Publication type: Conference paper
Type of review: Peer review (publication)
Title: Exploiting the potential of web application vulnerability scanning
Authors: Esposito, Damiano
Rennhard, Marc
Ruf, Lukas
Wagner, Arno
DOI: 10.21256/zhaw-3927
Proceedings: ICIMP 2018 - The Thirteenth International Conference on Internet Monitoring and Protection
Pages: 22-29
Conference details: ICIMP 2018 the Thirteenth International Conference on Internet Monitoring and Protection, Barcelona, Spain, 22-26 July 2018
Issue Date: 2018
Publisher / Ed. Institution: IARIA
Language: English
Subjects: Web application security; Vulnerability scanning; Vulnerability detection performance
Subject (DDC): 005: Computer programming, programs and data
Abstract: Using automated web application vulnerability scanners so that they truly live up to their potential is difficult. Two of the main reasons for this are limitations in crawling capabilities and difficulties in performing authenticated scans. In this paper, we present JARVIS, which provides technical solutions that can be applied to a wide range of vulnerability scanners to overcome these limitations. Our evaluation shows that by using JARVIS, the vulnerability detection performance of five freely available scanners can be improved by more than 100% compared to using them in their basic configuration. As the configuration effort for JARVIS is small and the configurations are scanner-independent, JARVIS also makes it efficient to use multiple scanners in parallel. In an additional evaluation, we therefore analyzed the potential and limitations of using multiple scanners in parallel. This revealed that using multiple scanners in a reasonable way is indeed beneficial, as it increases the number of detected vulnerabilities without a significant negative impact on the number of reported false positives.
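The abstract's second evaluation rests on one mechanical step: findings from several scanners have to be mapped onto a common identity before their union can be counted, otherwise the same flaw reported under two vendor names inflates the detection count and per-payload URL variants inflate the false positives. The block below is an added example of that merge-and-score step, not code from the paper or from JARVIS; the alias table, the scanner rows, the ground truth and the finding key (path, parameter, class) are all constructed assumptions for illustration.

```python
"""Merge findings from several web vulnerability scanners and score them
against a known set of vulnerabilities. Added example; the alias table,
scanner reports and ground truth are constructed, not taken from the paper."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Scanner-specific vulnerability names mapped onto a common class (assumed table;
# real scanners need one entry per name they emit).
CLASS_ALIASES = {
    "xss": "xss",
    "reflected xss": "xss",
    "cross site scripting (reflected)": "xss",
    "sqli": "sqli",
    "sql injection": "sqli",
    "blind sql injection": "sqli",
    "path traversal": "path_traversal",
    "directory traversal": "path_traversal",
}


@dataclass(frozen=True)
class Finding:
    path: str   # URL path only: scheme, host, query and payload are not part of the identity
    param: str  # injection point (query/body parameter), "" if the scanner reports none
    cls: str    # normalized vulnerability class


def normalize_class(name: str) -> str:
    """Collapse whitespace/case and map vendor names to the common class."""
    key = " ".join(name.strip().lower().split())
    return CLASS_ALIASES.get(key, key)


def normalize_path(url: str) -> str:
    """Keep only the path, so http/https, host and per-payload query strings match."""
    path = urlsplit(url).path or "/"
    return path.rstrip("/") or "/"


def parse_report(rows):
    """rows: iterable of (url, parameter, scanner_vuln_name) as a scanner would emit."""
    return {Finding(normalize_path(u), (p or "").strip(), normalize_class(n)) for u, p, n in rows}


def merge_reports(reports):
    """Union of all scanners' findings; identical findings collapse to one."""
    merged = set()
    for findings in reports.values():
        merged |= findings
    return merged


def evaluate(findings, ground_truth):
    """True positives, false positives and missed vulnerabilities for one result set."""
    return {
        "tp": len(findings & ground_truth),
        "fp": len(findings - ground_truth),
        "fn": len(ground_truth - findings),
    }


# Constructed ground truth: what a test application is known to contain.
GROUND_TRUTH = {
    Finding("/search.php", "q", "xss"),
    Finding("/login.php", "user", "sqli"),
    Finding("/download.php", "file", "path_traversal"),
    Finding("/profile.php", "id", "sqli"),
}

# Constructed reports from two hypothetical scanners, each with one false positive.
SCANNER_ROWS = {
    "A": [
        ("http://target.example/search.php?q=%3Cscript%3E&PHPSESSID=abc", "q", "Cross Site Scripting (Reflected)"),
        ("http://target.example/login.php?user=x%27", "user", "SQL Injection"),
        ("http://target.example/index.php?page=1", "page", "Reflected XSS"),
    ],
    "B": [
        ("https://target.example/search.php?q=1", "q", "xss"),
        ("https://target.example/download.php?file=../../etc/passwd", "file", "Directory Traversal"),
        ("https://target.example/contact.php?msg=x", "msg", "sqli"),
    ],
}


def run_comparison():
    """Per-scanner scores plus the score of the deduplicated union."""
    reports = {name: parse_report(rows) for name, rows in SCANNER_ROWS.items()}
    results = {name: evaluate(f, GROUND_TRUTH) for name, f in reports.items()}
    results["union"] = evaluate(merge_reports(reports), GROUND_TRUTH)
    return results


if __name__ == "__main__":
    for name, r in run_comparison().items():
        print(f"{name:>6}: {r}")
```

On the constructed input each scanner alone finds two of four vulnerabilities with one false positive; the union finds three while the false positives add up to two, because the shared XSS finding is counted once after normalization. Without the path and class normalization the same XSS would appear as two distinct findings, which is exactly the kind of double counting that makes raw multi-scanner numbers look better than they are.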
Fulltext version: Published version
License (according to publishing contract): Licence according to publishing contract
Departement: School of Engineering
Organisational Unit: Institute of Applied Information Technology (InIT)
Published as part of the ZHAW project: ASAP: Plattform für die automatisierte Sicherheitsanalyse von IT-Systemen (Platform for the Automated Security Analysis of IT Systems)
Appears in collections: Publikationen School of Engineering

Files in This Item:
File: icimp_2018_2_10_30010.pdf (Paper, 319.6 kB, Adobe PDF)
