Why Johnny can't pentest: An analysis of black-box web vulnerability scanners

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 6201 LNCS, Issue , 2010, Pages 111-131

  Doupé, Adam ^a   Cova, Marco ^a   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

AUTOMATED DETECTION; BLACK BOXES; HUMAN SUPPORT; JAVASCRIPT; OPEN-SOURCE; SECURITY ISSUES; VULNERABILITY DETECTION; VULNERABILITY SCANNER; WEB APPLICATION;

COMPUTER CRIME; SCANNING; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 77955036132     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-642-14215-4_7     Document Type: Conference Paper

References (24)

1. AnantaSec: Web Vulnerability Scanners Evaluation (January 2009), http://anantasec.blogspot.com/2009/01/web-vulnerabilityscanners- comparison.html
2. Balzarotti, D., Cova, M., Felmetsger, V., Vigna, G.: Multi-module Vulnerability Analysis of Web-based Applications. In: Proceedings of the ACM conference on Computer and Communications Security (CCS), pp. 25-35 (2007)
3. Curphey, M., Araujo, R.: Web Application Security Assessment Tools. IEEE Security and Privacy 4(4), 32-41 (2006)
4. CVE: Common Vulnerabilities and Exposures, http://www.cve.mitre.org
5. Foundstone: Hacme Bank v2.0 (May 2006), http://www.foundstone.com/us/ resources/proddesc/hacmebank.htm
6. Grossman, J.: Challenges of Automated Web Application Scanning. In: BlackHat Windows Security Conference (2004)
7. Kals, S., Kirda, E., Kruegel, C., Jovanovic, N.: SecuBat: A Web Vulnerability Scanner. In: Proceedings of the International World Wide Web Conference (2006)
8. McAllister, S., Kruegel, C., Kirda, E.: Leveraging User Interactions for In-Depth Testing of Web Applications. In: Proceedings of the Symposium on Recent Advances in Intrusion Detection (2008)
9. Open Security Foundation: OSF DataLossDB: Data Loss News, Statistics, and Research, http://datalossdb.org/
10. Open Web Application Security Project (OWASP): OWASP SiteGenerator, http://www.owasp.org/index.php/OWASP-SiteGenerator
11. Open Web Application Security Project (OWASP): OWASPWebGoat Project, http://www.owasp.org/index.php/Category:OWASP-WebGoat-Project
12. Open Web Application Security Project (OWASP): Web Input Vector Extractor Teaser, http://code.google.com/p/wivet/
13. Open Web Application Security Project (OWASP): OWASP Top Ten Project (2010), http://www.owasp.org/index.php/Top-10
14. OpenID Foundation: OpenID, http://openid.net/
15. PCI Security Standards Council: PCI DDS Requirements and Security Assessment Procedures, v1.2 (October 2008)
16. Peine, H.: Security Test Tools for Web Applications. Tech. Rep. 048.06, Fraunhofer IESE (January 2006)
17. Provos, N., Mavrommatis, P., Rajab, M., Monrose, F.: All Your iFRAMEs Point to Us. In: Proceedings of the USENIX Security Symposium, pp. 1-16 (2008)
18. RSnake: Sql injection cheat sheet, http://ha.ckers.org/sqlinjection/
19. RSnake: XSS (Cross Site Scripting) Cheat Sheet, http://ha.ckers.org/xss. html
20. Small, S., Mason, J., Monrose, F., Provos, N., Stubblefield, A.: To Catch a Predator: A Natural Language Approach for Eliciting Malicious Payloads. In: Proceedings of the USENIX Security Symposium (2008)
21. Suto, L.: Analyzing the Effectiveness and Coverage of Web Application Security Scanners (October 2007) (case Study)
22. Suto, L.: Analyzing the Accuracy and Time Costs of Web Application Security Scanners (Feburary 2010)
23. Vieira,M., Antunes, N.,Madeira, H.: UsingWeb Security Scanners to Detect Vulnerabilities in Web Services. In: Proceedings of the Conference on Dependable Systems and Networks (2009)
24. Wiegenstein, A., Weidemann, F., Schumacher, M., Schinzel, S.: Web Application Vulnerability Scanners-a Benchmark. Tech. rep., Virtual Forge GmbH (October 2006)