Pertanika Journal

Go to Pertanika

Go to JTAS Home

Go to Pertanika Facebook

Home / Regular Issue / JST Vol. 31 (6) Oct. 2023 / JST-4017-2022

Measuring Vulnerability Assessment Tools’ Performance on the University Web Application

Pita Jarupunphol, Suppachochai Seatun and Wipawan Buathong

Pertanika Journal of Science & Technology, Volume 31, Issue 6, October 2023

DOI: https://doi.org/10.47836/pjst.31.6.19

Keywords: Cybersecurity, cyber threats, risks, vulnerability assessment, web application

Published on: 12 October 2023

Abstract

This research measured vulnerability assessment tools’ performance on a university web application, including Burp Suite and OWASP ZAP. There are three measurement criteria: (1) the number of vulnerabilities classified under risk and confidence metrics, (2) the number of vulnerability types and URL alerts classified under risk and confidence metrics, and (3) the number of vulnerabilities classified in the 2021 OWASP Top 10 vulnerabilities. Results showed that Burp Suite detected more vulnerabilities and alerts than OWASP ZAP, with a higher proportion of high-risk vulnerabilities. However, OWASP ZAP had a higher proportion of medium-confidence vulnerabilities. The comparison also revealed that the vulnerabilities identified by both tools were ranked differently within the OWASP Top 10, and there were variations in risk prioritisation between the tools. Despite these differences, the vulnerability assessment results obtained from these tools are still helpful for the university’s security analysts and administration, as mitigating cyber threats to the web application is paramount.

References

Abdullah, H. S. (2020). Evaluation of open source web application vulnerability scanners. Academic Journal of Nawroz University, 9(1), 47-52. https://doi.org/10.25007/ajnu.v9n1a532
Alexei, L. A., & Alexei, A. (2021). Cyber security threat analysis in higher education institutions as a result of distance learning. International Journal of Scientific & Technology Research, 10(3), 128-133.
Alsaleh, M., Alomar, N., Alshreef, M., Alarifi, A., & Al-Salman, A. M. (2017). Performance-based comparative assessment of open source web vulnerability scanners. Security and Communication Networks, 2017, Article 6158107. https://doi.org/10.1155/2017/6158107
Amankwah, R., Chen, J., Kudjo, P. K., & Towey, D. (2020). An empirical comparison of commercial and open-source web vulnerability scanners. Software - Practice and Experience, 50(9), 1842-1857. https://doi.org/10.1002/spe.2870
Amankwah, R., Chen, J., Kudjo, P. K., Agyemang, B. K., & Amponsah, A. A. (2020). An automated framework for evaluating open-source web scanner vulnerability severity. Service Oriented Computing and Applications, 14, 297-307. https://doi.org/10.1007/s11761-020-00296-9
Darus, M. Y., Omar, M. A., Mohamad, M. F., Seman, Z., & Awang, N. (2020). Web vulnerability assessment tool for content management system. International Journal of Advanced Trends in Computer Science and Engineering, 9(1.3), 440-444.
Diogenes, Y., & Ozkaya, E. (2018). Cybersecurity – Attack and defense strategies:
Infrastructure security with Red Team and Blue Team tactics. Packt Publishing.
Disawal, S., & Suman, U. (2021, March 17-19). An analysis and classification of vulnerabilities in web-based application development. [Paper presentation]. 2021 International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India.
ETDA. (2022). Personal data protection act. Electronic Transactions Development Agency. https://ictlawcenter.etda.or.th/laws/detail/DP-Act-2562
Ibrahim, A. B., & Kant, S. (2018). Penetration testing using SQL injection to recognise the vulnerable point on web pages. International Journal of Applied Engineering Research, 13(8), 5935-5942.
Karumba, M. C., Ruhiu, S., & Moturi, C. A. (2016). A hybrid algorithm for detecting web based applications vulnerabilities. American Journal of Computing Research Repository, 4(10), 15-20. https://doi.org/10.12691/ajcrr-4-1-3
Khalid, M. N., Farooq, H., Iqbal, M., Alam, M. T., & Rasheed, K. (2019). Predicting web vulnerabilities in web applications based on machine learning. In I. S. Bajwa, F. Kamareddine & A. Costa (Eds.), Intelligent Technologies and Applications (pp.473-484). Springer.
Khera, Y., Kumar, D., Sujay., & Garg, N. (2019, February 14-19). Analysis and impact of vulnerability assessment and penetration testing. [Paper presentation]. International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), Faridabad, India.
Liu, M., & Wang, B. (2018). A web second-order vulnerabilities detection method. IEEE
Access, 6, 70983-70988. https://doi.org/10.1109/ACCESS.2018.2881070
Malekar, V., & Ghode, S. (2020). A review on vulnerability assessment and penetration testing open source tools for web application security. International Journal of Advanced Research in Science & Technology (IJARST), 2(3), 30-33.
Mburano, B., & Si, W. (2018, December 18-20). Evaluation of web vulnerability scanners based on OWASP benchmark. [Paper presentation]. International Conference on Systems Engineering (ICSEng), Sydney, Australia. https://doi.org/10.1109/ICSENG.2018.8638176
McNab, C. (2016). Network Security Assessment: Know your Network (3rd ed.). O’Reilly Media.
Muncaster, P. (2020, September 3). Northumbria Uni Campus closed after serious cyber-attack. Information Security Magazine. https://www.infosecurity-magazine.com/news/northumbria-uni-campus-closed/
Muncaster, P. (2021, August 31). Ransomware may have cost US schools over $6bn in 2020. Information Security Magazine. https://www.infosecurity-magazine.com/news/ransomware-cost-us-schools-6bn-2020/
Naagas, M. A., Mique Jr, E. L., Palaoag, T. D., & Cruz, J. D. (2018). Defence-through-deception network security model: Securing university campus network from DoS/DdoS attack. Bulletin of Electrical Engineering and Informatics, 7(4), 593-600. https://doi.org/10.11591/eei.v7i4.1349
Nagpure, S., & Kurkure, S. (2017, August 17-18). Vulnerability assessment and penetration testing of web application. [Paper presentation] International Conference on Computing, Communication, Control and Automation (ICCUBEA), Pune, India. https://doi.org/10.1109/ICCUBEA.2017.8463920
Nunes, P. J., Medeiros, I., Fonseca, J. M., Neves, N. F., Correia, M. P., & Vieira, M. P. (2018). Benchmarking static analysis tools for web security. IEEE Transactions on Reliability, 67(3), 1159-1175. https://doi.org/10.1109/TR.2018.2839339
Pavlova, E. (2020). Enhancing the organisational culture related to cyber security during the university digital transformation. Information & Security, 46(3), 239-249. https://doi.org/10.11610/isij.4617
Popov, G., Lyon, B. K., & Hollcroft, B. (2016). Risk Assessment: A Practical Guide to Assessing Operational Risks. Wiley.
Rahamathullah, U., & Karthikeyan, E. (2021, May 25). Distributed denial of service attacks prevention, detection and mitigation - A review. [Paper presentation]. Proceedings of the International Conference on Smart Data Intelligence (ICSMDI 2021), Tamil Nadu, India. http://dx.doi.org/10.2139/ssrn.3852902
Thai Netizen Network. (2017). Computer crime act 2017 Thai-English Thailand’s computer-related crime act 2017 bilingual. Thai Netizen Network. https://thainetizen.org/docs/cybercrime-act-2017
Ulven, J. B., & Wangen, G. (2021). A systematic review of cybersecurity risks in higher education. Future Internet, 13(2), Article 39. https://doi.org/10.3390/fi13020039
Vibhandik, R., & Bose, A. K. (2015, September 21-23). Vulnerability assessment of web applications - A testing approach. [Paper presentation] International Conference on e-Technologies and Networks for Development (ICeND), Lodz, Poland. https://doi.org/10.1109/ICeND.2015.7328531
Wear, S. (2018). Burp Suite Cookbook: Practical Recipes to Help you Master Web Penetration Testing with Burp Suite. Packt Publishing.