An Analysis of Black-box Web Vulnerability Scanners
Page 1 of 1
An Analysis of Black-box Web Vulnerability Scanners
Abstract
Black-box web vulnerability scanners are a class of tools that can be used to identify security issues in web applications. These tools are often marketed as “point-and-click pentesting” tools that automatically evaluate the security of web applications with little or no human support.These tools access a web application in the same way users do, and, therefore, have the advantage of being independent of the particular technology used to implement the web application.
However, these tools need to be able to access and test the application’s various components, which are often hidden behind forms, JavaScript-generated links,and Flash applications.This paper presents an evaluation of eleven black-box web vulnerability scanners,both commercial and open source. The evaluation composes different types of vulnerabilities with different challenges to the crawling capabilities of the tools.These tests are integrated in a realistic web application.The results of the evaluation show that crawling is a task that is as critical and challenging to the overall ability to detect vulnerabilities as the vulnerability detection techniques themselves,and that many classes of vulnerabilities are completely overlooked by these tools, and thus research is required to improve the automated detection of these flaws.
Download PDF
Black-box web vulnerability scanners are a class of tools that can be used to identify security issues in web applications. These tools are often marketed as “point-and-click pentesting” tools that automatically evaluate the security of web applications with little or no human support.These tools access a web application in the same way users do, and, therefore, have the advantage of being independent of the particular technology used to implement the web application.
However, these tools need to be able to access and test the application’s various components, which are often hidden behind forms, JavaScript-generated links,and Flash applications.This paper presents an evaluation of eleven black-box web vulnerability scanners,both commercial and open source. The evaluation composes different types of vulnerabilities with different challenges to the crawling capabilities of the tools.These tests are integrated in a realistic web application.The results of the evaluation show that crawling is a task that is as critical and challenging to the overall ability to detect vulnerabilities as the vulnerability detection techniques themselves,and that many classes of vulnerabilities are completely overlooked by these tools, and thus research is required to improve the automated detection of these flaws.
Download PDF
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics
» Web Application Scanners Accuracy Assessment
» Black Hat Schedule XSS again
» XSSer v0.7a Black edition released
» Are You Tired of Using Black Hat SEO?
» Vulnerability to www.paypal.com
» Black Hat Schedule XSS again
» XSSer v0.7a Black edition released
» Are You Tired of Using Black Hat SEO?
» Vulnerability to www.paypal.com
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum