Computers & Security 122 (2022) 102886

Contents lists available at ScienceDirect

Computers & Security


journal homepage: www.elsevier.com/locate/cose

A Proactive Approach to assess web application security through the integration of security tools in a Security Orchestration Platform

Navdeep S. Chahal a,∗, Preeti Bali a, Praveen Kumar Khosla b

a C-DAC, Centre for Development of Advanced Computing, Mohali, India
b Chitkara University Institute of Engineering and Technology, Chitkara University, Punjab, India

Article history: Received 27 October 2021; Revised 7 April 2022; Accepted 18 August 2022; Available online 20 August 2022

Keywords: Application security; vulnerability scanning tool; Security Information and Event Management; threats; mitigation; vulnerability detection

Abstract

The increasing number of attacks leads to a growing research and development interest in cybersecurity systems. As a response to the increasingly distributed nature of attacks, many organizations have demonstrated willingness to exchange information concerning threats, incidents, and mitigation strategies with security detection tools and techniques. Various security detection techniques such as signature recognition, anomaly detection, etc. fail to completely detect complicated attacks. The current situation can be dealt with as a significant tool that helps auditors and administrators to manage and identify distributed threats. In this paper, a novel social spider communicating behavior-based swarm intelligent open-source Orchestrated Continuous Vulnerability Assessment (OCVA) scanning tool is proposed. The proposed OCVA tool addresses the requirement of orchestration of continuous vulnerability assessment of all automated cybersecurity detection processes. It scans, monitors, visualizes, analyzes, mitigates, and remediates the vulnerabilities of the network, assets, and web applications. It helps the developers and security auditors overcome challenges by providing the desired visualizations and analytics of the vulnerable assets. Two case studies are conducted on the basis of the algorithmic comparative analysis with BRICK, Fuzzing, ACO, PSO and GA based vulnerability scanners along with the tool based comparative evaluation with W3af, ZAP, Wapiti, and Arachni in terms of vulnerability detection rate, accuracy, false positive rate, true positive rate and consistency. The results indicate that the proposed OCVA tool outperforms in terms of accuracy, vulnerability remediation rate, and consistency in both.

© 2022 Elsevier Ltd. All rights reserved.

1. Introduction

The multi-layered web-based application architecture and its sophisticated, as well as complicated, communication with various sub-modules increase the vulnerabilities drastically. The Open Web Application Security Project (OWASP) emphasizes that attackers may follow tracks for targeting the assets by finding vulnerabilities that might lead to critical results (OWASP 2013). Over 7000 web vulnerabilities were reported by Symantec (Zaman et al., 2021), and about 30% of them are marked for severe consequences. Although the internet infrastructure is developed by experienced programmers, some of the web applications include various vulnerabilities and provide avenues for cybercriminals to gain unauthorized access to confidential information (Garnaeva et al., 2015). A huge proportion of application developers focus on the functionality of the application rather than security complications. As a result, web applications become vulnerable and are more prone to attacks, thus compromising the web server and even the database (Gartner, 2015). Due to the increase in the impact of web security attacks, vulnerability detection activities are in demand that can be facilitated with the help of effective, consistent, easy to use, open-source, or commercial web security vulnerability detection tools (Doupé et al., 2012). Hence, security auditors and developers make use of vulnerability scanners for detecting and analyzing the vulnerabilities of various web applications (Antunes and Vieira, November 2009; Elberzhager, Münch, and Nha, 2012). These vulnerability scanning tools include crawling or scanning all the internal web pages of the application and automating the vulnerability assessment process by simulating attacking scripts and payloads (Kupsch and Miller, 2014). These scanning tools follow different approaches for finding vulnerabilities. The significant web security vulnerability detection approaches are:

White box approaches: This approach constitutes the application's code analysis, conducted manually or with code analysis tools.

Black box approaches: The black box approach includes the application execution analysis and vulnerability identification dynamically.

∗ Corresponding author. E-mail addresses: [email protected] (N.S. Chahal), [email protected] (P. Bali).

https://doi.org/10.1016/j.cose.2022.102886
0167-4048/© 2022 Elsevier Ltd. All rights reserved.
N.S. Chahal, P. Bali and P.K. Khosla Computers & Security 122 (2022) 102886

It is also referred to as penetration testing as it does not have any knowledge of the application source code and fuzzes the web HTTP requests. The black box testing approach is considered to be the better approach (Makino and Klyuev, 2015).

Acunetix, Solar Winds Network Configuration Manager (NCM), HP WebInspect (PHPWeb 2015), IBM Security AppScan (IBM 2015), and Acunetix web vulnerability scanner (AcunetixWeb 2015), etc. are a few illustrations of commercial web-based vulnerability detection and scanning tools. However, several commercial vulnerability detection tools exist for the identification of security defects. Although vulnerability scanners play an effective role in the identification of security-based flaws, comprehensive research proves that various inconsistencies still prevail in terms of their performance characteristics, accuracy, crawler coverage, vulnerability detection types, etc. (Vieira, Antunes, and Madeira, 2009; Fonseca, Vieira, and Madeira, 2007; Suto, 2007). The unaffordably high prices, lower vulnerability detection rate, reduced accuracy and false positives do not let developers and auditors rely fully on these scanners (McQuade, 2014). Along with the commercial tools, a few open-source vulnerability scanning and assessment tools are also available, such as OpenVAS, Wireshark, OWASP Zed Attack Proxy (ZAP), web application attack and audit framework (W3af), Network Mapper (Nmap), Arachni, Wapiti, etc., but they lag in accuracy as well as consistency (Böhm and Lolagar, 2021).

Apart from commercial vulnerability scanning tools, researchers are working on various methodologies and optimized approaches that enhance the overall performance of these vulnerability scanning tools. Swarm intelligence is another significant domain of Artificial Intelligence that can be deployed as a countermeasure in support of the existing vulnerability scanning and detection policies. These significant techniques also include swarm intelligent algorithms such as Ant colony optimization (ACO), Particle swarm optimization (PSO), Genetic algorithm (GA), Artificial bee colony (ABC), etc. These evolutionary algorithms are popular for providing solutions for complex optimization problems such as NP-Hard and NP-Complete problems. They also include consequential flaws, for instance premature convergence and problems in overcoming local minima. With the evolution of the algorithm, the major concentration revolves around the best optimal solution and diverges at that point uncontrollably. This leads to premature convergence and destroys the exploration–exploitation equilibrium. Exploration–exploitation imbalance has been an unresolved problem in the evolutionary algorithms domain. Therefore, it lags behind due to exploration–exploitation and premature convergence constraints that do not allow the vulnerability scanners to reach their best possible potential. Hence there is a need for introducing a novel swarm intelligent algorithm that not only patches the disadvantages of these existing nature-inspired algorithms but also uplifts the performance of the vulnerability scanner (Yu and Li, 2015).

Therefore, to fulfill these challenges, a novel open-source automated vulnerability detection tool, namely Orchestrated Continuous Vulnerability Assessment (OCVA), is proposed that mimics the swarm intelligent communication behavior of social spiders.

1.1. Biological Background of Social Spiders

There are many species of spider, but the social spider lives in colonies. These social spiders live together in the colonial spider web. The vibrations generated by a spider or prey are sensed by the other spiders on the spider web. Hence, this colonial spider web acts as a channel of communication among social spiders and the prey captured in the web. The communicating behavior of the social spider web assures the spiders that some prey is captured in the spider web (Abrol, Gupta, and Kaur, 2015). The spiders sense the vibration generated by the prey due to the squirm produced while it (the prey) is trying to free itself from the spider web. After investigating the details about the prey from the vibration sensed, spiders attack the captured prey to fulfill their hunger. When these vibrations are sensed by the spiders, they come to know the following details about the prey:

• Position of the prey
• Fitness of the prey

Another important concept, named attenuation in the intensity of vibration, can be defined as the loss in the intensity of vibration from the source of vibration to the spider which is sensing this vibration (Abrol, Gupta, and Kaur, 2016). When a prey vibrates, it is detected and evaluated by the social spiders. The spiders receive the attenuated intensity and, instead of attacking the prey together at the same time, check the fitness of the prey, which is analyzed from the attenuated vibration intensity, to ensure its occurrence and decide whether the prey can satisfy their hunger or not.

$$I_{xp}(t) = \begin{cases} \delta_{max} - f(P_p) & \text{for maximum risk} \\[4pt] \log\left(\dfrac{1}{f(P_p) - \delta_{min}}\right) & \text{for minimum risk} \end{cases} \qquad (1)$$

Attenuation in the vibration intensity w.r.t. distance and time is calculated. The distance between the spider x and prey p, computed as the Euclidean distance D_{x,p}, is shown below:

$$D_{x,p} = \sqrt{\|x\|^2 + \|p\|^2 - 2\,x \cdot p} \qquad (2)$$

Now the attenuated intensity of vibration w.r.t. distance, A(I_{x,p}(t)), is as follows:

$$A(I_{x,p}(t)) = I_{xp}(t) \cdot e^{-\frac{D_{x,p}}{\sigma R}} \qquad (3)$$

where σ is the average of the standard deviation of all spider positions and R is the Attenuation Rate, which is the control parameter for handling the attenuation such that R ∈ (0, +∞). Now the attenuated vibration intensity w.r.t. time is as follows:

$$A(I_{xp}(t+1)) = I_{xp}(t) \cdot e^{R} \qquad (4)$$

Adding Eq. (3) and (4):

$$SoTA(I_{xp}(t)) = I_{xp}(t) \cdot e^{\frac{-D_{x,p} + R^{2}\sigma}{\sigma R}} \qquad (5)$$

This mechanism of detecting the prey on the web among spiders can be emulated in vulnerability scanning tools to enhance the accuracy of the tool (Abrol, Gupta, and Singh, 2020). In the vulnerability scanner, preys are correlated as vulnerabilities in the asset and spiders are assumed as vulnerability detecting agents (VDAs). The major objective of the vulnerability scanning tool is not only to evaluate the applications for vulnerabilities but also to provide accurate vulnerabilities with minimal or no false positives. With the addition of a comprehensive swarm intelligent layer to the vulnerability detection, the proposed OCVA scanning tool will not only improve the performance but will also act as a milestone in open-source vulnerability detection of web applications to impede various security threats (Zaman et al., 2021).

Hence a qualitative approach-based vulnerability scanning tool is required that can also be evaluated quantitatively for vulnerability detection rate, accuracy, consistency, and cost-effectiveness in comparison with existing approaches and tools.

The contributions are framed as follows.

(1) Swarm intelligent social spider communication-based open-source OCVA scanner implementation
(2) Comparative evaluation of the proposed OCVA approach and existing swarm intelligent approaches, i.e., ACO, PSO, GA, Fuzzing and BRICK, for qualitative metrics
(3) Comparative analysis of the proposed and existing Open-Source Web Vulnerability Scanner tools.
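As an added illustration (not code from the paper or from the OCVA tool), the following Python reproduces the vibration model of Eqs. (1)–(5) with the paper's own symbols and applies the threshold verification rule as Section 2.1 later words it. The VDA positions, fitness and parameter values are constructed, and the function names are my own.

```python
"""Added illustration of Eqs. (1)-(5): vibration intensity and its attenuation.

Not the OCVA implementation; every numeric value used below is constructed.
"""
import math
from statistics import pstdev
from typing import List, Sequence, Tuple

Point = Sequence[float]


def intensity(f_p: float, delta_max: float, delta_min: float, risk: str) -> float:
    """Eq. (1): vibration intensity I_xp(t) of prey p derived from its fitness f(P_p).

    'max' risk uses delta_max - f(P_p); 'min' risk uses log(1 / (f(P_p) - delta_min)).
    """
    if risk == "max":
        return delta_max - f_p
    if risk == "min":
        if f_p <= delta_min:
            raise ValueError("f(P_p) must exceed delta_min for the minimum-risk form")
        return math.log(1.0 / (f_p - delta_min))
    raise ValueError("risk must be 'max' or 'min'")


def distance(x: Point, p: Point) -> float:
    """Eq. (2): Euclidean distance D_{x,p} = sqrt(|x|^2 + |p|^2 - 2 x.p)."""
    xx = sum(a * a for a in x)
    pp = sum(b * b for b in p)
    xp = sum(a * b for a, b in zip(x, p))
    return math.sqrt(max(xx + pp - 2.0 * xp, 0.0))  # clamp tiny negative rounding


def sigma(positions: List[Point]) -> float:
    """sigma: average over coordinates of the standard deviation of all spider positions."""
    dims = len(positions[0])
    return sum(pstdev([pos[d] for pos in positions]) for d in range(dims)) / dims


def attenuate_distance(i_xp: float, d_xp: float, sig: float, rate: float) -> float:
    """Eq. (3): A(I_{x,p}(t)) = I_xp(t) * exp(-D_{x,p} / (sigma * R)), R in (0, +inf)."""
    if sig <= 0.0 or rate <= 0.0:
        raise ValueError("sigma and R must be positive (spiders must not all coincide)")
    return i_xp * math.exp(-d_xp / (sig * rate))


def attenuate_time(i_xp: float, rate: float) -> float:
    """Eq. (4): A(I_xp(t+1)) = I_xp(t) * exp(R)."""
    return i_xp * math.exp(rate)


def sota(i_xp: float, d_xp: float, sig: float, rate: float) -> float:
    """Eq. (5): both attenuations combined, exponent (-D_{x,p} + R^2 sigma) / (sigma R).

    Adding the exponents of Eqs. (3) and (4) gives -D/(sigma R) + R, which is exactly
    this fraction, so sota() equals attenuate_time(attenuate_distance(...)).
    """
    if sig <= 0.0 or rate <= 0.0:
        raise ValueError("sigma and R must be positive (spiders must not all coincide)")
    return i_xp * math.exp((-d_xp + rate * rate * sig) / (sig * rate))


def classify(attenuated: float, threshold: float) -> str:
    """Verification rule as the paper words it (Section 2.1): an attenuated intensity
    lesser than the threshold is reported as a vulnerability, otherwise it is dropped
    as a false positive."""
    return "vulnerability" if attenuated < threshold else "false positive"


def evaluate_prey(spiders: List[Point], prey: Point, f_p: float, delta_max: float,
                  delta_min: float, risk: str, rate: float,
                  threshold: float) -> Tuple[float, str]:
    """Sense one candidate finding (prey) from every VDA (spider) position.

    Returns the strongest attenuated intensity (the nearest VDA senses it) together
    with the verification outcome for that value.
    """
    sig = sigma(spiders)
    i0 = intensity(f_p, delta_max, delta_min, risk)
    sensed = [sota(i0, distance(x, prey), sig, rate) for x in spiders]
    best = max(sensed)
    return best, classify(best, threshold)


if __name__ == "__main__":
    # Constructed sample: three VDAs on a 2-D plane and one candidate finding.
    vdas = [(0.0, 0.0), (4.0, 0.0), (0.0, 3.0)]
    finding = (4.0, 3.0)
    best, verdict = evaluate_prey(vdas, finding, f_p=7.0, delta_max=10.0,
                                  delta_min=1.0, risk="max", rate=0.5, threshold=4.0)
    print(f"strongest attenuated intensity = {best:.4f} -> {verdict}")
```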

Therefore, to find the best automated web vulnerability scanner, the various open-source automated web security scanning tools are compared for the best consistent and efficient performance. In this paper, the proposed OCVA orchestrates and advocates continuous assessment of vulnerabilities detected in the web applications. Two case studies are outlined: the comparative evaluation of existing research-based vulnerability scanners, i.e. BRICK, Fuzzing, ACO, PSO and GA based vulnerability scanners, and another comparative evaluation of some presently available open-source dynamic security scanners, i.e. Wapiti, Arachni, W3af, ZAP, with the proposed OCVA vulnerability scanner in terms of rigorous performance indicators, i.e. vulnerability detection rate, True positive rate (TPR), False positive rate (FPR), accuracy, consistency, and performance; a comprehensive web vulnerability assessment on 485 web applications is conducted and analyzed. The result specifies that OCVA reduces the vulnerability remediation rate and enhances accuracy and consistency. The paper is organized as follows: Section 2 discusses the related work; Section 3 describes the Orchestrated Continuous Vulnerability Assessment (OCVA) vulnerability scanning tool; Section 4 covers the implementation and evaluation of the proposed vulnerability scanning tool. Lastly, this paper is concluded with future work in Section 5.

2. Related Work

For this purpose, an extensive and exhaustive literature survey is conducted. Several scanning and detection tool-based frameworks are implemented by researchers for the performance quantification and accuracy of web application security scanners. An exhaustive literature survey of various open-source, commercial, dynamic, black-box security scanners is conducted to understand the research gaps. Researchers have widely studied the various approaches for vulnerability scanning and detection methods. These vulnerability detection methods can be categorized in the following ways (Jurn, Kim, and Kim, 2018):

• Static analysis for security testing (SAST) - Static techniques are the automatic defensive and preventive analysis tools that identify vulnerabilities from the web applications (McQuade, 2014). These techniques include Pattern Matching, Model Checking, Lexical Analysis, Type Qualifier, Parsing, Abstract Interpretation, Data Flow Analysis, Taint Analysis, etc.
• Dynamic analysis for security testing (DAST) - It follows a black box testing approach such that the tools or person only interact with the application as users that have no knowledge of its internal operations, such as Fuzzy testing, Dynamic Taint, Fault Injection, Sanitization, etc.
• Interactive analysis for security testing (IAST) - IAST uses different instruments to monitor a running application in order to gather information about the internal processes. These tools try to mitigate SAST's and DAST's limitations, namely, to identify the specific place where a bug/vulnerability is located.
• Artificial Intelligence in vulnerability scanning: Artificial intelligence and its sub-domains such as swarm intelligence, machine and deep learning are successfully automating various activities in various domains, for instance image recognition, user behavior analytics, traffic prediction, cybersecurity, etc.

Broadly, vulnerability scanning and detection can be categorized in two parts on the basis of the exhaustive literature survey, as described in the following way:

2.1. Algorithm based vulnerability scanners

Researchers work on various aspects related to the automation of vulnerability detection techniques. Yunfei et al. highlighted various fuzzing techniques that target application termination by providing unintended random inputs. Dumb fuzzing, smart fuzzing, mutation fuzzing, generation fuzzing and evolutionary fuzzing techniques are introduced that provide new input value generation to respond back on the targeted application (Su et al., 2016). Hui et al. proposed a novel framework, namely Mobile Agent Vulnerability Detection and Restoration System (MAVDRS), that follows the restoration techniques by adopting the ACO approach. The results show that the framework ensures network security, hence reducing the delay and maximizing the utilization of network bandwidth (Hui and Min, 2009). Abadi et al. specified an ant colony optimization variant named AntNAG for the purpose of the minimization analysis of network attack graphs. In this approach, every individual ant creates several critical payloads of exploits. The use of a local search heuristic improves the overall algorithmic performance. AntNAG performance is compared with a greedy based minimization approach for large-scale network attack graphs. The experimental results prove the success of AntNAG (Abadi and Jalili, July 2006).

Krishnakumar et al. introduced a collaborative Unified Threat Management (UTM), a traffic prober along with a security center based on Ant colony optimization. The security center acts as an instructor to various collaborative UTMs and the traffic prober collects traffic. This humongous traffic data is provided to a data center that performs classification of data. This classified data is analyzed, generating various new security rules as per the security center, to be followed by the collaborative UTM. Further, feedback on new security rules is submitted to the security center. Traffic data analysis is conducted for detection of some malicious attacks and leads to security rule generation accordingly. As per the feedback evaluation, invalid rules are removed for the efficient and reliable performance of the system (Krishnakumar and Varughese, 2014).

Dass et al. presented a novel technique of adequacy audit known as "vulnerability coverage." This metric examines the vulnerabilities listed in the National Vulnerability Database (NVD). The process of test input generation involves GA and PSO adaptation. An open and free industry standard, the Common Vulnerability Scoring System (CVSS), used to assess the vulnerability severity, is regularized in the methodology for the fitness evaluation of the test input generation. The experimental results segregate the vulnerabilities identified that correlate with the vulnerability pattern class (Dass and Namin, 2012).

Chen et al. proposed PSOFuzzer, a novel target-oriented fuzzer which implemented particle swarm optimization for sample generation. PSOFuzzer adapts high-definition attributes from the historical samples and hence implants these features into new upcoming samples for executing the malicious vulnerable spot. The research evaluations highlight that PSOFuzzer generated more samples for targeting the vulnerability point and triggered 79% and 423% higher probability of vulnerabilities in comparison to AFLGo and Sidewinder, respectively [31].

David et al. enlightens LineVD, a deep learning based framework, for the purpose of formulating control and data dependencies among statements with the help of graph neural networks, along with a transformer-based framework to encode source code tokens, hence addressing the outputs of function-level and statement-level information. It leads to improvement in the prediction without vulnerability status for function code. Extensive evaluation is conducted to demonstrate an increase of 105% in F1-score over the current solutions (Hin, Chen, and Ali Babar, 2022).

An extensive literature survey is conducted to resolve the problems and various gaps are spotted. As already discussed about the shortcomings of the nature-inspired algorithms such as ACO, PSO, GA, ABC etc., the proposed social spider based OCVA approach for the vulnerability scanning tool imbibes the significant concept of attenuation added to vibration intensity. With the introduction of this concept the vibration intensity (fitness) of the prey acting as vulnerability will fade away. If it is lesser than the threshold vibration intensity, then it will be counted as a vulnerability. Otherwise it will be considered as a false positive. In this way, only those vulnerabilities that are strongly recommended by the tool will be reported and others will be dropped, thus leading to an optimal solution wherein premature convergence is avoided due to attenuating the vibration intensity. Therefore, the most significant advantages of the social spider based vulnerability scanning tool are as follows:

1. Premature convergence is delayed with the help of attenuation in vibration intensity.
2. The exploitative-explorative characteristic of the proposed methodology is enhanced as each vulnerability is explored before converging towards the global best optimal solution.

2.2. Tool based Vulnerability scanner

All the tool based vulnerability assessment scanners can be categorized into two parts, i.e. open-source and commercial vulnerability scanners (Jurn, Kim, and Kim, 2018), such as Increase the MySQLinj factor (Liban and Hilles, 2014), SQIVS (Djuric, 2013), Secubat (Kals et al., 2006), Amnisia (Halfond and Orso, 2005), State aware scanner (Doupe et al., 2012), Nikto, ZAP, Wapiti, Vega, Wave (Huang et al., 2003), Arachni and W3af (OWASP 2017). Various commercial vulnerability scanners are also available, for instance AppScan, Acunetix, Bugblast, Netsparker, etc. These commercial vulnerability scanners are different from open source scanners. Some of the existing open-source vulnerability scanners are discussed as follows:

• W3af - W3af is the abbreviation for web application attack and audit framework. This framework is an open-source scanning tool that includes several vulnerability scan modules that are activated plugins synchronized with a central coordination unit. W3af scan can also be used to store a plugin configuration which enables users for vulnerability exploitation (Witschey, 2013).
• Arachni - Arachni is a free and open-source licensed WVS. It covers quick scans via CLI and customized scans supporting the Ruby library; Multi-User, multi-Scan and multi-Dispatcher execution is enabled in the web user interface; distributed systems are deployed using remote agents. HTML5, AJAX, DOM, and advanced JavaScript crawling are supported in Arachni.
• Wapiti - Another free and open-source web application scanner, Wapiti is written in Python. The flags used for the scanning in Wapiti are -o, -a, and -x as in Skipfish. Wapiti generates the result report in TXT, HTML, XML, and JSON format. Wapiti can detect Malicious File Inclusion, SQL Injection, XML Injection, Session Fixation, Command Injection, Information Leakage, and Cross-Site Scripting.
• OWASP Zed Attack Proxy (ZAP) - The OWASP Zed Attack Proxy (ZAP) is an efficient, effective, and integrated tool of penetration testing that identifies web application vulnerabilities. It is designed for the convenience of new developers and pen testers as well as being useful for experienced security auditors (Makino and Klyuev, 2015).

Some authors introduced a scanning framework for the implementation and evaluation of web application security scanners with fault tolerance and performance degradation technique (Fonseca, Vieira, and Madeira, 2009; Fonseca, Vieira, and Madeira, 2014; Fonseca and Matarese, 2013; Tung et al., 2013). Besides this, other qualitative and quantitative metrics are surveyed comprehensively to rank existing web security scanning tools. True duplication and false duplication are introduced for describing the web-based application duplicate outcomes (Di Lucca and Fasolino, 2006). Not only this, the sensitive data flow coverage as a replacement of conventional branch coverage and statement coverage is focused on. In another paper, the author highlighted the grading system for the website to grade web (Loh and Subramanian, 2010). Earlier work targets web security vulnerabilities, either by finding better ways to enhance dynamic testing techniques (Livshits and Lam, 2005) or by evaluating the static analysis testing approach (Alarifi and Alsaleh, December 2012; Alsaleh et al., 2015; Curphey and Arawo, 2006) and implementing these approaches for analyzing web application security (Alomar, Alsaleh, and Alarifi, 2017). The research studies focus on the performance evaluation of web security detectors, which signifies their limitation in crawling capabilities and high FPR (false positive rates).

Evaluation of the web application security and detection of the vulnerabilities is a complicated and challenging problem to be addressed (Bau et al., May 2010; Suteva, Zlatkovski, and Mileva, 2013). With the increase in web application complexity and the emergence of advanced development technologies, the requirement for automatic security vulnerability detection tools is increasing (Fonseca, Vieira, and Madeira, 2007). Penetration testing is a cost-effective approach implemented for the detection of security vulnerabilities (Chen, 2014). Many researchers have enlightened the poor accomplishment of web vulnerability scanners, which are incapable of covering all the vulnerabilities (Felmetsger et al., 2010). The limited discoverability of vulnerabilities is another significant pitfall of web vulnerability scanners (Doupé et al., 2012). Although the scan report generated is supposed to be comprehensive and accurate (Suto, October 2007), it is proved that this report is only a subset of evaluated vulnerabilities that even includes false alarms (Sagar et al., January 2018). Fonseca et al.'s work has targeted the web security vulnerability scanner's performance in terms of the scanner's effectiveness evaluation (Finifter and Wagner, 2011; Vieira, Antunes, and Madeira, 2009; Fonseca and Vieira, June 2008) or accuracy evaluation (Soska and Christin, 2014).

Sagar et al. evaluate w3af, Skipfish and ZAP for DVWA. The process starts with the targeted website and ends with the vulnerability report. Comparative analysis of these three scanners is presented in terms of efficiency with reduced time. The authors conclude that ZAP outstands the other mentioned scanning tools (Sekar, 2009). Other researchers focused on the comparison between the effectiveness of dynamic testing and the static testing approach (Khalid et al., 2017).

Vieira et al. highlighted commercial web vulnerability scanners to quantify the security vulnerabilities in web services and perceived a high false-positive rate (Alsaleh et al., 2017). The experimental results proved the vulnerability detection limitations and crawling incapability. It shows the major differences in security vulnerability scanner types and vulnerability count. It also specifies the result variations reported by various vulnerability scanning tools. The observations show the high false positive percentages and 75% FPRs by the evaluated scanning tools. This implies the inconsistent scan results reported by numerous scanners.

Fonseca et al. enlightens the automation of the audit process, constituting the vulnerability list and result analysis. The proposed approach demonstrates the feasibility and effectiveness of evaluating in terms of vulnerability coverage along with false positive rate for SQL Injection, and a comprehensive evaluation of two vulnerability scanners resulting in an effective and efficient method of security evaluation mechanisms (Chen, Xu, and Cui, 2021). Fonseca et al. have targeted the identification of root causes of web security vulnerabilities and proposed various intelligent solutions for the mitigation of web security vulnerabilities. It presents the analysis of 655 secure codes. Comparative analysis highlights the general security oriented software faults (fuzzing, 2022). Soska et al. specified the malicious web content with the help of the implementation of a classification system that gives predictions for webserver compromise in the future (Leszczyna, 2015).

Alsaleh et al. state the performance evaluation of four vulnerability detection tools, followed by a comparative assessment of two open source web vulnerability scanners; the resulting comparative evaluation could not outstand significantly in terms of performance between various scanners, while the case study evaluation highlighted substantial disagreement between different scanners. Therefore these inconsistencies could not conclude the correlated performance properties (Sönmez, 2018).

Following are the gaps and challenges identified in the existing vulnerability scanning tools during the exhaustive literature survey:

• Most of the scanning tools use one method of vulnerability detection, i.e. each is engineered for checking certain types of vulnerabilities, i.e. the vulnerability coverage issue is not addressed properly. For instance, for SQL detection, some algorithms simply check the application for the special characters only without checking for Boolean values.
• These scanning tools are not able to discover all the vulnerabilities that exist in web-based applications. Besides, the random data generated by the fuzzing component during the scanning process may not discover all the vulnerabilities. Vulnerability detection rate is not considered.
• There is a limitation of accuracy in web vulnerability scanners, as these tools are not 100%. These bogus findings are called "false positives". In conclusion, there is no single solution. Most open-source web vulnerability scanners have a lot of limitations in vulnerability detection rate, false-positive rate, accuracy, and consistency.

Therefore, these gaps and challenges become the significant motivation and objectives of the OCVA vulnerability scanning tool.

3. Orchestrated Continuous Vulnerability Assessment (OCVA)

The proposed orchestrated continuous vulnerability assessment (OCVA) scanner is designed to improve the performance and address the challenges faced by the existing vulnerability scanning and detection tools. Most of the existing tools check the entry point in the application with various payloads and monitor the malicious behavior in the output. But still, some vulnerabilities could not be captured. The accuracy rate and the false positive rate directly depend on the method of detecting the vulnerabilities. Hence the vulnerability detection rate, as well as the reliability of the vulnerability scanner, decreases. Therefore, the vulnerability detection approach of the vulnerability scanner must be focused on to get a reliable and accurate vulnerability count. In this direction, a novel OCVA scanner based on the social spider communicating behavior is proposed that adopts a black-box approach for the demonstration of

lowing are the detailed stages of the proposed OCVA scanning tool in Algorithm 3.1. The OCVA scanning tool algorithm is categorized into the following different stages:

• Initialization Stage
• Fitness Evaluation of Vulnerability Stage
• Vulnerability Verification Stage
• Application Evaluation Stage

In this algorithm, the target application is fed to the scanner, which starts with the initialization stage and calls the VDAs. These VDAs evaluate the fitness (severity) of vulnerabilities in the fitness evaluation of vulnerability stage. Further, the detected and evaluated vulnerabilities are verified to check the false positive rate (FPR) by inducing the attenuation in the fitness calculated and comparing it with the threshold. Finally, RSI is computed in the Application Evaluation Stage as shown in Fig. 1. Following is a detailed description of all the stages.

3.1. Initialization Stage: VDA

The proposed scanning tool works by crawling or scanning all web pages within a domain and automating the security testing process by randomly simulating attacking scenarios (Program and Management, 2018). As in the case of the spider web, the social spider senses any kind of vibration generated either by another neighbor spider or by some external agent, i.e. prey captured in the spider web. To get information about its neighboring social spider or prey, whenever they generate the vibration intensity, each social spider remembers the source position and other characteristics of the vibration source. During this stage, the social spider can gain knowledge about the existence of the number of spiders/prey of the social spider web, and hence stores information about their positions on the web. The Initialization stage, i.e. Vulnerability detection agent (VDA), is executed as shown in Algorithm 3.2.

Similarly, when this biological concept is emulated in the proposed OCVA scanner, these social spiders act as the Vulnerability detection agent (VDA). Multiple VDAs perform the same task of scanning by crawling and detecting vulnerabilities to gather knowledge about the various web pages and the hyperlinks present in the application. This stage is the information gathering stage of the OCVA scanner, wherein VDAs will crawl or scan the application and find out the detailed sitemap of the application. Therefore, initial footprinting is performed to know the vital information such as hostname, IP, DNS, open ports, email disclosure, HTTPS/HTTP, other SSL related vulnerabilities, cookie/session scan, etc.

Description

The initialization stage of OCVA includes the execution of VDA using a top-down approach. Primarily, the target URL is given to
the improved performance capability and accuracy. VDA for crawling and scanning various web pages for given ma-
The social spider communication strategy is mimicked in the licious keywords. It is commonly used by search engines, such as
proposed OCVA scanner. The social spiders communicate through Google, to scan web pages for titles, descriptions, keywords, and
the spider web with each other. They generate vibration on the links. The data that the VDA collects from the web page is then
spider web to convey messages to other spiders. Thus vibration in- stored in a database. It is recommended that there is a need for
tensity is sensed all over the web. Not only this, whenever any in- more complex algorithms to track the state of the application un-
sect i.e. prey is captured in the web, these spiders evaluate the der test and execute "deep "crawling. VDA inspection or crawl-
fitness of the prey with its vibration intensity generated on the ing in this phase focuses on gathering information about the web
web. Due to this vibration intensity generated, communication on application or footprinting. It crawls up to three levels. The VDA
the web is possible. Hence, the spider web acts as the communi- crawling includes simple and deep crawling.
cation channel among the spiders and helps in the fitness eval- After all these levels, it also distinguishes the HTTP and HTTPS
uation of the prey. This social spider communication and sensing web applications and checks for SSL-related vulnerabilities using
strategy is emulated in the OCVA scanning tool to scan and detect an SSL decoder otherwise it is skipped. Proposed OCVA constitutes
the vulnerabilities in the application. In the proposed scanner, the SSL decoder described four approaches to decrypting SSL/TLS con-
spiders will act as the vulnerability detection agents (VDAs) and nections: 1) performing a check on the server itself; 2) the proxy
prey/s will act as the vulnerabilities in the application, while the server of the terminals; 3) decryption; 4) autonomous tool for de-
entire spider web is emulated as the web/mobile application. Fol- crypting the connection. The SSL decoder Algorithm performs the

5
N.S. Chahal, P. Bali and P.K. Khosla Computers & Security 122 (2022) 102886

Algorithm 3.1 OCVA scanning tool.

Input: Enter the web/mobile application URL

1: [Initialization Stage]
   call VDA [Refer Algorithm 3.2]
2: [Fitness evaluation of vulnerability Stage]
   Vibration intensity computation
   $I_{xp}(t) = \begin{cases} \delta_{max} - f(P_p) & \text{for maximum risk} \\ \log\left(\dfrac{1}{f(P_p) - \delta_{min}}\right) & \text{for minimum risk} \end{cases}$
3: [Vulnerability verification Stage]
   Attenuation in vibration intensity
4: $TA(I_{xp}(t)) = I_{xp}(t) \cdot \left[e^{\frac{-D_{x,p} + C}{\sigma R}}\right] + N$
5: If $TA(I_{xp}(t)) > \eta$, report vulnerability and add in TPR
   Else add in FPR
6: [Application Evaluation Stage]
   Risk Score Index (RSI) computation
   $\delta = TA(I_{xp}(t)) \cdot \left[\dfrac{A(s) + A(a)}{2a} + \dfrac{A(t) + A(b)}{2a}\right]$

Algorithm 3.2 Vulnerability detection agent (VDA).

Input: Enter the web/mobile application URL

1: Verify the hostname, IP (using Alexa.com), DNS, open ports [top ports/all ports using Nmap and FSocket]
3: Crawl with simple crawler (internal and external crawler) and deep crawler [check internal and external URL count]
4: Check for email disclosure with fuzzing technique, possible sensitive information disclosure, IP blacklisting verification
5: Check for version disclosure using Regex, unwanted HTTP methods, missing headers
6: if (URL = HTTPS)
   {
   Check for SSL decoder using OpenSSL for cipher, key length, service provider.
   Get the certificate information, primary IP, primary port, Heartbeat extension, Heartbleed vulnerability status, SSL protocol details, chain certificate, and validity.
   Check for hash, CSR generation and scanning, SSL vulnerabilities (POODLE, BEAST, Heartbleed, RC4, etc), SSL header scans, key length detection, and TLS check
   SSL vulnerabilities (BEAST, BREACH, CCS injection, CRIME, DROWN, LOGJAM, Lucky 13, secure renegotiation, OpenSSL padding oracle, SLOTH, Sweet 32, Heartbleed, FREA
K, POODLE, CRACK, etc) using testssl.sh to check cryptographic flaws and TLS/SSL ciphers on any ports
   Warnings and errors, chain missing alerts, and run handshake using OpenSSL compiled with enable-ssl-trace; invalid certificate chain
   HTTPS security header scanning: ALPN, HPKP, HSTS
   Certificate transparency check using API (RC4, DHA, DHE, certificate expired)
   }
7: Cookie and session scan
8: SQL injection scan using Regex and payloads
   {Enter URL
   Identify parameters
   Put SQL_payloads in parameters
   If vulnerable then report vulnerability
   Else move to next SQL_payload}
9: XSS scan
   {Enter URL
   Identify parameters
   Put XSS_payloads in parameters
   If vulnerable then report the vulnerability
   Else move to next XSS_payload}
10: Check for code injection, remote file execution, unrestricted file upload, HTML injection, CSRF, file inclusion
Output: List of vulnerabilities detected.

CSR chain certificate check along with the validity check, including valid from and valid to along with issuer information, certificate expiry alert, OpenSSL version disclosure, hostname, and specifies the validation type (DV, EV, etc). Mixed content alert and OCSP stapling are also provided in the SSL decoder. It also includes the TLS fallback check, certificate transparency check using API, root certificate decoder, HTTPS security header scanning, and RFC standard compatibility as shown in Fig. 2. More details found at this stage lead to the successful scanning process.

A Certificate Signing Request is a crucial element when it comes to getting an SSL certificate issued. The Certificate Signing Request (CSR) Decoder is a simple tool that decrypts information about your Certificate Signing Request to verify that it contains the correct information. CSRs are encrypted messages containing identifying information sent to a Certificate Authority to apply for an SSL Certificate. The SSL decoder also includes the SSL converter that converts the SSL certificate from a PEM file to DER, P7B, and then to PFX using OpenSSL commands. The SSL converter decodes the certificate from the server to plain text. For this reason, it is also called a certificate decoder. Then it checks the hashing algorithm of the SSL certificate for the SHA-2 hash algorithm, which is followed by the signature algorithm check. It represents the hash algorithm used to sign the SSL certificate along with other information on the hash function used in the certificate signature.

Fig. 1. OCVA vulnerability scanning tool flowchart.

Mixed content scanning is also performed in the proposed SSL decoder. It focuses on the HTTPS protocol and checks for the internal URLs with HTTP protocols. It looks for warnings on HTTPS and compares it with HTTP pages to find insecure or broken links. Chain missing alerts are checked by the SSL decoder. It performs a handshake using OpenSSL. Further, it checks the invalid certificate chain. It evaluates the SSL vulnerabilities (BEAST, BREACH, CCS injection, CRIME, DROWN, LOGJAM, Lucky 13, secure renegotiation, OpenSSL padding oracle, SLOTH, Sweet 32, Heartbleed, FREAK, POODLE, CRACK, etc) using testssl.sh to check cryptographic flaws and TLS/SSL ciphers on any ports. The protocol validation check includes all ciphers, including the local cipher check performed remotely. The proposed SSL decoder also scans the TLS fallback check along with the HTTPS security headers including ALPN, HPKP, and HSTS. Once the first phase of the OCVA vulnerability scanning tool is completed, the scanning process begins, which involves recognizing the weaknesses or vulnerabilities as per OWASP standards that exist in the web application. The vulnerabilities such as XSS, CSRF, HTML injections, SQL injections, session-related vulnerabilities, etc., are discovered in this scanning phase and are analyzed in the next phase.

Fig. 2. OCVA vulnerability scanning tool.

The scanning process includes detecting and classifying system weaknesses. In addition to identifying vulnerabilities, it also predicts how effective countermeasures are in case of a threat or attack. It uses various payloads to embed in requests and checks the response to know the target attack surface. These payloads are known flaws, coding bugs, packet construction anomalies, default configurations, and potential paths to sensitive data that can be exploited by attackers. The reporting phase includes the generation of a vulnerability scan report which is displayed at the end of the entire process. After the algorithm checks for possible vulnerabilities in the web application, the findings in the report can then be analyzed and interpreted to identify opportunities for an organization to improve its security posture. This means that the code is engineered to crawl all the web pages in a web application and scan for the various vulnerabilities independently. All the vulnerabilities are scanned by a module in the source code independently. After crawling for three levels of internal URLs, security headers are checked for their values and validation. Vulnerability related to SQL injection is scanned using various default arrays of payloads. These payloads are fired on all the entry fields wherein data connectivity with the database is established, aiming to compromise the database. Further, a cross-site scripting (XSS) scan is performed with the payloads in the entry points and even at the network to check the authenticity of data sent across the network. It is followed by a cross-site request forgery (CSRF) and command injection scan. Further, SSL is followed by remote file inclusion scanning, local file inclusion scanning, HTTP splitting, session management, XPath and LDAP injection scanning. After the entire vulnerability scans, the scanned vulnerabilities are listed and stored by VDA to evaluate the fitness of the vulnerability in the next stage.

3.2. Fitness Evaluation of Vulnerability Stage: Vibration Intensity Computation

In the spider web, when social spiders sense the vibration caused by the prey, they come to know about the vibration source's fitness characteristics by focusing on the sensed vibration intensity of the prey (Abrol, Gupta, and Kaur, 2015). Through the vibration intensity of the prey, the fitness evaluation of the prey can be computed, which will help the social spiders to evaluate whether the prey sensed can fulfill the hunger of the spiders (Abrol, Gupta, and Kaur, 2016). This characteristic of the social spider is emulated in the OCVA scanning tool. Now in this stage, VDA computes the vibration intensity of the vulnerability and evaluates the fitness $f(P_p)$ i.e. severity of the vulnerability as per OWASP standards. The severity can be defined as the exploitation potential or risk posed by the vulnerability. Hence, in other words, the vibration intensity of the vulnerability is computed as follows:

$$I_{xp}(t) = \begin{cases} \delta_{max} - f(P_p) & \text{for maximum risk} \\ \log\left(\dfrac{1}{f(P_p) - \delta_{min}}\right) & \text{for minimum risk} \end{cases} \quad (1)$$

Using Eq. (1), $f(P_p)$ is the severity as per OWASP standards, and $\delta_{max}$ and $\delta_{min}$ are two control parameters, i.e. the maximum and minimum computed RSI such that $(\delta_{max}, \delta_{min}) \in (1, 10)$. The vibration intensity of the vulnerability is directly proportional to the severity. The greater the value of the severity, the greater the vibration intensity and the larger the risk to the application. Hence more vibration intensity will be sensed by the VDA.

3.3. Vulnerability Verification Stage: Attenuation in Vibration Intensity

In this stage, the social spider detects the existence of the prey captured in the spider web. They have to ensure themselves that the vibration being sensed is due to the squirm of the prey and not due to other external factors such as air, any other spider's movement, or some animal passing by. It is performed by adding the attenuation in the vibration intensity calculated. Logically, attenuation is the fading of the vibration intensity with respect to distance and time. The farther the prey is from the spider, the more attenuation in the vibration intensity will be sensed (Abrol, Gupta, and Singh, 2020).

Similarly, in the OCVA scanning tool, this stage ensures the occurrence of the vulnerability by introducing attenuation in the vibration intensity of the vulnerability. The attenuated intensity of the vulnerability will be checked against a threshold intensity. If the attenuated intensity is less than the threshold intensity, then that vulnerability will be considered a false positive. Otherwise, it will be considered a true positive. This step is included in the scanning tool to improve its accuracy by reassuring the vulnerabilities detected. Hence the total attenuated vibration intensity of the vulnerability marks the occurrence rate of the vulnerability. It will be calculated as:

$$TA(I_{xp}(t)) = I_{xp}(t) \cdot \left[e^{\frac{-D_{x,p} + C}{\sigma R}}\right] + N \quad (5)$$

Using Eq. (5), $C = R^2\sigma$ is a constant and $N$ is the noise or delay added due to attenuation.

$TA(I_{xp}(t)) > \eta$, where $\eta$ is a threshold value of $TA(I_{xp}(t))$ such that $\eta \in [0, 10]$.

Now if $TA(I_{xp}(t))$ is greater than the threshold value ($\eta$) of $TA(I_{xp}(t))$ then this vulnerability is a true positive, otherwise this vulnerability will not be considered. The threshold value $\eta$ nullifies the vulnerabilities with low $TA(I_{xp}(t))$, resulting in the accurate performance of the OCVA scanner by reducing the false positives. In the vulnerability verification stage, some vulnerabilities with lesser $TA(I_{xp}(t))$ will be eradicated as they are the dependent vulnerabilities, hence increasing the true positives and decreasing the false positives. Therefore the accuracy of the OCVA is increased.

3.4. Application Evaluation Stage: Risk Score Index (RSI) Computation

Intelligent aggregation of vulnerabilities can be highlighted by the Risk Score Index (RSI). VDA identifies and prioritizes risky assets as per the fitness evaluation of the vulnerability, observes RSI changes, analyzes the source of increased risk, and determines an appropriate course of action. As per the traditional protocol, the RSI is calculated as follows. The maximum RSI is 10.

$$\text{Risk score index} = \text{Probability of attack} \times \text{Impact} \quad (6)$$

Hence the RSI ($\delta$) is calculated as:

$$\delta = \left[\frac{A(s) + A(a)}{2a}\right] + \left[\frac{A(t) + A(b)}{2a}\right]$$

$$\delta = TA(I_{xp}(t)) \cdot \left[\frac{A(s) + A(a)}{2a} + \frac{A(t) + A(b)}{2a}\right]$$

Where $\delta$ is the risk score index, $A(a)$ is the vulnerability factor, $A(s)$ is the attacker's strength factor that constitutes security auditor skill set, purpose of attack, leverage to attack, and team type and team size. $A(t)$ (technical impact factor) includes confidentiality loss, integrity loss, availability loss, and accountability loss. $A(b)$ (business impact factor) consists of reputational impact, non-compliance, privacy impact, and financial impact. All of them are rated between 0 and 10. By implementing the nature-inspired communicating approach of the social spider in the OCVA, the performance and accuracy of the proposed scanning tool can be increased in comparison to other existing tools.

4. Implementation and Evaluation

The design of the proposed OCVA vulnerability scanning tool is user-centric. It is developed in PHP, curl, and MySQL as the back end. Therefore, the proposed open source swarm intelligent OCVA tool is executed to give a role-based web application scanning tool experience. The entire setup is hosted on a server hosting two virtual machines (VMs) with 32 GB RAM each, running the Ubuntu operating system. VM 1 acts as the application server wherein the applications are deployed along with the tools, while the other VM (VM 2) is used as an analytical server wherein the proposed OCVA is implemented.

The server configuration details are shown in Table 1.

The screenshot of the proposed OCVA scanning tool where the target URL is entered to scan the complete application is shown in Fig. 3.

After the complete scan, the report can be generated in a customized format. In this way, the proposed nature-inspired social spider communication based OCVA scanning tool also provides the reporting facility for the vulnerabilities.

4.1. Qualitative Metrics

The True positive (TP), False positive (FP), False negative (FN) and True negative (TN) rates are the four standardized metrics that are used to compute and evaluate the performance of the proposed approach, as shown in Table 2.

4.2. Case study 1: Comparative analysis of proposed OCVA tool with existing vulnerability detection methods

For evaluation, 485 state government web applications are taken as a sample for the evaluation of the proposed OCVA vulnerability scanner and its comparative analysis with existing research algorithms for vulnerability scanning tools. A comparative analysis of the proposed OCVA tool with existing vulnerability detection methods, i.e. Fuzzing (Bennetts, 2014), BRICK (Ping et al., 2009), ACO (Krishnakumar and Varughese, 2014; Hui and Min, 2009), PSO (Chen, Xu, and Cui, 2021) and GA (Chen, Xu, and Cui, 2021), is performed. The following are the benchmarks for evaluating the vulnerability detection methods: accuracy, FPR, vulnerability detection rate and TPR. For the purpose of patching the flaws of the SAST and DAST approaches, so as to decrease FPR and increase the vulnerability detection rate as well as accuracy, a novel proposed approach based on the swarm intelligent social spider communicating technique is integrated for the better performance of the vulnerability scanner. The proposed tool helps to scan and detect the vulnerabilities. Details of the performance comparison, including vulnerability detection rate, accuracy, FPR and TPR of the vulnerability detection methods, follow.

4.2.1. Algorithm based Vulnerability Detection Rate analysis

The algorithm based vulnerability detection rate analysis is shown in Fig. 4. The experimental result shows that the OCVA outperforms the others for vulnerability detection rate. It proves that OCVA outperforms Fuzzing, BRICK, ACO, PSO and GA. The peak difference percentage is approximately 50% at 100 applications and, in the case of execution of 485 applications, the difference between ACO and OCVA is about 9%. Hence, the proposed scanning tool outperforms all the existing algorithmic techniques.

4.2.2. Algorithm based FPR and TPR analysis for 485 applications

The FPR and TPR rate analysis also shows OCVA's performance as the standout one. The peak difference between OCVA and ACO is 6.25%. Hence, the proposed OCVA scanning tool proves to be the best among all the existing algorithmic approaches, as shown in Fig. 5.

4.2.3. Algorithm based accuracy analysis for 485 applications

The accuracy analysis performed for 485 applications is shown in Fig. 6. The results show that when 485 applications are fed for vulnerability scanning to the various scanners, OCVA outshines them all in the case of accuracy. It scores 96% accuracy based on the reduced FPR and an increase in TPR. The peak percentage difference with the ACO based tool is 13.5% and with the Fuzzing technique is about 51%. Hence the proposed OCVA proves the highest accuracy rate.
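The scoring chain of Sections 3.2 to 3.4 (vibration intensity by Eq. (1), attenuation by Eq. (5), the threshold test, and the RSI formula) carried through in Python as an added example; it is not the authors' PHP implementation. The finding values, the distance D_x,p, σ, R and N, the normalising constant a = 10, which branch of Eq. (1) a finding uses, and the cap at the stated maximum RSI of 10 are this example's assumptions.

```python
"""OCVA scoring chain (Sections 3.2-3.4) run over constructed findings.

Added example, not the paper's PHP implementation. Eq. (1), Eq. (5), the
threshold rule and the RSI formula follow the text; everything marked
'assumption' is chosen here because the page does not fix it.
"""
import math

DELTA_MAX = 10.0  # δmax and δmin: control parameters, (δmax, δmin) ∈ (1, 10)
DELTA_MIN = 1.0
MAX_RSI = 10.0    # "The maximum RSI is 10" (Section 3.4)


def vibration_intensity(severity, risk):
    """Eq. (1): I_xp(t) from the OWASP severity f(Pp).

    risk == "max":  I = δmax − f(Pp)
    risk == "min":  I = log(1 / (f(Pp) − δmin))
    The page does not say how a finding is assigned to a branch, so the
    caller decides (assumption).
    """
    if risk == "max":
        return DELTA_MAX - severity
    if risk == "min":
        if severity <= DELTA_MIN:
            # log argument would be undefined (division by zero or log of a
            # non-positive number); the branch only makes sense above δmin
            raise ValueError("minimum-risk branch needs f(Pp) > δmin")
        return math.log(1.0 / (severity - DELTA_MIN))
    raise ValueError("risk must be 'max' or 'min'")


def attenuated_intensity(intensity, distance, sigma, radius, noise):
    """Eq. (5): TA(I) = I · exp((−D_x,p + C) / (σR)) + N, with C = R²σ.

    distance is D_x,p (here the crawl depth at which the finding sits,
    an assumption), noise is N.
    """
    c = radius ** 2 * sigma
    return intensity * math.exp((-distance + c) / (sigma * radius)) + noise


def is_true_positive(ta, eta):
    """Verification stage: TA(I) > η reports the vulnerability (TPR),
    otherwise it is counted as a false positive (FPR). η ∈ [0, 10]."""
    if not 0.0 <= eta <= 10.0:
        raise ValueError("η must lie in [0, 10]")
    return ta > eta


def risk_score_index(ta, a_s, a_a, a_t, a_b, a=10.0):
    """Section 3.4: δ = TA(I) · [(A(s) + A(a)) / 2a + (A(t) + A(b)) / 2a].

    A(s) attacker's strength, A(a) vulnerability, A(t) technical impact,
    A(b) business impact, each rated 0-10. The page does not define `a`;
    a = 10 (the rating scale) is an assumption, as is capping at MAX_RSI.
    """
    for factor in (a_s, a_a, a_t, a_b):
        if not 0.0 <= factor <= 10.0:
            raise ValueError("factors are rated between 0 and 10")
    delta = ta * ((a_s + a_a) / (2 * a) + (a_t + a_b) / (2 * a))
    return min(delta, MAX_RSI)


def score_findings(findings, eta, sigma=1.0, radius=1.0, noise=0.1):
    """Run every finding through the three stages; returns one dict each."""
    report = []
    for f in findings:
        intensity = vibration_intensity(f["severity"], f["risk"])
        ta = attenuated_intensity(intensity, f["distance"], sigma, radius, noise)
        tp = is_true_positive(ta, eta)
        rsi = risk_score_index(ta, **f["factors"]) if tp else 0.0
        report.append({"name": f["name"], "I": intensity, "TA": ta,
                       "verdict": "TP" if tp else "FP", "RSI": rsi})
    return report


# Constructed findings standing in for what the VDA stage would store.
FINDINGS = [
    {"name": "SQL injection in a login form (constructed)",
     "severity": 7.0, "risk": "max", "distance": 1.0,
     "factors": {"a_s": 6.0, "a_a": 7.0, "a_t": 8.0, "a_b": 5.0}},
    {"name": "Missing security header (constructed)",
     "severity": 2.0, "risk": "min", "distance": 3.0,
     "factors": {"a_s": 2.0, "a_a": 2.0, "a_t": 1.0, "a_b": 1.0}},
]

if __name__ == "__main__":
    for row in score_findings(FINDINGS, eta=2.5):
        print(f'{row["name"]}: I={row["I"]:.2f} TA={row["TA"]:.2f} '
              f'{row["verdict"]} RSI={row["RSI"]:.2f}')
```

With η = 2.5 the first finding passes verification (TA = 3.1, RSI 4.03) while the second, whose intensity under the minimum-risk branch is zero, is filtered as a false positive.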

Table 1
Server configuration details of OCVA scanning tool.

Application Server | VM 1 (Application Server) | VM 2 (Analytics Server)
Size | 300 GB | 200 GB
RAM | 32 GB | 32 GB
Processor/Core | 4/8 = 32 | 4/6 = 24
OS | Ubuntu-21.10-desktop-amd64 | Ubuntu-21.10-desktop-amd64
Software(s) | NodeJs/Angular/Python/Nmap | MongoDB

Fig. 3. Target URL input in OCVA scanning tool.

Table 2
Qualitative Metrics.

Metric | Description | Formula
False Positive Rate (FPR) | The rate of correctly rejected malicious code. | FPR = FP / (FP + TP) × 100
True Positive Rate (TPR) | The percentage of correctly identified benign codes. | TPR = TP / (FP + TP) × 100
False Negative Rate (FNR) | The rate of incorrectly rejected malicious code. | FNR = FN / (FN + TP) × 100
True Negative Rate (TNR) | The percentage of correctly identified benign codes. | TNR = TN / (FP + TN) × 100
Accuracy | To evaluate the accuracy of the classification results, namely, the proportion of the malicious codes that are accurately classified into their categories. | Accuracy = (TN + TP) / (FN + FP + TP + TN)
Precision | The ratio of the correctly detected vulnerabilities to the number of all the detected vulnerabilities. | Precision = TP / (FP + TP)
Recall | The ratio of the correctly detected vulnerabilities to the number of known vulnerabilities. | Recall = TP / (TP + FN)
F-measure | Assuming the equal ratio of precision and recall. | F-measure = 2 × precision × recall / (precision + recall)
Consistency | A deviation is an application or a vulnerability that was reported in some of the scans, but not in all scans. Then, the samples (applications/vulnerabilities) reported in all the scans were counted. | Consistency = (sample1, sample2, ..., samplen) / ((sample1, sample2, ..., samplen) + deviations)
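The Table 2 formulas, written exactly as the paper gives them, together with the consistency measure over repeated scans, as an added Python example (not the paper's code). The confusion counts and the three repeated scan results are constructed.

```python
"""Table 2 metrics computed as the paper writes them, plus the consistency
measure over repeated scans. Added example, not the paper's code; the
confusion counts and scan results below are constructed."""


def _ratio(num, den):
    # A zero denominator (e.g. a tool that reports nothing) yields 0.0
    # instead of a ZeroDivisionError, so a whole report still computes.
    return num / den if den else 0.0


def qualitative_metrics(tp, fp, fn, tn):
    """Return the Table 2 metrics for one tool.

    Note that the paper's FPR and TPR both use FP + TP as the denominator
    (as printed in Table 2), so the two always add up to 100.
    """
    precision = _ratio(tp, fp + tp)
    recall = _ratio(tp, tp + fn)
    return {
        "FPR": _ratio(fp, fp + tp) * 100,
        "TPR": _ratio(tp, fp + tp) * 100,
        "FNR": _ratio(fn, fn + tp) * 100,
        "TNR": _ratio(tn, fp + tn) * 100,
        "Accuracy": _ratio(tn + tp, fn + fp + tp + tn),
        "Precision": precision,
        "Recall": recall,
        "F-measure": _ratio(2 * precision * recall, precision + recall),
    }


def consistency(scans):
    """Table 2 / Section 4.3.4: samples reported in every scan divided by
    those samples plus the deviations (items reported in some scans only).

    scans: one set per repeated scan, each holding (application,
    vulnerability) pairs as the scanner reported them.
    """
    if not scans:
        return 0.0
    in_all = set.intersection(*scans)
    in_any = set.union(*scans)
    deviations = in_any - in_all
    return _ratio(len(in_all), len(in_all) + len(deviations))


# Constructed counts for one tool over a 20-application sample (the shape
# of Table 4): 9 true findings, 1 false alarm, 2 misses, 8 clean pages.
SAMPLE_COUNTS = {"tp": 9, "fp": 1, "fn": 2, "tn": 8}

# Constructed results of three repeated scans of the same two applications.
SAMPLE_SCANS = [
    {("app1", "XSS"), ("app1", "SQLi"), ("app2", "CSRF"), ("app2", "LFI")},
    {("app1", "XSS"), ("app1", "SQLi"), ("app2", "CSRF"), ("app1", "HTTP splitting")},
    {("app1", "XSS"), ("app1", "SQLi"), ("app2", "CSRF"), ("app2", "LFI")},
]

if __name__ == "__main__":
    for name, value in qualitative_metrics(**SAMPLE_COUNTS).items():
        print(f"{name}: {value:.2f}")
    print(f"Consistency: {consistency(SAMPLE_SCANS):.2f}")
```

For the constructed scans, three findings appear in every run and two (app2 LFI, app1 HTTP splitting) are deviations, giving a consistency of 0.6.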

4.3. Case Study 2: Comparative analysis of proposed OCVA tool with existing vulnerability scanning open-source tools

For evaluation, 485 state government web applications are taken as a sample for the evaluation of the proposed vulnerability scanner and its comparative analysis with existing open-source vulnerability scanning tools, i.e. Wapiti, Arachni, W3af, and ZAP. The vulnerabilities handled by Wapiti, Arachni, W3af, ZAP, and OCVA are shown in Table 3.

Table 3
Vulnerability status in Web application Scanning tools.

Sr. No. | Vulnerability | Wapiti | Arachni | W3af | OCVA | ZAP
1 | XSS | Yes | No | No | Yes | No
2 | SQL Injection | Yes | Yes | Yes | Yes | Yes
3 | CSRF | No | Yes | Yes | Yes | Yes
4 | Remote File Inclusion | Yes | Yes | Yes | Yes | Yes
5 | Local File Inclusion | Yes | No | Yes | Yes | No
6 | Command Injection | Yes | Yes | Yes | Yes | Yes
7 | LDAP Injection | Yes | Yes | Yes | Yes | Yes
8 | Session Management | No | No | No | Yes | No
9 | HTTP splitting | Yes | Yes | Yes | Yes | Yes
10 | X-Path Injection | Yes | Yes | Yes | Yes | Yes

From the above-mentioned sample of 485 state government web applications, 20 applications were taken randomly for the metric analysis of the proposed and other scanners. This proves that the

Fig. 4. Algorithm based vulnerability detection rate analysis for 485 applications.

Fig. 5. Algorithm based FPR and TPR analysis for 485 applications.

Fig. 6. Algorithm based accuracy analysis for 485 applications.

proposed vulnerability scanning tool dealt with the maximum vulnerabilities in comparison to the other tools. The metrics for which the proposed open source OCVA tool and the other existing open-source tools are compared are shown in Table 4. In this sample metric analysis of 20 applications, OCVA outstands the entire set of open-source vulnerability tools.

4.3.1. Tool based Vulnerability Detection Rate analysis for 485 applications

The proposed OCVA scanning tool is evaluated based on the total vulnerabilities scanned in comparison to the existing open-source tools, as shown in Fig. 7. The result states that the outstanding SSL vulnerability detection rates obtained by OCVA are 100% of the SSL test cases. After scanning a sample of 485 websites using OCVA and other scanners, at least 27% of the websites have high-severity vulnerabilities. OCVA and Arachni have 16.36% and 15.73% of the websites that are vulnerable to SSL attacks, respectively. The peak percentage difference in the efficiency of the OCVA vulnerability scanning tool is 55% more than the others. Therefore, it is observed that the proposed vulnerability scanning tool outstands the others. Hence, it not only amplifies the security perspective but also orchestrates and advocates continuous assessment, leading to mitigation and in some cases remediation of vulnerabilities.

4.3.2. Tool based True Positive Rate (TPR) & False Positive Rate (FPR) analysis for 485 applications

True positive rate (TPR) is the ratio between the number of events that have been accurately classified as positive and the total number of events that can be classified as positive (Leszczyna, 2015). False-positive rate (FPR) can be defined as the ratio between the number of events that are not accurately classified as positive and the total number of events that can be classified as positive (Ping, 2009). 485 web applications were fed to the open-source vulnerability scanning tools to evaluate their TPR and FPR, as shown in Fig. 8. The comparative analysis of OCVA among the other existing open-source vulnerability scanners like Wapiti, Arachni, W3af, and ZAP is performed based on TPR and FPR. It is found that the peak percentage of the TPR can be seen in the case of OCVA with 72%, while the peak percentage of FPR is seen in Wapiti. The FPR in the case of OCVA is 1%, which proves that the proposed OCVA outperforms other existing vulnerability tools.

Fig. 7. Vulnerability scanned in 485 web applications.

Fig. 8. TPR and FPR analysis of Web application scanning tools.

Fig. 9. Accuracy analysis of Web application scanning tools.

4.3.3. Tool based Accuracy analysis for 485 applications

In this experiment, the vulnerability scanning tools including Wapiti, Arachni, W3af, ZAP, and OCVA are executed on the 485 web applications, and the results are recorded. The accuracy analysis is shown in Fig. 9. The analysis shows that the proposed scanning tool is 9% more accurate than Wapiti. The peak difference rate is about 16%, between OCVA and ZAP. It outperforms in comparison to all the other scanning tools.

4.3.4. Tool based Consistency analysis for 485 applications

The consistency (Sönmez, 2018; Bennetts, 2014) of OCVA is shown in Fig. 10. The proposed OCVA vulnerability scanning tool reported only 5% false positives in comparison to the others. The comparative analysis shows that the proposed tool is 17% more consistent than Wapiti and the other open-source tools.

Table 4
Open-source vulnerability metric analysis of 20 vulnerable applications.

Web scanner | False-positive | False-negative | License | Precision (%) | Recall (%) | Accuracy (%)
w3af | 100/220 | 35/220 | v1.6.49 | 37 | 66 | 47.4
Arachni | 18/230 | 25/230 | v1.4 | 80 | 80 | 80
ZAP | 14/250 | 29/250 | v2.5.0 | 83 | 83 | 83
OCVA | 00/230 | 00/230 | v1.0 | 100 | 100 | 100
Wapiti | 16/180 | 10/180 | v2.3.0 | 75 | 37.5 | 50

Fig. 10. Consistency analysis of Web application scanning tools.

5. Conclusions and future scope

Using open source web vulnerability scanners in earlier stages of the software development lifecycle will not only increase early detection rates and lower the security assessment workloads performed before application deployment, but will also decrease the total cost over the product's lifecycle by limiting expensive licensing costs. The gaps found in the gap analysis motivated the implementation of a novel swarm intelligent approach for vulnerability detection, which has never been done before. This paper concludes that a low-cost alternative solution based on open-source vulnerability scanning tools, supported by the implementation of the swarm intelligent social spider communication concept, improves vulnerability detection, accuracy, TPR and consistency and reduces FPR in comparison to existing open-source vulnerability scanners and research algorithms. The results of this tool evaluation clearly show that the OCVA vulnerability scanning tool outperforms the other dynamic and swarm intelligent algorithms as well as open-source vulnerability scanners. The proposed OCVA promises the identification of vulnerabilities and helps in evolving application security. Future research and development will create an aggregate tool (Zaman et al., 2021) for artificial intelligence-machine learning based SIEM and vulnerability scanners along with a security dashboard (Goseva-Popstojanova and Perhinschi, 2015).

Ethical approval

This article does not contain any studies with human participants performed by any of the authors.
(Or) Ethical approval: This article does not contain any studies with animals performed by any of the authors.
(Or) Ethical approval: This article does not contain any studies with human participants or animals performed by any of the authors.

Contribution

Navdeep S. Chahal: Conceptualization, Methodology, and Implementation of the entire setup including the deployment of all the vulnerability scanners and their comparative analysis with other tools as well as the research based algorithms.
Dr. Preeti Bali: Review and validation of analysis for both the case studies is carried out thoroughly.
Dr. Praveen Kumar Khosla: Review and validation of analysis for both the case studies is carried out thoroughly.

Declaration of Competing Interest

Mr. Navdeep S. Chahal declares that he has no conflict of interest. Dr. Preeti Bali declares that she has no conflict of interest. Dr. Praveen Kumar Khosla declares that he has no conflict of interest. The authors whose names are listed immediately below certify that they have NO affiliations with or involvement in any organization or entity with any financial interest (such as honoraria; educational grants; participation in speakers' bureaus; membership, employment, consultancies, stock ownership, or other equity interest; and expert testimony or patent-licensing arrangements), or non-financial interest (such as personal or professional relationships, affiliations, knowledge or beliefs) in the subject matter or materials discussed in this manuscript.

Author names: Navdeep S. Chahal, Dr. Preeti Bali, Dr. Praveen Kumar Khosla

The authors whose names are listed immediately below report the following details of affiliation or involvement in an organization or entity with a financial or non-financial interest in the subject matter or materials discussed in this manuscript. (The articles do not contain studies with human participants or animals by any of the authors.)

References

Abadi, M., Jalili, S., July 2006. An ant colony optimization algorithm for network vulnerability analysis. Iranian J. Electric. Electron. Eng. 2 (3 & 4), 106–120.
Abrol, P., Gupta, S., Kaur, K., 2015. Social spider cloud web algorithm (SSCWA): a new meta-heuristic for avoiding premature convergence in cloud. Int. J. Innov. Res. Comput. Commun. Eng. 3 (6), 5698–5704. ISSN (Online): 2320-9801, ISSN (Print): 2320-9798.
Abrol, Preeti, Gupta, Savita, Kaur, Karanpreet, 2016. Analysis of resource management and placement policies using a new nature inspired meta heuristic SSCWA avoiding premature convergence in cloud. In: 2016 International Conference on Computational Techniques in Information and Communication Technologies (ICCTICT). IEEE, pp. 127–132.
Abrol, Preeti, Gupta, Savita, Singh, Sukhwinder, 2020. A QoS aware resource placement approach inspired on the behavior of the social spider mating strategy in the cloud environment. Wireless Personal Communications 113, 2027–2065.
Acunetix, 2015. Web Vulnerability Scanner. http://www.acunetix.com/vulnerability-scanner/.
Alarifi, A., Alsaleh, M., December 2012. Web spam: a study of the page language effect on the spam detection features. In: Proceedings of the 11th IEEE International Conference on Machine Learning and Applications (ICMLA '12), vol. 2. IEEE, pp. 216–221.
Alomar, N., Alsaleh, M., Alarifi, A., 2017. Social authentication applications, attacks, defense strategies and future research directions: a systematic review. IEEE Commun. Surv. Tutor. PP (99).
Alsaleh, M., Alarifi, A., Alqahtani, A., Al-Salman, A., 2015. Visualizing web server attacks: patterns in PHPIDS logs. Secur. Commun. Netw. 8 (11), 1991–2003.
Alsaleh, Mansour, Alomar, Noura, Alshreef, Monirah, Alarifi, Abdulrahman, Al-Salman, AbdulMalik, 2017. Performance-based comparative assessment of open-source web vulnerability scanners. Secur. Commun. Netw., Hindawi.
Antunes, N., Vieira, M., November 2009. Comparing the effectiveness of penetration testing and static code analysis on the detection of SQL injection vulnerabilities in web services. In: Proceedings of the 15th IEEE Pacific Rim International Symposium on Dependable Computing (PRDC '09), pp. 301–306.
Bau, J., Bursztein, E., Gupta, D., Mitchell, J., May 2010. State of the art: automated black-box web application vulnerability testing. In: Proceedings of the 31st IEEE Symposium on Security and Privacy (SP '10). IEEE, pp. 332–345.
Bennetts, S., 2014. Zed Attack Proxy (Version 2.3.1). https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project.
Böhm, Isabelle, Lolagar, Samuel, 2021. Open source intelligence: introduction, legal, and ethical considerations. Int. Cybersecur. Law Rev. 2, 317–337.
Chen, Chen, Xu, Han, Cui, Baojiang, 2021. PSOFuzzer: a target-oriented software vulnerability detection technology based on particle swarm optimization. Appl. Sci. 11, 1095. doi:10.3390/app11031095.
Chen, S., 2014. Security tools benchmarking: WAVSEP web application scanner benchmark.
Curphey, M., Arawo, R., 2006. Web application security assessment tools. IEEE Secur. Privacy 4 (4), 32–41.
Dass, Shuvalaxmi, Namin, Akbar Siami, 2012. Vulnerability coverage for secure configuration. Comput. Sci.
Di Lucca, G.A., Fasolino, A.R., 2006. Testing Web-based applications: the state of the art and future trends. Inf. Softw. Technol. 48 (12), 1172–1186.
Djuric, Zoran, 2013. A black-box testing tool for detecting SQL injection vulnerabilities. In: Informatics and Applications (ICIA), 2013 Second International Conference. IEEE, pp. 216–221.
Doupé, A., Cavedon, L., Kruegel, C., Vigna, G., 2012. Enemy of the state: a state-aware black-box web vulnerability scanner. In: Proceedings of the USENIX Security Symposium, pp. 523–538.
Elberzhager, F., Munch, J., Nha, V.T.N., 2012. A systematic mapping study on the combination of static and dynamic quality assurance techniques. Inf. Softw. Technol. 54 (1), 1–15.
Felmetsger, V., Cavedon, L., Kruegel, C., Vigna, G., 2010. Toward automated detection of logic vulnerabilities in web applications. In: Proceedings of the USENIX Security Symposium, pp. 143–160.
Finifter, M., Wagner, D., 2011. Exploring the relationship between Web application development tools and security. In: Proceedings of the USENIX Conference on Web Application Development.
Fonseca, J., Matarese, F., 2013. Using vulnerability injection to improve web security. In: Innovative Technologies for Dependable OTS-based Critical Systems. Springer, pp. 145–157.
Fonseca, J., Vieira, M., Madeira, H., 2009. Vulnerability & attack injection for web applications. In: International Conference on Dependable Systems & Networks. IEEE, pp. 93–102.
Fonseca, J., Vieira, M., Madeira, H., 2014. Evaluation of web security mechanisms using vulnerability and attack injection. IEEE Trans. Depend. Secure Comput. 11 (5), 440–453.
Fonseca, J., Vieira, M., June 2008. Mapping software faults with web security vulnerabilities. In: Proceedings of the IEEE International Conference on Dependable Systems and Networks with FTCS and DCC. IEEE, pp. 257–266.
Fonseca, J., Vieira, M., Madeira, H., 2007. Testing and comparing web vulnerability scanning tools for SQL injection and XSS attacks. In: Proceedings of the 13th Pacific Rim International Symposium on Dependable Computing. IEEE, pp. 365–372.
Zhao, Jiazhen, Lu, Yuliang, Zhu, Kailong, Chen, Zehan, Huang, Hui, 2022. Cefuzz: a directed fuzzing framework for PHP RCE vulnerability. Electronics 11, 758. doi:10.3390/electronics11050758.
Garnaeva, M., Chebyshev, V., Makrushin, D., Ivanov, A., 2015. IT threat evolution in Q1 2015. Tech. Rep., Kaspersky.
Gartner, 2015. The next three years in security threats. http://www.gartner.com/smarterwithgartner/the-next-hree-years-insecurity-threats.
Goseva-Popstojanova, K., Perhinschi, A., 2015. On the capability of static code analysis to detect security vulnerabilities. Inf. Softw. Technol. 68, 18–33.
Halfond, William G.J., Orso, Alessandro, 2005. AMNESIA: analysis and monitoring for NEutralizing SQL-injection attacks. In: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering. ACM, pp. 174–183.
Hin, David, Kan, Andrey, Chen, Huaming, Ali Babar, M., 2022. LineVD: statement-level vulnerability detection using graph neural networks. In: Proceedings of the 19th International Conference on Mining Software Repositories (MSR '22). ACM.
Huang, Yao-Wen, Huang, Shih-Kun, Lin, Tsung-Po, Tsai, Chung-Hung, 2003. Web application security assessment by fault injection and behavior monitoring. In: Proceedings of the 12th International Conference on World Wide Web. ACM, pp. 148–159.
Hui, Xie, Min, Wu, Zhang, Zhi-ming, 2009. Using ant colony optimization to modeling the network vulnerability detection and restoration system. In: International Conference on Industrial Mechatronics and Automation (ICIMA). IEEE, 978-1-4244-3818-1/09.
IBM, 2015. AppScan. http://www-03.ibm.com/software/products/en/appscan.
Jurn, Jeesoo, Kim, Taeeun, Kim, Hwankuk, 2018. An automated vulnerability detection and remediation method for software security. Sustainability 10, 1652.
Kals, Stefan, Kirda, Engin, Kruegel, Christopher, Jovanovic, Nenad, 2006. SecuBat: a web vulnerability scanner. In: Proceedings of the 15th International Conference on World Wide Web. ACM, pp. 247–256.
Khalid, Muhammad Noman, Iqbal, Muhammad, Alam, Muhammad Talha, Jain, Vishal, Mirza, Hira, Rasheed, Kamran, 2017. Web Unique Method (WUM): an open source blackbox scanner for detecting web vulnerabilities. (IJACSA) Int. J. Adv. Comput. Sci. Appl. 8 (12).
Krishnakumar, L., Varughese, Nisha Mariam, 2014. Detection of vulnerabilities using ACO algorithm in cloud computing. GJRA - Global J. Res. Anal. 3 (2). ISSN 2277-8160.
Kupsch, James A., Miller, Barton P., 2014. Manual vs. automated vulnerability assessment: a case study. https://www.researchgate.net/publication/228910960.
Leszczyna, R., 2015. Evaluation of open source SIEM for situation awareness platform in the smart grid environment.
Liban, Abdilahi, Hilles, Shadi M.S., 2014. Enhancing MySQL Injector vulnerability checker tool (MySQL Injector) using inference binary search algorithm for blind timing-based attack. In: 2014 IEEE 5th Control and System Graduate Research Colloquium (ICSGRC). IEEE, pp. 47–52.
Livshits, V.B., Lam, M.S., 2005. Finding security vulnerabilities in Java applications with static analysis. In: Proceedings of the 14th USENIX Security Symposium, pp. 271–286.
Loh, P.K., Subramanian, D., 2010. Fuzzy classification metrics for scanner assessment and vulnerability reporting. IEEE Trans. Inf. Forensics Secur. 5 (4), 613–624.
Makino, Yuma, Klyuev, Vitaly, 2015. Evaluation of web vulnerability scanners. In: The 8th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications, pp. 399–402.
McQuade, K., 2014. Open source web vulnerability scanners: the cost effective choice? In: Proceedings of the Conference for Information Systems Applied Research, 2167, p. 1508.
OWASP, 2013. The ten most critical web application security risks. Open Web Application Security Project.
OWASP, 2017. Open Web Application Security Project. Available at https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools (retrieved 24/09).
HP, 2015. WebInspect. http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/.
Thesis, 2018. Detecting insider threats using Security Information and Event Management (SIEM). Thesis submitted in partial fulfillment of the requirements of the Degree Program Information Management and IT Security.
Chen, Ping, Wang, Yi, Xin, Zhi, Mao, Bing, Xie, Li, 2009. BRICK: a binary tool for run-time detecting and locating integer-based vulnerability. In: Proceedings of the Fourth International Conference on Availability, Reliability and Security (ARES).
Sagar, Deepika, Kukreja, Sahil, Brahma, Jwngfu, Tyagi, Shobha, Jain, Prateek, January 2018. Studying open source vulnerability scanners for vulnerabilities in web applications. IIOAB Journal 9 (2), 43–49.
Sekar, R., 2009. An efficient black-box technique for defeating web application attacks. In: Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS '09).
Sönmez, F.Ö., 2018. Evaluation of Security Information and Event Management systems for custom security visualization generation. pp. 3–4.
Soska, K., Christin, N., 2014. Automatically detecting vulnerable websites before they turn malicious. In: Proceedings of the USENIX Security Symposium.

Su, Yunfei, Li, Mengjun, Tang, Chaojing, Shen, Rongjun, 2016. An overview of software vulnerability detection. International Journal of Computer Science and Technology (IJCST) 7 (3). ISSN: 0976-8491 (Online), ISSN: 2229-4333 (Print).
Suteva, N., Zlatkovski, D., Mileva, A., 2013. Evaluation and testing of several free/open source web vulnerability scanners. In: Proceedings of the 10th Conference for Informatics and Information Technology (CIIT '13), pp. 221–224.
Suto, L., October 2007. Analyzing the effectiveness and coverage of web application security scanners. San Francisco.
Tung, Y.H., Tseng, S.S., Shih, J.F., Shan, H.L., 2013. A cost-effective approach to evaluating security vulnerability scanner. In: Network Operations and Management Symposium. IEEE, pp. 1–3.
Vieira, M., Antunes, N., Madeira, H., 2009. Using web security scanners to detect vulnerabilities in web services. In: Proceedings of the IEEE/IFIP International Conference on Dependable Systems & Networks. IEEE, pp. 566–571.
Witschey, J., 2013. Secure development tool adoption in open-source. In: Proceedings of the 2013 Companion Publication for Conference on Systems, Programming, & Applications: Software for Humanity. ACM, pp. 105–106.
Yu, James J.Q., Li, Victor O.K., 2015. A social spider algorithm for global optimization. Appl. Soft Comput. 30, 614–627.
Zaman, Shakila, Alhazmi, Khaled, Aseeri, Mohammed A., Ahmed, Muhammad Raisuddin, Khan, Risala Tasin, Shamim Kaiser, M., Mahmud, Mufti, 2021. Security threats and artificial intelligence based countermeasures for internet of things networks: a comprehensive survey. IEEE Access 9, 94668–94690.

Preeti Bali is Associate Director, Software Technology Division, C-DAC, Mohali, India. She obtained her M.Tech (Computer Science and Engineering) in 2005 from Punjab Engineering College, Panjab University, Chandigarh. Her areas of research interest are cloud computing, swarm intelligence, network and application security, vulnerability assessment and penetration testing.

Praveen Kumar Khosla is Pro Vice Chancellor (Research), Chitkara University, Punjab, India. He was awarded the University Medal for topping the M.Tech. (Electronics & Communication) at the National Institute of Technology, Kurukshetra. He obtained his Ph.D. in Electronics & Communication from Thapar University and completed a course in Advanced Artificial Intelligence in Cyber Security at Carnegie Mellon University, USA. His areas of interest are cyber security, healthcare technologies, e-governance, agri-electronics and artificial intelligence.

Navdeep S. Chahal is Associate Director & Coordinator, Applied Information Security Group, C-DAC, Mohali, India. He was awarded an M.Tech in Computer Science & Engineering by Punjab Technical University in 2013. He is a Certified Security Analyst (ECSA) and Certified Information Security Professional (CISP). He is an IT security specialist with a passion and talent for aligning network and application security, security operations, analytics and deployment, penetration testing, incident analysis, incident management, backup and log management, and cloud computing.