Comparative analysis of the effectiveness of OWASP ZAP, Burp Suite, Nikto and Skipfish in testing the security of web applications

Aleksandra Kondraciuk

aleksandra.kondraciuk@pollub.edu.pl
Lublin University of Technology (Poland)

Aleksandra Bartos
Lublin University of Technology (Poland)

Beata Pańczyk
Lublin University of Technology (Poland)
https://orcid.org/0000-0001-8908-8501

Abstract

Security is one of the key requirements for an application to function properly. Ensuring it consists primarily of conducting regular penetration tests and checking how vulnerable the application is to various types of attacks. The recommended approach is to use tools dedicated to detecting security holes in applications, but choosing the right tool from among those available on the market can be difficult. This article presents a comparative analysis of the effectiveness of popular application security testing tools (OWASP ZAP, Burp Suite, Nikto and Skipfish) in terms of the number of vulnerabilities they detect. The analysis is based on the results of scanning two intentionally vulnerable web applications (bWAPP and Mutillidae) that are used for learning ethical hacking.


Keywords:

application security, penetration tests, testing tools

References

D.D. Bertoglio, A.F. Zorzo, Overview and open issues on penetration test, Journal of the Brazilian Computer Society 23, Article number 2 (2017) 1-2. DOI: https://doi.org/10.1186/s13173-017-0051-1

List of security scanning tools recommended by OWASP, https://owasp.org/www-community/Vulnerability_Scanning_Tools, [02.2022].

R. Devi, M. Kumar, Testing for Security Weakness of Web Applications using Ethical Hacking, 2020 4th International Conference on Trends in Electronics and Informatics (2020) 354, 358-360. DOI: https://doi.org/10.1109/ICOEI48184.2020.9143018

D. Sagar, S. Kukreja, J. Brahma, S. Tyagi, P. Jain, Studying Open Source Vulnerability Scanners For Vulnerabilities In Web Applications, Accendere KMS Services Pvt. Ltd, New Delhi, India (2018) 43-49.

B. Mburano, W. Si, Evaluation of Web Vulnerability Scanners Based on OWASP Benchmark, 2018 26th International Conference on Systems Engineering (2018) 1-2. DOI: https://doi.org/10.1109/ICSENG.2018.8638176

Documentation and source code of the bWAPP application, https://sourceforge.net/projects/bwapp/files/bWAPP/, [03.2022].

Documentation and source code of the Mutillidae application, https://github.com/webpwnized/mutillidae, [03.2022].

M. El, E. McMahon, S. Samtani, M. Patton, H. Chen, Benchmarking vulnerability scanners: An experiment on SCADA devices and scientific instruments, IEEE International Conference on Intelligence and Security Informatics (ISI) (2017) 83-85. DOI: https://doi.org/10.1109/ISI.2017.8004879

S. Tyagi, K. Kumar, Evaluation of Static Web Vulnerability Analysis Tools, 2018 Fifth International Conference on Parallel, Distributed and Grid Computing (PDGC) (2018) 1-3. DOI: https://doi.org/10.1109/PDGC.2018.8745996

Published
2022-09-30

Kondraciuk, A., Bartos, A., & Pańczyk, B. (2022). Comparative analysis of the effectiveness of OWASP ZAP, Burp Suite, Nikto and Skipfish in testing the security of web applications. Journal of Computer Sciences Institute, 24, 176–180. https://doi.org/10.35784/jcsi.2929
