Evaluation of Static Web Vulnerability Analysis Tools

Abstract

In the recent years many web applications of different kinds has grown significanlty all over the world. Unfortunately on the other hand, there is an increase in the number of attacks on these applications. Hence, security against web application vulnerabilities become necessary. However, checking all web vulnerabilities manually is tedious and needs much effort and skills. So the use of web application vulnerability scanners becomes necessary. Many static and dynamic, open source and commercial vulnerability analysis tools are available. In this paper, we evaluate two open source, static web application vulnerability analyses tools, OWASP WAP and RIPS using the deliberately vulnerable web application. These are Damn Vulnerable Web Application (DVWA) and A Buggy Web Application (bWAPP). OWASP WAP and RIPS tools are selected as they are open source static tools WAP is recommended by OWASP and RIPS provide commercial versions as well. We used deliberately vulnerable web applications so that the vulnerabilities detected could be easily analyzed whether they are true positive or false positive. We found that OWASP WAP give better results over RIPS in our experimental scenario.