Show simple item record

dc.contributor.author: Shelly, David Andrew (en_US)
dc.date.accessioned: 2014-03-14T20:43:09Z
dc.date.available: 2014-03-14T20:43:09Z
dc.date.issued: 2010-07-29 (en_US)
dc.identifier.other: etd-08102010-184408 (en_US)
dc.identifier.uri: http://hdl.handle.net/10919/34464
dc.description.abstract: The threat of cyber attacks due to improper security is a real and evolving danger. Corporate and personal data is breached and lost because of web application vulnerabilities thousands of times every year. The large number of cyber attacks can partially be attributed to the fact that web application vulnerability scanners are not used by web site administrators to scan for flaws. Web application vulnerability scanners are tools that can be used by network administrators and security experts to help prevent and detect vulnerabilities such as SQL injection, buffer overflows, cross-site scripting, malicious file execution, and session hijacking. However, these tools have been found to have flaws and limitations as well. Research has shown that web application vulnerability scanners are not capable of always detecting vulnerabilities and attack vectors, and do not give effective measurements of web application security. This research presents a method to analyze the flaws and limitations of several of the most popular commercial and free/open-source web application scanners by using a secure and insecure version of a custom-built web application. Using this described method, key improvements that should be made to web application scanner techniques to reduce the number of false-positive and false-negative results are proposed. (en_US)
dc.publisher: Virginia Tech (en_US)
dc.relation.haspart: Shelly_DA_T_2010.pdf (en_US)
dc.rights: I hereby certify that, if appropriate, I have obtained and attached hereto a written permission statement from the owner(s) of each third party copyrighted matter to be included in my thesis, dissertation, or project report, allowing distribution as specified below. I certify that the version I submitted is the same as that approved by my advisory committee. I hereby grant to Virginia Tech or its agents the non-exclusive license to archive and make accessible, under the conditions specified below, my thesis, dissertation, or project report in whole or in part in all forms of media, now or hereafter known. I retain all other ownership rights to the copyright of the thesis, dissertation or project report. I also retain the right to use in future works (such as articles or books) all or part of this thesis, dissertation, or project report. (en_US)
dc.subject: Vulnerability Detection (en_US)
dc.subject: Web Application Scanners (en_US)
dc.subject: Web Application Security (en_US)
dc.subject: Black Box Testing (en_US)
dc.title: Using a Web Server Test Bed to Analyze the Limitations of Web Application Vulnerability Scanners (en_US)
dc.type: Thesis (en_US)
dc.contributor.department: Electrical and Computer Engineering (en_US)
thesis.degree.name: Master of Science (en_US)
thesis.degree.level: masters (en_US)
thesis.degree.grantor: Virginia Polytechnic Institute and State University (en_US)
dc.contributor.committeechair: Tront, Joseph G. (en_US)
dc.contributor.committeemember: Marchany, Randolph C. (en_US)
dc.contributor.committeemember: Midkiff, Scott F. (en_US)
dc.identifier.sourceurl: http://scholar.lib.vt.edu/theses/available/etd-08102010-184408/ (en_US)
dc.date.sdate: 2010-08-10 (en_US)
dc.date.rdate: 2010-09-17
dc.date.adate: 2010-09-17 (en_US)

