An Extensible Web Application Vulnerability Assessment and Testing Framework

Abstract

The process of identifying vulnerabilities in web services plays an integral role in reducing risk to an organisation that seeks to protect their intellectual property and data. The process itself generally involves an automated scan that looks for software misconfigurations, outdated services and exposures that may lead to defacement, data loss or system compromise. However, even with myriad open-source and commercial applications that provide automated vulnerability assessments, the frequency of large scale data breaches and exploitation by adversaries is continuing to increase. This thesis presents a framework that enables not only the skilled security professional to accurately assess the risk of vulnerabilities in web servers, but also empowers non-technical users to scan their web servers and find out the implications of vulnerabilities in their systems. This is achieved by building a user-centric solution which addresses the gaps identified in previous work, and focuses on the most critical vulnerabilities outlined by two major security research organisations.