Empirical and Comparative Analysis of Vulnerability Scanning Tools in Web Applications Using OWASP BWA and Juice Shop

Abstract


In this article, we conduct an empirical and comparative analysis of the vulnerability scanning tools GoLismero, Nikto, Nuclei, OpenVAS, SecretScanner, Wapiti, and ZAP, using the well-known OWASP Broken Web Applications (BWA) project and OWASP Juice Shop as test environments. Our objective was to evaluate the effectiveness of each tool and the scope of the vulnerabilities it is able to detect. The results indicate that each tool covers only part of the vulnerabilities present in the test applications, so combining multiple tools is essential to achieve broader and more complete coverage and, consequently, greater protection against vulnerabilities and cyber threats.
Keywords: Web Application, Vulnerabilities, Scanning Tools, OWASP Top 10
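As an added illustration of the abstract's conclusion (this is example code written for this page, not code from the paper or from any of the scanners named), the script below merges findings from several scanners into one list and measures how much of the combined result each tool contributes. The per-tool records, the host `juice-shop.local`, and the mapping of finding names to OWASP Top 10 categories are all constructed for the example; real Nikto, Nuclei, Wapiti and ZAP reports use their own JSON/XML schemas, which a practitioner would first parse down to the (tool, URL, finding) triples used here.

```python
"""Merge findings from several web vulnerability scanners and measure overlap.

Added illustrative example, not code from the paper. The records below are
constructed and simplified: they are NOT the real output schemas of Nikto,
Nuclei, Wapiti or ZAP. The OWASP Top 10 mapping is an assumption for the demo.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample findings: (tool, url, finding name).
# Different tools report the same issue with different query strings,
# so the merge must normalize URLs before comparing.
SAMPLE_FINDINGS = [
    ("nikto",  "http://juice-shop.local/ftp/",                    "Directory indexing"),
    ("nikto",  "http://juice-shop.local/",                        "Missing X-Frame-Options header"),
    ("nuclei", "http://juice-shop.local/",                        "Missing X-Frame-Options header"),
    ("nuclei", "http://juice-shop.local/rest/products/search?q=", "SQL injection"),
    ("wapiti", "http://juice-shop.local/rest/products/search?q=1", "SQL injection"),
    ("wapiti", "http://juice-shop.local/search?q=",               "Reflected XSS"),
    ("zap",    "http://juice-shop.local/search?q=x",              "Reflected XSS"),
    ("zap",    "http://juice-shop.local/rest/user/login",         "Verbose error message"),
]

# Assumed mapping from finding name to an OWASP Top 10 (2021) category.
CATEGORY = {
    "Directory indexing": "A05 Security Misconfiguration",
    "Missing X-Frame-Options header": "A05 Security Misconfiguration",
    "SQL injection": "A03 Injection",
    "Reflected XSS": "A03 Injection",
    "Verbose error message": "A05 Security Misconfiguration",
}


def normalize(url: str) -> str:
    """Reduce a URL to host + path so query-string variants of one endpoint collapse."""
    parts = urlsplit(url)
    return f"{parts.netloc}{parts.path}"


def merge(findings):
    """Group findings by (normalized URL, finding name) -> set of tools that reported it."""
    merged = defaultdict(set)
    for tool, url, name in findings:
        merged[(normalize(url), name)].add(tool)
    return merged


def coverage_report(findings):
    """Distinct findings per tool, size of the union, and findings only one tool saw."""
    merged = merge(findings)
    per_tool = defaultdict(int)
    for tools in merged.values():
        for tool in tools:
            per_tool[tool] += 1
    only_one = {key: next(iter(tools)) for key, tools in merged.items() if len(tools) == 1}
    return {"per_tool": dict(per_tool), "union": len(merged), "only_one_tool": only_one}


def category_coverage(findings):
    """OWASP Top 10 categories touched by each tool, and their union."""
    by_tool = defaultdict(set)
    for tool, _url, name in findings:
        by_tool[tool].add(CATEGORY.get(name, "Unmapped"))
    union = set().union(*by_tool.values())
    return dict(by_tool), union


if __name__ == "__main__":
    report = coverage_report(SAMPLE_FINDINGS)
    print("distinct findings per tool:", report["per_tool"])
    print("union of all tools:", report["union"])
    for (url, name), tool in report["only_one_tool"].items():
        print(f"  only {tool} reported '{name}' at {url}")
    by_tool, union = category_coverage(SAMPLE_FINDINGS)
    for tool, cats in sorted(by_tool.items()):
        print(f"{tool}: {sorted(cats)}")
    print("categories covered by the combination:", sorted(union))
```

On the constructed input each scanner reports two distinct findings while the merged set contains five, and two of those five come from a single tool; that gap between any one tool and the union is the coverage argument the abstract makes. Deduplicating on a normalized URL matters in practice: without it, the same SQL injection reported with `q=` and `q=1` would be counted twice and inflate the apparent coverage.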

Published
2024-11-27
ROSA, Ricardo; KREUTZ, Diego; GARCIA, Marcelino; PEREIRA, Santiago; MANSILHA, Rodrigo. Empirical and Comparative Analysis of Vulnerability Scanning Tools in Web Applications Using OWASP BWA and Juice Shop. In: REGIONAL SCHOOL OF COMPUTER NETWORKS (ERRC), 21., 2024, Rio Grande/RS. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 183-188. DOI: https://doi.org/10.5753/errc.2024.4689.