Abstract
Implementing vulnerability assessment (VA) and penetration testing is one of the crucial methods to evaluate the security of web applications. The VA and Pentest results can be used to assess the present vulnerability of the system to help improve effective and up-to-date controls. However, using such static results for vulnerability analysis may not reflect the real situation of the organization’s security policy. In addition, the integration of VA results and adaptive vulnerability calculation of vulnerabilities found in web applications are not provided by existing VA tools. Essentially, a dynamic, and interactive vulnerability assessment system for web applications is crucial due to the dynamic nature of modern web applications causing the possible new threat landscapes. In this paper, we introduce DyVAM (Dynamic Vulnerability Assessment for Multi-Web Applications), a system that integrates OWASP ZAP results and Directed Acyclic Graphs (DAGs) for supporting interactive vulnerability analysis. Our proposed system also incorporates organizational policies into the vulnerability calculation to enable a more actionable and pertinent vulnerability assessment result. Finally, we conducted the experiments to substantiate the efficiency and practicality of our proposed system. The results demonstrate that DyVAM, when implemented with our proposed multi-threading approach, significantly improves processing speed compared to traditional processing.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Makino, Y., Klyuev, V.: Evaluation of web vulnerability scanners. In: 2015 IEEE 8th International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), vol. 1, pp. 399–402. IEEE (2015)
Houmb, S.H., Franqueira, V.N., Engum, E.A.: Quantifying security risk level from cvss estimates of frequency and impact. J. Syst. Softw. 83(9), 1622–1634 (2010)
Sethapanee, A., Nimitrchai, T., Fugkeaw, S.: Autorat: automated risk assessment tool for network mapper scanning. In: Meesad, P., Sodsee, S., Jitsakul, W., Tangwannawit, S. (eds.) IC2IT 2022. LNNS, vol. 453, pp. 99–110. Springer, Cham (2022). https://doi.org/10.1007/978-3-030-99948-3_10
Prostov, A., Amfiteatrova, S.S., Butakova, N.G.: Construction and security analysis of private directed acyclic graph based systems for internet of things. In: 2021 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (ElConRus), St. Petersburg, Moscow, Russia, pp. 2394–2398 (2021)
Lathifah, F.B.A., Rosidah, A., et al.: Security vulnerability analysis of the sharia crowdfunding website using owasp-zap. In: 2022 10th International Conference on Cyber and IT Service Management (CITSM), pp. 1–5. IEEE (2022)
Cahyani, D.D., Dewi, L.P.W.P., Suryadi, K.D.R., Listartha, I.M.E.: Analisis kerentanan website smp negeri 3 semarapura menggunakan metode pengujian rate limiting dan owasp. INSERT: Inf. Syst. Emerg. Technol. J. 2(2), 106–112 (2021)
Huang, L., Chen, X., Lai, X.: Computer network vulnerability assessment and safety evaluation application based on bayesian theory. Int. J. Secur. Appl. 10(12), 359–368 (2016)
Gu, H., et al.: Diava: a traffic-based framework for detection of SQL injection attacks and vulnerability analysis of leaked data. IEEE Trans. Reliab. 69(1), 188–202 (2019)
Rahkema, K., Pfahl, D.: Swiftdependencychecker: detecting vulnerable dependencies declared through cocoapods, carthage and swift pm. In: Proceedings of the 9th IEEE/ACM International Conference on Mobile Software Engineering and Systems, pp. 107–111 (2022)
Humayun, M., Niazi, M., Jhanjhi, N., Alshayeb, M., Mahmood, S.: Cyber security threats and vulnerabilities: a systematic mapping study. Arab. J. Sci. Eng. 45, 3171–3189 (2020)
[Online]. Available: https://vuldb.com/
Kai, S., Zheng, J., Shi, F., Lu, Z.: A CVSS-based vulnerability assessment method for reducing scoring error. In: 2021 2nd International Conference on Electronics, Communications and Information Technology (2021)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Lapmoon, J., Kosolsriwiwat, T., Jiraporn, S., Fugkeaw, S. (2024). Enabling Dynamic Vulnerability Assessment for Multi-web Application Using Executable Directed Acyclic Graph. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 200. Springer, Cham. https://doi.org/10.1007/978-3-031-57853-3_2
Download citation
DOI: https://doi.org/10.1007/978-3-031-57853-3_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57852-6
Online ISBN: 978-3-031-57853-3
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)