An Evaluation of Black-Box Web Application Security Scanners in Detecting Injection Vulnerabilities

Muzun Althunayyan


Supervised by Neetesh Saxena; Moderated by Philipp Reinecke

With the Internet’s meteoric rise in popularity and usage over the past decade, there has also been a significant increase in the number of web applications. As a result, web applications have become increasingly vulnerable and prone to targeting by malicious attackers. To deal with these threats, security experts use black-box web application vulnerability scanners as testing tools to check for potential security vulnerabilities in web applications. Most past studies have evaluated black-box scanners against a wide variety of vulnerable web applications. However, most of the tested applications are traditional (non-dynamic) applications and do not reflect the reality of current web technology. This study evaluated the detection accuracy of five black-box web application vulnerability scanners against a modern insecure web application. The tested vulnerabilities are injection vulnerabilities, in particular structured query language (SQL) injection, not only SQL (NoSQL) injection, and server-side template injection (SSTI). We also attempted to identify the existing limitations on the evaluated black-box scanners’ ability to detect injection vulnerabilities, as these can be used for future improvement. The findings of the evaluation show that the evaluated black-box scanners overlooked most of the existing vulnerabilities in almost all tested modes, and some scanners were not able to detect any vulnerabilities.

Final Report (17/09/2020) [Zip Archive]
