Enhancing the Performance of Web Application Security Testing: An In-Depth Analysis and Optimization of Web Vulnerability Scanners
Alazmi, Suliman. (2023-12). Enhancing the Performance of Web Application Security Testing: An In-Depth Analysis and Optimization of Web Vulnerability Scanners. Theses and Dissertations Collection, University of Idaho Library Digital Collections. https://www.lib.uidaho.edu/digital/etd/items/alazmi_idaho_0089e_12724.html
- Title: Enhancing the Performance of Web Application Security Testing: An In-Depth Analysis and Optimization of Web Vulnerability Scanners
- Author: Alazmi, Suliman
- Date: 2023-12
- Embargo Remove Date: 2024-12-18
- Program: Computer Science
- Subject Category: Computer science
- Abstract:
Web applications have become an indispensable part of our lives today. Meanwhile, hackers' exploitation of web application vulnerabilities is increasing, and the damages caused are devastating. Web application vulnerability scanners (WVS's) are tools that have been considered to remediate this situation. However, these tools differ in their effectiveness and their quality of use. In this dissertation we provide four contributions:
Firstly, we conducted a Systematic Literature Review (SLR) on the most frequently used WVS's. A total of 90 research papers were carefully evaluated. Thirty (30) WVS's were collected and reported, with only 12 having at least one quantitative assessment of effectiveness. These 12 WVS's were evaluated by 15 original evaluation studies. We found that these evaluations tested mostly only two of the Open Web Application Security Project (OWASP) Top Ten vulnerability types: SQL injection (SQLi) (13/15) and Cross-Site Scripting (XSS) (8/15). We also found that the reported detection rates were highly dissimilar between these 15 evaluations.
Secondly, we evaluated the performance of four well-known web vulnerability scanners (Burp Suite Pro, OWASP ZAP, Arachni and Wapiti) in detecting the OWASP Top Ten vulnerability types by running them against three benchmark web applications (Mutillidae, bWAPP, WebGoat). Our comparative results showed that the web vulnerability scanners were effective in detecting only a very few of the OWASP Top Ten vulnerability types.
Thirdly, we conducted a statistical study to measure the quality of use of four web vulnerability scanners. The quality of use was measured using the Software Usability Measurement Inventory (SUMI). The results suggested that OWASP ZAP and Burp Suite Pro were more positively perceived by the participants in terms of their Affect and Learnability, while Wapiti was less positively perceived by the participants in terms of their Efficiency, Affect and Controllability.
Fourthly, we proposed a new set of scanning rules that help improve the detection capability of OWASP ZAP for SQL injection attacks. The proposed rules have been tested on a set of benchmark vulnerable web applications and have been shown to significantly improve the detection of SQL injection attacks by OWASP ZAP.
- Description: doctoral, Ph.D., Computer Science -- University of Idaho - College of Graduate Studies, 2023-12
- Major Professor: Conte de Leon, Danil
- Committee: Song, Jia; Sarathchandra, Dilshani; Steiner, Stu; Soule, Terence
- Defense Date: 2023-12
- Identifier: Alazmi_idaho_0089E_12724
- Type: Text
- Format Original:
- Format: application/pdf
- Rights: In Copyright - Educational Use Permitted. For more information, please contact University of Idaho Library Special Collections and Archives Department at libspec@uidaho.edu.
- Standardized Rights: http://rightsstatements.org/vocab/InC-EDU/1.0/