Using Vulnerability Injection to Improve Web Security

Chapter in: Innovative Technologies for Dependable OTS-Based Critical Systems

Abstract

This chapter presents a methodology to evaluate and benchmark web application vulnerability scanners using software fault injection techniques. The most common software faults are injected into the web application source code, which is then checked by the scanners. Using this procedure, we evaluated three leading commercial scanners, which are often regarded as an easy way to test the security of web applications, including for critical vulnerabilities such as XSS and SQL Injection. Our idea consists of providing the scanners with the input they are supposed to handle: a web application containing software faults and the vulnerabilities that such faults may introduce. The scanners' results are compared in terms of how efficiently they identify the potential vulnerabilities created by the injected faults, their vulnerability detection coverage, and their false positives. The results show, however, that the coverage of these tools is low and the percentage of false positives is very high.

Author information

Corresponding author

Correspondence to José Fonseca.

Copyright information

© 2013 Springer-Verlag Italia

About this chapter

Cite this chapter

Fonseca, J., Matarese, F. (2013). Using Vulnerability Injection to Improve Web Security. In: Cotroneo, D. (eds) Innovative Technologies for Dependable OTS-Based Critical Systems. Springer, Milano. https://doi.org/10.1007/978-88-470-2772-5_11

  • DOI: https://doi.org/10.1007/978-88-470-2772-5_11

  • Publisher Name: Springer, Milano

  • Print ISBN: 978-88-470-2771-8

  • Online ISBN: 978-88-470-2772-5

  • eBook Packages: Computer Science (R0)