theme image
State of the art automated black-box web application vulnerability testingState of the art automated black-box web application vulnerability testing
  1. publications
  2. web security

State of the art automated black-box web application vulnerability testing

Available Media

Publication (Pdf)

Slides (pdf)

ConferenceSecurity and Privacy (S&P) - 2010
AuthorsJason Bau , Elie Bursztein , Divij Gupta ,
Citation

Bibtex Citation

@inproceedings{ BAU2010STATE,title = {State of the art automated black-box web application vulnerability testing},author = {"Jason, Bau" and "Elie, Bursztein" and "Divij, Gupta" and "John C., Mitchell"},booktitle = {Security and Privacy},year = {2010},organization = {IEEE}}

Black-box web application vulnerability scanners are automated tools that probe web applications for security vulnerabilities. In order to assess the current state of the art, we obtained access to eight leading tools and carried out a study of: (i) the class of vulnerabilities tested by these scanners, (ii) their effectiveness against target vulnerabilities, and (iii) the relevance of the target vulnerabilities to vulnerabilities found in the wild. To conduct our study we used a custom web application vulnerable to known and projected vulnerabilities, and previous versions of widely used web applications containing known vulnerabilities. Our results show the promise and effectiveness of automated tools, as a group, and also some limitations. In particular, “stored” forms of Cross Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities are not currently found by many tools. Because our goal is to assess the potential of future research, not to evaluate specific vendors, we do not report comparative data or make any recommendations about purchase of specific tools.

Recent

newsletter signup slide

Get cutting edge research directly in your inbox.

newsletter signup slide

Get cutting edge research directly in your inbox.