A Semi Automated Approach to Assess Web Vulnerability Scanner Tools Effectiveness
Abstract
Nowadays, software products are developed with security vulnerabilities due to bad coding. Vulnerability scanner tools automatically detect security vulnerabilities in web applications; thus, trustworthiness of the results of these tools is essential, yet their results are sometimes evaluated manually or even empirically. This work presents a semi-automated approach, based on fault injection techniques, to assess the efficacy of these tools. Three scanner tools were assessed in the presence of realistic software faults responsible for security vulnerabilities in web applications. Results show that the approach is effective and has the advantage of predicting security vulnerabilities through the fault injection techniques.
Published
11/11/2013
How to Cite
BASSO, Tania; MORAES, Regina L. O.; JINO, Mario. A Semi Automated Approach to Assess Web Vulnerability Scanner Tools Effectiveness. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 13., 2013, Manaus. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2013. p. 72-85. DOI: https://doi.org/10.5753/sbseg.2013.19537.