American Journal of Computing Research Repository
ISSN (Print): 2377-4606 ISSN (Online): 2377-4266 Website: http://www.sciepub.com/journal/ajcrr Editor-in-chief: Vishwa Nath Maurya
American Journal of Computing Research Repository. 2016, 4(1), 15-20
DOI: 10.12691/ajcrr-4-1-3
Open Access Article

A Hybrid Algorithm for Detecting Web Based Applications Vulnerabilities

Muiruri Chris Karumba¹, Samuel Ruhiu¹ and Christopher A. Moturi¹

¹ School of Computing and Informatics, University of Nairobi, Nairobi, Kenya

Pub. Date: February 17, 2016

Cite this paper:
Muiruri Chris Karumba, Samuel Ruhiu and Christopher A. Moturi. A Hybrid Algorithm for Detecting Web Based Applications Vulnerabilities. American Journal of Computing Research Repository. 2016; 4(1):15-20. doi: 10.12691/ajcrr-4-1-3

Abstract

Web vulnerability scanners (WVS) are tools for discovering vulnerabilities in a web application. However, they are not 100% accurate. In this paper we develop a hybrid algorithm for detecting vulnerabilities in web-based applications and compare its performance with that of other open-source WVS. The comparison is based on three metrics: time taken to scan, detection accuracy and consistency.

Keywords:
web vulnerability scanners; open source; algorithm; web based applications

This work is licensed under a Creative Commons Attribution 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/
