A fault model for false positives in web Applications security testing scanners (T-0744) (MFN 6891)


dc.contributor.author Navid Ali Khan, 01-241161-012
dc.date.accessioned 2018-08-29T08:10:15Z
dc.date.available 2018-08-29T08:10:15Z
dc.date.issued 2018
dc.identifier.uri http://hdl.handle.net/123456789/7383
dc.description Supervised by Dr. Tamim Ahmed Khan en_US
dc.description.abstract The increased use of web applications has made them a popular and meaningful target for security attacks. Most online business today, including the banking sector, online shopping, university admissions, governmental activities and personal use, is enabled by web applications. A number of tools/scanners are available to identify vulnerabilities in web applications. One problem with these scanners is the high number of false positives. Existing studies show that the number of false positives may range from 20% to 77% in some cases. Developers manually check the code to confirm false positives, which is exhaustive and time consuming and results in low productivity. In order to mitigate or avoid false positives, a fault model is presented in this thesis. An experiment is performed with top security scanners and open source online web applications. The web applications were scanned with the scanners to identify faults/vulnerabilities. Each vulnerability was checked manually to confirm whether it was a false positive. Based on the identified false positives, a fault classification is presented, which is the basis of our fault model and categorises frequent false positives. The Open Web Application Security Organization (OWASP) is a non-profit organization maintained by researchers and security experts. Since 2003 OWASP has released the OWASP Top 10 list of security vulnerabilities. This list is considered a benchmark by the application security community. To verify our fault model, it is mapped against the OWASP Top 10:2017. en_US
dc.language.iso en en_US
dc.publisher Software Engineering, Bahria University Engineering School Islamabad en_US
dc.relation.ispartofseries MS SE;T-0744
dc.subject Software Engineering en_US
dc.title A fault model for false positives in web Applications security testing scanners (T-0744) (MFN 6891) en_US
dc.type MS Thesis en_US