Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing

  • Nor Fatimah Awang
  • Azizah Abd Manaf
Part of the Communications in Computer and Information Science book series (CCIS, volume 381)


Today, web applications are becoming the most popular tool for offering a collection of services to users. However, previous research has shown that many web applications are deployed with critical vulnerabilities. Penetration testing is one of the well-known techniques frequently used to detect security vulnerabilities in web applications. It can be performed either manually or with automated tools. However, according to previous studies, automated black box tools detect more vulnerabilities but with a high false positive rate. Therefore, this paper proposes a framework that combines automated black box testing with manual penetration testing to achieve accuracy in detecting vulnerabilities in web applications.







Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Nor Fatimah Awang (1)
  • Azizah Abd Manaf (1)
  1. Advanced Informatics School (UTM AIS), UTM International Campus, Kuala Lumpur, Malaysia
