Graduation Semester and Year
2012
Language
English
Document Type
Thesis
Degree Name
Master of Science in Computer Science
Department
Computer Science and Engineering
First Advisor
(Jeff) Yu Lei
Abstract
As the software industry pays increasing attention to web application security, various testing tools with black-box testing features have been developed. To better evaluate their performance, researchers have made efforts in several ways. Since XSS is one of the major attacks that can cause severe damage to victims, it is meaningful to pay specific attention to its testing process. However, many web application scanner evaluation projects compare scanners across various vulnerability types and are not sufficiently dedicated to XSS issues. Their evaluations use either real-life vulnerable applications or test cases the evaluators created themselves, so it is possible that their test cases are not comprehensive enough and that their test results are biased by the limited number of test cases. Most projects compare final scanning results and draw conclusions, without deeper analysis of the testing mechanisms. In this project, we evaluate 4 tools, and we try not only to compare their performance but also to find out the reasons for their differences and to propose our suggestions. First, we use real-life vulnerable web applications to evaluate the scanners' performance in different testing phases, including crawling. Then we use JSP test cases under our control to focus on testing their ability to send fuzzed data and analyze responses. Finally, we try to explain their performance differences by comparing their injection patterns. Our test results indicate that their performance differences in various phases have influenced their final test results. However, crawling performance does not seem to be a key factor, which differs from the conclusions of much related work. Our deeper study of injection patterns suggests that all scanners have a certain variety of the patterns we focus on, and that their final detection ability may result from multiple factors.
Disciplines
Computer Sciences | Physical Sciences and Mathematics
License
This work is licensed under a Creative Commons Attribution-NonCommercial-Share Alike 4.0 International License.
Recommended Citation
Xia, Dengfeng, "Comparing Web Application Scanners For XSS Attacks" (2012). Computer Science and Engineering Theses. 285.
https://mavmatrix.uta.edu/cse_theses/285
Comments
Degree granted by The University of Texas at Arlington