Please use this identifier to cite or link to this item:
https://doi.org/10.21256/zhaw-17956Full metadata record
| DC Field | Value | Language |
|---|---|---|
| dc.contributor.author | Rennhard, Marc | - |
| dc.contributor.author | Esposito, Damiano | - |
| dc.contributor.author | Ruf, Lukas | - |
| dc.contributor.author | Wagner, Arno | - |
| dc.date.accessioned | 2019-08-22T11:11:55Z | - |
| dc.date.available | 2019-08-22T11:11:55Z | - |
| dc.date.issued | 2019-07 | - |
| dc.identifier.issn | 1942-2652 | de_CH |
| dc.identifier.uri | https://digitalcollection.zhaw.ch/handle/11475/17956 | - |
| dc.description.abstract | Using web application vulnerability scanners is very appealing as they promise to detect vulnerabilities with minimal configuration effort. However, using them effectively in practice is often difficult. Two of the main reasons for this are limitations with respect to crawling capabilities and problems to perform authenticated scans. In this paper, we present JARVIS, which provides technical solutions that can be applied to a wide range of vulnerability scanners to overcome these limitations and to significantly improve their effectiveness. To evaluate JARVIS, we applied it to five freely available vulnerability scanners and tested the vulnerability detection performance in the context of seven deliberately insecure web applications. A first general evaluation showed that by using the scanners with JARVIS, the number of detected vulnerabilities can be increased by more than 100% on average compared to using the scanners without JARVIS. A significant fraction of the additionally detected vulnerabilities is security-critical, which means that JARVIS provides a true security benefit. A second, more detailed evaluation focusing on SQL injection and cross-site scripting vulnerabilities revealed that JARVIS improves the vulnerability detection performance of the scanners by 167% on average, without increasing the fraction of reported false positives. This demonstrates that JARVIS not only manages to greatly improve the vulnerability detection rate of these two highly security-critical types of vulnerabilities, but also that JARVIS is very usable in practice by keeping the false positives reasonably low. Finally, as the configuration effort to use JARVIS is small and as the configuration is scanner- independent, JARVIS also supports using multiple scanners in parallel in an efficient way. In an additional evaluation, we therefore analyzed the potential and limitations of using multiple scanners in parallel. This revealed that using multiple scanners in a reasonable way is indeed beneficial as it further increases the number of detected vulnerabilities without a significant negative impact on the reported false positives. | de_CH |
| dc.language.iso | en | de_CH |
| dc.publisher | IARIA | de_CH |
| dc.relation.ispartof | International Journal on Advances in Internet Technology | de_CH |
| dc.rights | Licence according to publishing contract | de_CH |
| dc.subject | Web application security | de_CH |
| dc.subject | Vulnerability scanning | de_CH |
| dc.subject | Vulnerability detection performance | de_CH |
| dc.subject | Authenticated scanning | de_CH |
| dc.subject | Combining multiple scanners | de_CH |
| dc.subject.ddc | 004: Informatik | de_CH |
| dc.title | Improving the effectiveness of web application vulnerability scanning | de_CH |
| dc.type | Beitrag in wissenschaftlicher Zeitschrift | de_CH |
| dcterms.type | Text | de_CH |
| zhaw.departement | School of Engineering | de_CH |
| zhaw.organisationalunit | Institut für Informatik (InIT) | de_CH |
| dc.identifier.doi | 10.21256/zhaw-17956 | - |
| zhaw.funding.eu | No | de_CH |
| zhaw.issue | 1/2 | de_CH |
| zhaw.originated.zhaw | Yes | de_CH |
| zhaw.pages.end | 27 | de_CH |
| zhaw.pages.start | 12 | de_CH |
| zhaw.publication.status | publishedVersion | de_CH |
| zhaw.volume | 12 | de_CH |
| zhaw.publication.review | Peer review (Publikation) | de_CH |
| zhaw.webfeed | Information Security | de_CH |
| zhaw.funding.zhaw | ASAP: Plattform für die automatisierte Sicherheitsanalyse von IT-Systemen | de_CH |
| zhaw.author.additional | No | de_CH |
| Appears in collections: | Publikationen School of Engineering | |
Files in This Item:
| File | Description | Size | Format | |
|---|---|---|---|---|
| webappscan-journal.pdf | 561.87 kB | Adobe PDF |  View/Open |
Show simple item record
Rennhard, M., Esposito, D., Ruf, L., & Wagner, A. (2019). Improving the effectiveness of web application vulnerability scanning. International Journal on Advances in Internet Technology, 12(1/2), 12–27. https://doi.org/10.21256/zhaw-17956
Rennhard, M. et al. (2019) ‘Improving the effectiveness of web application vulnerability scanning’, International Journal on Advances in Internet Technology, 12(1/2), pp. 12–27. Available at: https://doi.org/10.21256/zhaw-17956.
M. Rennhard, D. Esposito, L. Ruf, and A. Wagner, “Improving the effectiveness of web application vulnerability scanning,” International Journal on Advances in Internet Technology, vol. 12, no. 1/2, pp. 12–27, Jul. 2019, doi: 10.21256/zhaw-17956.
RENNHARD, Marc, Damiano ESPOSITO, Lukas RUF und Arno WAGNER, 2019. Improving the effectiveness of web application vulnerability scanning. International Journal on Advances in Internet Technology. Juli 2019. Bd. 12, Nr. 1/2, S. 12–27. DOI 10.21256/zhaw-17956
Rennhard, Marc, Damiano Esposito, Lukas Ruf, and Arno Wagner. 2019. “Improving the Effectiveness of Web Application Vulnerability Scanning.” International Journal on Advances in Internet Technology 12 (1/2): 12–27. https://doi.org/10.21256/zhaw-17956.
Rennhard, Marc, et al. “Improving the Effectiveness of Web Application Vulnerability Scanning.” International Journal on Advances in Internet Technology, vol. 12, no. 1/2, July 2019, pp. 12–27, https://doi.org/10.21256/zhaw-17956.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.