Evaluation of Static Analysis on Web Applications
Osejobe Ehichoya, Chinwuba Christian Nnaemeka

TL;DR
This paper evaluates the effectiveness and limitations of static analysis and vulnerability scanners in detecting security flaws in web applications, highlighting the prevalence of vulnerabilities and the need for improved testing methods.
Contribution
It provides a qualitative assessment of existing vulnerability scanners and discusses static analysis approaches for identifying security issues in web applications.
Findings
Many vulnerabilities are present in web services, often undetected by scanners.
Significant false positives are observed in vulnerability detection.
Static analysis offers a complementary approach to improve security testing.
Abstract
Web services are becoming business-critical components, often deployed with critical software bugs that can be maliciously explored. Web vulnerability scanners allow the detection of security vulnerabilities in web services by stressing the service from the point of view of an attacker. However, research and practice show that different scanners perform differently in vulnerability detection. This paper presents a qualitative evaluation of security vulnerabilities found in web applications. Some well-known vulnerability scanners have been used to identify security flaws in web service implementations. Many vulnerabilities have been observed, which confirms that many services are deployed without proper security testing. Additionally, having reviewed and considered several articles, the differences in the vulnerabilities detected and the high number of false positives observed highlight…
Taxonomy
Topics: Web Application Security Vulnerabilities · Network Security and Intrusion Detection · Advanced Malware Detection Techniques
