Analysis of the efficiency of open source and commercial vulnerability scanners for e-commerce web applications
Article Sidebar
Main Article Content
Abstract
A comparative analysis of the efficiency of the latest versions of popular open source and commercial vulnerability scanners for e-commerce web applications is presented in this paper. A specially developed prototype of web application, OWASP Juice Shop, with embedded relevant vulnerabilities from OWASP Top 10, was chosen as the test object. The quantitative results of using different commercial scanners are described here. Acunetix is pampered to be the scanner that detected the largest number of vulnerabilities of various criticality levels. At the same time, the authors emphasize the need to use several scanners to increase the efficiency of vulnerability detection. The study highlights the importance of regular scanning and monitoring of web application security, especially for e-commerce organizations. However, the authors note that scanners are important but not the only tools for finding vulnerabilities in complex web applications
Article Details
Issue
Section
This work is licensed under a Creative Commons Attribution 4.0 International License.
References
1. Shay Chen (2023). Web Application Scanners. SecTools.Org: Top 125 Network Security Tools. Available at: https://sectools.org/tag/web-scanners/.
2. Hindawi. Performance-Based Comparative Assessment of Open Source Web Vulnerability Scanners. Available at: https://www.hindawi.com/journals/scn/2017/6158107/. https://doi.org/10.1155/2017/6158107
3. Kinnaird McQuade. Open Source Web Vulnerability Scanners: The Cost Effective Choice? - ISSN: 2167-1508. Available at: https://www.researchgate.net/profile/Kinnaird-Mcquade/publication/267026342_Open_Source_Web_Vulnerability_Scanners_The_Cost_Effective_Choice/links/546150000cf2c1a63bff83dc/Open-Source-Web-Vulnerability-Scanners-The-Cost-Effective-Choice.pdf.
4. OWASP Juice Shop. Available at: https://owasp.org/www-project-juice-shop/.
5. OWASP Foundation, the Open Source Foundation for Application Security. Available at: https: //owasp.org/.
6. Common Vulnerability Scoring System Calculator. Available at: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
7. CWE Version 4.10. Available at: https://cwe.mitre.org/data/published/cwe_v4.10.pdf.
8. The Basics of Web Hacking: Tools and Techniques to Attack the Web by Josh Pauli. ISBN: 978-0124166004.
9. Hacking Exposed Web Applications, 3rd Edition by Joel Scambray. ISBN: 978-0071740647.
10. OWASP Web Security Testing Guide (WSTG). Available at: https://owasp.org/www-project-web-security-testing-guide/.
11. SANS Institute – Web Application Penetration Testing. Available at: https://www.sans.org/white-papers/web-application-penetration-testing.
12. Comparative Study of Automated Web Vulnerability Scanners. Available at: https://ieeexplore.ieee.org/document/8691130 .
13. Stuttard D., & Pinto M. (2018). The Web Application Hackerʼs Handbook: Finding and Exploiting Security Flaws (2nd ed.). Wiley.
14. Messier R. (2019). Network Vulnerability Assessment: From Auditing to Continuous Monitoring. OʼReilly Media.
15. Hope P., & Walther B. (2021). Web Security for Developers: Real Threats, Practical Defense. No Starch Press.
16. NIST. (2023). National Vulnerability Database. Available at: https://nvd.nist.gov/.
17. OWASP ZAP Development Team. (2023). OWASP Zed Attack Proxy (ZAP). Available at: https://www.zaproxy.org/.