Date of Publication
6-20-2022
Document Type
Master's Thesis
Degree Name
Master of Information Technology
Subject Categories
Computer Sciences
College
College of Computer Studies
Department/Unit
Information Technology
Thesis Advisor
Michelle Renee D. Ching
Defense Panel Chair
Danny C. Cheng
Defense Panel Member
Alain L. Encarnacion
Lissa Andrea K. Magpantay
Abstract/Summary
As most organizations already rely on digitalization, whatever their purpose, web applications are one of the main digital components through which they reach their target audience. Because of this, web applications need to be deployed on the public internet. Efficient as this is, the risk of their being compromised is very high, which is why it is imperative that they undergo security checks before deployment.
Security testing in its early years was very costly, as it was mostly done manually by professionals. Later on, vulnerability scanners were developed to lessen the workload of testers. However, effective and easy-to-use vulnerability scanners are expensive, while open-source scanners are very complex to use.
Open-source scanners have since improved: they now have Graphical User Interfaces (GUI), perform automated scanning, and generate comprehensive reports, which are the selling points of commercial Web Application Vulnerability Scanners (WAVS). Yet no studies had compared the performance gap between these scanners.
Thus, this research aimed to compare the accuracy and reporting capabilities of 2 commercial and 2 open-source WAVS. The evaluation was done through Acunetix Acuart and the OWASP Benchmark for accuracy, and through WIVET for URL crawling coverage.
The results imply that open-source vulnerability scanners are already competitive enough to match the detection capabilities of commercial ones, as well as the visualization of their reports. On the other hand, we also discovered an incompatibility between the commercial WAVS and the OWASP Benchmark, which caused an absence of data for comparison. Lastly, it was noted that none of the WAVS were able to crawl and detect all the test cases provided by the benchmarking tools. Therefore, scanners still cannot fully replace the practice of penetration testing and human validation.
Language
English
Format
Electronic
Physical Description
[85 leaves]
Keywords
Scanning systems; Web applications
Recommended Citation
Dalmacio, J. G. (2022). Benchmarking of web application vulnerability scanners. Retrieved from https://animorepository.dlsu.edu.ph/etdm_infotech/4
Embargo Period
12-16-2022
Note
Capstone project paper