I. INTRODUCTION
Web applications today are highly functional and rely upon a two-way flow of information between the server and the browser. Security becomes a big issue because no one wants to use a web application if they believe their information will be disclosed to unauthorized parties [1]. Vulnerabilities commonly found in web applications include injection, cross-site scripting, cross-site request forgery, security misconfiguration, broken authentication and session management, and more.
Penetration testing and static code analysis may be used to assess the vulnerabilities of web applications. Penetration testing is a method of security testing through the simulation of an attack. Static code analysis, also known as source code analysis, is a code review process that examines the software's source code for common coding errors and defects without executing it [3].
This case study uses an example web application, Tunestore, to conduct security testing. It illustrates web application security testing using both tools and manual testing. The tools used to conduct testing on Tunestore are Paros, WebScarab, JBroFuzz, Fortify, and Acunetix. Our case study shows that manual testing is very important, since some vulnerability types can only be found through manual testing and the testers' observations, and that it is important to utilize a variety of tools as well as conduct careful manual testing in order to find the largest number of vulnerabilities in a web application.
Based on this case study, hands-on labs can be developed to
This work is partially supported by Department of Education under grant
P120A090049 and NSF under grant HRD-1137516. Any opinions, findings,
and conclusions or recommendations expressed in this material are those of
the author(s) and do not necessarily reflect the views of the National Science
Foundation and Department of Education.
This section briefly describes the tools used in this case study, which are: Paros, WebScarab, JBroFuzz, Acunetix and Fortify.
A. Paros
Paros [7] is a free web application vulnerability assessment
tool written in Java by ProofSecure.com. It can be used as a
web spider, vulnerability scanner, proxy, and a fuzzer. The web
spider function is used to discover the content of a website by
parsing a webpage for links to other content, requesting these
pages, and continuing this process recursively. The scanner
function scans the web application to identify common
vulnerabilities such as cross-site scripting, SQL injection,
forms with autocomplete enabled, old versions of files, etc.
Paros can also trap HTTP and HTTPS requests and responses
so they can be modified manually [1, 8].
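The spider and scanner functions described above, as an added example that is not part of the original paper or of Paros itself: a recursive same-host link crawler over a constructed in-memory site (the hostname tunestore.test and its pages are assumptions), combined with one of the passive checks the text names, flagging password fields that leave autocomplete enabled.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed in-memory site standing in for the HTTP fetches a real spider makes.
SITE = {
    "http://tunestore.test/": '<a href="/login.jsp">Login</a> <a href="/about.html">About</a>',
    "http://tunestore.test/login.jsp": '<form action="/login.jsp" method="post">'
        '<input name="user"><input type="password" name="pass"></form>'
        '<a href="/">Home</a> <a href="http://other.test/x">External</a>',
    "http://tunestore.test/about.html": '<a href="/login.jsp">Login</a>',
}

class LinkAndFormParser(HTMLParser):
    """Collects link targets (spider) and password inputs (passive scanner check)."""
    def __init__(self):
        super().__init__()
        self.links = []
        self.password_fields = []  # (field name, autocomplete attribute or None)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields.append((a.get("name"), a.get("autocomplete")))

def spider(start, fetch, max_pages=100):
    """Discover same-host pages recursively; return (visited URLs, findings)."""
    host = urlparse(start).netloc
    queue, seen, findings = [start], set(), []
    while queue and len(seen) < max_pages:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        parser = LinkAndFormParser()
        parser.feed(body)
        for name, autocomplete in parser.password_fields:
            if autocomplete is None or autocomplete.lower() != "off":
                findings.append((url, f"password field '{name}' allows autocomplete"))
        for href in parser.links:
            target = urljoin(url, href).split("#")[0]
            if urlparse(target).netloc == host and target not in seen:
                queue.append(target)  # stay in scope: same host only
    return sorted(seen), findings

if __name__ == "__main__":
    print(spider("http://tunestore.test/", SITE.get))
```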
B. WebScarab
WebScarab [9] is an open-source web application security
testing tool written in Java. The tool is a part of the Open Web
Application Security Project (OWASP) [10]. It can be used for
Tool: Paros
Functionalities: Web proxy; Web spider; Automated vulnerability scanner; Manual request with proxy, fuzzer
Cost: Free
Operating System: Linux, Apple Mac OS X, Microsoft Windows

Tool: WebScarab [8]
Functionalities: Web proxy; Web spider; Manual fuzzer; Manual vulnerability scanner; Manual request with web proxy, spider, fuzzer, history
Cost: Free

Tool: JBroFuzz [11]
Functionalities: Automated fuzzing; Graphing; Built-in attack payloads
Cost: Free

Tool: Acunetix [12]
Functionalities: Automatic client script analyzer; SQL Injection and Cross-site scripting testing; Fast scanner crawls; Port scans on web servers; Automated vulnerability scanner
Cost: Commercial, $1,000–$12,995

Tool: Fortify [13]
Functionalities: Source code analyzer
Cost: Commercial

IV. MANUAL TESTING
Main, 2010, www.owasp.org/index.php/Top_10_2010-Main, retrieved on January 13, 2013.
[5] Web-Hacking-Incident-Database, http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database, retrieved on January 6, 2013.
[6] Top 10 2010, https://www.owasp.org/index.php/Top_10_2010-Main, retrieved on January 10, 2013.
[7] Paros, Paros for web application security assessment, 2004, http://www.parosproxy.org/, retrieved on November 6, 2012.
[8] Paros, User Guide for Paros v2.x, 2003, http://www.parosproxy.org/paros_user_guide.pdf, retrieved on November 6, 2012.
[9] The Open Web Application Security Project, Category: OWASP WebScarab Project, 2012, https://www.owasp.org/index.php/Category:OWASP_WebScarab_Project, retrieved on November 6, 2012.
[10] The Open Web Application Security Project, OWASP, 2012, www.owasp.org, retrieved on November 6, 2012.
[11] Dustin, E., Nelson, L., Wysopal, C., Zovi, D. The Art of Software Security Testing: Identifying Software Security Flaws. Symantec Corporation: Upper Saddle River, New Jersey, 2007.
[12] The Open Web Application Security Project, JBroFuzz, 2012, https://www.owasp.org/index.php/JBroFuzz, retrieved on November 6, 2012.
[13] Acunetix Ltd., Acunetix Web Application Security, www.acunetix.com/vulnerability-scanner/, retrieved on November 6, 2012.
[14] HP Enterprise Security, HP Fortify Static Code Analyzer, 2012, http://www.hpenterprisesecurity.com/products/hp-fortify-software-security-center/hp-fortify-static-code-analyzer/, retrieved on November 6, 2012.