Building a Test Suite for Web Application Scanners

  • Authors:
  • Elizabeth Fong; Romain Gaucher; Vadim Okun; Paul E. Black; Eric Dalci

  • Venue:
  • HICSS '08: Proceedings of the 41st Annual Hawaii International Conference on System Sciences
  • Year:
  • 2008


Abstract

This paper describes the design of a test suite for thorough evaluation of web application scanners. Web application scanners are automated, black-box testing tools that examine web applications for security vulnerabilities. For several common vulnerability types, we classify defense mechanisms that can be implemented to prevent corresponding attacks. We combine the defense mechanisms into ''levels of defense'' of increasing strength. This approach allows us to develop an extensive test suite that can be easily configured to switch on and off vulnerability types and select a level of defense. We evaluate the test suite experimentally using several web application scanners, both open-source and proprietary. The experiments suggest that the test suite is effective at distinguishing the tools based on their vulnerability detection rate; in addition, its use can suggest areas for tool improvement.
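The abstract describes a test suite whose cases can be switched on and off per vulnerability type and run at a selectable level of defense, with scanners then scored by detection rate against the suite's known ground truth. The following is an added illustration of that structure, not code from the paper or its authors: it models one reflected-output test case with three constructed defense levels (no defense, a weak pattern blacklist, full HTML escaping), derives the ground truth from the configuration, runs a toy probe-based scanner over the cases, and computes the detection rate. The level names, the `TestCase` fields and the probe marker are all assumptions for this example.

```python
import html
import re
from dataclasses import dataclass

# Constructed defense levels for a reflected-parameter test case. The paper's
# actual levels are not listed on the page; these three are an assumption.
LEVEL_NONE = 0       # output reflected verbatim
LEVEL_BLACKLIST = 1  # weak: strips one tag name, leaves everything else
LEVEL_ESCAPE = 2     # strong: HTML-escapes all output


def apply_defense(value: str, level: int) -> str:
    """Apply the selected defense level to untrusted input before reflection."""
    if level == LEVEL_NONE:
        return value
    if level == LEVEL_BLACKLIST:
        return re.sub(r"(?i)<script", "", value)
    if level == LEVEL_ESCAPE:
        return html.escape(value, quote=True)
    raise ValueError(f"unknown defense level {level}")


@dataclass(frozen=True)
class TestCase:
    name: str        # identifier of the case, e.g. "xss-reflected-1"
    vuln_type: str   # vulnerability type the case exercises
    enabled: bool    # switched off -> case is rendered safely regardless of level
    level: int       # one of the LEVEL_* constants


def render(case: TestCase, user_input: str) -> str:
    """Simulate the test-suite page for one case and one request parameter."""
    if not case.enabled:
        # Vulnerability type switched off: always use the strongest defense.
        body = html.escape(user_input, quote=True)
    else:
        body = apply_defense(user_input, case.level)
    return f"<p>Hello {body}</p>"


def ground_truth(cases: list[TestCase]) -> dict[str, bool]:
    """Which cases the suite knows to be vulnerable (enabled and not fully escaped)."""
    return {c.name: c.enabled and c.level < LEVEL_ESCAPE for c in cases}


PROBE = "<zz-probe>"  # constructed, harmless marker the toy scanner reflects


def toy_scanner(cases: list[TestCase]) -> dict[str, bool]:
    """A minimal black-box check: the case is reported if the marker tag survives."""
    return {c.name: PROBE in render(c, PROBE) for c in cases}


def detection_rate(truth: dict[str, bool], findings: dict[str, bool]) -> float:
    """Fraction of truly vulnerable cases that the scanner reported."""
    vulnerable = [name for name, is_vuln in truth.items() if is_vuln]
    if not vulnerable:
        return 1.0
    return sum(1 for name in vulnerable if findings.get(name, False)) / len(vulnerable)


def false_positives(truth: dict[str, bool], findings: dict[str, bool]) -> list[str]:
    """Cases reported by the scanner that the suite knows are not vulnerable."""
    return sorted(name for name, hit in findings.items() if hit and not truth[name])


# Constructed suite configuration: one vulnerability type at each defense
# level, plus one case that has been switched off.
SUITE = [
    TestCase("xss-reflected-l0", "xss", True, LEVEL_NONE),
    TestCase("xss-reflected-l1", "xss", True, LEVEL_BLACKLIST),
    TestCase("xss-reflected-l2", "xss", True, LEVEL_ESCAPE),
    TestCase("xss-reflected-off", "xss", False, LEVEL_NONE),
]

if __name__ == "__main__":
    truth = ground_truth(SUITE)
    found = toy_scanner(SUITE)
    print("ground truth:", truth)
    print("scanner findings:", found)
    print("detection rate:", detection_rate(truth, found))
    print("false positives:", false_positives(truth, found))
```

Because the configuration, not a human judgement, defines which cases are vulnerable, the same suite can be re-run at a different level or with a type switched off and compared across scanners on an identical basis; a real scanner's findings would replace `toy_scanner` while `ground_truth` and `detection_rate` stay unchanged.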