DOI: 10.1145/1135777.1135817
SecuBat: a web vulnerability scanner

Published: 23 May 2006 Publication History

Abstract

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidents involving the loss of sensitive credit card information belonging to millions of customers.

Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable.

This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.
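The scanner the abstract describes has three parts: a crawler that finds forms, an attack component that injects probe strings, and an analysis component that decides from the response whether the injection worked. The script below is an added example of that crawl/attack/analyse loop in Python; it is not SecuBat's own code (SecuBat was a .NET tool) and does not reproduce its probe lists or heuristics. The target site, the `fake_fetch` server simulation, the probe strings and the SQL error patterns are all constructed for this example so that it runs offline.

```python
"""Minimal SecuBat-style black-box scanner: crawl a page for forms, inject SQLi and XSS
probes into each field, and analyse the responses. Added example, not SecuBat's own code.
The target is a constructed in-memory "site" (fake_fetch) so the script runs offline; the
fetch callback is the only thing to swap for a real HTTP client on a host you are
authorised to test."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urljoin


class FormParser(HTMLParser):
    """Crawler component: collect every <form> with its action, method and named fields."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.forms, self._cur = base_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"action": urljoin(self.base_url, a.get("action", "")),
                         "method": a.get("method", "get").lower(), "fields": []}
        elif tag in ("input", "textarea", "select") and self._cur is not None and a.get("name"):
            self._cur["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


# Attack component: probes are ordered cheapest-first; scanning stops at the first hit per field.
SQLI_PROBES = ["'", "' OR '1'='1"]
XSS_PROBES = ['<script>alert("sb")</script>', '"><img src=x onerror=alert(1)>']
# Analysis component for SQLi: error strings typical of MySQL, MSSQL/ODBC, Oracle and SQLite.
SQL_ERROR_RE = re.compile(
    r"SQL syntax|unclosed quotation|ODBC|ORA-\d{5}|syntax error|mysql_fetch", re.I)


def analyse(kind, payload, body):
    """SQLi is flagged when a database error leaks; XSS when the payload comes back unencoded.
    An HTML-escaped reflection (&lt;script&gt;) does not match, so escaping output is enough
    to pass this check."""
    if kind == "sqli":
        return SQL_ERROR_RE.search(body) is not None
    return payload in body


def scan(fetch, start_url):
    """fetch(url, method, params) -> response body. Returns (url, field, kind, payload) hits."""
    parser = FormParser(start_url)
    parser.feed(fetch(start_url, "get", {}))
    findings = []
    for form in parser.forms:
        for field in form["fields"]:
            for kind, probes in (("sqli", SQLI_PROBES), ("xss", XSS_PROBES)):
                for payload in probes:
                    # Benign filler in the other fields keeps server-side validation happy.
                    params = {f: (payload if f == field else "test") for f in form["fields"]}
                    body = fetch(form["action"], form["method"], params)
                    if analyse(kind, payload, body):
                        findings.append((form["action"], field, kind, payload))
                        break
    return findings


# Constructed target (not a real site): one vulnerable form and one safe form.
INDEX_HTML = """<html><body>
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
</body></html>"""


def fake_fetch(url, method, params):
    """Simulated server. /search concatenates q into SQL and reflects it raw (vulnerable);
    /login escapes its output and would use a parameterised query (not flagged)."""
    path = url.rsplit("/", 1)[-1]
    if path == "":
        return INDEX_HTML
    if path == "search":
        q = params.get("q", "")
        if q.count("'") % 2:  # an unbalanced quote breaks the concatenated query
            return "You have an error in your SQL syntax near '" + q + "'"
        return "<p>Results for " + q + "</p>"
    if path == "login":
        return "<p>Unknown user " + html.escape(params.get("user", "")) + "</p>"
    return "404 Not Found"


if __name__ == "__main__":
    for hit in scan(fake_fetch, "http://example.test/"):
        print(hit)
```

Run against the simulated site, `scan` reports the `q` field of `/search` for both SQL injection and XSS and nothing for `/login`. Both checks are heuristics of the kind a scanner uses to build a candidate list: a leaked database error or an unencoded reflection is strong evidence, not proof of exploitability, which is why the paper's authors hand-verified a sample of one hundred sites before drawing conclusions. A real deployment would also need to follow links beyond the start page, handle session cookies, and rate-limit requests.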



Published In

WWW '06: Proceedings of the 15th international conference on World Wide Web
May 2006
1102 pages
ISBN:1595933239
DOI:10.1145/1135777
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. SQL injection
  2. XSS
  3. automated vulnerability detection
  4. crawling
  5. cross-site scripting
  6. scanner
  7. security

Conference

WWW06

Acceptance Rates

Overall Acceptance Rate 1,899 of 8,196 submissions, 23%

Article Metrics

  • Downloads (Last 12 months)149
  • Downloads (Last 6 weeks)19
Reflects downloads up to 13 Jan 2025

Cited By

  • (2024) APIMiner: Identifying Web Application APIs Based on Web Page States Similarity Analysis. Electronics 13(6):1112, doi:10.3390/electronics13061112. Online publication date: 18 Mar 2024
  • (2024) Automation of System Security Vulnerabilities Detection Using Open-Source Software. Electronics 13(5):873, doi:10.3390/electronics13050873. Online publication date: 24 Feb 2024
  • (2024) SqliGPT: Evaluating and Utilizing Large Language Models for Automated SQL Injection Black-Box Detection. Applied Sciences 14(16):6929, doi:10.3390/app14166929. Online publication date: 7 Aug 2024
  • (2024) Development and Evaluation of SAVI: Simple Automated Vulnerability Inspector. 2024 Systems and Information Engineering Design Symposium (SIEDS), pp. 69-74, doi:10.1109/SIEDS61124.2024.10534662. Online publication date: 3 May 2024
  • (2024) Vulnerability Detection and Assessment for SQL Injection, Cross-site Scripting, and Other Common Vulnerabilities. ICT for Intelligent Systems, pp. 211-221, doi:10.1007/978-981-97-6684-0_18. Online publication date: 27 Dec 2024
  • (2023) Intelligent System for Automation of Security Audits (SIAAS). ICST Transactions on Scalable Information Systems, doi:10.4108/eetsis.3564. Online publication date: 20 Oct 2023
  • (2023) Black Ostrich: Web Application Scanning with String Solvers. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 549-563, doi:10.1145/3576915.3616582. Online publication date: 15 Nov 2023
  • (2023) Metamorphic Testing for Web System Security. IEEE Transactions on Software Engineering, pp. 1-43, doi:10.1109/TSE.2023.3256322. Online publication date: 2023
  • (2022) Cefuzz: An Directed Fuzzing Framework for PHP RCE Vulnerability. Electronics 11(5):758, doi:10.3390/electronics11050758. Online publication date: 1 Mar 2022
  • (2022) No keys to the kingdom required. Proceedings of the 22nd ACM Internet Measurement Conference, pp. 619-632, doi:10.1145/3517745.3561446. Online publication date: 25 Oct 2022
