Building a Test Suite for Web Application Scanners
Published
2008
Author(s)
Elizabeth N. Fong, Romain Gaucher, Vadim Okun, Paul E. Black, Eric Dalci
Abstract
This paper describes the design of a test suite for thorough evaluation of web application scanners. Web application scanners are automated, black-box testing tools that examine web applications for security vulnerabilities. For several common vulnerability types, we classify defense mechanisms that can be implemented to prevent the corresponding attacks. We combine the defense mechanisms into "levels of defense" of increasing strength. This approach allows us to develop an extensive test suite that can be easily configured to switch vulnerability types on and off and to select a level of defense. We evaluate the test suite experimentally using several web application scanners, both open-source and proprietary. The experiments suggest that the test suite is effective at distinguishing the tools based on their vulnerability detection rate; in addition, its use can suggest areas for tool improvement.
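The abstract describes a test suite in which each vulnerability type can be switched on or off and protected by a selectable "level of defense". The following is an added illustration of that configuration idea, written for this page; it is not the paper's test suite, and the two vulnerability types, the specific defense mechanisms, their ordering into levels 0 to 2, the payloads and the oracle are all this example's own assumptions. It models two targets (a reflected-XSS page and a SQL lookup backed by an in-memory SQLite table), a tiny black-box "scanner" that tries a list of constructed payloads, and a `run_suite` function that takes the on/off configuration and the defense level and reports which enabled types the scanner could still exploit.

```python
import html
import re
import sqlite3
from typing import Dict, List

# Payloads a black-box scanner might send. Constructed for this example,
# not taken from the paper or from any real scanner.
PAYLOADS: Dict[str, List[str]] = {
    "xss": ["<script>alert(1)</script>", "<img src=x onerror=alert(1)>"],
    "sqli": ["' OR '1'='1", "'/**/OR/**/'1'='1"],
}


# --- Reflected XSS target with three assumed defense levels ---
def xss_defense(value: str, level: int) -> str:
    """Assumed levels: 0 = none, 1 = naive '<script' blacklist, 2 = HTML escaping."""
    if level == 0:
        return value
    if level == 1:
        return re.sub(r"(?i)<\s*script", "", value)
    return html.escape(value, quote=True)


def search_page(query: str, level: int) -> str:
    """Reflect the query into an HTML fragment after applying the chosen defense."""
    return f"<p>Results for: {xss_defense(query, level)}</p>"


# --- SQL injection target with three assumed defense levels ---
def lookup_user(username: str, level: int) -> List[tuple]:
    """Assumed levels: 0 = string concatenation, 1 = strip a whitespace-delimited
    OR keyword, 2 = parameterized query. Returns the matching rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    try:
        if level == 2:
            return conn.execute(
                "SELECT name FROM users WHERE name = ?", (username,)
            ).fetchall()
        if level == 1:
            # Blacklist only catches ' OR ' with real whitespace around it.
            username = re.sub(r"(?i)\s+or\s+", " ", username)
        sql = "SELECT name FROM users WHERE name = '" + username + "'"
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        # Injected text produced malformed SQL; this toy oracle counts that
        # as "not exploited" (a real scanner would still note the error).
        return []
    finally:
        conn.close()


# --- Scanner oracle: did a payload achieve the attack? ---
def exploitable(vuln_type: str, payload: str, level: int) -> bool:
    if vuln_type == "xss":
        # Reflected verbatim means the markup would execute.
        return payload in search_page(payload, level)
    if vuln_type == "sqli":
        # A legitimate lookup returns at most one row; more means a tautology hit.
        return len(lookup_user(payload, level)) > 1
    raise ValueError(f"unknown vulnerability type: {vuln_type}")


def run_suite(enabled: Dict[str, bool], level: int) -> Dict[str, bool]:
    """Run every payload for each switched-on type at the given defense level.
    Returns {vuln_type: True if any payload still works}."""
    return {
        vuln: any(exploitable(vuln, p, level) for p in PAYLOADS[vuln])
        for vuln, on in enabled.items()
        if on
    }


if __name__ == "__main__":
    for lvl in range(3):
        print(f"level {lvl}:", run_suite({"xss": True, "sqli": True}, lvl))
```

Running the three levels shows the property the paper relies on: level 1 is a blacklist that the second payload of each type slips past (the `<img onerror>` vector and the comment-separated `OR`), so a scanner with only the first payload would be indistinguishable from one with both until the defense level changes. Level 2 (escaping and parameterization) defeats every payload here, which is what a suite needs to separate true negatives from scanner blind spots.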
Proceedings Title
Proceedings of Hawaii International Conference on System Sciences (HICSS)
Conference Location
USA
Conference Title
Hawaii International Conference on System Sciences (HICSS)
Pub Type
Conferences
Citation
Fong, E., Gaucher, R., Okun, V., Black, P. and Dalci, E. (2008), Building a Test Suite for Web Application Scanners, Proceedings of Hawaii International Conference on System Sciences (HICSS), USA (Accessed October 9, 2025)