
Enlargement of vulnerable web applications for testing

The Journal of Supercomputing

Abstract

There are two main kinds of vulnerable web applications: ordinary applications developed for a specific purpose, and applications that are vulnerable by design. Ordinary applications are those used everywhere on a daily basis, in which vulnerabilities are detected and usually fixed, such as online banking systems, newspaper sites, or any other Web site. Vulnerable-by-design web applications are developed for the evaluation of web vulnerability scanners and for training in detecting web vulnerabilities. Their main drawback is that they usually include only a small set of well-known vulnerability types, typically taken from popular classifications such as the OWASP Top Ten, and omit most other types of web vulnerabilities. In this paper, vulnerable web applications are analyzed and assessed in order to select those that include the largest set of vulnerability types. Those applications are then enlarged with additional types of web vulnerabilities that vulnerable-by-design applications do not include. Finally, the enlarged applications are used to check whether web vulnerability scanners are able to detect the newly added vulnerabilities. The results show that the scanners are not very successful at detecting them, and detect them less often than the well-known vulnerabilities.
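The evaluation the abstract describes amounts to matching a scanner's findings against the list of vulnerabilities deliberately seeded into the enlarged application and comparing the detection rate for well-known types with the rate for the added types. The following Python is an added example of such a scoring harness; it is not code from the paper. The seeded list, the scanner report, the vulnerability type names and the split into a "well_known" group and an "other" group are all constructed, illustrative assumptions, since the paper does not list the types it added. Matching is done on (type, path, parameter), so a finding on the right parameter but with the wrong type counts as a miss plus a false positive, which is how a scanner that mislabels a bug should be scored.

```python
# Added example: scoring a black-box scanner against a vulnerable-by-design
# application whose seeded vulnerabilities are known. Not the paper's code.

# Constructed ground truth (assumption): each entry is
# (vulnerability type, path, parameter, group). Group labels are illustrative.
SEEDED = [
    ("sqli", "/login", "user", "well_known"),
    ("xss_reflected", "/search", "q", "well_known"),
    ("csrf", "/transfer", "amount", "well_known"),
    ("http_response_splitting", "/setlang", "lang", "other"),
    ("mass_assignment", "/profile", "role", "other"),
    ("ssti", "/greet", "name", "other"),
    ("hpp", "/vote", "id", "other"),
]

# Constructed scanner report (assumption): (type, path, parameter) as the
# scanner emitted it. The last entry is a mislabelled finding on /setlang.
REPORTED = [
    ("sqli", "/login", "user"),
    ("xss_reflected", "/search", "q"),
    ("csrf", "/transfer", "amount"),
    ("http_response_splitting", "/setlang", "lang"),
    ("xss_reflected", "/setlang", "lang"),
]


def score(seeded, reported):
    """Match scanner findings to seeded vulnerabilities.

    Returns per-group detected/missed lists and recall, plus every reported
    finding that does not correspond to a seeded vulnerability (false
    positives). A finding must match type, path and parameter exactly.
    """
    truth = {(t, p, a): g for t, p, a, g in seeded}
    found = set(reported)
    groups = {}
    for key, group in truth.items():
        entry = groups.setdefault(group, {"detected": [], "missed": []})
        entry["detected" if key in found else "missed"].append(key)
    for entry in groups.values():
        total = len(entry["detected"]) + len(entry["missed"])
        entry["recall"] = len(entry["detected"]) / total
    return {
        "groups": groups,
        "false_positives": sorted(found - set(truth)),
    }


def report(result):
    """Render the score as plain text, one line per group plus false positives."""
    lines = []
    for group, entry in result["groups"].items():
        lines.append(
            f"{group}: {len(entry['detected'])}/"
            f"{len(entry['detected']) + len(entry['missed'])} detected "
            f"(recall {entry['recall']:.2f})"
        )
        for key in entry["missed"]:
            lines.append(f"  missed {key[0]} at {key[1]}?{key[2]}")
    for key in result["false_positives"]:
        lines.append(f"false positive: {key[0]} at {key[1]}?{key[2]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(score(SEEDED, REPORTED)))
```

With the constructed data the well-known group scores full recall while the "other" group scores 0.25, and the mislabelled /setlang finding shows up as a false positive rather than silently inflating recall; when benchmarking real scanners, the same strictness on the type field is what separates "the scanner noticed something here" from "the scanner found the vulnerability that was seeded".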


Figures 1–4 (not reproduced in this preview)


Acknowledgements

This work was funded by the European Commission Horizon 2020 Programme under Grant Agreement No. H2020-FCT-2015/700326-RAMSES (Internet Forensic Platform for Tracking the Money Flow of Financially-Motivated Malware).

Author information

Corresponding author: Luis Javier García Villalba.


About this article


Cite this article

Román Muñoz, F., Sabido Cortes, I.I. & García Villalba, L.J. Enlargement of vulnerable web applications for testing. J Supercomput 74, 6598–6617 (2018). https://doi.org/10.1007/s11227-017-1981-2
