Journal name: International Journal of Innovative Research in Science, Engineering and Technology
Print ISSN: 2347-6710
Online ISSN: 2319-8753
Publication year: 2015
Volume: 4
Issue: 6
Page: 4179
DOI: 10.15680/IJIRSET.2015.0406079
Publisher: S&S Publications
Abstract: Web applications are used by almost all organizations in all sectors and are accessed by a large number of anonymous users, including malicious users. This wide visibility makes them susceptible to various attacks, such as SQL Injection (SQLI). Web application vulnerability scanners (WAVS) are automated black-box testing tools that examine web applications for security vulnerabilities. Evaluations of WAVSs have shown that executing client-side code is a major challenge to many scanners. However, despite the popularity of AJAX (Asynchronous JavaScript and XML) and JSON (JavaScript Object Notation) in modern web applications, no evaluation implemented test cases for the support of both AJAX and JSON technologies. This paper presents a test application and an assessment of the capability of 5 state-of-the-art black-box scanners to detect vulnerabilities hidden behind AJAX requests and JSON data. The test suite contains many vulnerability instances, with different levels of exploitation difficulty. Our experimental results show that executing AJAX code and analyzing JSON parameters are still challenges to many tools. We provide recommendations for assessing the complete capability of WAVSs, as existing evaluations did not cover all the main features.
Keywords: Black-box testing; vulnerability detection; web application security; Rich Internet Application; web application vulnerability scanner