An Analysis of Effectiveness of Black-Box Web Application Scanners in Detection of Stored SQL Injection and Stored XSS Vulnerabilities

机译：黑盒Web应用程序扫描仪在检测到存储SQL注入和存储XSS漏洞中的有效性分析

获取原文

页面导航

摘要
著录项
相似文献
相关主题

摘要

Black-box web application scanners are used to detect vulnerabilities in the web application without any knowledge of the source code. Recent research had shown their poor performance in detecting stored Cross-Site Scripting (XSS) and stored SQL Injection (SQLI). The detection efficiency of four black-box scanners on two testbeds, Wackopicko and Custom testbed Scanit (obtained from [5]), have been analyzed in this paper. The analysis showed that the scanners need to be improved for better detection of multi-step stored XSS and stored SQLI. This study involves the interaction between the selected scanners and the web application to measure their efficiency of inserting proper attack vectors in appropriate fields. The results of this research paper indicate that there is not much difference in terms of performance between open-source and commercial black-box scanners used in this research. However, it may depend on the policies and trust issues of the companies using them according to their needs. Some of the possible recommendations are provided to improve the detection rate of stored SQLI and stored XSS vulnerabilities in this paper. The study concludes that the state-of-the-art of automated black-box web application scanners in 2020 needs to be improved to detect stored XSS and stored SQLI more effectively.

机译：黑匣子Web应用程序扫描仪用于检测Web应用程序中的漏洞，而无需任何知识源代码。最近的研究表明它们在检测存储的跨站点脚本（XSS）和存储的SQL注入（SQLI）方面的性能不佳。在本文中分析了两个测试台，Wackopicko和自定义测试用扫描仪（从[5]）上的四个黑匣子扫描仪的检测效率。分析表明，需要改进扫描仪以便更好地检测多步存储XS和存储的SQLI。本研究涉及所选扫描仪与Web应用程序之间的交互，以测量它们在适当领域中插入适当的攻击向量的效率。本研究论文的结果表明，在本研究中使用的开源和商业黑匣子扫描仪之间的性能方面没有太大差异。但是，它可能取决于公司的政策和信任问题，根据他们的需求使用它们。提供了一些可能的建议，以提高存储SQLI的检测率并在本文中存储了XSS漏洞。该研究的结论是，需要改进2020年自动黑匣子Web应用程序扫描仪的最新，以检测存储的XSS并更有效地存储SQLI。

著录项

来源
《International Conference on Data Intelligence and Security》|2020年|40-48|共9页
会议地点
作者
Karthik Anagandula; Pavol Zavarsky;
展开▼
作者单位

展开▼
会议组织
原文格式 PDF
正文语种
中图分类
关键词
SQL injection; Databases; Cross-site scripting; Web pages; Uniform resource locators; Payloads; Manuals;

机译：SQL注入;数据库;跨站点脚本;网页;统一资源定位器;有效载荷;手册;

相似文献

外文文献
中文文献
专利

1. Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications [J] . Deepa G., Thilagam P. Santhi, Khan Furqan Ahmed, International Journal of Information Security . 2018,第1期

机译：XQuery注入的黑盒检测和Web应用程序中的漏洞漏洞
2. Web Application Vulnerability Analysis Using Robust SQL Injection Attacks [J] . Anil Kumar Mandapati, Adi lakshmi.Yannam International Journal of Engineering Trends and Technology . 2012,第5a1期

机译：使用强大的SQL注入攻击的Web应用程序漏洞分析
3. Web Application Vulnerability Analysis Using Robust SQL Injection Attacks [J] . Anil Kumar Mandapati, Adi lakshmi.Yannam International Journal of Engineering Trends and Technology . 2012,第5a1期

机译：使用强大的SQL注入攻击的Web应用程序漏洞分析
4. Analysis of Effectiveness of Black-Box Web Application Scanners in Detection of Stored SQL Injection and Stored XSS Vulnerabilities [C] . Muhammad Parvez, Pavol Zavarsky, Nidal Khoury International Conferece for Internet Technology and Secured Transactions . 2015

机译：在存储SQL注入检测中的黑盒Web应用程序扫描仪的有效性分析，并存储XSS漏洞
5. Evaluation of Training Methods That Prepare Software Programmers to Mitigate Web Application Cross-Site Scripting (XSS) Vulnerabilities for Software Vendors of Commercial Banks [D] . Oladele, Adekunle 2019

机译：对培训方法的评估，这些培训方法使软件程序员能够缓解商业银行软件供应商的Web应用程序跨站点脚本（XSS）漏洞
6. Vulnerability Assessment of IPv6 Websites to SQL Injection and Other Application Level Attacks [O] . Ying-Chiang Cho, Jen-Yi Pan 2013

机译：IPv6网站对SQL注入和其他应用程序级别攻击的漏洞评估
7. Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection [O] . De Meo Federico, Rocchetto Marco, Vigano Luca 2016

机译：基于SQL注入的Web应用程序漏洞的形式分析

An Analysis of Effectiveness of Black-Box Web Application Scanners in Detection of Stored SQL Injection and Stored XSS Vulnerabilities

摘要

著录项

相似文献

相关主题

期刊订阅