Web Security: a black-box analysis of vulnerability scanners
Abstract
Vulnerability scanners are essential tools for monitoring imminent security risks in Web systems. Unlike the existing literature, this work presents a detailed black-box analysis of a significant set of free vulnerability scanners. The results make it possible to identify the main differences between existing scanners, contributing to a better selection of these important tools when performing vulnerability scans of Web systems.