Paper Info
Title
Adaptive Entry Point Discovery for Web Vulnerability Scanning
Abstract
Entry point collection is crucial to web vulnerability scanning since the collected entry points may contain serious web vulnerabilities such as SQL injection and Cross-Site Scripting (XSS). Most Web Vulnerability Scanners (WVSs) are equipped with crawlers to collect and locate the web pages for testing. The crawlers are intended to discover all links of the web applications being tested. However, exhaustive crawling may not be feasible when time and computation resources are limited, especially for large websites with rapidly and dynamically generated new content. Research studies regarding generic selection policies for web crawlers have been attempted. However, these studies are neither suitable for the search of entry points, nor for WVSs given that their selection policies are intended for content comparison, not for maximizing the test coverage and diversity of functionalities. In this paper, an adaptive entry point crawler named VulCrawl is proposed for WVSs to discover web pages distinct in terms of functionality and code-wise structure. VulCrawl extends the entry point collection and improves WVS code coverage of a target web application. The effectiveness and efficiency of VulCrawl are evaluated using two famous websites. In the experiments, VulCrawl found 2 to 3 times more distinct entry points than those crawled by the web crawler without adopting the adaptive entry point crawling. The results indicate that the proposed selection policy enables web crawling to discover more entry points suitable for WVSs.
Year
DOI
Venue
2022
10.6688/JISE.202201_38
JOURNAL OF INFORMATION SCIENCE AND ENGINEERING
Keywords
DocType
Volume
vulnerability, input validation, crawler, SQL injection, XSS
Journal
38
Issue
ISSN
Citations 
1
1016-2364
0
PageRank 
References 
Authors
0.34
0
6
Name
Order
Citations
PageRank
Hsiu-Chuan Huang1122.43
Zhi-Kai Zhang200.34
Chung-Kuan Chen300.34
Wei-da Hong400.34
Jui-Chien Jao500.34
Shiuhpyng Shieh600.34