State of the art: Automated black-box web application vulnerability testing

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2010, Pages 332-345

  Bau, Jason ^a   Bursztein, Elie ^a   Gupta, Divij ^a   Mitchell, John ^a  

^a STANFORD UNIVERSITY   (United States)

Author keywords

Black box testing; Security standards compliance; Vulnerability detection; Web application security

Indexed keywords

AUTOMATED TOOLS; BLACK BOXES; BLACK-BOX TESTING; COMPARATIVE DATA; CROSS-SITE SCRIPTING; SECURITY STANDARDS; SECURITY VULNERABILITIES; SPECIFIC TOOL; SQL INJECTION; STATE OF THE ART; VULNERABILITY DETECTION; WEB APPLICATION; WEB APPLICATION SECURITY; WEB APPLICATION VULNERABILITY;

AUTOMATION; PURCHASING; REGULATORY COMPLIANCE; SCANNING; STANDARDS; WORLD WIDE WEB;

SECURITY OF DATA;

EID: 77955207391     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2010.27     Document Type: Conference Paper

References (35)

1. StrongWebmail CEO's mail account hacked via XSS. ZDNet. [Online]. Available: http://blogs.zdnet.com/security/?p=3514
2. D. Litchfield. SQL Injection and Data Security Breaches. [Online]. Available: http://www.davidlitchfield.com/blog/archives/00000001.htm
3. Websites of WHO and MI5 Hacked Using XSS Attacks. Spamfigher.com. [Online]. Available: http://tinyurl.com/yfqauzo
4. Approved Scanning Vendors. Payment Card Industry Security Standards Council. [Online]. Available: https://www.pcisecuritystandards.org/pdfs/asv report.html
5. VUPEN Security. [Online]. Available: http://www.vupen.com
6. National Vulnerability Database. Dept. of Homeland Security National Cyber Security Division. [Online]. Available:http://web.nvd.nist.gov
7. Software Assurance Tools: Web Application Security Scanner Functional Specification, National Institute of Standards and Technology Std., Rev. 1.0.
8. Web Application Security Scanner Evaluation Criteria. Web Application Security Consortium. [Online]. Available: http://projects.webappsec.org/Web- Application-Security-Scanner-Evaluation-Criteria
9. OWASP Top Ten Project. Open Web Application Security Project. [Online]. Available: http://www.owasp.org/index.php/Category:OWASP-Top-Ten-Project
10. Web Security Threat Classification. Web Application Security Consortium. [Online]. Available: http://www.webappsec.org/projects/threat/
11. Common Weakness Enumeration. [Online]. Available: http://cwe.mitre.org
12. H. Bojinov, E. Bursztein, and D. Boneh, "Xcs: cross channel scripting and its impact on web applications," in CCS '09:Proceedings of the 16th ACM conference on Computer and communications security. New York, NY, USA: ACM, 2009, pp. 420-431.
13. Common Vulnerabilities and Exposures. [Online]. Available: http://cve.mitre.org
14. D. Kaminsky, "Black Ops of PKI," BlackHat USA, August 2009.
15. M. Marlinspike, "More Tricks For Defeating SSL," BlackHat USA, August 2009.
16. E. V. Nava and D. Lindsay, "Our Favorite XSS Filters and How to Attack Them," BlackHat USA, August 2009.
17. Open Web Application Security Project. [Online]. Available: http://www.owasp.org
18. Web Application Security Consortium. [Online]. Available: http://www.wasc.org
19. Web Application Security Statistics. Web Application Security Consortium. [Online]. Available: http://projects.webappsec.org/Web-Application-Security- Statistics
20. G. Wassermann and Z. Su, "Sound and precise analysis of web applications for injection vulnerabilities," SIGPLAN Not., vol. 42, no. 6, pp. 32-41, 2007.
21. M. S. Lam, M. Martin, B. Livshits, and J. Whaley, "Securing web applications with static and dynamic information flow tracking," in PEPM '08: Proceedings of the 2008 ACM SIGPLAN symposium on Partial evaluation and semantics-based program manipulation. New York, NY, USA: ACM, 2008, pp. 3-12.
22. A. Kiėzun, P. J. Guo, K. Jayaraman, and M. D. Ernst, "Automatic creation of SQL injection and cross-site scripting attacks," in ICSE'09, Proceedings of the 30th International Conference on Software Engineering, Vancouver, BC, Canada, May 20-22, 2009.
23. N. Jovanovic, C. Kruegel, and E. Kirda, "Pixy: A static analysis tool for detecting web application vulnerabilities (short paper)," in 2006 IEEE Symposium on Security and Privacy, 2006, pp. 258-263. [Online]. Available: http://www.iseclab.org/papers/pixy.pdf
24. Y.-W. Huang, F. Yu, C. Hang, C.-H. Tsai, D.-T. Lee, and S.-Y. Kuo, "Securing web application code by static analysis and runtime protection," in WWW '04: Proceedings of the 13th international conference on World Wide Web. New York, NY, USA: ACM, 2004, pp. 40-52.
25. S. Kals, E. Kirda, C. Kruegel, and N. Jovanovic, "Secubat: a web vulnerability scanner," in WWW '06: Proc. 15th Int'l Conf. World Wide Web, 2006, pp. 247-256.
26. S. Mcallister, E. Kirda, and C. Kruegel, "Leveraging user interactions for in-depth testing of web applications," in RAID '08: Proc. 11th Int'l Symp. Recent Advances in Intrusion Detection, 2008, pp. 191-210.
27. F. Maggi, W. K. Robertson, C. Kr̈ugel, and G. Vigna, "Protecting a moving target: Addressing web application concept drift," in RAID, 2009, pp. 21-40.
28. Web Application Attack and Audit Framework. [Online]. Available: http://w3af.sourceforge.net/
29. Powerfuzzer. [Online]. Available: http://www.powerfuzzer.com/
30. CIRT.net Nikto Scanner. [Online]. Available: http://cirt.net/nikto2
31. WebGoat Project. OWASP. [Online]. Available: http://www.owasp.org/index. php/Category:OWASP-WebGoat-Project
32. HacmeBank. McAfee Corp. [Online]. Available: http://www.foundstone.com/ us/resources/proddesc/hacmebank.htm
33. AltoroMutual Bank. Watchfire Corp. [Online]. Available:http://demo. testfire.net/
34. Larry Suto. Analyzing the Accuracy and Time Costs of Web Application Security Scanners. [Online]. Available: http://ha.ckers.org/files/Accuracy-and- Time-Costs-of-Web-App-Scanners.pdf
35. J. Fonseca, M. Vieira, and H. Madeira, "Testing and comparing web vulnerability scanning tools for sql injection and xss attacks," Pacific Rim Int'l Symp. Dependable Computing, IEEE, vol. 0, pp. 365-372, 2007.