Using Vulnerability Injection to Improve Web Security

Authors: José Fonseca, Francesca Matarese

DOI: 10.1007/978-88-470-2772-5_11

Keywords:

Abstract: This chapter presents a methodology to evaluate and benchmark web application vulnerability scanners using software fault injection techniques. The most common software faults are injected into the source code of the application, which is then checked by the scanners. Using this procedure, we evaluated three leading commercial scanners, which are often regarded as an easy way to test the security of web applications, including critical vulnerabilities such as XSS and SQL Injection. Our idea consists of providing the scanners with the input they are supposed to handle, namely vulnerabilities that possibly originated from software faults. The results are compared by evaluating the efficiency of the scanners in identifying the potential vulnerabilities created by each injected fault, their coverage of vulnerability detection, and their false positives. However, the results show that these tools detect only a low percentage of the injected vulnerabilities, while their rate of false positives is very high.
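The benchmarking loop described in the abstract, as an added example that is not code from the chapter: a "missing function call" fault is emulated by stripping the sanitizing wrapper from each call site of a constructed PHP snippet, producing one mutant per injected vulnerability, and a scanner's findings are then scored for coverage and false positives. The PHP sample, the sanitizer list and the mapping from sanitizer to vulnerability class are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample handler (not from the chapter): two sanitized inputs.
SAMPLE_PHP = """<?php
$id = mysql_real_escape_string($_GET['id']);
$name = htmlspecialchars($_POST['name']);
$q = "SELECT * FROM users WHERE id='$id'";
echo "<p>$name</p>";
"""

# Assumed mapping: removing this sanitizer exposes this vulnerability class.
SANITIZERS = {"mysql_real_escape_string": "SQLi", "htmlspecialchars": "XSS"}


@dataclass
class Mutant:
    line: int         # 1-based line where the fault was injected
    vuln_class: str   # vulnerability the injected fault should expose
    source: str       # full mutated source to be scanned


def inject_missing_call_faults(php: str) -> list[Mutant]:
    """Emulate the 'missing function call' fault: drop the sanitizing wrapper
    but keep its argument. One mutant per call site so each scan run contains
    exactly one known vulnerability. Only flat arguments (no nested parentheses)
    are handled by this simple regex."""
    mutants = []
    lines = php.splitlines(keepends=True)
    for i, line in enumerate(lines):
        for fn, vuln in SANITIZERS.items():
            pattern = rf"{fn}\((.*?)\)"
            if re.search(pattern, line):
                mutated = lines.copy()
                mutated[i] = re.sub(pattern, r"\1", line)
                mutants.append(Mutant(i + 1, vuln, "".join(mutated)))
    return mutants


def score_scanner(mutants: list[Mutant], findings: set[tuple[int, str]]) -> dict:
    """findings: (line, vuln_class) pairs a scanner reported over all mutant runs.
    Coverage = injected vulnerabilities detected / injected; any report that does
    not match an injected vulnerability counts as a false positive."""
    injected = {(m.line, m.vuln_class) for m in mutants}
    detected = injected & findings
    coverage = len(detected) / len(injected) if injected else 0.0
    return {"coverage": coverage, "detected": len(detected),
            "false_positives": len(findings - injected)}
```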
