Most scanners do not perform a thorough job. Photo: Shutterstock
Most websites are vulnerable to attack, whether it’s opportunistic or intentional hacking, and the return on investment for cyber criminals can be substantial.
While website security scanning offers a line of protection, it’s not infallible.
To improve screening, a team of Australian and international researchers has just developed a new scanning tool to make sites less vulnerable to cyberattacks.
The black box security assessment prototype, tested by engineers in Australia, Pakistan and the UAE, was found to be more effective than existing web scanners.
UniSA mechanical and systems engineer Dr Yousef Amer, a member of the research team, said the researchers have been able to highlight numerous security vulnerabilities in website applications using the prototype.
Against a backdrop of escalating and more severe cyberattacks, and despite a projected $170 billion global outlay on internet security in 2022 according to Varonis, existing web scanners are falling way short when it comes to assessing vulnerabilities, noted Amer.
“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” said Amer.
These existing tools have lower precision, accuracy and recall when determining web application vulnerabilities.
In addition, there are some vulnerabilities that most tools are unable to detect.
Dr Amer explained that the black box prototype has better crawler coverage because it uses the high-performing Arachni crawler.
“This enables us to find all possible web pages associated with the main website,” he told Information Age.
Serious vulnerabilities need to be identified
The researchers compared 11 publicly available web application scanners against the top 10 vulnerabilities in web applications and APIs identified by the Open Web Application Security Project (OWASP).
“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges.
“It’s basically a one-stop guide to ensure 100 per cent website security,” he said.
The vulnerabilities included broken access control that…