Most websites are vulnerable to attack, whether it’s opportunistic or intentional hacking, and the return on investment for cyber criminals can be substantial.

While website security scanning offers a line of protection, it’s not infallible.

To improve screening, a team of Australian and international researchers has just developed a new scanning tool to make sites less vulnerable to cyberattacks.

The black box security assessment prototype, tested by engineers in Australia, Pakistan and the UAE, was found to be more effective than existing web scanners.

UniSA mechanical and systems engineer Dr Yousef Amer, a member of the research team, said the researchers have been able to highlight numerous security vulnerabilities in website applications using the prototype.

Against a backdrop of escalating and more severe cyberattacks, and despite a projected $170 billion global outlay on internet security in 2022 according to Varonis, existing web scanners are falling way short when it comes to assessing vulnerabilities, noted Amer.

“We have identified that most of the publicly available scanners have weaknesses and are not doing the job they should,” said Amer.

These existing tools have lower precision, accuracy and recall when detecting web application vulnerabilities.

In addition, there are some vulnerabilities that most tools are unable to detect.

Dr Amer explained that the black box prototype has better crawler coverage because it uses the high-performing Arachni crawler.

“This enables us to find all possible web pages associated with the main website,” he told Information Age.

Serious vulnerabilities need to be identified

The researchers compared 11 publicly available web application scanners against the top 10 vulnerabilities in web applications and APIs identified by the Open Web Application Security Project (OWASP).

“We found that no single scanner is capable of countering all these vulnerabilities, but our prototype tool caters for all these challenges.

“It’s basically a one-stop guide to ensure 100 per cent website security,” he said.

The vulnerabilities included broken access control, which poses serious security risks, as well as cryptographic failures, the risk of injection of hostile data, insecure design, misconfiguration, outdated components, and authentication and data integrity failures, among others.

“There’s a dire need to audit websites and ensure they are secure if we are to curb these breaches and save companies and governments millions of dollars,” he said.

A three-stage scanning process

The new framework has three major components — process initiator, security assessment and reporting.

To initiate the process, a user inputs a target URL, at which point host discovery and initialisation of the scanning process start.

Unreachable hosts are screened out here, and the process is terminated.

In the assessment phase, the input web application is scanned using a scanning engine, vulnerabilities database, and knowledge base.

Amer explained that the scanning engine is compliant with the ZAP, Nikto and w3af security scanning frameworks and is compatible with custom plugin scripts like OAuth and others.

The database contains all possible OWASP top 10 vulnerabilities, and the knowledge base is an AI-based analysis engine that identifies security trends, information leakage, and highlights compromised critical data of scanned organisations.

To complete the cycle, a detailed report is generated with identified vulnerabilities along with their details, an assessment score and possible remediation.

This information is then used by a security analyst and software developer for manual analysis and patching.

Down the track, the researchers expect it will be updated to suit different needs, and plan to commercialise its application.

“The tool can be customised as per user requirements and all customisations are possible like plugin integration, crawling customisation, and more features,” Dr Amer said.