Manju Khari, Neha Singh
Computer Science Department, Guru Gobind Singh Indraprastha University, Dwarka, Delhi, India
Web application users and web application vulnerabilities are both increasing. With the growing popularity of the web, web applications are turning into tools of everyday use for many users. As a result, web application users are more exposed to malicious attacks, and the need for web security testing arises as well. Security testing helps to mitigate vulnerabilities in web applications, but it is an intricate process and therefore requires the use of efficient security testing techniques. Frequently occurring security vulnerabilities in web applications result from generic input validation problems; examples are SQL injection and Cross-Site Scripting (XSS). These vulnerabilities are often exploited by attackers to access sensitive information from websites for their personal gain. Black-box scanners offer a good choice for testing for vulnerabilities in an automated fashion. Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are still not security aware. As a result, there exist many web sites on the Internet that are vulnerable. This paper presents an experimental study of open source web scanners that help detect potential vulnerabilities. In addition, a black-box based approach has been proposed that brings out the rules to confirm the presence of SQL injection vulnerability in a particular web application or service. This can help reduce false positives and increase the effectiveness of the scanners.
Some features of black-box web vulnerability scanners are:
- Black-box web vulnerability scanners are a modern choice for finding security loopholes in web applications in an automated manner.
- These tools function in a point-and-shoot manner, testing any web application, regardless of the server-side language, for common security vulnerabilities.
- Black-box tools suffer from a number of limitations, particularly when interacting with complex applications that have multiple actions.
- If a vulnerability analysis tool does not take into consideration changes in the web application's state, it might miss vulnerabilities or completely overlook entire portions of the application.
Classical black-box web scanners crawl a web application to enumerate all reachable pages and then inject some input data (URL parameters, form values, cookies) to trigger vulnerabilities. However, this approach ignores a key aspect of modern web applications: the state of the web application changes according to the current request. Web application (black-box) scanners perform security tests on web applications by (usually) first crawling through the entire web site that hosts the web application, and then running specific security test cases wherever possible. All the tests are performed over the HTTP protocol. They are not only effective at finding vulnerabilities like cross-site scripting and SQL injection, but also at finding configuration management issues (related to web servers). These tools are usually not aimed at developers, which makes the mitigation process complex.
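The two steps described above (crawling a page to enumerate the injection points a scanner would later test, and noticing when a request has changed the application's state so that a revisit of the same URL yields a different page) can be made concrete with a small script. The following is an added example written for this page, not code from the paper or from any of the scanners it studies; the HTML pages, the cookie header and the host `example.test` are constructed sample data, and the fingerprint normalisation is a simplifying assumption of this example.

```python
"""Added example: enumerate the injection points a classical black-box
scanner would test (URL query parameters, form fields, cookies) from a
crawled page, and fingerprint responses so a state change is noticed.
The HTML, cookies and host below are constructed, not from the paper."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qs


class PageParser(HTMLParser):
    """Collect links and forms (with their input names) from one HTML page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
        self.forms = []
        self._form = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(urljoin(self.base_url, a["href"]))
        elif tag == "form":
            self._form = {"action": urljoin(self.base_url, a.get("action") or ""),
                          "method": (a.get("method") or "get").lower(),
                          "inputs": []}
        elif tag in ("input", "textarea", "select") and self._form is not None:
            if a.get("name"):  # unnamed controls (e.g. submit buttons) are not parameters
                self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def scan_page(url, html, cookie_header=""):
    """Return the links found on the page and the (kind, target, name) tuples
    a scanner would later fuzz: URL parameters, form fields and cookies."""
    parser = PageParser(url)
    parser.feed(html)
    points = []
    for link in [url] + parser.links:
        for name in parse_qs(urlparse(link).query):
            points.append(("url", link.split("?")[0], name))
    for form in parser.forms:
        for name in form["inputs"]:
            points.append(("form:" + form["method"], form["action"], name))
    for part in cookie_header.split(";"):
        if "=" in part:
            points.append(("cookie", url, part.split("=", 1)[0].strip()))
    return {"links": parser.links, "forms": parser.forms, "points": points}


def fingerprint(html):
    """Hash the page after collapsing whitespace and digits, so that counters
    or timestamps alone do not look like a state change (an assumption that
    trades some sensitivity for fewer spurious re-crawls)."""
    normalised = re.sub(r"\d+", "0", html)
    normalised = re.sub(r"\s+", " ", normalised)
    return hashlib.sha256(normalised.encode()).hexdigest()[:16]


class StateTracker:
    """Remember each URL's fingerprint; report when a revisit returns a
    different page, i.e. some request in between changed application state."""

    def __init__(self):
        self.seen = {}

    def observe(self, url, html):
        fp = fingerprint(html)
        changed = url in self.seen and self.seen[url] != fp
        self.seen[url] = fp
        return changed


# Constructed sample responses for the same URL before and after a login.
BEFORE_LOGIN = """<html><body>
<a href="/item?id=7&lang=en">Item 7</a>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password"><input type="submit">
</form></body></html>"""
AFTER_LOGIN = """<html><body>Welcome back, alice.
<a href="/item?id=7&lang=en">Item 7</a>
<a href="/account/edit">Edit profile</a>
<form action="/search" method="get"><input name="q"></form>
</body></html>"""


def demo():
    """Crawl the page twice around a state-changing login and report what a
    state-unaware scanner would have missed on the second visit."""
    base = "http://example.test/index"
    cookies = "session=abc; theme=dark"
    tracker = StateTracker()
    first = scan_page(base, BEFORE_LOGIN, cookies)
    tracker.observe(base, BEFORE_LOGIN)
    changed = tracker.observe(base, AFTER_LOGIN)  # same URL, new state
    second = scan_page(base, AFTER_LOGIN, cookies)
    return first, changed, second


if __name__ == "__main__":
    before, changed, after = demo()
    print("state changed:", changed)
    print("new links after login:", set(after["links"]) - set(before["links"]))
    print("new points after login:", set(after["points"]) - set(before["points"]))
```

The point of the `StateTracker` is the one made in the list above: a scanner that crawls once, before logging in, never sees `/account/edit` or the search form, so it never tests their parameters. A state-aware scanner treats a changed fingerprint for an already-seen URL as a signal to re-crawl from that page.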
2. Web Service Introduction
A web service is a standardized way of establishing communication between two web-based applications by using open standards over an Internet protocol backbone. Generally web applications work using HTTP and HTML, whereas web services work using HTTP and XML, which adds some advantages over web applications: HTTP is transport independent and XML is data independent, and the combination of both makes web services support a heterogeneous environment.
Volume 02, Issue 07, July 2014.