Adaptive Entry Point Discovery for Web Vulnerability Scanning

Entry point collection is crucial to web vulnerability scanning since the collected en-try points may contain serious web vulnerabilities such as SQL injection and Cross-Site Scripting (XSS). Most Web Vulnerability Scanners (WVSs) are equipped with crawlers to collect and locate the web pages for testing. The crawlers are intended to discover all links of the web applications being tested. However, exhaustive crawling may not be feasible when time and computation resources are limited, especially for large websites with rap-idly and dynamically generated new content. Research studies regarding generic selection policies for web crawlers have been attempted. However, these studies are neither suitable for the search of entry points, nor for WVSs given that their selection policies are intended for content comparison, not for maximizing the test coverage and diversity of functionali-ties. In this paper, an adaptive entry point crawler named VulCrawl is proposed for WVSs to discover web pages distinct in terms of functionality and code-wise structure. VulCrawl extends the entry point collection and improves WVS code coverage of a target web ap-plication. The effectiveness and efficiency of VulCrawl are evaluated using two famous websites. In the experiments, VulCrawl found 2 to 3 times more distinct entry points than those crawled by the web crawler without adopting the adaptive entry point crawling. The results indicate that the proposed selection policy enables web crawling to discover more entry points suitable for WVSs.