Litcius/Paper detail

Enhancing Web Application Security through Automated Penetration Testing with Multiple Vulnerability Scanners

Khaled Abdulghaffar, Nebrase Elmrabit, M. Yousefi

2023Computers28 citationsDOIOpen Access PDF

Abstract

Penetration testers have increasingly adopted multiple penetration testing scanners to ensure the robustness of web applications. However, a notable limitation of many scanning techniques is their susceptibility to producing false positives. This paper presents a novel framework designed to automate the operation of multiple Web Application Vulnerability Scanners (WAVS) within a single platform. The framework generates a combined vulnerabilities report using two algorithms: an automation algorithm and a novel combination algorithm that produces comprehensive lists of detected vulnerabilities. The framework leverages the capabilities of two web vulnerability scanners, Arachni and OWASP ZAP. The study begins with an extensive review of the existing scientific literature, focusing on open-source WAVS and exploring the OWASP 2021 guidelines. Following this, the framework development phase addresses the challenge of varying results obtained from different WAVS. This framework’s core objective is to combine the results of multiple WAVS into a consolidated vulnerability report, ultimately improving detection rates and overall security. The study demonstrates that the combined outcomes produced by the proposed framework exhibit greater accuracy compared to individual scanning results obtained from Arachni and OWASP ZAP. In summary, the study reveals that the Union List outperforms individual scanners, particularly regarding recall and F-measure. Consequently, adopting multiple vulnerability scanners is recommended as an effective strategy to bolster vulnerability detection in web applications.

Topics & Concepts

Computer scienceVulnerability (computing)Web applicationRobustness (evolution)Application securityVulnerability assessmentComputer securityData miningSoftware security assuranceWorld Wide WebInformation securityBiochemistryChemistryGenePsychological resiliencePsychologySecurity servicePsychotherapistWeb Application Security VulnerabilitiesAdvanced Malware Detection TechniquesNetwork Security and Intrusion Detection