Enlargement of vulnerable web applications for testing.
Saved in:
| Title: | Enlargement of vulnerable web applications for testing. |
|---|---|
| Authors: | Román Muñoz, Fernando1, Sabido Cortes, Iván Israel1, García Villalba, Luis Javier1 |
| Source: | Journal of Supercomputing. Dec2018, Vol. 74 Issue 12, p6598-6617. 20p. |
| Subjects: | Web-based user interfaces, Computer security testing, Computer security vulnerabilities, Scanning systems, Application software security measures |
| Abstract: | There are two main kinds of vulnerable web applications, usual applications developed with a specific aim and applications which are vulnerable by design. On one hand, the usual applications are those that are used everywhere and on a daily basis, and where vulnerabilities are detected, and often mended, such as online banking systems, newspaper sites, or any other Web site. On the other hand, vulnerable by design web applications are developed for proper evaluation of web vulnerability scanners and for training in detecting web vulnerabilities. The main drawback of vulnerable by design web applications is that they used to include just a short set of well-known types of vulnerabilities, usually from famous classifications like the OWASP Top Ten. They do not include most of the types of web vulnerabilities. In this paper, an analysis and assessment of vulnerable web applications is conducted in order to select the applications that include the larger set of types of vulnerabilities. Then those applications are enlarged with more types of web vulnerabilities that vulnerable web applications do not include. Lastly, the new vulnerable web applications have been analyzed to check whether web vulnerability scanners are able to detect the new added vulnerabilities, those vulnerabilities that vulnerable by design web applications do not include. The results show that the tools are not very successful in detecting those vulnerabilities, less than well-known vulnerabilities. [ABSTRACT FROM AUTHOR] |
| Copyright of Journal of Supercomputing is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
|
Full text is not displayed to guests.
Login for full access.
|
|
| Abstract: | There are two main kinds of vulnerable web applications, usual applications developed with a specific aim and applications which are vulnerable by design. On one hand, the usual applications are those that are used everywhere and on a daily basis, and where vulnerabilities are detected, and often mended, such as online banking systems, newspaper sites, or any other Web site. On the other hand, vulnerable by design web applications are developed for proper evaluation of web vulnerability scanners and for training in detecting web vulnerabilities. The main drawback of vulnerable by design web applications is that they used to include just a short set of well-known types of vulnerabilities, usually from famous classifications like the OWASP Top Ten. They do not include most of the types of web vulnerabilities. In this paper, an analysis and assessment of vulnerable web applications is conducted in order to select the applications that include the larger set of types of vulnerabilities. Then those applications are enlarged with more types of web vulnerabilities that vulnerable web applications do not include. Lastly, the new vulnerable web applications have been analyzed to check whether web vulnerability scanners are able to detect the new added vulnerabilities, those vulnerabilities that vulnerable by design web applications do not include. The results show that the tools are not very successful in detecting those vulnerabilities, less than well-known vulnerabilities. [ABSTRACT FROM AUTHOR] |
|---|---|
| ISSN: | 09208542 |
| DOI: | 10.1007/s11227-017-1981-2 |