Reinforced WAVSEP: a Benchmarking Platform for Web Application Vulnerability Scanners

Web applications do represent one of the main targets of cyber attacks. Detection systems such as Web Application Firewalls (WAFs) can help detect web application attacks and allow IT teams to respond rapidly. However, this approach is usually far from optimal, implying that a vulnerability has been exploited and that the attacker has already compromised the vulnerable application. It is, therefore, crucial to detect web application vulnerabilities before an attacker is able to exploit them. One of the most valuable techniques to detect input handling vulnerabilities relies on the use of Web Application Vulnerability Scanners (WAVS), i.e., tools that send malicious payloads against the web application to detect vulnerabilities. Indeed, these tools should be assessed to evaluate their effectiveness. This is usually achieved by testing them against benchmarking platforms, i.e., web applications with both vulnerable and non-vulnerable test cases. One of the most widely deployed benchmarking platforms is WAVSEP, a web application with a lot of relevant vulnerable test cases. Unfortunately, the application has not been updated since 2014 and thus has a few intrinsic limitations. In particular, it does not offer relevant vulnerability classes, nor does it include non-vulnerable test cases, which prove fundamental in evaluating whether or not a web scanner generates a high number of false positives. The scope of this work is to propose a reinforced WAVSEP platform that addresses the problems mentioned above. We integrated 72 new cases in the existing vulnerability classes and created two new vulnerability classes while adding 40 non-vulnerable test cases. Finally, we tested web scanners against both the original WAVSEP and the reinforced one. As the reinforced platform covers a wider set o vulnerability test cases, web scanners were able to detect fewer vulnerabilities by confirming the effectiveness of our platform.