Research Proposal
Title:
1. Introduction
Many organizations now have more sophisticated web applications. However, this
does not exempt them from vulnerabilities, no matter how sophisticated they are. According to [1], it
checked by hand. That is why many Web Application Vulnerability
Scanners (WAVS) were developed to report security vulnerabilities [2] such as SQL
injection, cross-site scripting (XSS), broken authentication and session management,
insecure direct object references, security misconfiguration, and cross-site request forgery
(CSRF). In their study, only OWASP ZAP and Skipfish were evaluated using
DVWA and WAVSEP, when in fact there are many other WAVS. Although [3]
provided a feature comparison and evaluation, that study was conducted in 2014 and the
information it generated is outdated, because the WAVS may have
been upgraded since.
In this study, two open-source WAVS from among the top five WAVS of 2017
[4] will be evaluated using the Web Application Vulnerability Scanner Evaluation Project
vulnerabilities.
2. Problem statement
3. Objectives
The purpose of the study is to compare the efficiency of two open-source WAVS on
scanner;
5. Methodology
explained in [6] is to examine two (or more) cases using descriptive comparison. It
will follow the vulnerability testing approach of [7], whose steps are:
(WAVSEP);
4. report results based on the risk involved and the identification of threat severity.
6. Paper Outline
References
[1] Y. Makino and V. Klyuev, "Evaluation of Web Vulnerability Scanners," The 8th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, pp. 1-4, 2015.
[2] B. Bassi, "6 Common Website Security Vulnerabilities," Commonplaces Interactive, 19 June 2017. [Online]. Available: http://www.commonplaces.com/blog/6-common-website-security-vulnerabilities/. [Accessed 4 August 2017].
[3] S. Chen, "Security Tools Benchmarking: WAVSEP Web Application Vulnerability Scanners Benchmark," 5 February 2014. [Online]. Available: http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html. [Accessed 4 August 2017].
[4] I. Shakeel, "Top 5 Web Application Security Scanners of 2017," 14 March 2017. [Online]. Available: http://resources.infosecinstitute.com/top-5-web-application-security-scanners-2017/#gref. [Accessed 4 August 2017].
[5] R. Gaucher, "Web Application Security Scanner Evaluation Criteria," Web Application Security Consortium, 5 February 2014. [Online]. Available: http://projects.webappsec.org/f/Web+Application+Security+Scanner+Evaluation+Criteria+-+Version+1.0.pdf. [Accessed 4 August 2017].