Bitte benutzen Sie diese Kennung, um auf die Ressource zu verweisen:
https://doi.org/10.21256/zhaw-17956| Publikationstyp: | Beitrag in wissenschaftlicher Zeitschrift |
| Art der Begutachtung: | Peer review (Publikation) |
| Titel: | Improving the effectiveness of web application vulnerability scanning |
| Autor/-in: | Rennhard, Marc Esposito, Damiano Ruf, Lukas Wagner, Arno |
| et. al: | No |
| DOI: | 10.21256/zhaw-17956 |
| Erschienen in: | International Journal on Advances in Internet Technology |
| Band(Heft): | 12 |
| Heft: | 1/2 |
| Seite(n): | 12 |
| Seiten bis: | 27 |
| Erscheinungsdatum: | Jul-2019 |
| Verlag / Hrsg. Institution: | IARIA |
| ISSN: | 1942-2652 |
| Sprache: | Englisch |
| Schlagwörter: | Web application security; Vulnerability scanning; Vulnerability detection performance; Authenticated scanning; Combining multiple scanners |
| Fachgebiet (DDC): | 004: Informatik |
| Zusammenfassung: | Using web application vulnerability scanners is very appealing as they promise to detect vulnerabilities with minimal configuration effort. However, using them effectively in practice is often difficult. Two of the main reasons for this are limitations with respect to crawling capabilities and problems to perform authenticated scans. In this paper, we present JARVIS, which provides technical solutions that can be applied to a wide range of vulnerability scanners to overcome these limitations and to significantly improve their effectiveness. To evaluate JARVIS, we applied it to five freely available vulnerability scanners and tested the vulnerability detection performance in the context of seven deliberately insecure web applications. A first general evaluation showed that by using the scanners with JARVIS, the number of detected vulnerabilities can be increased by more than 100% on average compared to using the scanners without JARVIS. A significant fraction of the additionally detected vulnerabilities is security-critical, which means that JARVIS provides a true security benefit. A second, more detailed evaluation focusing on SQL injection and cross-site scripting vulnerabilities revealed that JARVIS improves the vulnerability detection performance of the scanners by 167% on average, without increasing the fraction of reported false positives. This demonstrates that JARVIS not only manages to greatly improve the vulnerability detection rate of these two highly security-critical types of vulnerabilities, but also that JARVIS is very usable in practice by keeping the false positives reasonably low. Finally, as the configuration effort to use JARVIS is small and as the configuration is scanner- independent, JARVIS also supports using multiple scanners in parallel in an efficient way. In an additional evaluation, we therefore analyzed the potential and limitations of using multiple scanners in parallel. This revealed that using multiple scanners in a reasonable way is indeed beneficial as it further increases the number of detected vulnerabilities without a significant negative impact on the reported false positives. |
| URI: | https://digitalcollection.zhaw.ch/handle/11475/17956 |
| Volltext Version: | Publizierte Version |
| Lizenz (gemäss Verlagsvertrag): | Lizenz gemäss Verlagsvertrag |
| Departement: | School of Engineering |
| Organisationseinheit: | Institut für Informatik (InIT) |
| Publiziert im Rahmen des ZHAW-Projekts: | ASAP: Plattform für die automatisierte Sicherheitsanalyse von IT-Systemen |
| Enthalten in den Sammlungen: | Publikationen School of Engineering |
Dateien zu dieser Ressource:
| Datei | Beschreibung | Größe | Format | |
|---|---|---|---|---|
| webappscan-journal.pdf | 561.87 kB | Adobe PDF |  Öffnen/Anzeigen |
Zur Langanzeige
Rennhard, M., Esposito, D., Ruf, L., & Wagner, A. (2019). Improving the effectiveness of web application vulnerability scanning. International Journal on Advances in Internet Technology, 12(1/2), 12–27. https://doi.org/10.21256/zhaw-17956
Rennhard, M. et al. (2019) ‘Improving the effectiveness of web application vulnerability scanning’, International Journal on Advances in Internet Technology, 12(1/2), pp. 12–27. Available at: https://doi.org/10.21256/zhaw-17956.
M. Rennhard, D. Esposito, L. Ruf, and A. Wagner, “Improving the effectiveness of web application vulnerability scanning,” International Journal on Advances in Internet Technology, vol. 12, no. 1/2, pp. 12–27, Jul. 2019, doi: 10.21256/zhaw-17956.
RENNHARD, Marc, Damiano ESPOSITO, Lukas RUF und Arno WAGNER, 2019. Improving the effectiveness of web application vulnerability scanning. International Journal on Advances in Internet Technology. Juli 2019. Bd. 12, Nr. 1/2, S. 12–27. DOI 10.21256/zhaw-17956
Rennhard, Marc, Damiano Esposito, Lukas Ruf, and Arno Wagner. 2019. “Improving the Effectiveness of Web Application Vulnerability Scanning.” International Journal on Advances in Internet Technology 12 (1/2): 12–27. https://doi.org/10.21256/zhaw-17956.
Rennhard, Marc, et al. “Improving the Effectiveness of Web Application Vulnerability Scanning.” International Journal on Advances in Internet Technology, vol. 12, no. 1/2, July 2019, pp. 12–27, https://doi.org/10.21256/zhaw-17956.
Alle Ressourcen in diesem Repository sind urheberrechtlich geschützt, soweit nicht anderweitig angezeigt.