Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/94684
Title: An open source vulnerability scanner for e-commerce web applications
Authors: Desira, Mark (2009)
Keywords: Computer software
Electronic commerce
Application software -- Development
Issue Date: 2009
Citation: Desira, M. (2009). An open source vulnerability scanner for e-commerce web applications (Bachelor's dissertation).
Abstract: It is essential for businesses to be online for World Wide Web users to purchase services and products. In such cases, the interface between the client and the enterprise is an e-commerce web application. Security-wise, such applications do fail due to bugs, incorrect logic and human error, resulting in unacceptable losses. The key to these failures present in such applications is security analysis. This process is made up of several components such as vulnerability scanning, in which a number of web pages are automatically scanned for security issues such as authentication bypass. Such scanners are faced with the false positives side effect. A false positive is the report of a non-existent vulnerability. Scanners can employ certain techniques, such as automatic exploitation as proposed by several authors, to reduce the mentioned side effect. Commercial scanners do have features to reduce false positives; however, the techniques used are closed and therefore not available to the research community. Consequently, the result behind this study is to implement an open source vulnerability scanner with an investigation on techniques to reduce false positives. The produced artefact consists of five NASL scripts which check for the following vulnerabilities: SQL Injection, Hidden Fields, Cross Site Scripting, Buffer Overflow and Fail Open Authentication. These are implemented and evaluated using the open source Nessus environment. Results presented in the evaluation suggest that the technique employed in the design and implemented in the artefact works.
Description: B.Sc. IT (Hons)(Melit.)
URI: https://www.um.edu.mt/library/oar/handle/123456789/94684
Appears in Collections: Dissertations - FacICT - 1999-2009
Dissertations - FacICTCS - 2009

Files in This Item:
File: BSC(HONS)IT_Desira_Mark_2009.pdf (Restricted Access)
Size: 5.5 MB
Format: Adobe PDF

Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.