Enhancing web application security through automated penetration testing with multiple vulnerability scanners.

Khaled Abdulghaffar, Nebrase Elmrabit, Mehdi Yousefi

Research output: Contribution to journalArticlepeer-review

1 Citation (Scopus)
78 Downloads (Pure)

Abstract

Penetration testers have increasingly adopted multiple penetration testing scanners to ensure the robustness of web applications. However, a notable limitation of many scanning techniques is their susceptibility to producing false positives. This paper presents a novel framework designed to automate the operation of multiple Web Application Vulnerability Scanners (WAVS) within a single platform. The framework generates a combined vulnerabilities report using two algorithms: an automation algorithm and a novel combination algorithm that produces comprehensive lists of detected vulnerabilities. The framework leverages the capabilities of two web vulnerability scanners, Arachni and OWASP ZAP. The study begins with an extensive review of the existing scientific literature, focusing on open-source WAVS and exploring the OWASP 2021 guidelines. Following this, the framework development phase addresses the challenge of varying results obtained from different WAVS. This framework’s core objective is to combine the results of multiple WAVS into a consolidated vulnerability report, ultimately improving detection rates and overall security.
The study demonstrates that the combined outcomes produced by the proposed framework exhibit greater accuracy compared to individual scanning results obtained from Arachni and OWASP ZAP. In summary, the study reveals that the Union List outperforms individual scanners, particularly regarding recall and F-measure. Consequently, adopting multiple vulnerability scanners is recommended as an effective strategy to bolster vulnerability detection in web applications.
Original languageEnglish
Article number235
JournalComputers
Volume12
Issue number11
Early online date15 Nov 2023
DOIs
Publication statusPublished - Nov 2023

Keywords

  • web applications
  • web application cyber security
  • vulnerability scanners
  • automate penetration testing

ASJC Scopus subject areas

  • Human-Computer Interaction
  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'Enhancing web application security through automated penetration testing with multiple vulnerability scanners.'. Together they form a unique fingerprint.

Cite this