Building a test suite for web application scanners

Proceedings of the Annual Hawaii International Conference on System Sciences

Volumn , Issue , 2008, Pages

  Fong, Elizabeth ^a   Gaucher, Romain ^a   Okun, Vadim ^a   Black, Paul E ^a   Dalci, Eric ^b  

^a NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY   (United States)

^b Cigital   (United States)

Author keywords

Black box testing; Software assurance; Software security; Vulnerability; Web application; Web application scanners

Indexed keywords

APPLICATIONS; COMPUTER NETWORKS; WORLD WIDE WEB;

BLACK BOX TESTING; SOFTWARE ASSURANCE; SOFTWARE SECURITY; VULNERABILITY; WEB APPLICATION; WEB APPLICATION SCANNERS;

SCANNING;

EID: 51449121189     PISSN: 15301605     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/HICSS.2008.79     Document Type: Conference Paper

References (26)

1. 4th language in the TPCI, March 2007 http://www.tiobe.com/tpci.htm
2. Acunetix Web Vulnerability Scanner, http://www.acunetix.com/
3. Ajax Technologies, http://adaptivepath.com/publications/essays/archives/ 000385.php
4. Ajax Worms, http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
5. Sean Barnum, Amit Sethi, Attack Pattern Glossary, in Build Security In. https://buildsecurityin.uscert.gov/daisy/bsi/articles/knowledge/attack/590.pdf
6. Cenzic Hailstorm http://www.cenzic.com/products_services/ cenzic_hailstorm.php
7. Chinotec Technology Company, Paros for Web Application Security Assessment, http://parosproxy.org/index.shtml
8. Steve Christey, "Vulnerability Type Distributions in CVE," http://cwe.mitre.org/documents/vulntrends.html, Oct. 2006
9. Common Attack Pattern Enumeration and Classification (CAPEC) http://capec.mitre.org/
10. E. Fong and V. Okun, "Web Application Scanners: Definitions and Functions," in Proceedings of HICSS-40 Conference, Jan 3-6, 2007, Hawaii, USA.
11. Jeremiah Grossman, The Five Myths of Web Application Security, WhiteHat Security, Inc, 2005.
12. Shanit Gupta, Foundstone Hacme Bank v. 2.0 Software Security Training Application, April 2006, http://www.foundstone.com/resources/whitepapers/ hacmebank_userguide2.pdf
13. Robert Hansen, Cross Site Scripting Cheating Sheet, http://ha.ckers.org/ xss.html
14. G. McGraw, "Software Security: Building Security In", Addison-Wesley Software Security Series, 2006
15. National Vulnerability Database (NVD), http://nvd.nist.gov/
16. National Institute of Standards and Technology (NIST), "quot;Engineering Principles for Information Technology Security (A Baseline for Achieving Security)"quot;, NIST SP 800-27, Revision A, June 2004, http://csrc.nist.gov/publications/nistpubs/
17. OWASP, Top Ten Project, http://www.owasp.org/index.php/ OWASP_Top_Ten_Project
18. OWASP, Pantera Web Assessment Studio Project, http://www.owasp.org/index. php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
19. OWASP Site Generator Project, http://www.owasp.org/index.php/ Owasp_SiteGenerator
20. OWASP, WebGoat Project, http://www.owasp.org/software/webgoat.html.
21. Prescatore, John, Gartner, quoted in Computerworld, Feb 25, 2005. http://www.computerworld.com/printhis/2005/0,4814,99981,00.html
22. SAMATE Reference Dataset, http://samate.nist.gov/SRD/
23. SAMATE project Web Application Scanners, http://samate.nist.gov/index. php/Web_Application_Vulnerability_Scanners
24. SpiDynamics, WebInspect http://www.spidynamics.com/products/webinspect/ index.html
25. Web Application Security Consortium, WASC, "Threat Classification," http://www.webappsec.org/projects/threat/
26. Watchfire, AppScan http://www.watchfire.com/products/appscan/default.aspx