Sciweavers

DIMVA
2010

Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners

14 years 1 months ago
Why Johnny Can't Pentest: An Analysis of Black-Box Web Vulnerability Scanners
Black-box web vulnerability scanners are a class of tools that can be used to identify security issues in web applications. These tools are often marketed as "point-and-click pentesting" tools that automatically evaluate the security of web applications with little or no human support. These tools access a web application in the same way users do, and, therefore, have the advantage of being independent of the particular technology used to implement the web application. However, these tools need to be able to access and test the application's various components, which are often hidden behind forms, JavaScript-generated links, and Flash applications. This paper presents an evaluation of eleven black-box web vulnerability scanners, both commercial and open-source. The evaluation composes different types of vulnerabilities with different challenges to the crawling capabilities of the tools. These tests are integrated in a realistic web application. The results of the evaluat...
Adam Doupé, Marco Cova, Giovanni Vigna
Added 29 Oct 2010
Updated 29 Oct 2010
Type Conference
Year 2010
Where DIMVA
Authors Adam Doupé, Marco Cova, Giovanni Vigna
Comments (0)