Conference: International Conference on Artificial Intelligence and Computer Science Technology

Evaluation of Web Application Vulnerability Scanner for Modern Web Application


Abstract

Current needs and developments encourage the increasing use of digital-based applications. One of them is the web-based application, which is easy to access and is used by today’s society. Along with these developments, it is common for vulnerabilities to exist in web applications without the owners being aware of them. This creates the risk of data leakage or damage to the reputation of the organization that owns the application. In addition, the number of web applications owned by an organization or company makes finding vulnerabilities in these applications a challenge, because of the time and resource constraints on conducting manual assessments. Therefore, it is necessary to use a web application vulnerability scanner, which performs vulnerability scanning automatically, to help and streamline the search for vulnerabilities. There are many types of web application vulnerability scanners, available either for free or commercially. This study evaluated the capabilities of WAVS (Web Application Vulnerability Scanner) tools, namely OWASP ZAP, Wapiti, Arachni, and Burp Suite Professional, against NodeJS-based benchmark targets, namely Damn Vulnerable NodeJS Application (DVNA) and NodeGoat. This study found that the four WAVS have an average F-measure value between 0.4 and 0.6. Burp Suite Professional had the best True Positive (TP) and Recall values, while Arachni achieved perfect Precision for both benchmark targets.