{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2023,1,1]],"date-time":"2023-01-01T22:19:48Z","timestamp":1672611588333},"reference-count":20,"publisher":"IGI Global","issue":"3","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2012,7,1]]},"abstract":"<p>As many Web applications are developed daily and used extensively, it becomes important for developers and testers to improve these application securities. Pen testing is a technique that helps these developers and testers to ensure that the security levels of their Web application are at acceptable level to be used safely. Different tools are available for Pen testing Web applications; in this paper the authors compared six Pen testing tools for Web applications. The main goal of these tests is to check whether there are any security vulnerabilities in Web applications. A list of faults injected into set of Web pages is used in order to check if tools can find them as they are claimed. Test results showed that these tools are not efficient and developers should not depend solely on them.<\/p>","DOI":"10.4018\/jitwe.2012070101","type":"journal-article","created":{"date-parts":[[2012,11,26]],"date-time":"2012-11-26T19:39:53Z","timestamp":1353958793000},"page":"1-13","source":"Crossref","is-referenced-by-count":2,"title":["Pen Testing for Web Applications"],"prefix":"10.4018","volume":"7","author":[{"given":"Ahmad","family":"Al-Ahmad","sequence":"first","affiliation":[{"name":"Yarmouk University, Jordan"}]},{"given":"Belal","family":"Abu Ata","sequence":"additional","affiliation":[{"name":"Yarmouk University, Jordan"}]},{"given":"Abdullah","family":"Wahbeh","sequence":"additional","affiliation":[{"name":"Dakota State University, USA"}]}],"member":"2432","reference":[{"key":"jitwe.2012070101-0","doi-asserted-by":"crossref","unstructured":"Antunes, N., & Vieira, M. (2009). Comparing the effectiveness of penetration testing and static code analysis on the detection of SQL injection vulnerabilities in web services. In Proceedings of the 15th IEEE Pacific Rim International Symposium on Dependable Computing.","DOI":"10.1109\/PRDC.2009.54"},{"key":"jitwe.2012070101-1","doi-asserted-by":"crossref","unstructured":"Antunes, N., & Vieira, M. (2009). Detecting SQL injection vulnerabilities in web services. In Proceedings of the Fourth Latin-American Symposium on Dependable Computing.","DOI":"10.1109\/LADC.2009.21"},{"key":"jitwe.2012070101-2","unstructured":"Erlingsson, U., Livshits, B., & Xie, Y. (2007). End-to-end web application security. In Proceedings of the 11th USENIX Workshop on Hot Topics in Operating Systems, San Diego, CA (pp.1-6)."},{"key":"jitwe.2012070101-3","doi-asserted-by":"crossref","unstructured":"Fonseca, J., Vieira, M., & Madeira, H. (2007). Testing and comparing Web vulnerability scanning tools for SQL injection and XSS attacks. In Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing (pp. 365-372).","DOI":"10.1109\/PRDC.2007.55"},{"key":"jitwe.2012070101-4","unstructured":"Guo, F., Yu, Y., & Chiueh, T. (2005). Automated and safe vulnerability assessment. In Proceedings of the 21st Annual Computer Security Applications Conference."},{"key":"jitwe.2012070101-5","unstructured":"Halfond, W. G. J., Viegas, J., & Orso, A. (2006). A classification of SQL injection attacks and countermeasures. In Proceedings of the International Symposium on Secure Software Engineering."},{"key":"jitwe.2012070101-6","doi-asserted-by":"crossref","unstructured":"Huang, Y., Tsail, G., Lee, D. T., & Kuo, S. (2004). Non-detrimental web application security scanning. In Proceedings of the 15th International Symposium on Software Reliability Engineering.","DOI":"10.1109\/ISSRE.2004.25"},{"key":"jitwe.2012070101-7","doi-asserted-by":"crossref","unstructured":"Ismail, O., Etoh, M., & Kadobayashi, Y. (2004). A proposal and implementation of automatic detection\/collection system for cross-site scripting vulnerability. In Proceedings of the 18th International Conference on Advanced Information Networking and Application.","DOI":"10.1109\/AINA.2004.1283902"},{"key":"jitwe.2012070101-8","doi-asserted-by":"crossref","unstructured":"Jovanovic, N., Kruegel, C., & Kirda, E. (2006, May 21-24). Pixy: A static analysis tool for detecting web application vulnerabilities (Short Paper). In Proceedings of the IEEE Symposium on Security and Privacy (pp. 258-263).","DOI":"10.1109\/SP.2006.29"},{"key":"jitwe.2012070101-9","doi-asserted-by":"crossref","unstructured":"Kie\u02d9zun, A., Guo, P. J., & Ernst, M. D. (2009, May 16-24). Automatic creation of SQL injection and cross-site scripting attacks. In Proceedings of the 31st International Conference on Software Engineering, Vancouver, BC, Canada.","DOI":"10.1109\/ICSE.2009.5070521"},{"key":"jitwe.2012070101-10","doi-asserted-by":"crossref","unstructured":"Kwon, O., Lee, S. M., Lee, H., Kim, J., Kim, S. C., Nam, G., & Park, J. G. (2005). HackSim: An automation of penetration testing for remote buffer overflow vulnerabilities. In C. Kim (Ed.), Proceedings of the International Conference on Information Networking (LNCS 3391, pp. 652-661).","DOI":"10.1007\/978-3-540-30582-8_68"},{"key":"jitwe.2012070101-11","unstructured":"Livshits, V., & Lam, M. S. (2005). Finding security vulnerabilities in java applications with static analysis. In Proceedings of the 14th Conference on USENIX Security Symposium, Baltimore, MD (p. 18)."},{"key":"jitwe.2012070101-12","unstructured":"Mei, J. (2009). An approach for SQL injection vulnerability detection. In Proceedings of the Sixth International Conference on Information Technology: New Generations."},{"key":"jitwe.2012070101-13","doi-asserted-by":"crossref","unstructured":"Moraes, R., de Abreu, B. T., & Martins, E. (2009). Mapping web-based applications failures to faults. In Proceedings of the Fourth Latin-American Symposium on Dependable Computing.","DOI":"10.1109\/LADC.2009.9"},{"key":"jitwe.2012070101-14","unstructured":"Orloff, J. (2011) Web application security: Testing for vulnerabilities. Retrieved from http:\/\/www.ibm.com\/developerWorks"},{"key":"jitwe.2012070101-15","doi-asserted-by":"crossref","unstructured":"Pan, W., & Li, W. (2009). A penetration testing method for e-commerce authentication system security. In Proceedings of the International Conference on Management of e-Commerce and e-Government.","DOI":"10.1109\/ICMeCG.2009.111"},{"key":"jitwe.2012070101-16","unstructured":"Petukhov, A., & Kozlov, D. (2008, May 12-22). Detecting security vulnerabilities in web applications using dynamic analysis with penetration testing, OWASP. In Proceedings of the Application Security Conference, Ghent, Belgium."},{"key":"jitwe.2012070101-17","doi-asserted-by":"crossref","unstructured":"Shahriar, H., & Zulkernine, M. (2009). Automatic testing of program security vulnerabilities. In Proceedings of the 33rd Annual IEEE International Computer Software and Applications Conference.","DOI":"10.1109\/COMPSAC.2009.191"},{"key":"jitwe.2012070101-18","doi-asserted-by":"crossref","unstructured":"Vieira, M., Antunes, N., & Madeira, H. (2009). Using web security scanners to detect vulnerabilities in web services. In Proceedings of the IEEE\/IFIP International Conference on Dependable Systems and Networks, Lisbon, Portugal.","DOI":"10.1109\/DSN.2009.5270294"},{"key":"jitwe.2012070101-19","doi-asserted-by":"crossref","unstructured":"Zhao, G., Zheng, W., Zhao, J., & Chen, H. (2009). An heuristic method for web-service program security testing. Proceedings of the Fourth ChinaGrid Annual Conference, Yantai, Shandong, China (pp. 139-144).","DOI":"10.1109\/ChinaGrid.2009.10"}],"container-title":["International Journal of Information Technology and Web Engineering"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=72989","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T19:08:16Z","timestamp":1654110496000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jitwe.2012070101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2012,7,1]]},"references-count":20,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2012,7]]}},"URL":"https:\/\/doi.org\/10.4018\/jitwe.2012070101","relation":{},"ISSN":["1554-1045","1554-1053"],"issn-type":[{"value":"1554-1045","type":"print"},{"value":"1554-1053","type":"electronic"}],"subject":[],"published":{"date-parts":[[2012,7,1]]}}}