Why Johnny can't pentest: An analysis of black-box web vulnerability scanners

Adam Doupé, Marco Cova, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contribution

98 Scopus citations

Abstract

Black-box web vulnerability scanners are a class of tools that can be used to identify security issues in web applications. These tools are often marketed as "point-and-click pentesting" tools that automatically evaluate the security of web applications with little or no human support. These tools access a web application in the same way users do, and, therefore, have the advantage of being independent of the particular technology used to implement the web application. However, these tools need to be able to access and test the application's various components, which are often hidden behind forms, JavaScript-generated links, and Flash applications. This paper presents an evaluation of eleven black-box web vulnerability scanners, both commercial and open-source. The evaluation composes different types of vulnerabilities with different challenges to the crawling capabilities of the tools. These tests are integrated in a realistic web application. The results of the evaluation show that crawling is a task that is as critical and challenging to the overall ability to detect vulnerabilities as the vulnerability detection techniques themselves, and that many classes of vulnerabilities are completely overlooked by these tools, and thus research is required to improve the automated detection of these flaws.

Original languageEnglish (US)
Title of host publicationDetection of Intrusions and Malware, and Vulnerability Assessment - 7th International Conference, DIMVA 2010, Proceedings
Pages111-131
Number of pages21
DOIs
StatePublished - Aug 3 2010
Event7th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2010 - Bonn, Germany
Duration: Jul 8 2010Jul 9 2010

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume6201 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Other

Other7th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2010
CountryGermany
CityBonn
Period7/8/107/9/10

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of 'Why Johnny can't pentest: An analysis of black-box web vulnerability scanners'. Together they form a unique fingerprint.

  • Cite this

    Doupé, A., Cova, M., & Vigna, G. (2010). Why Johnny can't pentest: An analysis of black-box web vulnerability scanners. In Detection of Intrusions and Malware, and Vulnerability Assessment - 7th International Conference, DIMVA 2010, Proceedings (pp. 111-131). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 6201 LNCS). https://doi.org/10.1007/978-3-642-14215-4_7