• DocumentCode
    2875487
  • Title
    Building a Test Suite for Web Application Scanners
  • Author
    Fong, Erin ; Gaucher, R. ; Okun, Vadim ; Black, Paul E.
  • Author_Institution
    Nat. Inst. of Stand. & Technol., Gaithersburg
  • fYear
    2008
  • fDate
    7-10 Jan. 2008
  • Firstpage
    478
  • Lastpage
    478
  • Abstract
    This paper describes the design of a test suite for thorough evaluation of web application scanners. Web application scanners are automated, black-box testing tools that examine web applications for security vulnerabilities. For several common vulnerability types, we classify defense mechanisms that can be implemented to prevent corresponding attacks. We combine the defense mechanisms into "levels of defense" of increasing strength. This approach allows us to develop an extensive test suite that can be easily configured to switch on and off vulnerability types and select a level of defense. We evaluate the test suite experimentally using several web application scanners, both open-source and proprietary. The experiments suggest that the test suite is effective at distinguishing the tools based on their vulnerability detection rate; in addition, its use can suggest areas for tool improvement.
  • Keywords
    Internet; program testing; security of data; Web application scanners; automated black-box testing; security vulnerabilities; test suite; Application software; Automatic testing; Buildings; Information security; NIST; National security; Open source software; Software testing; Switches; System testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Hawaii International Conference on System Sciences, Proceedings of the 41st Annual
  • Conference_Location
    Waikoloa, HI
  • ISSN
    1530-1605
  • Type
    conf
  • DOI
    10.1109/HICSS.2008.79
  • Filename
    4439178