AVS Scanner: A Black Box Vulnerability Scanner with Minimum False Positives
Abstract
With increasing dependence on the web and web applications, web
security is becoming an important concern. Various surveys and news
reports show a significant increase in the number of cyber crimes that
are possible only because of security vulnerabilities in web
applications. Most of these web vulnerabilities exist due to a lack of
security awareness among web developers and designers; as a result, a
large number of websites still lack security features and are vulnerable.
If not patched, these vulnerabilities can lead to various adverse effects
such as database theft, shell hijacking, arbitrary command execution and
much more.
This thesis demonstrates how simple it is for attackers to automatically
find and exploit security vulnerabilities in web applications. Understanding
these security vulnerabilities can be a somewhat complex task for web
developers and for individuals who design their websites from third-party
sources. To make their work easier, and with the aim of making the web
more secure, AVS Scanner is presented: a simple to use but effective
vulnerability scanner that automatically scans websites to find critical
security issues in web applications. This thesis also explains the
importance of false positives and false negatives in vulnerability
scanners and discusses the various logics used in AVS Scanner that have
helped reduce false positives to a minimum. AVS Scanner is compared with
various existing vulnerability scanners in terms of important parameters
such as false negatives, false positives, and resource consumption. To
examine the accuracy and efficiency of AVS Scanner in comparison with
other scanners available on the market, various popular and high-profile
websites, including some well-known social networking websites such as
facebook.com and flickr.com and a few educational websites such as
thapar.edu, nitkkr.ac.in and nitc.ac.in, were analyzed, and the results
were overwhelming.
Description
ME, CSED
