Please use this identifier to cite or link to this item: https://doi.org/10.21256/zhaw-17956
Publication type: Article in scientific journal
Type of review: Peer review (publication)
Title: Improving the effectiveness of web application vulnerability scanning
Authors: Rennhard, Marc
Esposito, Damiano
Ruf, Lukas
Wagner, Arno
et. al: No
DOI: 10.21256/zhaw-17956
Published in: International Journal on Advances in Internet Technology
Volume(Issue): 12
Issue: 1/2
Page(s): 12
Pages to: 27
Issue Date: Jul-2019
Publisher / Ed. Institution: IARIA
ISSN: 1942-2652
Language: English
Subjects: Web application security; Vulnerability scanning; Vulnerability detection performance; Authenticated scanning; Combining multiple scanners
Subject (DDC): 004: Computer science
Abstract: Using web application vulnerability scanners is very appealing as they promise to detect vulnerabilities with minimal configuration effort. However, using them effectively in practice is often difficult. Two of the main reasons for this are limitations with respect to crawling capabilities and problems to perform authenticated scans. In this paper, we present JARVIS, which provides technical solutions that can be applied to a wide range of vulnerability scanners to overcome these limitations and to significantly improve their effectiveness. To evaluate JARVIS, we applied it to five freely available vulnerability scanners and tested the vulnerability detection performance in the context of seven deliberately insecure web applications. A first general evaluation showed that by using the scanners with JARVIS, the number of detected vulnerabilities can be increased by more than 100% on average compared to using the scanners without JARVIS. A significant fraction of the additionally detected vulnerabilities is security-critical, which means that JARVIS provides a true security benefit. A second, more detailed evaluation focusing on SQL injection and cross-site scripting vulnerabilities revealed that JARVIS improves the vulnerability detection performance of the scanners by 167% on average, without increasing the fraction of reported false positives. This demonstrates that JARVIS not only manages to greatly improve the vulnerability detection rate of these two highly security-critical types of vulnerabilities, but also that JARVIS is very usable in practice by keeping the false positives reasonably low. Finally, as the configuration effort to use JARVIS is small and as the configuration is scanner- independent, JARVIS also supports using multiple scanners in parallel in an efficient way. In an additional evaluation, we therefore analyzed the potential and limitations of using multiple scanners in parallel. This revealed that using multiple scanners in a reasonable way is indeed beneficial as it further increases the number of detected vulnerabilities without a significant negative impact on the reported false positives.
URI: https://digitalcollection.zhaw.ch/handle/11475/17956
Fulltext version: Published version
License (according to publishing contract): Licence according to publishing contract
Departement: School of Engineering
Organisational Unit: Institute of Computer Science (InIT)
Published as part of the ZHAW project: ASAP: Plattform für die automatisierte Sicherheitsanalyse von IT-Systemen
Appears in collections:Publikationen School of Engineering

Files in This Item:
File Description SizeFormat 
webappscan-journal.pdf561.87 kBAdobe PDFThumbnail
View/Open
Show full item record
Rennhard, M., Esposito, D., Ruf, L., & Wagner, A. (2019). Improving the effectiveness of web application vulnerability scanning. International Journal on Advances in Internet Technology, 12(1/2), 12–27. https://doi.org/10.21256/zhaw-17956
Rennhard, M. et al. (2019) ‘Improving the effectiveness of web application vulnerability scanning’, International Journal on Advances in Internet Technology, 12(1/2), pp. 12–27. Available at: https://doi.org/10.21256/zhaw-17956.
M. Rennhard, D. Esposito, L. Ruf, and A. Wagner, “Improving the effectiveness of web application vulnerability scanning,” International Journal on Advances in Internet Technology, vol. 12, no. 1/2, pp. 12–27, Jul. 2019, doi: 10.21256/zhaw-17956.
RENNHARD, Marc, Damiano ESPOSITO, Lukas RUF und Arno WAGNER, 2019. Improving the effectiveness of web application vulnerability scanning. International Journal on Advances in Internet Technology. Juli 2019. Bd. 12, Nr. 1/2, S. 12–27. DOI 10.21256/zhaw-17956
Rennhard, Marc, Damiano Esposito, Lukas Ruf, and Arno Wagner. 2019. “Improving the Effectiveness of Web Application Vulnerability Scanning.” International Journal on Advances in Internet Technology 12 (1/2): 12–27. https://doi.org/10.21256/zhaw-17956.
Rennhard, Marc, et al. “Improving the Effectiveness of Web Application Vulnerability Scanning.” International Journal on Advances in Internet Technology, vol. 12, no. 1/2, July 2019, pp. 12–27, https://doi.org/10.21256/zhaw-17956.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.