Tool for web application vulnerability scanning

A recent MSc student project by Akhil Antony looked at a website that allows certain security risks (SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery) to be tested for.




Abstract:
Web applications are open and available on the internet 24/7 and the attackers can easily access the applications from anywhere and can penetrate the system by identifying and exploiting the vulnerability exists within it. Probability of web applications to be attacked is very high compared to the offline applications. The number of new developments for security enhancements is tend to be increasing, on the other hand the new modern technologies like HTML5, CSS3, jQuery, Silverlight and so on creates new vulnerabilities every minute and the number of such attacks increasing in a very high order. The attacker not just looking for the sensitive information from the victims web application; these applications could be used for further criminal activities including terrorism, drug dealing etc. The research is to investigate the vulnerabilities affecting the web applications and to develop an automated web application vulnerability scanner. The investigation is also focuses on the motivations and profits behind these attacks. With this application users could be able to test the web application’s security rating based on the possible vulnerabilities and developers could be able to perform penetration search within their application.
Most of the web applications suffers from generic validation errors and causes security vulnerabilities. SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery etc are examples of popular vulnerabilities exist within web applications. Majority of these web vulnerabilities are easy to identify and avoid, but unfortunately the developers are not much security aware or they work in very small time constraints. As a result more and more web applications on the internet would be vulnerable. (Stefan Kals, 2006)
The cyber crimes and the cyber attacks to web applications could be categorized on a general principle that what illegal offline is illegal online. The research is on the crimes which can only be carried out using the internet, including attacks on computer systems to disrupt IT infrastructure, and the stealing of data over a network using malware, often to enable further crime. The cyber attackers attempt to access information stored on a computer. Information may have a sale value (corporate espionage), may be valuable to the owner (ransom opportunity) or may be useful for further illegal activity such as fraud. Threats, motivations and profit achieved from cyber attacks being investigated.