Benchmarking Vulnerability Detection Tools for Web Services



Vulnerability detection tools are frequently considered the silver-bullet for detecting vulnerabilities in web services. However, research shows that the effectiveness of most of those tools is very low and that using the wrong tool may lead to the deployment of services with undetected vulnerabilities. In this paper we propose a benchmarking approach to assess and compare the effectiveness of vulnerability detection tools in web services environments. This approach was used to define a concrete benchmark for SQL Injection vulnerability detection tools. This benchmark is demonstrated by a real example of benchmarking several widely used tools, including four penetration-testers, three static code analyzers, and one anomaly detector. Results show that the benchmark accurately portrays the effectiveness of vulnerability detection tools and suggest that the proposed approach can be applied in the field.

Received the Best Paper Award at the IEEE 8th International Conference on Web Services (ICWS 2010)

Download from IEEE Xplore


Security, Vulnerabilities, Benchmarking, SQL Injection, Penetration Testing, Static Code Analysis, Web Services, Runtime Anomaly Detection


Web Services Security


IEEE International Conference on Web Services (ICWS 2010), July 2010

Cited by

Year 2015 : 3 citations

 M.-A. Laverdiere, B. J. Berger, and E. Merloz, “Taint analysis of manual service compositions using Cross-Application Call Graphs,” in 2015 IEEE 22nd International Conference on Software Analysis, Evolution and Reengineering (SANER), 2015, pp. 585–589.

 S. Deng, L. Huang, Y. Yin, and W. Tang, “Trust-based Service Recommendation in Social Network,” Applied Mathematics & Information Sciences, vol. 9, no. 3, pp. 1567–1574, 2015.

 M. H. A. N. and C. Miao, “Structured Query Language Injection Penetration Test Case Generation Based on Formal Description,” Journal of Donghua University(English Edition), vol. 32, no. 3, pp. 446–452, 2015.

Year 2014 : 7 citations

 Zhang Jing and Peng Xinguang, “Research On Penetration Test For Android-Based Smartphone,” ????????, vol. 31, no. 12, pp. 29–32, 2014.

 P. D. Buck, Q. Shi, and B. Zhou, “Monitoring and Testing Web Services,” 2014.

 S. Shah and B. M. Mehtre, “An overview of vulnerability assessment and penetration testing techniques,” Journal of Computer Virology and Hacking Techniques, 2014.

 Y.-H. Tung, S.-S. Tseng, J.-F. Shih, and H.-L. Shan, “W-VST: A Testbed for Evaluating Web Vulnerability Scanner,” in Quality Software (QSIC), 2014 14th International Conference on, 2014, pp. 228–233.

 H. Holm, “A Framework and Calculation Engine for Modeling and Predicting the Cyber Security of Enterprise Architectures,” KTH Royal Institute of Technology, Stockholm, 2014.

 S. R. Kesharwani and A. Deshpande, “A Survey On XML-Injection Attack Detection Systems,” International Journal of Science and Research (IJSR), vol. 3, no. 5, 2014.

 S. Shah and B. M. Mehtre, “A Modern Approach to Cyber Security Analysis Using Vulnerability Assessment and Penetration Testing,” International Journal of Electronics Communication and Computer Engineering, vol. 4, no. 6, pp. 47–52.

Year 2013 : 6 citations

 A. Nakamura, “Towards Unified Vulnerability Assessment with Open Data,” in IEEE 37th Annual Computer Software and Applications Conference Workshops (COMPSACW), 2013, 2013, pp. 248–253.

 M. E. Ruse, “Model checking techniques for vulnerability analysis of Web applications,” Ph.D. Thesis, Iowa State University, Ames, Iowa, 2013.

 H. Holm, M. Ekstedt, and T. Sommestad, “Effort estimates on web application vulnerability discovery,” in Hawaii International Conference on System Sciences 46 (HICSS), Grand Wailea, Maui, Hawaii, 2013.

 Z. Wenfeng, X. Shengwei, P. Yaping, and F. Yong, “Design of a Penetration Testing Model for Mobile Internet Web Application,” Journal of Beijing Electronic Science & Technology Institute, vol. 20, no. 4, 2013.

 T. Mattos, A. Santin, and A. Malucelli, “Mitigating XML Injection Zero-Day Attack through Strategy-based Detection System,” IEEE Security & Privacy, vol. 11, no. 4, pp. 46–53, 2013.

 Y.-H. Tung, S.-S. Tseng, J.-F. Shih, and H.-L. Shan, “A cost-effective approach to evaluating security vulnerability scanner,” in 15th Asia-Pacific Network Operations and Management Symposium (APNOMS), 2013, 2013, pp. 1–3.

Year 2012 : 3 citations

 H. Holm, T. Sommestad, U. Franke, and M. Ekstedt, “Success Rate of Remote Code Execution Attacks-Expert Assessments and Observations,” Journal of Universal Computer Science, vol. 18, no. 6, pp. 732–749, 2012.

 J. L. Perea Ramos, D. A. Franco Borré, and J. C. Rodríguez Ribón, “Estado del arte de vulnerabilidades de las IT,” INGENIATOR, vol. 2, no. 3, Apr. 2012.

 M. I. P. Salas, “Metodologia de Testes de Segurança para Análise de Robustez de Web Services pela Injeção de Ataques,” MSc Thesis, IC-UNICAMP, Campinas, Brasil, 2012.

Year 2011 : 3 citations

 Jeff Stuckman, James Purtilo, "A Testbed for the Evaluation of Web Intrusion Prevention Systems", 2011 Third International Workshop on Security Measurements and Metrics, Metrisec, September 2011.

 Liang-Jie (LJ) Zhang, "Guest Editor's Introduction", Services Computing, Computing Now, January 2011.

 J.L. Perea, D.A. Franco, “Estado del Arte de la Seguridad de las Aplicaciones Web”, Décima Conferencia Iberoamericana en Sistemas, Cibernética e Informática, CISCI 2011, Orlando, Florida, 2011.