A Quantitative Assessment of the Detection Performance of Web Vulnerability Scanners


Research field: Infrastructure



Conference: ARES '22: Proceedings of the 17th International Conference on Availability, Reliability and Security


Abstract

Software developers use web application vulnerability scanners to automatically identify security weaknesses in their web applications. The scanners inspect source code or analyze the running application, and look for specific vulnerability types. While it can be expected that a scanner will not discover every vulnerability, no information is available on the expected efficacy of currently available vulnerability scanners for a given vulnerability type. We present an analysis of 24 web vulnerability scanners and determine their effectiveness on 11 vulnerability types. Our study offers insights into the trade-offs when selecting a specific type of scanner. We show that for some vulnerability types, most vulnerability scanners perform poorly.


Authors

Emma Lavens, imec - DistriNet, KU Leuven, Belgium
Pieter Philippaerts, imec - DistriNet, KU Leuven, Belgium
Wouter Joosen, imec - DistriNet, KU Leuven, Belgium

📄 Paper information

Publication year: 2022
Citations: 2
Country of publication: Belgium
Site: ACM