Web Vulnerability Finder (WVF): Automated Black- Box Web Vulnerability Scanner

Full Text (PDF, 454KB), PP.38-46

Views: 0 Downloads: 0


Muhammad Noman Khalid 1,* Muhammad iqbal 2 Kamran Rasheed 1 Malik Muneeb Abid 3

1. Department of Computer Sciences, Bahria University Karachi

2. Department of Computer Sciences, Bahria University Karachi. & School of Information Sciences & Technology Southwest Jiaotong University, Chengdu, China

3. Department of Civil Engineering, International Islamic University, Islamabad

* Corresponding author.

DOI: https://doi.org/10.5815/ijitcs.2020.04.05

Received: 7 Feb. 2020 / Revised: 10 Mar. 2020 / Accepted: 16 Mar. 2020 / Published: 8 Aug. 2020

Index Terms

WVF, Automated Vulnerability Detection, black-box scanners


Today the internet has become primary source of communication among people because it holds limitless space and pool of various web applications and resources. The internet allows us to communicate in a fraction of second with another people who is sitting in the other part of the world. At present, the internet has become part of our daily life and its usage is increasing exponentially, therefore it accumulates a number of web applications on daily basis on Web podium. Most of the web applications exist with few weaknesses and that weaknesses give room to several bad buys (hackers) to interrupt that weak part of code in web applications. Recently, SQL Injection, Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF) seriously threaten the most of the web applications.  In this study, we have proposed a black box testing method to detect different web vulnerabilities such as SQL Injection, XSS and CSRF and developed a detection tool i.e. Web Vulnerabilities Finder (WVF) for most of these vulnerabilities.  Our proposed method can automatically analyze websites with the aim of finding web vulnerabilities. By applying the tool to some websites, we have found 45 exploitable XSS, SQL Injection 45, Directory Discloser 38 and Local/remote file inclusion 40 vulnerabilities. The experimental results show that our tool can efficiently detect XSS, SQL Injection, Directory Discloser and LFI/RFI vulnerabilities.

Cite This Paper

Muhammad Noman Khalid, Muhammad iqbal, Kamran Rasheed, Malik Muneeb Abid, "Web Vulnerability Finder (WVF): Automated Black- Box Web Vulnerability Scanner", International Journal of Information Technology and Computer Science(IJITCS), Vol.12, No.4, pp.38-46, 2020. DOI:10.5815/ijitcs.2020.04.05


[1]Pop, Dragos-Paul, and Adam Altar. "Designing an MVC model for rapid web application development." Procedia Engineering 69 (2014): 1172-1179.

[2]Deepa, G., Thilagam, P. S., Khan, F. A., Praseed, A., Pais, A. R., & Palsetia, N. (2018). Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications. International Journal of Information Security, 17(1), 105-120.

[3]Khalid, M. N., Farooq, H., Iqbal, M., Alam, M. T., & Rasheed, K. (2018, October). Predicting Web Vulnerabilities in Web Applications Based on Machine Learning. In International Conference on Intelligent Technologies and Applications (pp. 473-484). Springer, Singapore.

[4]Awoleye, Olusesan M., Blessing Ojuloge, and Mathew O. Ilori. "Web application vulnerability assessment and policy direction towards a secure smart government." Government Information Quarterly 31 (2014): S118-S125.

[5]OWASP: Available at http://www.owasp.org/index.php/ Category: OWASP Top Ten Project, 2017. 

[6]Bozic, Josip, and Franz Wotawa. "PURITY: a Planning-based secURITY testing tool." Software Quality, Reliability and Security-Companion (QRS-C), 2015 IEEE International Conference on. IEEE, 2015.

[7]DOUPE, A., BOE, B., KRUEGEL, C., AND VIGNA, G. Fear the EAR:Discovering and Mitigating Execution After Redirect Vulnerabilities. InProceedings of the 18th ACM Conference on Computer and CommunicationsSecurity (CCS 2011) (Chicago, IL, October 2011).

[8]JOVANOVIC, N., KRUEGEL, C., AND KIRDA, E. Static analysisfor detecting taint-style vulnerabilities in web applications.Journal of Computer Security 18, 5 (2010), 861–907

[9]Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell, "State of the Art: Automated Black-Box Web Application Vulnerability Testing", 2010

[10]Adam Doup´e, Marco Cova, and Giovanni Vigna, “Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, July 2010

[11]“Burp suite,” http://portswigger.net/burp/, accessed: 2018 -11- 11.

[12]“Zed attack proxy (zap),” https://www.owasp.org/index.php/ OWASP Zed Attack Proxy Project, accessed: 2020-02-10.

[13]Aliero, M. S., Ghani, I., Qureshi, K. N., & Rohani, M. F. A. (2019). An algorithm for detecting SQL injection vulnerability using black-box testing. Journal of Ambient Intelligence and Humanized Computing, 1-18.

[14]“Defensics,” http://www.codenomicon.com/products/defensics/, accessed: 2018-11-10.

[15]F. Duchene, S. Rawat, J.-L. Richier, and R. Groz, “Kameleon- Fuzz: Evolutionary Fuzzing for Black-Box XSS Detection,” in CODASPY. ACM, 2014, pp. 37–48.

[16]B. Garn, I. Kapsalis, D. E. Simos, and S. Winkle8, “On the applicability of combinatorial testing to web application security testing: A case study,” in Proceedings of the 2nd International Workshop on Joining AcadeMiA and Industry Contributions to Testing Automation (JAMAICA’14). ACM, 2014.

[17]N.Antunes and M. Vieira 2010. Benchmarking vulnerability detection Scanners for web services. Paper presented at the Web Services (ICWS), 2010 IEEE International Conference on. 

[18]V. Livshits, and M. S. Lam 2005. Finding Security Errors in Java Programs with Static Analysis. In Proceedings of the 14th Usenix Security Symposium, pages 271-286. 

[19]Z. Duric2013. A black-box testing Scanner for detecting SQL injection vulnerabilities. Paper presented at the Informatics and Applications (ICIA), 2013 Second International Conference on IEEE. 

[20]ALiban, and H. Shadi. 2014. Enhancing Mysql Injector vulnerability checker Scanner (Mysql Injector) using inference binary search algorithm for blind timing-based attack. Paper presented at the Control and System Graduate Research Colloquium (ICSGRC), 2014 IEEE 5th.

[21]S. Kals Kirda E. Kruegel Christopher, and J. Nenad 2006. Secubat: a web vulnerability scanner. Paper presented at the Proceedings of the 15th international conference on World Wide Web.

[22]Doupé, Adam, et al. "Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner." USENIX Security Symposium. Vol. 14. 2012.

[23]W. G. Halfond, and A Orso, 2005. AMNESIA: Analysis and Monitoring for NEutralizing SQL-Inj ection attacks", Proceedings of the 20thlEEE/ACM international Conference on Automated software engineering, pp. 174-183,2005. 

[24]OWSAP Open Web Security Project. Retrieved 29/06/2015, from owasp.org/index.php/Category:VulnerabilitLScanning_ Scanners 

[25]M.F Jnena 2013. Modern Approach for WEB Applications Vulnerability Analysis retrieve on 27/812015 fromhttp://library. iugaza.edu.ps/thesis/1 09553 .pdf 229

[26]Shay Chen 2011. Security Scanner Benchmarking available at http://secScanneraddict. blogspot.my/20 11108/commercial-webapplication- scanner.html

[27]X. Zhang, and Z. Wang. 2010. Notice of Retraction A Static Analysis Scanner for Detecting Web Application Injection Vulnerabilities for ASP Program. Paper presented at the eBusiness and Information System Security (EBISS), 2010 2nd International Conference on

[28]L. Zhang, et al. 2010. D-WAV: A web application vulnerabilities detection Scanner using Characteristics of Web Forms." Software Engineering Advances (ICSEA), 2010 Fifth International Conference on. IEEE, 20 I O. 

[29]F. Jose'S. Nuno , V. Marco, and M. Henrique"Analysis of field data on web security vulnerabilities."Dependable and Secure

[30]Kals, Stefan, et al. "Secubat: a web vulnerability scanner." Proceedings of the 15th international conference on World Wide Web. ACM, 2006.

[31]MLA Shahriar, Hossain, and Mohammad Zulkernine. ”Client-side de-tection of cross-site request forgery attacks.” 2010 IEEE 21st Interna-tional Symposium on Software Reliability Engineering. IEEE, 2010.

[32]Goel, Jai Narayan, and B. M. Mehtre. "Vulnerability assessment & penetration testing as a cyber defence technology." Procedia Computer Science 57 (2015): 710-715.

[33]Djuric, Zoran. "A black-box testing tool for detecting SQL injection vulnerabilities." Informatics and Applications (ICIA), 2013 Second International Conference on. IEEE, 2013

[34]Y.-W. Huang, S.-K. Huang, T.-P. Lin, and Ch.-H. Tsai, “Web application security assessment by fault injection and behavior monitoring”, Proceedings of the 12th international conference on World Wide Web, pp. 148-159, 2003