scholarly journals On Combining Static, Dynamic and Interactive Analysis Security Testing Tools to Improve OWASP Top Ten Security Vulnerability Detection in Web Applications

2020 ◽  
Vol 10 (24) ◽  
pp. 9119
Author(s):  
Francesc Mateo Tudela ◽  
Juan-Ramón Bermejo Higuera ◽  
Javier Bermejo Higuera ◽  
Juan-Antonio Sicilia Montalvo ◽  
Michael I. Argyros
Keyword(s):  
Web Applications ◽  
Security Analysis ◽  
False Positives ◽  
Vulnerability Detection ◽  
Security Testing ◽  
Security Vulnerabilities ◽  
Security Vulnerability ◽  
Interactive Analysis ◽  
Testing Tools ◽  
Analysis Tools

The design of the techniques and algorithms used by the static, dynamic and interactive security testing tools differ. Therefore, each tool detects to a greater or lesser extent each type of vulnerability for which they are designed for. In addition, their different designs mean that they have different percentages of false positives. In order to take advantage of the possible synergies that different analysis tools types may have, this paper combines several static, dynamic and interactive analysis security testing tools—static white box security analysis (SAST), dynamic black box security analysis (DAST) and interactive white box security analysis (IAST), respectively. The aim is to investigate how to improve the effectiveness of security vulnerability detection while reducing the number of false positives. Specifically, two static, two dynamic and two interactive security analysis tools will be combined to study their behavior using a specific benchmark for OWASP Top Ten security vulnerabilities and taking into account various scenarios of different criticality in terms of the applications analyzed. Finally, this study analyzes and discuss the values of the selected metrics applied to the results for each n-tools combination.

scholarly journals Evaluation of SQL Injection Vulnerability Detection Tools

2019 ◽  
Vol 9 (1) ◽  
pp. 1747-1751
Keyword(s):  
Static Analysis ◽  
Web Applications ◽  
Source Code ◽  
False Negative ◽  
Vulnerability Detection ◽  
Sql Injection ◽  
User Input ◽  
Root Cause ◽  
Analysis Tools ◽  
Free Open Source

SQL injection vulnerabilities have been predominant on database-driven web applications since almost one decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to the back-end databases by altering the original SQL statements through manipulating user input. Testing web applications for identifying SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.

scholarly journals Towards Cross-site Scripting Vulnerability Detection in Mobile Web Applications

2018 ◽  
Vol 7 (4.1) ◽  
pp. 18
Author(s):  
Isatou Hydara ◽  
Abu Bakar Md Sultan ◽  
Hazura Zulzalil ◽  
Novia Admodisastro
Keyword(s):  
Mobile Phones ◽  
Web Applications ◽  
Personal Information ◽  
Denial Of Service ◽  
Vulnerability Detection ◽  
Security Vulnerabilities ◽  
Mobile Web ◽  
The Past ◽  
Web Developers ◽  
Cross Site

Cross-site scripting vulnerabilities are among the top ten security vulnerabilities affecting web applications for the past decade and mobile version web applications more recently. They can cause serious problems for web users such as loss of personal information to web attackers, including financial and health information, denial of service attacks, and exposure to malware and viruses. Most of the proposed solutions focused only on the Desktop versions of web applications and overlooked the mobile versions. Increasing use of mobile phones to access web applications increases the threat of cross-site scripting attacks on mobile phones. This paper presents work in progress on detecting cross-site scripting vulnerabilities in mobile versions of web applications. It proposes an enhanced genetic algorithm-based approach that detects cross-site scripting vulnerabilities in mobile versions of web applications. This approach has been used in our previous work and successfully detected the said vulnerabilities in Desktop web applications. It has been enhanced and is currently being tested in mobile versions of web applications. Preliminary results have indicated success in the mobile versions of web applications also. This approach will enable web developers find cross-site scripting vulnerabilities in the mobile versions of their web applications before their release.  

DETECTING SERVER-SIDE ENDPOINTS IN WEB APPLICATIONS BASED ON STATIC ANALYSIS OF CLIENT-SIDE JavaScript CODE

2021 ◽  
pp. 32-54
Author(s):  
D. A. Sigalov ◽  
◽  
A. A. Khashaev ◽  
D. Yu. Gamayunov ◽  
◽  
...  
Keyword(s):  
Static Analysis ◽  
Web Application ◽  
Web Applications ◽  
Security Analysis ◽  
Endpoint Detection ◽  
Security Testing ◽  
Application Security ◽  
Server Side ◽  
Dynamic Web ◽  
Client Side

The problem of server-side endpoint detection in the context of blackbox security analysis of dynamic web applications is considered. We propose a method to increase coverage of server-side endpoint detection using static analysis of client-side JavaScript code to find functions which generate HTTP requests to the server-side of the application and reconstruct parameters for those functions. In the context of application security testing, static analysis allows to find such functions even in dead or unreachable JavaScript code, which cannot be achieved by dynamic crawling or dynamic code analysis. Evaluation of the proposed method and its implementation has been done using synthetic web application with endpoints vulnerable to SQL injections, and the same application was used to compare the proposed method with existing solutions. Evaluation results show that adding JavaScript static analysis to traditional dynamic crawling of web applications may significantly improve server-side endpoint coverage in blackbox application security analysis.

Vulnerability Model-Based Web Applications Security Testing Approach

2014 ◽  
Vol 678 ◽  
pp. 468-472 ◽  
Author(s):  
Cheng He ◽  
Yan Fei Liu
Keyword(s):  
Web Applications ◽  
Behavioral Model ◽  
Security Testing ◽  
Multiple Objects ◽  
Security Vulnerabilities ◽  
Model Based ◽  
Vulnerability Model ◽  
Depth Analysis ◽  
Testing Approach ◽  
Security Test

This paper combines an analysis of structural modeling on security vulnerabilities and a focused behavioral model examination to develop a vulnerability model to depict and reason about security vulnerabilities. An in-depth analysis of the structural models and the corresponding diagram of the applications come from the investigation of not only multiple vulnerable operations on multiple objects being involved in exploiting vulnerability but also the vulnerability data and corresponding data flow inspections deriving from behavioral modeling of the application. We also propose a vulnerability model-based security testing approach that automatically generates security test sequences from vulnerability model diagram and transforms them into executable tests on the basis of the vulnerable operations and vulnerability data.

scholarly journals Benchmarking Approach to Compare Web Applications Static Analysis Tools Detecting OWASP Top Ten Security Vulnerabilities

2020 ◽  
Vol 64 (3) ◽  
pp. 1555-1577 ◽  
Author(s):  
Juan R. Bermejo Higuera ◽  
Javier Bermejo Higuera ◽  
Juan A. Sicilia Montalvo ◽  
Javier Cubo Villalba ◽  
Juan Jos�Nombela P閞ez
Keyword(s):  
Static Analysis ◽  
Web Applications ◽  
Security Vulnerabilities ◽  
Analysis Tools

Pen Testing for Web Applications

2012 ◽  
Vol 7 (3) ◽  
pp. 1-13 ◽  
Author(s):  
Ahmad Al-Ahmad ◽  
Belal Abu Ata ◽  
Abdullah Wahbeh
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Acceptable Level ◽  
Web Pages ◽  
Test Results ◽  
Security Vulnerabilities ◽  
Testing Tools ◽  
Security Levels

As many Web applications are developed daily and used extensively, it becomes important for developers and testers to improve these application securities. Pen testing is a technique that helps these developers and testers to ensure that the security levels of their Web application are at acceptable level to be used safely. Different tools are available for Pen testing Web applications; in this paper the authors compared six Pen testing tools for Web applications. The main goal of these tests is to check whether there are any security vulnerabilities in Web applications. A list of faults injected into set of Web pages is used in order to check if tools can find them as they are claimed. Test results showed that these tools are not efficient and developers should not depend solely on them.

scholarly journals ПРИМЕНЕНИЕ НЕЙРОСЕТЕЙ ДЛЯ ВЫБОРА ИНСТРУМЕНТАЛЬНЫХ СРЕДСТВ ТЕСТИРОВАНИЯ WEB-ПРИЛОЖЕНИЙ НА ПРОНИКНОВЕНИЕ

2018 ◽  
pp. 86-90
Author(s):  
Артём Григорьевич Тецкий
Keyword(s):  
Neural Networks ◽  
Web Application ◽  
Web Applications ◽  
Data Sets ◽  
Neural Net ◽  
Choice Data ◽  
Security Testing ◽  
Data Set ◽  
Testing Tools ◽  
The One

Penetration testing is conducted to detect and further to fix the security problems of the Web application. During testing, tools are actively used that allows to avoid performing a large number of monotonous operations by the tester. The problem with selecting the tools is that there are a number of similar tools for testing the same class of security problems, and it is not known which tool is most suitable for a particular case. Such a problem is most often found among novice testers, more experienced testers use their own sets of tools to find specific security problems. Such kits are formed during the work, and each tester finds the most suitable tools for him. The goal of the paper is to create a method that will help to choose a tool for a particular case, based on the experience of experts in security testing of Web applications. To achieve the goal, it is proposed to create a Web service that will use the neural net-work to solve the problem of choice. Data for training a neural network in the form of a matrix of tools and their criteria are provided by experts in the field of security testing of Web applications. To find the most suitable tool, a vector of requirements should be formed, i.e. the user of service must specify the criteria for the search. As a result of the search, several most suitable for the request tools are shown to the user. Also, the user can save the result of his choice, if it differs from the proposed one. In this way, a set of learning examples can be extended. It is advisable to have two neural networks, the first one is trained only on data from experts; the second one is trained on data from experts and on data of users who have retained their choice. The usage of neural networks allows to realize correspondence between several input data sets to the one output data set. The described method can be used to select software in various applications.

Analyzing Security Testing Tools for Web Applications

2021 ◽  
pp. 411-419
Author(s):  
Amel F. Aljebry ◽  
Yasmine M. Alqahtani ◽  
Norrozila Sulaiman
Keyword(s):  
Web Applications ◽  
Security Testing ◽  
Testing Tools

scholarly journals MODERN TOOLS FOR SECURITY TESTING FROM OWASP

2020 ◽  
Vol 22 ◽  
pp. 18-22
Author(s):  
M.-V. Lyba ◽  
L. Uhryn
Keyword(s):  
Web Application ◽  
Web Applications ◽  
Security Testing ◽  
Web Application Security ◽  
Practical Result ◽  
Software Products ◽  
Testing Tools ◽  
It Systems ◽  
Security Audits ◽  
The Moment

With the development of information technology, humanity is increasingly delving into the world of gadgets, cloud technology, virtual reality, and artificial intelligence. Through web applications, we receive and distribute information, including confidential. During the pandemic, most people switched to online work and study. As a result, most of the data stored on personal computers, company servers, and cloud storage needs protection from cyberattacks. The problem of cybersecurity at the moment is incredibly relevant due to the hacking of cryptocurrencies, websites of ministries, bitcoin wallets or social network accounts. It is necessary to conduct high-quality testing of developed applications to detect cyber threats, to ensure reliable protection of different information. The article states that when testing applications, it checks for vulnerabilities that could arise as a result of incorrect system setup or due to shortcomings in software products. The use of innovation is necessary to improve quality. Modern realities have become a challenge for the development of cybersecurity products. Improvement of technology requires modern companies to update their IT systems and conduct regular security audits. The research is devoted to the analysis of modern OWASP testing tools that contribute to data security, with a view to their further use. The Open Web Application Security Project is an open security project. The research revealed a list of the most dangerous vectors of attacks on Web-applications, in particular, OWASP ZAP performs analyzes the sent and received data system security scanning at the primary level, MSTG performs security testing of mobile applications iOS and Android mobile devices. The practical result of the work is to test a specially developed web-application and identify vulnerabilities of different levels of criticality.

Sign in / Sign up

Export Citation Format

Share Document