A new and simple scanning tool has laid bare some glaring weaknesses in commonly used web vulnerability scanners. The tool also demonstrates that these weaknesses can be shored up.
Websites and web applications have become a key target of cybercriminals in recent years. As such, there’s a growing number of commercial scanners available, designed to spot vulnerabilities in websites’ architecture.
“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” says Dr Yousef Amer, a mechanical and systems engineer at the University of South Australia, and part of the international team of researchers who built the new tool.
The researchers assessed 11 publicly available web scanners against the OWASP Top 10: the ten most critical cybersecurity risks to web applications, according to the nonprofit Open Web Application Security Project (OWASP).
First published in 2017 and updated last year, the OWASP Top 10 represents a broad consensus from cybersecurity experts on where the biggest website vulnerabilities lie.
“These vulnerabilities do change but it doesn’t happen frequently,” says Amer. He says that “things are pretty much the same” in both the 2017 and 2021 lists.
“We found that no single scanner is capable of countering all these vulnerabilities,” says Amer.
The researchers developed a prototype tool that would counter all these vulnerabilities. The tool is described in a paper delivered at the 2022 International Conference on Artificial Intelligence.
“Our prototype tool caters for all these challenges. It’s basically a one-stop guide to ensure 100% website security,” says Amer.
The prototype is a “black box security assessment” tool: a program that finds vulnerabilities in a website by attempting to break in from the outside.
“It’s feasible to upgrade if any new version [of the list] is introduced,” says Amer.
The researchers are now seeking to commercialise their tool.
“It would be similar to web scanners but with more effective crawling, scanning, and automated report generation,” says Amer.