Collaborative Computing: Networking, Applications and Worksharing. 13th International Conference, CollaborateCom 2017, Edinburgh, UK, December 11–13, 2017, Proceedings

Research Article

An Efficient Black-Box Vulnerability Scanning Method for Web Application

Download
12 downloads
  • @INPROCEEDINGS{10.1007/978-3-030-00916-8_42,
        author={Haoxia Jin and Ming Xu and Xue Yang and Ting Wu and Ning Zheng and Tao Yang},
        title={An Efficient Black-Box Vulnerability Scanning Method for Web Application},
        proceedings={Collaborative Computing: Networking, Applications and Worksharing. 13th International Conference, CollaborateCom 2017, Edinburgh, UK, December 11--13, 2017, Proceedings},
        proceedings_a={COLLABORATECOM},
        year={2018},
        month={10},
        keywords={Web application Black-box vulnerability scanner},
        doi={10.1007/978-3-030-00916-8_42}
    }
    
  • Haoxia Jin
    Ming Xu
    Xue Yang
    Ting Wu
    Ning Zheng
    Tao Yang
    Year: 2018
    An Efficient Black-Box Vulnerability Scanning Method for Web Application
    COLLABORATECOM
    Springer
    DOI: 10.1007/978-3-030-00916-8_42
Haoxia Jin1,*, Ming Xu1,*, Xue Yang1,*, Ting Wu1,*, Ning Zheng1,*, Tao Yang2,*
  • 1: Hangzhou Dianzi University
  • 2: Key Lab of the Third Research Institute of the Ministry of Public Security
*Contact email: 151050013@hdu.edu.cn, mxu@hdu.edu.cn, 153050004@hdu.edu.cn, wuting@hdu.edu.cn, nzheng@hdu.edu.cn, yangtao@stars.org.cn

Abstract

To discover web vulnerabilities before they are exploited by malicious attackers, black-box vulnerability scanners scan all the web pages of a web application. However, a web application implemented by several server-side programs with a backend database can generate a massive number of web pages, and may raise an unaffordable time consuming. The root cause of vulnerabilities is the mal-implemented server-side program, instead of any certain web pages that generated by the server-side program. In this paper, an efficient black-box web vulnerability scanning method – handler-ready – is proposed, which highlights the scanning on the server-side programs – – rather than concrete web pages. Handler-ready reduces the HTTP requests of massive web pages to a small number of , and gives the an even chance of being scanned. Therefore, the handler-ready can avoid being stuck with massive web pages that generated by the same when scanning. The experimental result shows that the proposed scanning method can discover more vulnerabilities than traditional methods in a limited amount of time.