Universiti Teknologi Malaysia Institutional Repository

Enhancement of automated black-box web application vulnerability assessment algorithms

Lim, Kah Seng (2019) Enhancement of automated black-box web application vulnerability assessment algorithms. PhD thesis, Universiti Teknologi Malaysia.

[img]
Preview
PDF
326kB

Official URL: http://dms.library.utm.my:8080/vital/access/manage...

Abstract

Presently, the web application vulnerability assessment has been widely automated to shorten the web application penetration testing life-cycle. Unfortunately, in the testing environment of the black-box where web-based application codes are unreachable, the automation of web application vulnerability assessment tend to produce the false negatives. This research was conducted to enhance the present state-of-the-art automated web application vulnerability assessment and mitigate the research problems of test coverage and false negatives. In this research, three enhancements were developed to address the problems. The first enhancement involved the improvement of current web-based application reconnaissance solution, using the derived algorithms for form fills and input generation. The second enhancement improved the existing vulnerability assessment solutions by using an invented algorithm, which implemented the execution-path oriented analysis. The final enhancement improved the present vulnerability detection solution with an algorithm that detects vulnerability using a proposed execution path-oriented data flow analysis and fuzzy set theory. This research was conducted based on applied research method, which covered literature reviews, requirement analysis, and preliminary experimentation that led to the creation of the stated algorithms. In addition, a prototype automated black-box web application vulnerability assessment tool was conceived using Java programming language as well as Selenium and Crawljax frameworks. An experimentation was conducted to quantitatively benchmark the validity of the algorithm using twelve test-beds, composed of vulnerable web-based applications, and eight existing automated black-box web application vulnerability assessment tools. The experimental results showed there was an improvement of test coverage by 14.35% and a reduction of false negative by 64%. In conclusion, the enhancements made using the proposed algorithms have improved the automated web application vulnerability assessment test coverage and reduced the false negatives.

Item Type:Thesis (PhD)
Uncontrolled Keywords:web application, black-box web application
Subjects:Q Science > QA Mathematics > QA75 Electronic computers. Computer science
Divisions:Computing
ID Code:96252
Deposited By: Narimah Nawil
Deposited On:05 Jul 2022 07:15
Last Modified:05 Jul 2022 07:15

Repository Staff Only: item control page