CISUC

Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks

Authors

José Carlos Coelho Martins da Fonseca
Marco Vieira
Henrique Madeira

Subject

Security Benchmarking

Conference

13th IEEE Pacific Rim Dependable Computing Conference (PRDC 2007), December 2007


Cited by

Year 2013 : 8 citations

 N. Awang and A. Manaf, “Detecting Vulnerabilities in Web Applications Using Automated Black Box and Manual Penetration Testing,” in Advances in Security of Information and Communication Networks, vol. 381, A. Awad, A. Hassanien, and K. Baba, Eds. Springer Berlin Heidelberg, 2013.

 P. Santhosh Reddy, G.Sireesha, "Automated Security Test by using Formal Threat Models on Leakage Detection", International Journal of Advanced and Innovative Research (IJAIR), Vol. 2 Issue 2, 2013.

 Prashant Belhekar, Alka Londhe, Bhavana Lucy, Santosh Kumar, "Finding Bugs In Web Applications Using Dynamic Test Generation", International Journal of Engineering Research & Technology (IJERT), Vol. 2 Issue 5, May 2013.

 Michelle Elaine Ruse, "Model checking techniques for vulnerability analysis of Web applications", PhD Thesis, Iowa State University, Ames, Iowa, 2013.

 Eric Alata, Mohamed Kaaniche, Vincent Nicomette, Rim Akrout, "An Automated Approach to Generate Web Applications Attack Scenarios", Sixth Latin-American Symposium on Dependable Computing, LADC 2013, Rio de Janeiro, RJ, Brazil, April 1-5 2013.

 Pallavali Radha, G. Sireesha, "Security Test by Using FTM and Data Allocation Strategies on Leakage Detection", International Journal Of Coputers & Technology, Vol. 4 No 2, March 2013.

 Hannes Holm, Mathias Ekstedt, Teodor Sommestad, "Effort Estimates on Web Application Vulnerability Discovery", 46th Hawaii International Conference on System Sciences, HICSS 2013, January 7-10 2013.

 A. Marback, H. Do, K. He, s. Kondamarri, D. Xu, "A threat model-based approach to security testing", Software: Practice and Experience, Vol. 43 Issue 2, February 2013.

Year 2012 : 8 citations

 Sanon Chimmanee, Thanyada Veeraprasit, Kritsada Sriphaew, Aniwat Hemanidhi, "A Performance Comparison of Vulnerability Detection between Netclarity Auditor and Open Source Nessus", Recent Advances in Communications, Circuits and Technological Innovation, Paris, France, December 2-4, 2012.

 D. N. Swetha, B. S. Kumar, “Protocol Based Approach on Vulnerability Detection Tools of SQLIA along with Monitoring Tools”, International Journal of Computer Science Engineering and Technology (IJCSET), vol. 2, no. 11, November 2012.

 Rim Akrout, "Analyse de vulnérabilités et évaluation de systèmes de détection d'intrusions pour les applications Web", PhD Thesis, Institut National des Sciences Appliquées de Toulouse (INSA Toulouse), Toulouse, France, October 2012.

 T. Koskinen, P. Ihantola, V. Karavirta, "Quality of WordPress Plug-Ins: An Overview of Security and User Ratings", International Conference on Privacy, Security, Risk and Trust and International Conference on Social Computing, PASSAT 2012 and SocialCom 2012, Amsterdam, Netherlands, September 3-5, 2012.

 D. Hauzar, J. Kofron, "On Security Analysis of PHP Web Applications", IEEE 36th Annual Computer Software and Applications Conference Workshops, COMPSACW 2012, Izmir, Turkey, July 16-20, 2012.

 Douglas Rocha, Diego Kreutz, Rogerio Turchetti, "A free and extensible tool to detect vulnerabilities in Web systems", 2012 7th Iberian Conference on Information Systems and Technologies, CISTI 2012, Madrid, Spain, June 2012.

 Mike Samuel, Úlfar Erlingsson, "Let's parse to prevent pwnage", 5th USENIX conference on Large-Scale Exploits and Emergent Threats, LEET'12, San Jose, CA, USA, April 2012.

 D. Xu, M. Tu, M. Sanford, L. Thomas, D. Woodraska, W. Xu, "Automated Security Test Generation with Formal Threat Models", IEEE Transactions on Dependable and Secure Computing, TSC, ISSN: 1545-5971, Issue:99, February 2012.

Year 2011 : 11 citations

 A. Dessiatnikoff, R. Akrout, E. Alata, M. Kaaniche, V. Nicomette, “A Clustering Approach for Web Vulnerabilities Detection", 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing (PRDC 2011), Pasadena, CA, USA, December 2011.

 Nidal Khoury, Pavol Zavarsky, Dale Lindskog Ron Ruhl, "Testing and assessing web vulnerability scanners for persistent SQL injection attacks", First International Workshop on Security and Privacy Preserving in e-Societies (SeceS '11), New York, NY, USA, 2011.

 D. Hauzar, J. Kofron, “Hunting Bugs Inside Web Applications”, Formal Verification of Object-Oriented Software, Technical report, Department of Informatics, KIT, October 2011.

 Zhushou Tang, Haojin Zhu, Zhenfu Cao, Shuai Zhao, "L-WMxD: Lexical based Webmail XSS Discoverer", 2011 IEEE Conference on Computer Communications Workshops, INFOCOM WKSHPS 2011, Hyannis, MA, USA, October 10-12, 2011.

 N. Khoury, P. Zavarsky, D. Lindskog, R. Ruhl, "An Analysis of Black-Box Web Application Security Scanners against Stored SQL Injection", 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust (PASSAT 2011) and 2011 IEEE Third International Conference on Social Computing (SOCIALCOM 2011), Boston, USA, October 2011.

 Jeff Stuckman, James Purtilo, "A Testbed for the Evaluation of Web Intrusion Prevention Systems", 2011 Third International Workshop on Security Measurements and Metrics, Metrisec, September 2011.

 Birhanu Eshete, Komminist Weldemariam, Adolfo Villafiorita, “Early Detection of Security Misconfiguration Vulnerabilities in Web Applications”, Sixth International Conference on Availability, Reliability and Security, ARES 2011, Vienna, Austria, August 22-26, 2011.

 Sangita Roy, Avinash Kumar Singh, Ashok Singh Sairam, "Detecting and Defeating SQL Injection Attacks", International Journal of Information and Electronics Engineering, Vol. 1 , No. 1, July 2011.

 Thomas, L., Weifeng Xu, Dianxiang Xu, "Mutation Analysis of Magento for Evaluating Threat Model-Based Security Testing", IEEE 35th Annual Computer Software and Applications Conference Workshops (COMPSACW), pp. 184 - 189, Minuch, Germany, July, 2011.

 Daniel Woodraska, Michael Sanford, Dianxiang Xu, “Security mutation testing of the FileZilla FTP server”, 2011 ACM Symposium on Applied Computing, ACM SAC '11, Taichung, Taiwan, March 21-24, 2011.

 Geert Smelt, “Programming web applications securely”, BSc Thesis, Faculty of Science, Radboud University of Nijmegen, Nijmegen, Netherlands, January 2011.

Year 2010 : 10 citations

 Dmitri Nikulin, "Assertions For Self-Testing Web Applications", Faculty of Information Technology - Monash University, Clayton, Victoria, Australia, 2010.

 Huning Dai, Michael Glass, E. Gail Kaiser, "Baseline: Metrics for setting a baseline for web vulnerability scanners", Technical Report, CUCS-023-10, Columbia University, New York, NY, 2010.

 P. Roberts-Morpeth, J. Ellman, "Some security issues for web based frameworks", 2010 7th International Symposium on Communication Systems Networks and Digital Signal Processing, CSNDSP 2010, New Castle, UK, July 2010

 Shahriar, M. Zulkernine, “Mitigating Program Security Vulnerabilities: Approaches and Challenges”, ACM Computing Surveys, ACM, 2010.

 D.A. Shelly, “Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners”, MSc Thesis, Virginia Polytechnic Institute and State University, July 2010.

 Tânia Basso, Plínio César Simões Fernandes, Mario Jino, Regina Moraes, “Analysis of the Effect of Java Software Faults on Security Vulnerabilities and Their Detection by Commercial Web Vulnerability Scanner Tool”, 4th Workshop on Recent Advances on Intrusion-Tolerant Systems, WRAITS 2010, in conjunction with The 40th IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2010), Chicago, IL, USA, 2010.

 Muhammad Sajid Farooq, Muhammad Khalid Khan, Muhammad Qasim Pasta, “Model Based Web Application Backend Testing Using Requirement Specification Table”, Journal of Engineering and Sciences 4, no. 1. Technology Forces, January – June, 2010.

 Hossain Shahriar, “Mitigating and Monitoring Program Security Vulnerabilities”, PhD Thesis, School of Computing - Queen’s University, Kingston, Ontario, Canada, June 2010.

 J. Bau, E. Bursztein, D. Gupta, J.C. Mitchell, “State of the Art: Automated Black-Box Web Application Vulnerability Testing”, Proceedings IEEE Symposium on Security and Privacy, May 2010.

 Tania Basso, Regina L. O. Moraes, Mario Jino, "A Methodology for Effectiveness Analysis of Vulnerability Scanning Tools", III EADCA - Terceiro Encontro dos Alunos e Docentes do Departamento de Engenharia de Computação e Automação Industrial, University of Campinas (UNICAMP), Brazil, March 2010.

Year 2009 : 2 citations

 1. Shahriar, H., Zulkernine, M. “MUTEC: Mutation-based testing of Cross Site Scripting”, 2009 ICSE Workshop on Software Engineering For Secure Systems, International Conference on Software Engineering, Vancouver, Canada, May 19, 2009.

 2. H. Shahriar, M. Zulkernine, “Automatic Testing of Program Security Vulnerabilities", 1st IEEE International Workshop on Test Automation, 2009 33rd Annual IEEE International Computer Software and Applications Conference, IEEE CS Press, Seattle, USA, July 2009.

Year 2008 : 1 citations

 1. Jagdish Halde, "SQL Injection analysis, Detection and Prevention", MSc Thesis, Department of Computer Science, San Jose State University, San Jose, CA, USA, 2008.