Scribd Logo
Hochladen

Willkommen bei Scribd!

  • IT Research

    Hochgeladen von

    Matt Morrie Añana
    43 Ansichten4 Seiten
    It research example

    Originaltitel

    IT research

    Copyright

    © © All Rights Reserved

    Verfügbare Formate

    DOCX, PDF, TXT oder online auf Scribd lesen

    Stufen Sie dieses Dokument als nützlich ein?

    Sind diese Inhalte unangemessen?

    Dieses Dokument melden
    It research example

    Copyright:

    © All Rights Reserved
    Als DOCX, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    43 Ansichten4 Seiten

    IT Research

    Hochgeladen von

    Matt Morrie Añana
    It research example

    Copyright:

    © All Rights Reserved
    Als DOCX, PDF, TXT herunterladen oder online auf Scribd lesen
    Markieren Sie unangemessene Inhalte
    von 4

    DITCC 104: IT Protection and Security

    Research Proposal

    Name: Timbal, Maricel A.

    Title:

    A Comparative Study of Arachni and Vega WAVS based on WAVSEP

    1. Introduction

    Many organizations are now having more sophisticated web application. However, this

    does not exempt from vulnerabilities no matter how sophisticated it is. According to [1], it

    is difficult, time-consuming, error-prone and costly if all web vulnerabilities are to be

    checked by hand. That is the reason why there are lots of Web Application Vulnerability

    Scanner (WAV) were develop to provide report of security vulnerabilities [2] such as SQL

    injections, cross site scripting (XSS), broken authentication & session management,

    insecure direct object references, security misconfiguration, and cross-site request forgery

    (CSRF). Based on their study, only OWASP ZAP and Skipfish were evaluated using

    DVWA and WAVSEP where in fact there are lots of other WAVS. Although [3] had

    provided feature comparison and evaluation, the study was conducted in 2014 and the

    information generated from this is out dated because of the fact that WAVS might have

    been upgraded.

    In this study, two WAVS, which are open source, among the top five WAVS of 2017

    [4] will be evaluated using The Web Application Vulnerability Scanner Evaluation Project

    (WAVSEP). It aims to compare its efficiency when it comes to detecting security

    vulnerabilities.
    2. Problem statement

    The study would seek to find out the following:

    1. How many found vulnerabilities classified (by risk) of each scanner?

    2. What is the precision rate of each scanner?

    3. What is the false positive rate of each scanner?

    4. Which scanner is better on detecting security vulnerabilities?

    3. Objectives

    The purpose of the study is to compare the efficiency of two open source WAVS on

    detecting security vulnerabilities. It specifically aims to:

    1. determine the number of found vulnerabilities classified (by risk) of each

    scanner;

    2. determine the precision rate of each scanner;

    3. determine the false positive rate of each scanner; and

    4. identify which scanner is better on detecting security vulnerabilities?

    4. Preliminary literature review


    Web Application Vulnerability Scanners (WAVS) are automated tool used to test web
    applications for regular security issues, for example, Cross-Site Scripting, SQL Injection,
    Directory Traversal, uncertain arrangements, and remote order execution vulnerabilities.
    These instruments creep a web application and find application layer vulnerabilities and
    shortcomings, either by controlling HTTP messages or by examining them for suspicious
    traits [5].
    The Web Application Vulnerability Scanner Evaluation Project (WAVSEP) is a free
    software designed to help assessing the features, quality and accuracy of web application
    vulnerability scanners [6].
    Vulnerabilities are classified into three categories [1], these are cross site scripting, SQL
    injection, and File inclusion (remote and local).
    [7] designed a vulnerability testing approach for assessing web applications by means of
    analyzing and using a combined set of tools – W3AF and Nikto. In their findings,
    combination of tools can increase the vulnersbility testing coverage for web applications
    adhering OWASP top 10 [8].
    [1] evaluated two WAVS – OWASP Zed Attack Proxy (OWASP ZAP) and Skipfish
    using Damn Vulnerable Web Application (DVWA). They found out that OWASP ZAP
    performs better than Skipfish. Furthermore, by using WAVSEP, detects more intentional
    vulnerabilities compared to DVWA.
    [3] presented the WAVS benchmark through accuracy, coverage, versatility,
    adaptability, feature and price comparison of sixty-three WAVS using three assessment
    environment such as WAVSEP 1.5, WIVET v3-rev148 and ZAP-WAVE.

    5. Methodology

    The research method to be used is quantitative utilizing comparative study, as

    explained in [6] is examining two (or more) cases, using descriptive comparison. It

    will follow the vulnerability testing approach of [7] and these are:

    1. identification of target WAVS (Arachni and Vega) on development platform

    (OS and programming language used);

    2. analysis of vulnerabilities and selection of vulnerability assessment tool

    (WAVSEP);

    3. conduct a vulnerability assessment test by installing tools and configuring

    testing parameters; and

    4. report result based on the risk involved and identification of threat severity.

    6. Paper Outline

    Abstract (summary of the study)


    Introduction (includes background of the study, problem statement and objectives)
    Literature Review (cite related works that supports the study)
    Methodology (implements vulnerability testing approach)
    Results and Discussions (discusses the answer of the problem statement)
    Conclusion (gives final judgment)
    References (lists all studies of which this study is anchored with)

    References
    [1] Y. Makino and V. Klyuev, "Evaluation of Web Vulnerability Scanners," The 8th IEEE International
    Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and
    Applications, pp. 1-4, 2015.

    [2] B. Bassi, "6 Common Website Security Vulnerabilities," Commonplaces Interactive, 19 June 2017.
    [Online]. Available: http://www.commonplaces.com/blog/6-common-website-security-
    vulnerabilities/. [Accessed 4 August 2017].

    [3] S. Chen, "Security Tools Benchmarking: WAVSEP Web Application Vulnerability Scanners
    Benchmark," 5 February 2014. [Online]. Available:
    http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html. [Accessed 4
    August 2017].

    [4] I. Shakeel, "Top 5 Web Application Security Scanners of 2017," 14 March 2017. [Online].
    Available: http://resources.infosecinstitute.com/top-5-web-application-security-scanners-
    2017/#gref. [Accessed 4 August 2017].

    [5] R. Gaucher, "Web Application Security Scanner Evaluation Criteria," Web Application Security
    Consortium, 5 February 2014. [Online]. Available:
    http://projects.webappsec.org/f/Web+Application+Security+Scanner+Evaluation+Criteria+-
    +Version+1.0.pdf. [Accessed 4 August 2017].

    [6] "Comparative Study," 3 August 2007. [Online]. Available:


    http://www2.uiah.fi/projekti/metodi/172.htm. [Accessed 4 August 2017].

    [7] R. Vibhandik and A. K. Bose, "Vulnerability Assessment of Web Applications - A Testing


    Approach," 2015 Forth International Conference on e-Technologies and Networks for
    Development (ICeND), pp. 1-6, 2015.

    Das könnte Ihnen auch gefallen