A Comparative Analysis of Open Source Dynamic Application Security Testing Tools / En jämförelseanalys av dynamiska testverktyg för applikationssäkerhet med öppen källkod

Chorell, Isak, Ekberg, Christoffer

January 2024

In today’s digital era, the increase of internet usage presents a growing challenge in cyber security. An increase in cyber attacks underscore the need for robust software systems to protect them. One way of detecting vulnerabilities is by using Dynamic Application Security Testing (DAST) tools, which simulate cyber attacks without knowledge of the internal structure of its target. This thesis investigates the four open source DAST tools Black Widow, Nuclei, Wapiti and ZAP in their ability to identify security vulnerabilities in web applications. A comparative analysis was performed, focusing on the tools vulnerability detection capabilities, how different web applications affect their results as well as their practical applicability. Each DAST tool was run against web applications, both with and without intentional vulnerabilities, where measures such as scan time and reported vulnerabilities were collected. The tools were also run against a benchmark to be able to calculate the metrics accuracy, precision, recall and F-measure. The results show that ZAP reported the most vulnerabilities, where Cross Site Scripting and SQL injection are the most common types, but also had the largest number of false positives. However, on the benchmark, none of the DAST tools had any false positives. It was also found that the architecture of the web application highly influenced the tools' attack capabilities. Conclusively, DAST tools can help to improve the security of web applications but come with some drawbacks and limitations. To achieve a more comprehensive scan, one can use more than one DAST tool, but it comes with a cost of longer scan times and an increase in manual effort to review the reported vulnerabilities.

Web security

DAST

Dynamic Application Security Testing

Black Widow

Nuclei

Wapiti

ZAP

Computer Sciences

Datavetenskap (datalogi)

Detection of Vulnerability Scanning Attacks using Machine Learning : Application Layer Intrusion Detection and Prevention by Combining Machine Learning and AppSensor Concepts / Detektering av sårbarhetsscanning med maskininlärning : Detektering och förhindrande av attacker i applikationslagret genom kombinationen av maskininlärning och AppSensor koncept

Shahrivar, Pojan

January 2022

It is well-established that machine learning techniques have been used with great success in other domains and has been leveraged to deal with sources of evolving abuse, such as spam. This study aims to determine whether machine learning techniques can be used to create a model that detects vulnerability scanning attacks using proprietary real-world data collected from tCell, a web application firewall. In this context, a vulnerability scanning attack is defined as an automated process that detects and classifies security weaknesses and flaws in the web application. To test the hypothesis that machine learning techniques can be used to create a detection model, twenty four models were trained. The models showed a high level of precision and recall, ranging from 91% to 0.96% and 85% to 0.93%, respectively. Although the classification performance was strong, the models were not calibrated sufficiently which resulted in an underconfidence in the predictions. The results can therefore been viewed as a performance baseline. Nevertheless, the results demonstrate an advancement over the simplistic threshold-based techniques developed in the early days of the internet, but require further research and development to tune and calibrate the models. / Det är väletablerat att tekniker för maskininlärning har använts med stor framgång inom andra domäner och har utnyttjats för att hantera källor till växande missbruk, såsom spam. Denna studie syftar till att avgöra om maskininlärningstekniker kan tillämpas för att skapa en modell som upptäcker sårbarhets-skanningsattacker med hjälp av proprietär data som samlats in från tCell, en webbapplikationsbrandvägg. I detta sammanhang definieras en sårbarhetsskanningsattack som en automatiserad process som upptäcker och klassificerar säkerhetsbrister och brister i webb-applikationen. För att testa hypotesen att maskininlärningstekniker kan användas för att skapa en detektionsmodell, tränades tjugofyra modeller. Modellerna visade en hög nivå av precision och sensitivitet, från 91% till 0,96% och 85% till 0,93%, respektive. Även om klassificeringsprestandan var god, var modellerna inte tillräckligt kalibrerade, vilket resulterade i ett svagt förtoende för förutsägelserna. De presenterade resultaten kan därför ses som en prestationsbaslinje. Resultaten visar ett framsteg över de förenklade tröskelbaserade teknikerna som utvecklades i begynnelsen av internet, men kräver ytterligare forskning och utveckling för att kalibrera modellerna.

Vulnerability Scanning

Random Forest

Web application security

Next-Gen Web application Firewall

Machine learning

Dynamic application security testing

Intrusion detection & prevention

Computer and Information Sciences

Data- och informationsvetenskap