Enhancing the Performance of Web Application Security Testing: An In-Depth Analysis and Optimization of Web Vulnerability Scanners

dc.contributor.advisor: de Leon, Daniel Conte
dc.contributor.author: Alazmi, Suliman
dc.date.accessioned: 2024-02-20T11:10:30Z
dc.date.available: 2024-02-20T11:10:30Z
dc.date.issued: 2024-01-24
dc.description.abstract: Web applications have become an indispensable part of our lives today. Meanwhile, hackers' exploitation of web application vulnerabilities is increasing, and the damages caused are devastating. Web application vulnerability scanners (WVS's) are tools that have been considered to remediate this situation. However, these tools differ in their effectiveness and their quality of use. In this dissertation we provided four contributions. Firstly, we conducted a Systematic Literature Review (SLR) on the most frequently used WVS's. A total of 90 research papers were carefully evaluated. Thirty (30) WVS's were collected and reported, with only 12 having at least one quantitative assessment of effectiveness. These 12 WVS's were evaluated by 15 original evaluation studies. We found that these evaluations tested mostly only two of the Open Web Application Security Project (OWASP) Top Ten vulnerability types: SQL injection (SQLi) (13/15) and Cross-Site Scripting (XSS) (8/15). We also found that the reported detection rates were highly dissimilar between these 15 evaluations. Secondly, we evaluated the performance of four well-known web vulnerability scanners (Burp Suite Pro, OWASP ZAP, Arachni and Wapiti) in detecting the OWASP Top Ten vulnerability types by running them against three benchmark web applications (Mutillidae, bWAPP, WebGoat). Our comparative results showed that web vulnerability scanners were effective in detecting only a very few of the OWASP Top Ten vulnerability types. Thirdly, we conducted a statistical study to measure the quality of use of four web vulnerability scanners. The quality of use was measured using the Software Usability Measurement Inventory (SUMI). The results suggested that OWASP ZAP and Burp Suite Pro were more positively perceived by the participants in terms of their Affect and Learnability, while Wapiti was less positively perceived by the participants in terms of their Efficiency, Affect and Controllability. Fourthly, new scanning rules were proposed to improve OWASP ZAP's detection of SQL injection attacks. Testing on vulnerable web applications showed a significant improvement in detection capability.
dc.format.extent: 189
dc.identifier.other: https://www-proquest-com.sdl.idm.oclc.org/docview/2903246191/ADA33844A95C4F0CPQ/1?accountid=142908&sourcetype=Dissertations%20&%20Theses
dc.identifier.uri: https://hdl.handle.net/20.500.14154/71488
dc.language.iso: en_US
dc.publisher: ProQuest
dc.subject: Web application
dc.subject: Web vulnerability scanner
dc.subject: Performance
dc.subject: Detection rate
dc.subject: Severity level
dc.subject: Vulnerability type
dc.subject: OWASP
dc.title: Enhancing the Performance of Web Application Security Testing: An In-Depth Analysis and Optimization of Web Vulnerability Scanners
dc.type: Thesis
sdl.degree.department: Computer Science
sdl.degree.discipline: Cybersecurity
sdl.degree.grantor: University of Idaho
sdl.degree.name: Doctor of Philosophy

Copyright owned by the Saudi Digital Library (SDL) © 2025