Comparative study of the crawler module of open-source web vulnerability scanners
Abstract
Web vulnerability scanners help detect vulnerabilities in web systems in an automated way. A web vulnerability scanner is divided into three modules: the crawler module, the attacker module and the analyzer module. The crawler module is one of the main limiters of the effectiveness achieved by scanners, because if the tool is unable to reach all of a web system's functionality, many vulnerable pages will never be tested. This work presents a comparative study of the crawler module of open-source scanners and suggests adaptations so that better results can be achieved.
Published
25/11/2020
How to Cite
ESCUDERO, Danilo Pereira; R. ANDRADE, Ewerton; TERADA, Routo. Comparative study of the crawler module of open-source web vulnerability scanners. In: ESCOLA REGIONAL DE REDES DE COMPUTADORES (ERRC), 18., 2020, Online Event. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2020. p. 154-160. DOI: https://doi.org/10.5753/errc.2020.15205.