Most scanners don’t do a thorough job. Photo: Shutterstock
Most websites are vulnerable to attacks, whether opportunistic or intentional, and the return on investment for cybercriminals can be substantial.
Although website security scanning offers a line of protection, it is not infallible.
To improve screening, a team of Australian and international researchers has just developed a new scanning tool to make sites less vulnerable to cyberattacks.
The prototype black box security assessment, tested by engineers in Australia, Pakistan and the United Arab Emirates, has proven to be more effective than existing web scanners.
UniSA Mechanical and systems engineer Dr. Yousef Amer, a member of the research team, said the researchers were able to highlight numerous security vulnerabilities in website applications using the prototype.
Amid growing and more severe cyberattacks, and despite a projected global spending of $170 billion on internet security in 2022 according to Varonis, existing web scanners fall far short of assessing vulnerabilities, Amer noted.
“We’ve identified that most publicly available scanners have weaknesses and don’t do the job they should,” Amer said.
These legacy tools have less precision, accuracy, and recall rates for determining web application vulnerabilities.
Additionally, there are some vulnerabilities that most tools are unable to detect.
Dr. Amer explained that the black box prototype has better crawler coverage because it uses the very capable Arachni crawler.
“This allows us to find all possible web pages associated with the main website,” he said. information age.
Serious vulnerabilities must be identified
The researchers compared 11 publicly available web application scanners with the Top 10 vulnerabilities in web applications and APIs identified by the Open Web Application Security Project (OWASP).
“We found that no single scanner is able to counter all of these vulnerabilities, but our prototype tool addresses all of these challenges.
“It’s basically a one-stop guide to making the website 100% secure,” he said.
The vulnerabilities included broken access control which poses serious security risks, as well as cryptographic failures, risk of hostile data injection, insecure design, misconfiguration, outdated components, and authentication failures and data integrity, among the list.
“There is an urgent need to audit websites and ensure they are secure if we are to curb these breaches and save businesses and governments millions of dollars,” he said.
A three-step scanning process
The new framework has three main components: the process initiator, security assessment, and reporting.
To initiate the process, a user enters a targeted URL, where host discovery and scanning process initiation begins.
Unreachable hosts are filtered out here and the process is complete.
In the assessment phase, the input web application is scanned using a scanning engine, a vulnerability database, and a knowledge base.
Amer explained that the scanning engine complies with Zap, Nikto, and W3af security scanning frameworks and is compatible with custom plugin scripts like OAuth and others.
The database contains all of the top 10 possible OWASP vulnerabilities, and the knowledge base is an AI-based scanning engine that identifies security trends, information leaks, and highlights data compromised reviews of the analyzed organizations.
To complete the cycle, a detailed report is generated with the identified vulnerabilities along with their details, an assessment score and a possible correction.
This information is then used for a manual analysis and remediation process by a security analyst and software developer.
Along the way, the researchers expect it to be updated to meet different needs and plan to market its application.
“The tool can be customized according to the user’s needs and all customizations are possible, such as plug-in integration, exploration customization and other features,” Dr. Amer said.