PERTANIKA JOURNAL OF SCIENCE AND TECHNOLOGY

 

e-ISSN 2231-8526
ISSN 0128-7680

Home / Regular Issue / JST Vol. 31 (6) Oct. 2023 / JST-4017-2022

 

Measuring Vulnerability Assessment Tools’ Performance on the University Web Application

Pita Jarupunphol, Suppachochai Seatun and Wipawan Buathong

Pertanika Journal of Science & Technology, Volume 31, Issue 6, October 2023

DOI: https://doi.org/10.47836/pjst.31.6.19

Keywords: Cybersecurity, cyber threats, risks, vulnerability assessment, web application

Published on: 12 October 2023

This research measured vulnerability assessment tools’ performance on a university web application, including Burp Suite and OWASP ZAP. There are three measurement criteria: (1) the number of vulnerabilities classified under risk and confidence metrics, (2) the number of vulnerability types and URL alerts classified under risk and confidence metrics, and (3) the number of vulnerabilities classified in the 2021 OWASP Top 10 vulnerabilities. Results showed that Burp Suite detected more vulnerabilities and alerts than OWASP ZAP, with a higher proportion of high-risk vulnerabilities. However, OWASP ZAP had a higher proportion of medium-confidence vulnerabilities. The comparison also revealed that the vulnerabilities identified by both tools were ranked differently within the OWASP Top 10, and there were variations in risk prioritisation between the tools. Despite these differences, the vulnerability assessment results obtained from these tools are still helpful for the university’s security analysts and administration, as mitigating cyber threats to the web application is paramount.

  • Abdullah, H. S. (2020). Evaluation of open source web application vulnerability scanners. Academic Journal of Nawroz University, 9(1), 47-52. https://doi.org/10.25007/ajnu.v9n1a532

  • Alexei, L. A., & Alexei, A. (2021). Cyber security threat analysis in higher education institutions as a result of distance learning. International Journal of Scientific & Technology Research, 10(3), 128-133.

  • Alsaleh, M., Alomar, N., Alshreef, M., Alarifi, A., & Al-Salman, A. M. (2017). Performance-based comparative assessment of open source web vulnerability scanners. Security and Communication Networks, 2017, Article 6158107. https://doi.org/10.1155/2017/6158107

  • Amankwah, R., Chen, J., Kudjo, P. K., & Towey, D. (2020). An empirical comparison of commercial and open-source web vulnerability scanners. Software - Practice and Experience, 50(9), 1842-1857. https://doi.org/10.1002/spe.2870

  • Amankwah, R., Chen, J., Kudjo, P. K., Agyemang, B. K., & Amponsah, A. A. (2020). An automated framework for evaluating open-source web scanner vulnerability severity. Service Oriented Computing and Applications, 14, 297-307. https://doi.org/10.1007/s11761-020-00296-9

  • Darus, M. Y., Omar, M. A., Mohamad, M. F., Seman, Z., & Awang, N. (2020). Web vulnerability assessment tool for content management system. International Journal of Advanced Trends in Computer Science and Engineering, 9(1.3), 440-444.

  • Diogenes, Y., & Ozkaya, E. (2018). Cybersecurity – Attack and defense strategies:

  • Infrastructure security with Red Team and Blue Team tactics. Packt Publishing.

  • Disawal, S., & Suman, U. (2021, March 17-19). An analysis and classification of vulnerabilities in web-based application development. [Paper presentation]. 2021 International Conference on Computing for Sustainable Global Development (INDIACom), New Delhi, India.

  • ETDA. (2022). Personal data protection act. Electronic Transactions Development Agency. https://ictlawcenter.etda.or.th/laws/detail/DP-Act-2562

  • Ibrahim, A. B., & Kant, S. (2018). Penetration testing using SQL injection to recognise the vulnerable point on web pages. International Journal of Applied Engineering Research, 13(8), 5935-5942.

  • Karumba, M. C., Ruhiu, S., & Moturi, C. A. (2016). A hybrid algorithm for detecting web based applications vulnerabilities. American Journal of Computing Research Repository, 4(10), 15-20. https://doi.org/10.12691/ajcrr-4-1-3

  • Khalid, M. N., Farooq, H., Iqbal, M., Alam, M. T., & Rasheed, K. (2019). Predicting web vulnerabilities in web applications based on machine learning. In I. S. Bajwa, F. Kamareddine & A. Costa (Eds.), Intelligent Technologies and Applications (pp.473-484). Springer.

  • Khera, Y., Kumar, D., Sujay., & Garg, N. (2019, February 14-19). Analysis and impact of vulnerability assessment and penetration testing. [Paper presentation]. International Conference on Machine Learning, Big Data, Cloud and Parallel Computing (COMITCon), Faridabad, India.

  • Liu, M., & Wang, B. (2018). A web second-order vulnerabilities detection method. IEEE

  • Access, 6, 70983-70988. https://doi.org/10.1109/ACCESS.2018.2881070

  • Malekar, V., & Ghode, S. (2020). A review on vulnerability assessment and penetration testing open source tools for web application security. International Journal of Advanced Research in Science & Technology (IJARST), 2(3), 30-33.

  • Mburano, B., & Si, W. (2018, December 18-20). Evaluation of web vulnerability scanners based on OWASP benchmark. [Paper presentation]. International Conference on Systems Engineering (ICSEng), Sydney, Australia. https://doi.org/10.1109/ICSENG.2018.8638176

  • McNab, C. (2016). Network Security Assessment: Know your Network (3rd ed.). O’Reilly Media.

  • Muncaster, P. (2020, September 3). Northumbria Uni Campus closed after serious cyber-attack. Information Security Magazine. https://www.infosecurity-magazine.com/news/northumbria-uni-campus-closed/

  • Muncaster, P. (2021, August 31). Ransomware may have cost US schools over $6bn in 2020. Information Security Magazine. https://www.infosecurity-magazine.com/news/ransomware-cost-us-schools-6bn-2020/

  • Naagas, M. A., Mique Jr, E. L., Palaoag, T. D., & Cruz, J. D. (2018). Defence-through-deception network security model: Securing university campus network from DoS/DdoS attack. Bulletin of Electrical Engineering and Informatics, 7(4), 593-600. https://doi.org/10.11591/eei.v7i4.1349

  • Nagpure, S., & Kurkure, S. (2017, August 17-18). Vulnerability assessment and penetration testing of web application. [Paper presentation] International Conference on Computing, Communication, Control and Automation (ICCUBEA), Pune, India. https://doi.org/10.1109/ICCUBEA.2017.8463920

  • Nunes, P. J., Medeiros, I., Fonseca, J. M., Neves, N. F., Correia, M. P., & Vieira, M. P. (2018). Benchmarking static analysis tools for web security. IEEE Transactions on Reliability, 67(3), 1159-1175. https://doi.org/10.1109/TR.2018.2839339

  • Pavlova, E. (2020). Enhancing the organisational culture related to cyber security during the university digital transformation. Information & Security, 46(3), 239-249. https://doi.org/10.11610/isij.4617

  • Popov, G., Lyon, B. K., & Hollcroft, B. (2016). Risk Assessment: A Practical Guide to Assessing Operational Risks. Wiley.

  • Rahamathullah, U., & Karthikeyan, E. (2021, May 25). Distributed denial of service attacks prevention, detection and mitigation - A review. [Paper presentation]. Proceedings of the International Conference on Smart Data Intelligence (ICSMDI 2021), Tamil Nadu, India. http://dx.doi.org/10.2139/ssrn.3852902

  • Thai Netizen Network. (2017). Computer crime act 2017 Thai-English Thailand’s computer-related crime act 2017 bilingual. Thai Netizen Network. https://thainetizen.org/docs/cybercrime-act-2017

  • Ulven, J. B., & Wangen, G. (2021). A systematic review of cybersecurity risks in higher education. Future Internet, 13(2), Article 39. https://doi.org/10.3390/fi13020039

  • Vibhandik, R., & Bose, A. K. (2015, September 21-23). Vulnerability assessment of web applications - A testing approach. [Paper presentation] International Conference on e-Technologies and Networks for Development (ICeND), Lodz, Poland. https://doi.org/10.1109/ICeND.2015.7328531

  • Wear, S. (2018). Burp Suite Cookbook: Practical Recipes to Help you Master Web Penetration Testing with Burp Suite. Packt Publishing.