Web Application Vulnerability and Comparison of Scanning Tools for SQL Injection and XSS Attacks

Authors

  • Vandana  M.Tech, Cyber Security, Raksha Shakti University, Ahmedabad, Gujarat, India
  • Shubham Khandelwal  M.Tech, Cyber Security, Raksha Shakti University, Ahmedabad, Gujarat, India

Keywords:

Web Application Vulnerability, SQL Injection (SQLi), Cross-Site Scripting (XSS), DMS, OWASP, Vulnerability Scanner

Abstract

The number of vulnerabilities and threats being found today is much higher in applications than in operating systems. As a result, attacks aimed at web applications exploit vulnerabilities at the application level rather than at the transport or network level, as common attacks of the past did. At the same time, the quantity and impact of threats and vulnerabilities in such applications have grown as well. Many transactions are performed online with various kinds of web applications. In almost all of them, the user is authenticated before being given access to the backend database that stores all the user information. A well-crafted injection can grant access to malicious or unauthorized users, and this is mostly achieved through SQL injection and Cross-Site Scripting (XSS). In this paper, we present a vulnerability scanning and analysis tool for various kinds of SQL injection and Cross-Site Scripting (XSS) attacks. Our approach can be used with any web application; it is not limited to known ones. It also supports the most popular database management servers (DMS), namely MS SQL Server, Oracle, and MySQL. We have also compared the performance results of our vulnerability scanner with the performance of similar tools.

Published

2018-04-30

Section

Research Articles

How to Cite

[1] Vandana, Shubham Khandelwal, "Web Application Vulnerability and Comparison of Scanning Tools for SQL Injection and XSS Attacks," International Journal of Scientific Research in Computer Science, Engineering and Information Technology (IJSRCSEIT), ISSN: 2456-3307, Volume 3, Issue 3, pp. 1153-1162, March-April 2018.