ICIMP 2018, The Thirteenth International Conference on Internet Monitoring and Protection
Exploiting the Potential of Web Application Vulnerability Scanning
Authors:
Damiano Esposito
Marc Rennhard
Lukas Ruf
Arno Wagner
Keywords: Web Application Security; Vulnerability Scanning; Vulnerability Detection Performance
Abstract:
Using automated web application vulnerability scanners so that they truly live up to their potential is difficult. Two of the main reasons for this are limitations with respect to crawling capabilities and problems in performing authenticated scans. In this paper, we present JARVIS, which provides technical solutions that can be applied to a wide range of vulnerability scanners to overcome these limitations. Our evaluation shows that by using JARVIS, the vulnerability detection performance of five freely available scanners can be improved by more than 100% compared to using them in their basic configuration. As the configuration effort to use JARVIS is small and the configurations are scanner-independent, JARVIS also makes it efficient to use multiple scanners in parallel. In an additional evaluation, we therefore analyzed the potential and limitations of using multiple scanners in parallel. This revealed that using multiple scanners in a reasonable way is indeed beneficial, as it increases the number of detected vulnerabilities without a significant negative impact on the reported false positives.
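The second evaluation the abstract describes, combining the findings of several scanners and measuring what that does to detected vulnerabilities and false positives, as an added Python example. This is not JARVIS code and not taken from the paper; the scanner names, the vulnerability-name alias table, the three scanner reports and the five-entry ground truth are all constructed for illustration. The example goes one step beyond the abstract by also showing an agreement threshold (keep only findings reported by at least k tools), which is one "reasonable way" of combining reports and, as the data shows, does not remove a false positive that two tools share.

```python
"""Merge findings from several web vulnerability scanners and score the
gain and false-positive cost of running them in parallel.

Illustrative example, not JARVIS code. All scanner output, the alias
table and the ground truth below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit

# Each tool names the same bug class differently; map them to one label so
# the same finding from two tools compares equal. Assumed alias table.
VULN_ALIASES = {
    "reflected xss": "xss", "cross-site scripting": "xss",
    "sql injection": "sqli", "blind sql injection": "sqli",
    "directory traversal": "traversal", "path traversal": "traversal",
    "os command injection": "cmdi", "command injection": "cmdi",
}


@dataclass(frozen=True)
class Finding:
    vuln: str   # normalised class, e.g. "xss"
    url: str    # scheme://host/path, query and fragment dropped
    param: str  # injected parameter name, "" when the tool gave none


def normalise(raw_vuln: str, raw_url: str, param: str = "") -> Finding:
    """Canonicalise one scanner hit so duplicates across tools collapse."""
    name = raw_vuln.strip().lower()
    vuln = VULN_ALIASES.get(name, name)
    parts = urlsplit(raw_url)
    path = parts.path.rstrip("/") or "/"
    url = urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, "", ""))
    return Finding(vuln, url, (param or "").strip().lower())


def normalise_report(report) -> set[Finding]:
    """report: iterable of (vuln_name, url, param) triples from one tool."""
    return {normalise(v, u, p) for v, u, p in report}


def combine(reports: dict[str, set[Finding]], min_agree: int = 1) -> set[Finding]:
    """Union of all tools' findings, keeping those reported by at least
    `min_agree` tools. min_agree=1 is the plain union (maximum recall);
    higher values trade missed bugs for fewer false positives."""
    votes = Counter(f for findings in reports.values() for f in findings)
    return {f for f, n in votes.items() if n >= min_agree}


def score(findings: set[Finding], truth: set[Finding]) -> dict[str, int]:
    """True positives, false positives and missed bugs against ground truth."""
    return {"tp": len(findings & truth),
            "fp": len(findings - truth),
            "fn": len(truth - findings)}


def evaluate(raw_reports, truth, min_agree: int = 1) -> dict[str, dict[str, int]]:
    """Score every scanner on its own and the combined result."""
    reports = {name: normalise_report(r) for name, r in raw_reports.items()}
    result = {name: score(f, truth) for name, f in reports.items()}
    result["combined"] = score(combine(reports, min_agree), truth)
    return result


# Constructed ground truth: the vulnerabilities the test application really has.
TRUTH = normalise_report([
    ("xss", "http://app.test/search", "q"),
    ("sqli", "http://app.test/login", "user"),
    ("traversal", "http://app.test/download", "file"),
    ("cmdi", "http://app.test/ping", "host"),
    ("xss", "http://app.test/profile", "name"),
])

# Constructed scanner output: (tool's own vuln name, URL as reported, parameter).
RAW_REPORTS = {
    "scanner_a": [
        ("Reflected XSS", "http://app.test/search?q=1", "q"),
        ("SQL Injection", "http://APP.test/login/", "user"),
        ("Reflected XSS", "http://app.test/help?topic=1", "topic"),   # false positive
    ],
    "scanner_b": [
        ("Cross-Site Scripting", "http://app.test/search", "Q"),
        ("Directory Traversal", "http://app.test/download", "file"),
        ("Blind SQL Injection", "http://app.test/login", "user"),
        ("SQL Injection", "http://app.test/stats", "year"),           # false positive
    ],
    "scanner_c": [
        ("OS Command Injection", "http://app.test/ping", "host"),
        ("Reflected XSS", "http://app.test/help?topic=1", "topic"),   # same FP as scanner_a
    ],
}

if __name__ == "__main__":
    for k in (1, 2):
        print(f"min_agree={k}:", evaluate(RAW_REPORTS, TRUTH, min_agree=k))
```

With the constructed data the plain union finds four of the five real bugs where the best single tool finds three, at the cost of two false positives instead of one; requiring agreement of two tools drops back to two true positives and still keeps the false positive that two tools share. Normalisation (host case, trailing slash, query string, vendor vulnerability names) is what makes the union meaningful; without it every tool's report looks unique and the false-positive count is inflated by duplicates.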
Pages: 22 to 29
Copyright: Copyright (c) IARIA, 2018
Publication date: July 22, 2018
Published in: conference
ISSN: 2308-3980
ISBN: 978-1-61208-652-1
Location: Barcelona, Spain
Dates: from July 22, 2018 to July 26, 2018