One Unwanted Feature of Many Web Vulnerability Scanners

Author: Suteva, Natasa; Anastasov, Dragan; Mileva, Aleksandra
Year of publication: 2015
Subject:
Description: Security experts, web developers and hackers sometimes use Web Vulnerability Scanners (WVSs) to identify vulnerabilities in web applications. There are commercial and free/open source WVSs, and nowadays many companies offer WVSs as services. In this paper, we test and evaluate 3 free/open source WVSs and 4 free, trial or regular editions of commercial WVSs using two versions of a trading web application that we created. One version has SQL injection and XSS vulnerabilities as critical findings, and the other version is free from these vulnerabilities. The results show that most of the scanners pollute the backend database with many garbage records through the user input fields intended for collecting users' opinions, comments, ratings, etc., independently of the presence or absence of the given critical vulnerabilities. In our experiment, garbage records were injected as comments on ads, and in the worst case the magnitude of pollution exceeds 50 times the number of ads in the database. Also, some scanners manage to find the implemented vulnerabilities without producing garbage records.
Database: OpenAIRE