetix [7], Netsparker [8], Burp Suite [9], Foundstone WSDigger [10] and Wsfuzzer [11]) of limited use, as they lack most of the functionalities of their commercial counterparts.

This paper describes a web application which is intended to be used to evaluate the efficiency of the Netsparker, Burp Suite and Acunetix web application vulnerability scanners. The application implements real-life scenarios for the OWASP Top Ten Security Risks [12]. For several vulnerabilities presented in this application, this paper also explains defense measures which secure the application significantly.

1.1 OWASP Web Application Security Risks
The OWASP security community released its annual report in 2015, capturing the top risks in web application development as a combination of the probability of an event and its consequence [12]. The list of the top risks in web applications is as follows:

A1 Injection
A2 Broken Authentication and Session Management
A3 Cross Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

The two most common risks in the Web environment are SQL injection, which lets attackers alter SQL queries sent to a database, and cross-site scripting (XSS). Injection attacks
take advantage of improperly coded applications to insert and execute attacker-specified commands, enabling access to critical data and resources. XSS vulnerabilities exist when an application sends user-supplied data to a Web browser without first validating or encoding that content.

The web application described in this paper implements OWASP top vulnerabilities A1, A2, A3 and A5.

This paper used two free web application vulnerability scanners to identify security flaws in the web application. The main objective is to study the effectiveness of the scanners and to try to identify common types of vulnerabilities in web application environments. In summary, the practical experiment report focuses on the following three questions:

i. What is the coverage of the vulnerability scanners tested when used in a web services environment?
ii. What is the false-positive rate of the web vulnerability scanners tested when used in a web services environment?
iii. What are the most common types of vulnerabilities in web services environments?

2. EXPERIMENTAL DETAILS
Broadly, the experimental study consisted of five steps:

2.1.1 Web Application
Design a web application that implements all the vulnerabilities from the OWASP Top Ten report, and also select publicly available web application services.

2.1.2 Vulnerability Scanner
Select the free web application vulnerability scanners.

2.1.3 Execution
Use the vulnerability scanners to scan the services to identify potential vulnerabilities.

2.1.4 Verification
Perform manual testing to confirm that the vulnerabilities identified by the scanners do exist (i.e., are not false positives).

2.1.5 Analysis
Analyze the results obtained and systematize the lessons learned.

There are several existing web applications that demonstrate common web application vulnerabilities, such as the "HacMe" series [13] and "WebGoat" [14]. "WebGoat" is mainly used for educational purposes. But implementing the OWASP Top Ten report is not possible with these web applications. Because of these drawbacks of the available applications, there is a need for an independent web application which implements the OWASP Top Ten vulnerabilities, to be used to test these web scanners. This paper designs a web application ("shopatujjain") to simulate the steps a regular user goes through while using a dynamic web page and replicates that behavior. The availability of the source code and the control over server results provide a better evaluation of web application scanners.

The main functionalities of the application are:
i. First a user creates an account and provides his/her personal data, including shipping address and credit card details.
ii. Second he/she selects a product and stores the selection in a personal shopping cart.
iii. Later, when the user decides to make the purchase, an invoice is placed in a queue for further processing.
iv. In addition to that, the user can add reviews to products, read other customers' opinions and newsletters, and subscribe to the mailing list.

3. METHODOLOGY
The "shopatujjain" Web Application is a PHP based application, which is deployed on an Apache Tomcat Server. It uses a MySQL database to store the data for the web site in its tables. The application uses PHP to present the user interface. It also uses HTML, CSS, JavaScript, and AJAX technologies. The presence of such technologies as AJAX and JavaScript in a web application gives additional opportunities. JavaScript is widely used in modern web applications and it is important to analyze the behavior of the tools and their ability to parse JavaScript code.

The web application developed is based on the OWASP Top Ten report of 2014. This section goes over the characteristics of the vulnerabilities presented in the Web Application.

3.1 SQL Injection Vulnerability
The user has provided his/her credentials, username and password, via the web application. The web application has stored the user data on the SQL server. An attacker crafts HTTP requests that are sent to the web server to inject commands into the SQL server in order to gain system level access [15]. The vulnerable web application allows this malicious code to be placed on the SQL server, thus making it possible for the attacker to use SQLI commands to get user account credentials.

Figure: Hacking Strategy of SQLI

3.1.1 Exploiting SQLI vulnerability
During an SQLI attack, a malicious string is used as input to a function that calls an SQL query, which is executed immediately. In this way, the injection result is reflected right away, thus the vulnerability is called a Reflected SQLI vulnerability.

For example, the recoverPassword function is intended to recover the user's password based on his/her answer to a security question.

    String recoverPassword(String emailAddress, String answer) {
        // the user-supplied values are concatenated straight into the SQL text
        String query = "SELECT Password FROM v_UserPass WHERE (v_UserPass.EmailAddress = '"
                + emailAddress + "' AND v_UserPass.Answer = '" + answer + "') ";
    }

Payload:
emailAddress=test%40test.com%27%29 --&answer=anycolor

In the recoverPassword function, concatenation is used to create a dynamic SQL query. An attacker can easily impersonate a site user and recover a victim's password by commenting out part of the query using the '--' single-line comment indicator [15].

3.2 Broken Authentication and Session Management Vulnerability
User authentication on the web typically involves the use of a user's ID and password. When the authentication mechanism does not provide enough protection, an attacker can try to obtain credentials by using different techniques or some combination of them. Simple password recovery mechanisms can become victims of a social engineer who manipulates a user into revealing confidential information.

Figure: Two ways to bypass Broken Authentication

3.2.1 Exploiting Broken Authentication Vulnerability
The password recovery mechanism is based on a secret question and answer. A user provides the name of the city where he/she was born, and his/her password is immediately displayed on a web page without further verification. Using social engineering, an attacker can guess the country. Then, by using a dictionary method, the attacker finds the city and obtains the victim's credentials. Brute force attacks are widely used to obtain log-in credentials, session identifiers, and credit card information with the help of brute force tools [9]. Attackers can use these tools and proxy applications such as Burp Suite to access a user's private information.

A brute force attack is very simple:
i. The intercepted request is sent to the Intruder application.
ii. The parameter which is supposed to be brute forced is selected.
iii. The payloads are formed and configured to be used in the task.
iv. The attack begins.

3.3 Cross Site Scripting Vulnerability
A Cross Site Scripting (XSS) vulnerability occurs when there is a possibility of injecting malicious code into a web application. Thus, the XSS flaw is a result of unvalidated or unsanitized input parameters. There are three types of XSS: Non-Persistent, called Reflected XSS; Persistent or Stored XSS; and Document Object Model (DOM)-based [16].

3.3.1.1 Non-Persistent XSS Vulnerability:
This vulnerability occurs when a web application accepts an attacker's malicious request that is then echoed into the application's response in an unsafe way.

3.3.1.2 Persistent XSS Vulnerability:
This vulnerability occurs when a web application accepts the attacker's malicious request, stores it in a data source, and later displays the information from the request to a wide range of users.

3.3.1.3 DOM-Based XSS Vulnerability:
This vulnerability doesn't involve server validation. The attack works in the web browser, avoiding the server side [16]. The DOM 'environment' in the victim's browser is modified by the original client-side script, and as a result of that, the payload is executed.

Figure: Non-Persistent XSS Vulnerability

3.3.2 Exploiting XSS Vulnerability
XSS vulnerabilities are exploited by using XSS attacks. XSS attacks are usually divided into three categories: Non-Persistent or Reflected XSS Attack; Persistent or Stored XSS Attack; and DOM-Based XSS Attack [16].

Non-Persistent or Reflected XSS Attack: User registration information is saved in the online store database after the 'creditCardNumber' parameter is validated on the server side. No input inspection for the 'firstName' parameter is performed.

    <form action="registrationServlet" method=post>
      First Name <input type="text" name="firstName" value="${newUser.firstName}">
      Card number <input type="text" name="creditCardNumber">
      <input type="button" value="Continue">
    </form>

Payload:
firstName=John"'><script>alert("firstName parameter is
vulnerable")</script>&creditCardNumber=1234

If the credit card number is incorrect, the 'firstName' value will be reflected on the web page.

3.4 Security Misconfiguration Vulnerability
This type of vulnerability occurs when the application, frameworks, application server, web server, database server, and platform configurations are not securely defined to prevent unintentional leakage of information. For example, a web application can use the GET method in an HTTP request for transferring password information. But while using the GET method, the browser encodes form data into a URL. Since the form data is in the URL, it is displayed in the browser's address bar, and information leakage occurs.

    GET http://www.vulnerableApp.com/updateUserPassword?password=falsepass HTTP/1.1
    Host: vulnerableApp.com
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:11.0) Gecko/20100101 Firefox/11.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip, deflate
    Proxy-Connection: keep-alive
    Referer: http://vulnerableApp.com/displayAccountPassword
    Cookie: JSESSIONID=98224C7236B39895384AD3A760E405AB

While using the POST method, form data appears within the message body of the HTTP request, not in the URL. Thus, password information is not revealed. To avoid the security misconfiguration vulnerability in the above example, the password should be transferred via the POST method.

4. DEFENSE MECHANISMS AGAINST WEB VULNERABILITY AND SECURE CODING TECHNIQUES
Preventing vulnerabilities in web applications is extremely important due to the high number of attacks. The best way to prevent vulnerabilities in applications is to write secure code. According to the Computer Emergency Response Team (CERT) at the Software Engineering Institute at Carnegie Mellon University, the following Top 10 Secure Coding Practices [17] are vital to security.

i. Proper implementation of input validation helps to avoid most web application vulnerabilities. But, on the other hand, handling each input in isolation to avoid unexpected command line arguments, user controlled files, and other suspicious input is a complex task, and as a result the validation may be omitted.
ii. Warnings and error messages can suggest the places of possible security flaws to both developers and an attacker. Static and dynamic analysis tools can detect and eliminate the vulnerabilities.
iii. A strong web application architecture helps to enforce security policies.
iv. Simple design helps to avoid errors that can be made during implementation, configuration, and use.
v. To simplify the access mechanism, by default access is denied. In other words, "Everything not explicitly permitted is forbidden."
vi. Continuing the ideas in points iv and v, the principle of least privilege is introduced, which suggests executing a process with the least set of privileges necessary to complete the job.
vii. Before data is processed, it should be sanitized. Unvalidated data could be the cause of SQL, command, or other injection attacks.
viii. Defense-in-depth mechanisms help to improve security by adding layers of multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability, and/or limit the consequences of a successful exploit.
ix. Quality assurance is the key point in the security of software. There are different techniques to improve the reliability of the application, like using source code analysis tools, penetration testing tools, and independent review of the system.
x. A secure coding standard should be adopted. Programmers should develop and/or apply a secure coding standard for the target development language and platform.

With the Top 10 Secure Coding Practices for each vulnerability type, this paper provides the defense mechanism for the top four vulnerabilities out of the top ten OWASP vulnerabilities.

4.1 SQLI Defense
Server-side defense using Prepared Statements [18] is the most effective way to protect against SQL injection, because it ensures that the intent of the query is not changed. For example, the insertPassword(User user) function adds a new record to the UserPass table in the "shopatujjain" application database when a new customer is registering his/her account.

    public static int insertPassword(User user) {
        ConnectionPool pool = ConnectionPool.getInstance();
        Connection connection = pool.getConnection();
        PreparedStatement ps = null;
        ResultSet rs = null;
        // the statement text is fixed; the three values are bound as parameters
        String query = "INSERT INTO UserPass (EmailAddress, Password, Answer) VALUES (?, ?, ?)";
        try {
            ps = connection.prepareStatement(query);
            ps.setString(1, user.getEmailAddress());
            ps.setString(2, user.getPassword());
            ps.setString(3, user.getAnswer());
            return ps.executeUpdate();
        } catch (SQLException e) {
            e.printStackTrace();
            return 0;
        } finally {
            DBUtil.closeResultSet(rs);
            DBUtil.closePreparedStatement(ps);
            pool.freeConnection(connection);
        }
    }

In this example, a PreparedStatement object is used with parameters. Before executing the query, all special characters will be escaped. All SQL functions, those that are not intended to be exploited while stress testing [19] the application, are developed using PreparedStatements.

4.2 Cross-Site Scripting (XSS) Defense
To prevent code injection attacks, including SQLI and XSS, all user data should be validated. There are several main rules that should be followed to increase security:
i. Check the data type and set length limits on any form fields on your site.
ii. Encode or escape the data where it is used in your application to ensure that the browser treats the possibly dangerous content as text, and not as active content that could be executed.
From a security perspective, however, client-side validation is not effective, because it doesn't provide protection for server-side code. An attacker can easily bypass the client side using proxies.

4.3 Security Misconfiguration Defense
Maintaining the security settings of the application, frameworks, application server, web server, database server, and platform is a very complex problem. Web servers are frequent targets of attacks, so when trying to secure web servers, the following aspects should be taken into account [20]:
i. Configuration
ii. Web content and server-side applications
iii. Operating System
iv. Documentation

Example: an HTTP server is subject to Slow HTTP attacks [21]. There are a number of steps to protect against this attack pattern [22]. The RequestReadTimeout directive value should be set to limit the time a client may take to send the request [23].

The implementation of defense mechanisms is an important part of the code analysis that is performed to increase the security of a web application. Some vulnerabilities can be exploited only if an attacker performs several steps successively or in a specific order.

5. OBSERVATIONS
A customer cannot feel fully secure while using an application as long as there is a possibility of losing some personal information or other confidential data. Firstly, as many security flaws as possible should be discovered in order to secure a web application. To improve the success rate of discovering application flaws, Web Application Vulnerability Scanners (WAVS) are used. WAVS are the tools that most closely mimic web application attacks. These tools cannot guarantee that their use will eliminate the flaws completely, but they can make the application more secure. The Web Application Security Scanner Functional Specification Version 1.0 [24] in 2008 defined a list of requirements that all WAVS must provide:
i. Identify all types of vulnerabilities listed.
ii. Report an attack that demonstrates the vulnerability.
iii. Specify the attack by providing script location, inputs, and context.
iv. Identify the vulnerability with a semantically equivalent name.
v. Be able to authenticate itself to the application and maintain logged-in state.
vi. Have an acceptably low false positive rate.

In this paper three prominent free Web Application Security Scanners (Acunetix, Netsparker and Burp Suite) are used for vulnerability detection. The scanning results of the Web Application Vulnerability Scanners are as follows:

5.1 Acunetix
Acunetix Web Vulnerability Scanner (WVS) [7] is an automated web application security testing tool that audits web applications by checking for vulnerabilities like SQL injection, cross-site scripting and other exploitable hacking vulnerabilities. In general, Acunetix WVS scans any website or web application that is accessible via a web browser and uses the HTTP/HTTPS protocol.

5.2 Netsparker
Netsparker does not require much prior knowledge to use the tool, it has a very good user interface, and it does a decent job of detecting the most important vulnerabilities [8]. It has good reporting features that are easy to read and intuitively designed. Moreover, it has the ability to confirm detected vulnerabilities. This feature can be a real time saver, as the tester does not need to validate those vulnerabilities that have been confirmed by Netsparker.

5.3 Burp Suite
Burp is easy to use and intuitive, allowing new users to begin working right away. Burp is also highly configurable, and contains numerous powerful features to assist the most experienced testers with their work.

There are some free WAVS available in the market. This paper reviewed three of them: Acunetix Web Application Scanner (WAS), Netsparker Web Vulnerability Scanner and Burp Suite Web Vulnerability Scanner (WVS). All WAVS follow a common strategy: first they crawl the target web site, then they create and insert payloads, and finally they analyze the response. These scanners were chosen because they provide the feature that they identify all types of vulnerabilities listed in the OWASP Top Ten report.

6. EVALUATION OF WEB APPLICATION VULNERABILITY SCANNERS
The results of the Web Vulnerability Scanners Acunetix, Netsparker and Burp Suite are shown in Table 1. The Table contains the following data:
i. The first column represents the serial number.
ii. The second column represents the vulnerability number taken from the Top Ten OWASP Vulnerabilities.
iii. The third column represents the vulnerabilities presented in the test suite.
iv. The fourth column shows the different types of the vulnerability presented in the third column.
v. The fifth column contains the number of vulnerabilities detected by the Acunetix WAVS.
vi. The sixth column contains the number of vulnerabilities detected by the Netsparker WAVS.
vii. The last column represents the number of vulnerabilities detected by the Burp Suite WAVS.

Table 1: Results of WAVS assessment

SNo | OWASP report 2015 number | OWASP vulnerability                          | Vulnerability type           | Acunetix | Netsparker | Burp Suite
1   | A1                       | SQL Injection                                |                              | 15       | 4          | 7
2   | A2                       | Broken Authentication and Session Management | Password Guessing            | 5        | 0          | 2
    |                          |                                              | Brute Force                  | 1        | 1          | 0
3   | A3                       | Cross Site Scripting                         | Non-Persistent XSS           | 9        | 9          | 2
    |                          |                                              | Persistent XSS               | 1        | 3          | 1
    |                          |                                              | DOM XSS                      | 3        | 1          | 0
4   | A5                       | Security Misconfiguration                    | Password sent via GET Method | 5        | 5          | 5
    |                          |                                              | Web Server DDoS              | 2        | 0          | 2
    |                          |                                              | Sensitive Data display       | 0        | 4          | 2
Total                                                                                               | 40       | 27         | 18

Table 1 reports the vulnerabilities that were detected by the web application scanners. As seen from Table 1, all the tools missed some weaknesses. The analysis of why the scanners missed certain vulnerabilities is as follows.

6.1.1 SQL Injection:
The Acunetix scanner is able to discover all SQL Injection vulnerabilities. But the Netsparker and Burp Suite scanners failed to find some SQL Injection vulnerabilities, those which are not executed immediately.

6.1.2 Broken Authentication and Session Management
Both the Netsparker and Burp Suite scanners were not able to find the vulnerability.

6.1.3 Cross-Site Scripting:
The Acunetix and Netsparker scanners discovered all Non-Persistent XSS vulnerabilities. The Burp Suite scanner result is very poor. Most of the Persistent XSS and DOM XSS vulnerabilities were missed by all scanners.

6.1.4 Security Misconfiguration:
All the scanners are able to find the vulnerability "Password sent via GET Method". The Acunetix scanner missed the Sensitive Data Display vulnerability.

The results show that crawling has been significantly improved, although there are still limitations that affect the detection rate of such vulnerabilities as SQLI and XSS.

7. CONCLUSIONS
This paper described OWASP Top 10 Security Risks implemented in a web application, which was used as a test set for evaluating the effectiveness of the Acunetix, Netsparker and Burp Suite web application vulnerability scanners. The paper chose four vulnerabilities from the Top 10 OWASP Security Risks for the evaluation of three prominent Web Application Vulnerability Scanners. The evaluation of the three scanners is done by analyzing the results obtained from the execution of the web scanners against the vulnerable web application, then comparing the number of detected vulnerabilities.

The comparison of the three chosen scanners is shown by the following graph:

Figure: Comparison of the three scanners (bar chart of detected vulnerabilities per category: SQL Injection, Authentication, XSS, Misconfiguration; series: Acunetix, Netsparker, Burp Suite)

The results show that both the Acunetix and Netsparker scanners were able to discover cross site scripting (XSS), but the Burp Suite results were very poor. For SQL Injection, Acunetix detected all the vulnerabilities. The scan results of the Acunetix WAVS for Broken Authentication and Session Management vulnerabilities are better than those of the other two scanners. But Security Misconfiguration vulnerabilities are not properly discovered by Acunetix; in this case the results of the Netsparker and Burp Suite scanners are better.
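The two code-level flaws the paper walks through (the concatenated recoverPassword query of Section 3.1.1 and the unencoded firstName reflection of Section 3.3.2) rebuilt beside the defenses of Sections 4.1 and 4.2, as an added worked example that is not part of the paper or of the "shopatujjain" application. The in-memory SQLite table, the stored user record and all Python function names are constructed for the illustration; the two payloads are the ones printed in the paper.

```python
"""Added example (not the paper's code): the recoverPassword query of
Section 3.1.1 and the firstName reflection of Section 3.3.2, rebuilt in
Python on an in-memory SQLite table, each beside the fix the paper
recommends (prepared statements, Section 4.1; validate-and-encode,
Section 4.2).  Table contents and the user record are constructed."""
import html
import sqlite3
from urllib.parse import parse_qs


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the paper's v_UserPass view (one test user)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE v_UserPass (EmailAddress TEXT, Password TEXT, Answer TEXT)")
    conn.execute("INSERT INTO v_UserPass VALUES ('test@test.com', 's3cret', 'blue')")
    conn.commit()
    return conn


def parse_recovery_request(query_string: str) -> tuple:
    """Decode the two form fields of the password-recovery request; the
    paper's payload is URL-encoded (%27%29 decodes to the characters ')."""
    fields = parse_qs(query_string)
    return fields["emailAddress"][0], fields["answer"][0]


def recover_password_concat(conn, email_address: str, answer: str):
    """Vulnerable (mirrors the Java recoverPassword of Section 3.1.1): the
    values are concatenated into the SQL text, so an emailAddress ending in
    ') -- closes the WHERE clause and comments out the Answer check."""
    query = ("SELECT Password FROM v_UserPass WHERE (v_UserPass.EmailAddress = '"
             + email_address + "' AND v_UserPass.Answer = '" + answer + "') ")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def recover_password_prepared(conn, email_address: str, answer: str):
    """Hardened (Python equivalent of the PreparedStatement of Section 4.1):
    the statement text is fixed and both values are bound as parameters, so
    they are only ever compared as data and never parsed as SQL."""
    query = "SELECT Password FROM v_UserPass WHERE EmailAddress = ? AND Answer = ?"
    row = conn.execute(query, (email_address, answer)).fetchone()
    return row[0] if row else None


FIRST_NAME_MAX_LEN = 50  # constructed limit for rule i of Section 4.2


def validate_first_name(value) -> bool:
    """Rule i of Section 4.2, applied on the server: type and length limits."""
    return isinstance(value, str) and 0 < len(value) <= FIRST_NAME_MAX_LEN and value.isprintable()


def render_first_name_field_unsafe(first_name: str) -> str:
    """Vulnerable (the form of Section 3.3.2): the submitted value is written
    back into the value attribute verbatim, so "'> breaks out of it."""
    return '<input type="text" name="firstName" value="' + first_name + '">'


def render_first_name_field(first_name: str) -> str:
    """Rule ii of Section 4.2: encode at the point of use so the browser treats
    the value as text; quote=True also escapes " and ', which is what keeps
    the value inside the attribute."""
    return ('<input type="text" name="firstName" value="'
            + html.escape(first_name, quote=True) + '">')


if __name__ == "__main__":
    db = make_db()
    # Payload printed in Section 3.1.1
    email, answer = parse_recovery_request("emailAddress=test%40test.com%27%29 --&answer=anycolor")
    print("concatenated query :", recover_password_concat(db, email, answer))    # password leaks
    print("prepared statement :", recover_password_prepared(db, email, answer))  # None
    # Payload printed in Section 3.3.2
    xss = 'John"\'><script>alert("firstName parameter is vulnerable")</script>'
    print("passes validation? :", validate_first_name(xss))
    print("unsafe markup      :", render_first_name_field_unsafe(xss))
    print("encoded markup     :", render_first_name_field(xss))
```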
For several vulnerabilities presented in this application, this paper also explains defense measures which secure the application significantly. The results of the web application evaluation identify the vulnerabilities that are most challenging for a scanner to detect, and compare the effectiveness of the scanners. The assessment results can suggest areas that require further research to improve scanners' detection rates.

8. REFERENCES
[1] Sarasan S. "Detection and Prevention of Web Application Security Attacks", International Journal of Advanced Electrical and Electronics Engineering (IJAEEE), ISSN (Print): 2278-8948, Volume-2, Issue-3, 2013, pp. 29-34.
[2] International Organization for Standardization and International Electrotechnical Commission. ISO/IEC 27001:2005, Information technology – security techniques – information security management systems – requirements, 2005.
[3] National Vulnerability Database, http://nvd.nist.gov
[4] N. Antunes and M. Vieira, "Enhancing Penetration Testing with Attack Signatures and Interface Monitoring for the Detection of Injection Vulnerabilities in Web Services," Proc. IEEE Int'l Conf. Services Computing (SCC 11), IEEE CS, 2011, pp. 104-111.
[5] IBM Rational AppScan, 2008, http://www-01.ibm.com/software/awdtools/appscan/
[6] HP WebInspect, 2008, http://www.hp.com
[7] Acunetix Web Vulnerability Scanner, 2008, http://www.acunetix.com/vulnerability-scanner/
[8] Netsparker Web Vulnerability Scanner, 2012, https://www.netsparker.com/web-vulnerability-scanner/
[9] Burp Suite Web Vulnerability Scanner, https://portswigger.net/burp/
[10] Foundstone WSDigger, 2008, http://www.foundstone.com/us/resources/proddesc/wsdigger.htm
[11] wsfuzzer, 2008, http://www.neurofuzz.com/modules/software/wsfuzzer.php
[12] https://www.owasp.org/images/0/0f/OWASP_T10_-_2015_rc1.pdf
[13] Foundstone Hacme Series. McAfee Corp.
[14] WebGoat Project. OWASP. http://www.owasp.org/index.php/Category:OWASP WebGoat Project
[15] K. K. Mookhey, Nilesh Burghate, "Detection of SQL Injection and Cross-site Scripting Attacks", Symantec Connect Community, 02 November 2010.
[16] J. Weinberger, P. Saxena, D. Akhawe, M. Finifter, R. Shin, and D. Song, "A Systematic Analysis of XSS Sanitization in Web Application Frameworks", University of California, Berkeley, 2011.
[17] The OWASP Foundation, "OWASP Top Ten Web Application Security Risks", http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project, 2015.
[18] Oracle Documentation. "Using Prepared Statements", 2011. Retrieved 2012 from: http://docs.oracle.com/javase/tutorial/jdbc/basics/prepared.html
[19] Yang Guang, J. J., & Jipeng, H. "System modules interaction based stress testing model", 2014. The Second International Conference on Computer Engineering and Applications, pp. 138-141, Bali Island.
[20] Neto, A. A., Duraes, J., Vieira, M., & Madeira, H. "Assessing and Comparing Security of Web Servers", 2008. 14th IEEE Pacific International Symposium on Dependable Computing. IEEE Computer Society.
[21] Shekyan, S. Qualys Community. "Identifying Slow HTTP Attack Vulnerabilities on Web Applications", 2013.
[22] Shekyan, S. Qualys Community. "How to Protect Against Slow HTTP Attacks", 2014.
[23] Apache Software Foundation. "Security Tips, V 2.5", 2011. Retrieved 2014, from: http://httpd.apache.org/docs/2.0/misc/security_tips.html
[24] Black, P. E., Fong, E., Okun, V., & Gaucher, R. National Institute of Standards and Technology (NIST). "Software Assurance Tools: Web Application Security Scanner Functional Specification".
[25] Vieira M, Antunes N, Madeira H. "Using Web Security Scanners to Detect Vulnerabilities in Web Services", Coimbra, 2015.

IJCATM : www.ijcaonline.org
