

Analysis of the efficiency of open source and commercial vulnerability scanners for e-commerce web applications

Title: Analysis of the efficiency of open source and commercial vulnerability scanners for e-commerce web applications
Authors: Bohdan Tryhubets, Myroslav Tryhubets, Nataliya Zagorodna
Affiliation: Ternopil Ivan Puluj National Technical University, Ternopil, Ukraine
Bibliographic description (Ukrainian format): Analysis of the efficiency of open source and commercial vulnerability scanners for e-commerce web applications / Bohdan Tryhubets, Myroslav Tryhubets, Nataliya Zagorodna // Scientific Journal of TNTU. — Tern.: TNTU, 2024. — Vol. 116. — No. 4. — P. 23–30.
Bibliographic description: Tryhubets B., Tryhubets M., Zagorodna N. (2024) Analysis of the efficiency of open source and commercial vulnerability scanners for e-commerce web applications. Scientific Journal of TNTU (Tern.), vol. 116, no. 4, pp. 23–30.
DOI: https://doi.org/10.33108/visnyk_tntu2024.04.023
UDC: 004:056

Keywords: vulnerability scanners, web applications, e-commerce, OWASP Top 10, OWASP Juice Shop, web application security.

This paper presents a comparative analysis of the efficiency of the latest versions of popular open source and commercial vulnerability scanners for e-commerce web applications. OWASP Juice Shop, a deliberately insecure web application maintained by OWASP that embeds relevant vulnerabilities from the OWASP Top 10, was chosen as the test object. Quantitative results for each of the scanners are reported. Acunetix proved to be the scanner that detected the largest number of vulnerabilities across the criticality levels. At the same time, the authors emphasize the need to use several scanners to increase the efficiency of vulnerability detection. The study highlights the importance of regular scanning and monitoring of web application security, especially for e-commerce organizations. However, the authors note that scanners are important but not the only tools for finding vulnerabilities in complex web applications.
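The comparison method the abstract describes (checking which planted vulnerabilities each scanner reports, and arguing that several scanners together find more than any one of them) can be made concrete with the following script. It is an added example, not code or data from the paper: the scanner names scanner_a, scanner_b and scanner_c are placeholders, and both the ground-truth set and the findings are constructed for illustration (the paths mimic Juice Shop endpoints, but the findings are not measurements of any real product). The script deduplicates findings across scanners by weakness class and normalised location, computes recall and precision per scanner, and reports how much each additional scanner adds to the combined coverage.

```python
"""Aggregate web-vulnerability-scanner findings against a known ground
truth and measure how much each additional scanner adds.

Added example, not code or data from the paper. Scanner names, findings
and the ground-truth set are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

Key = Tuple[str, str]  # (CWE id, normalised location)


def normalise_location(raw: str) -> str:
    """Reduce a reported URL to its path plus sorted parameter names.

    Scanners report the same issue with different hosts, payloads and
    trailing slashes; without this step cross-scanner deduplication
    over-counts. 'http://h:3000/rest/products/search?q=1%27' and
    '/rest/products/search?q=x' both become '/rest/products/search?q'.
    """
    parts = urlsplit(raw if "://" in raw else "http://placeholder" + raw)
    path = parts.path.rstrip("/") or "/"
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return path + ("?" + ",".join(names) if names else "")


@dataclass(frozen=True)
class Finding:
    cwe: str       # weakness class, e.g. "CWE-89"
    location: str  # URL or path exactly as the scanner reported it
    severity: str  # the scanner's own rating; deliberately not part of key()

    def key(self) -> Key:
        return (self.cwe, normalise_location(self.location))


def evaluate(findings: Iterable[Finding], truth: Set[Key]) -> Dict[str, float]:
    """True positives, false positives, recall and precision for one scanner."""
    keys = {f.key() for f in findings}
    tp = keys & truth
    return {
        "tp": len(tp),
        "fp": len(keys - truth),
        "recall": len(tp) / len(truth),
        "precision": len(tp) / len(keys) if keys else 0.0,
    }


def union_recall(results: Dict[str, List[Finding]], truth: Set[Key]) -> float:
    """Recall of the union of all scanners' deduplicated findings."""
    found = {f.key() for findings in results.values() for f in findings}
    return len(found & truth) / len(truth)


def greedy_order(results: Dict[str, List[Finding]], truth: Set[Key]) -> List[Tuple[str, int]]:
    """Add scanners one at a time, always the one contributing the most
    not-yet-found true positives (ties broken alphabetically). Returns
    (scanner, cumulative true positives) pairs, so a scanner that adds
    nothing shows up as an unchanged count."""
    remaining = dict(results)
    covered: Set[Key] = set()
    order: List[Tuple[str, int]] = []
    while remaining:
        name = max(sorted(remaining),
                   key=lambda n: len({f.key() for f in remaining[n]} & (truth - covered)))
        covered |= {f.key() for f in remaining.pop(name)} & truth
        order.append((name, len(covered)))
    return order


# Constructed ground truth: weaknesses assumed to be planted in the test app.
GROUND_TRUTH: Set[Key] = {
    ("CWE-89", "/rest/products/search?q"),   # SQL injection in product search
    ("CWE-79", "/rest/products/search?q"),   # XSS through the same parameter
    ("CWE-639", "/rest/basket/1"),           # IDOR: reading another user's basket
    ("CWE-287", "/rest/user/login"),         # authentication bypass
    ("CWE-200", "/ftp"),                     # exposed backup files
    ("CWE-352", "/api/Feedbacks"),           # CSRF on feedback submission
}

# Constructed scanner output; the hypothetical scanner names are placeholders.
SCANNER_RESULTS: Dict[str, List[Finding]] = {
    "scanner_a": [
        Finding("CWE-89", "http://localhost:3000/rest/products/search?q=')) OR 1=1--", "high"),
        Finding("CWE-79", "http://localhost:3000/rest/products/search?q=<script>", "medium"),
        Finding("CWE-200", "http://localhost:3000/ftp/", "medium"),
        Finding("CWE-79", "http://localhost:3000/rest/admin/application-version", "low"),  # false positive
    ],
    "scanner_b": [
        Finding("CWE-89", "/rest/products/search?q=test", "critical"),
        Finding("CWE-639", "/rest/basket/1", "high"),
        Finding("CWE-200", "/ftp", "low"),
    ],
    "scanner_c": [
        Finding("CWE-79", "/rest/products/search?q=1", "high"),
        Finding("CWE-287", "/rest/user/login", "high"),
        Finding("CWE-200", "/robots.txt", "info"),  # false positive
    ],
}

if __name__ == "__main__":
    for scanner, findings in SCANNER_RESULTS.items():
        print(scanner, evaluate(findings, GROUND_TRUTH))
    print("union recall:", round(union_recall(SCANNER_RESULTS, GROUND_TRUTH), 3))
    print("greedy order:", greedy_order(SCANNER_RESULTS, GROUND_TRUTH))
```

With the constructed data, every single scanner finds half or less of the planted weaknesses, the union of all three reaches five of six, and the CSRF case is found by none of them, which is the practical shape of the abstract's two conclusions: combine scanners, and do not rely on scanners alone. Severity is kept out of the identity key on purpose, because scanners rate the same issue differently; a real assessment would also have to tolerate differing CWE granularity (one tool reporting CWE-79, another a more specific child weakness) when matching findings to the ground truth.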

ISSN:2522-4433
References
1. Shay Chen (2023). Web Application Scanners. SecTools.Org: Top 125 Network Security Tools. Available at: https://sectools.org/tag/web-scanners/.
2. Hindawi (2017). Performance-Based Comparative Assessment of Open Source Web Vulnerability Scanners. Available at: https://www.hindawi.com/journals/scn/2017/6158107/.
3. Kinnaird McQuade. Open Source Web Vulnerability Scanners: The Cost Effective Choice? ISSN: 2167-1508. Available at: https://www.researchgate.net/profile/Kinnaird-Mcquade/publication/267026342_Open_Source_Web_Vulnerability_Scanners_The_Cost_Effective_Choice/links/546150000cf2c1a63bff83dc/Open-Source-Web-Vulnerability-Scanners-The-Cost-Effective-Choice.pdf.
4. OWASP Juice Shop. Available at: https://owasp.org/www-project-juice-shop/.
5. OWASP Foundation, the Open Source Foundation for Application Security. Available at: https://owasp.org/.
6. Common Vulnerability Scoring System Calculator. Available at: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.
7. CWE Version 4.10. Available at: https://cwe.mitre.org/data/published/cwe_v4.10.pdf.
8. Pauli J. The Basics of Web Hacking: Tools and Techniques to Attack the Web. ISBN: 978-0124166004.
9. Scambray J. Hacking Exposed Web Applications, 3rd Edition. ISBN: 978-0071740647.
10. OWASP Web Security Testing Guide (WSTG). Available at: https://owasp.org/www-project-web-security-testing-guide/.
11. SANS Institute. Web Application Penetration Testing. Available at: https://www.sans.org/white-papers/web-application-penetration-testing.
12. Comparative Study of Automated Web Vulnerability Scanners. Available at: https://ieeexplore.ieee.org/document/8691130.
13. Stuttard D., & Pinto M. (2018). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2nd ed.). Wiley.
14. Messier R. (2019). Network Vulnerability Assessment: From Auditing to Continuous Monitoring. O'Reilly Media.
15. Hope P., & Walther B. (2021). Web Security for Developers: Real Threats, Practical Defense. No Starch Press.
16. NIST. (2023). National Vulnerability Database. Available at: https://nvd.nist.gov/.
17. OWASP ZAP Development Team. (2023). OWASP Zed Attack Proxy (ZAP). Available at: https://www.zaproxy.org/.

All rights reserved © 2019. Ternopil Ivan Puluj National Technical University.