An automated framework for evaluating open-source web scanner vulnerability severity
ORIGINAL RESEARCH PAPER
An automated framework for evaluating open‑source web scanner vulnerability severity Richard Amankwah1,3 · Jinfu Chen1 · Patrick Kwaku Kudjo2 · Beatrice Korkor Agyemang3 · Alfred Adutwum Amponsah1 Received: 19 December 2019 / Revised: 23 June 2020 / Accepted: 29 June 2020 © Springer-Verlag London Ltd., part of Springer Nature 2020
Abstract The inevitable use of web applications has resulted in increased exposure to security vulnerabilities, which attackers exploit with each passing day. Fixing these vulnerabilities requires a great deal of effort and time; hence, developers need to prioritize and channel their resources to the most severe vulnerabilities to curtail further exploitation. The Common Vulnerability Scoring System (CVSS) is the de facto standard for characterizing and measuring the severity of security vulnerabilities. However, the effectiveness of the CVSS metric has been challenged in previous studies, leading to a variety of vulnerability scoring metrics. This paper proposes an automated framework for evaluating open-source Web scanner vulnerability severity, using the Web vulnerability scanner OWASP Zed Attack Proxy (ZAP) to detect vulnerabilities in the Damn Vulnerable Web Application (DVWA). Additionally, we use the OWASP Top Ten 2017 selection and prioritization scheme as our benchmark for the severity measure and ranking. The preliminary result shows that the most frequent vulnerabilities in Web applications, such as SQL injection and cross-site scripting, are of medium severity with a severity score of 8.

Keywords Open-source scanner · Vulnerability detection · Vulnerability scanner · Damn vulnerable web application · Vulnerability severity
* Richard Amankwah [email protected]
1 School of Computer Science and Communication Engineering, Jiangsu University, Zhenjiang 212013, China
2 University of Professional Studies, 233 Accra, Ghana
3 Presbyterian College of Education, Akropong-Akuapem, 233 Accra, Ghana

1 Introduction

In recent times, the continuous increase in vulnerabilities in Web applications has made it advisable for developers to channel their effort to the most severe vulnerabilities, so as to reduce cost and resources [1]. To achieve this goal, there is a need to develop models or systems that can quantify or analyze the severity of vulnerabilities, in order to improve vulnerability prioritization and mitigation strategies. The Common Vulnerability Scoring System (CVSS) has become a standardized public means to address this issue by providing a framework for analyzing and quantifying software vulnerability severity [2]. However, the CVSS has been criticized for its poor effectiveness, since its score cannot be the only means of predicting the severity of a vulnerability [2]. Additionally, researchers have criticized the CVSS for its inconsistency in scoring the severity of vulnerabilities. For example, two people scoring the same vulnerability may not arrive at identical results. As a result, researchers are focused on identifying alternative ways of improving its effectivene