
ICSEA 2022 : The Seventeenth International Conference on Software Engineering Advances

Automated Testing: Testing Top 10 OWASP Vulnerabilities of Government Web Applications in Bangladesh

Azaz Ahamed, Computer Science & Engineering, Independent University, Bangladesh
Nafiz Sadman, Silicon Orchard Ltd., Bangladesh
Touseef Aziz Khan, Computer Science & Engineering, Independent University, Bangladesh
Mahfuz Ibne Hannan, Computer Science & Engineering, Independent University, Bangladesh
Farzana Sadia, Dept. of Software Engineering, Daffodil International University, Bangladesh
Mahady Hasan, Computer Science & Engineering, Independent University, Bangladesh

Copyright (c) IARIA, 2023. ISBN: 978-1-61208-997-3

Abstract—With an increase in the popularity of the Internet, there is also a rise in the number of security threats and vulnerabilities. The Open Web Application Security Project (OWASP) is an online community-driven project that provides a set of the 10 most crucial security vulnerabilities to monitor and mitigate in order to have safer Internet connectivity. Automated software testing provides invaluable insights into the current situation regarding OWASP Top 10 2017 vulnerabilities for Web applications from the five sectors of the Bangladesh Government. In this research, comprehensive testing has been carried out using BurpSuite, ZAP and Netsparker to see recurring vulnerabilities among the sections of Web applications. We draw data-driven comparisons between these tools, evaluate them against Web applications from the respective sectors, and present the results accordingly. We found the Services and the Transportation sectors to be the most vulnerable.

Index Terms—Software Testing; Automated Testing; OWASP; Web Vulnerability; Testing Tools

I. INTRODUCTION

With the advancement and adoption of Web technology, more and more government services are provided by online Web applications these days. Sophisticated online portals are visited by thousands of citizens every day as they become more and more reliant on their convenience. Naturally, Web applications like these store sensitive user information. With such adoption comes great concern for security, to protect the data and privacy of the users of such platforms [1]. Newer and more sophisticated attacks need to be monitored around the clock due to the advancements in Web technology [2]. Current issues remain where Web applications like these are not properly or regularly tested for OWASP (Open Web Application Security Project) vulnerabilities, as seen in the test results disseminated in later sections of this paper. Our purpose is to understand how the selected government Web applications from different sectors fare against the testing tools.

According to a news article [3], approximately 147–200 Bangladeshi entities, including government agencies, were exploited during April 2021. Before this, according to another article in 2019 [4], 3 private banks were targeted and exploited to steal almost $3 million. In 2016, in a similar type of heist, the hackers stole approximately $81 million from Bangladesh Bank's federal reserve. These are only a handful of the reported attacks.

This paper provides a selection of three automated vulnerability testing tools to find the OWASP Top 10 2017 vulnerabilities [5], [6]. The tools used in this research were Netsparker, BurpSuite, and ZAP. The main motivations for selecting these three tools were the availability of existing security research [7], OWASP compliant threat detection features, reporting, and documentation of usage. According to past research, they are fast and reliable, especially when tested against known vulnerabilities [8]. The different sectors of government Web applications that were tested using the tools are Services, Telecommunication, Welfare, Health, and Transportation. Each test was run three times on the same Web application using the same tool. This methodology was adopted to mitigate any inconsistencies and establish a measurement of correctness for each testing tool. The results were averaged to come to a consistent comparison between the sectors, and the testing tools were carefully compared for consistency. Common vulnerabilities among the Web applications are pointed out, and the different sectors are compared against one another based on how secure they are.

In this paper, we intend to:
• Explore the three popular OWASP compliant testing tools and their effectiveness in finding and recording OWASP's top 10 vulnerabilities.
• Test live Bangladesh Government Web applications, find their vulnerabilities and draw a comparison between them.

Our target is to find answers to the following questions:



• What is the current status of Bangladesh's sensitive Government Websites in terms of vulnerabilities?
• Which of the testing tools used in this research can best detect the most vulnerabilities of the Bangladeshi Government Websites?
• What do these vulnerabilities tell us about the Websites?

The organization of the paper is as follows: In Section 2, we present a brief technical background on OWASP and its list of top 10 vulnerabilities. In Section 3, we look into different literature reviews. We present our research methodology in Section 4 and discuss the results in Section 5. Finally, we conclude our research and future scope in Section 6.

II. TECHNICAL BACKGROUND

In this section, we briefly introduce OWASP. It is a non-profit, community-driven project whose primary aim is to study contemporary vulnerabilities in modern Web applications. The foundation presents a set of standards for identifying the severity of the vulnerabilities, their possible causes, and their mitigation plans.

Table I summarizes the OWASP Top 10 2017 vulnerabilities with their acronyms. Throughout this paper, we will use these acronyms to denote the corresponding vulnerabilities.

TABLE I
SUMMARY OF TOP 10 OWASP 2017

Vulnerabilities   Description                                    Denotations
A1:2017           Injection                                      A1
A2:2017           Broken Authentication                          A2
A3:2017           Sensitive Data Exposure                        A3
A4:2017           XML External Entities (XXE)                    A4
A5:2017           Broken Access Control                          A5
A6:2017           Security Misconfiguration                      A6
A7:2017           Cross-Site Scripting (XSS)                     A7
A8:2017           Insecure Deserialization                       A8
A9:2017           Using Components with Known Vulnerabilities    A9
A10:2017          Insufficient Logging & Monitoring              A10

The OWASP Top 10 is a list of the ten most important and common vulnerabilities that may be found in most Web applications. The popularity of the Top 10 list enabled its adoption as a standard in many vulnerability testing tools. In Table I, we can see the list of the OWASP Top 10 vulnerabilities and their denotations. All the tools used in this research adhere to the Top 10 classes of OWASP to report found vulnerabilities. BurpSuite, Netsparker, and ZAP are all OWASP compliant. They provide rich reports which accurately identify vulnerabilities according to the OWASP Top 10 classification. After finding the class of a vulnerability, we can refer to the OWASP Website to get a better understanding of its severity and possible mitigation ideas.

III. LITERATURE REVIEW

Deployed Websites often come with several vulnerability issues. These vulnerabilities have been extensively studied and systematically categorized into vulnerability standards. Bach-Nutman [5] studied the most frequent Web application vulnerabilities, which can help firms better secure their data from such threats. The research aimed to help users and developers be better equipped to deal with the most common attacks and design strategies to avoid future attacks on their Web apps. The author tested the 10 vulnerabilities listed in the OWASP (Open Web Application Security Project) Top 10 [9] and designed and developed a secure Web application by following the guidelines of OWASP. The paper focused on the mitigation of Web application vulnerabilities through configuration changes, coding, and patch application. SQL injection, broken authentication, sensitive data exposure, broken access control, and XML external entities are among the OWASP top ten vulnerabilities. The Web application's security has been tested and proven to have a defense mechanism in place for the aforementioned vulnerabilities. There are several Web application vulnerability testing works [10]–[12]. Yulianton et al. [13] proposed a framework to detect Web application vulnerabilities using a combination of Dynamic Taint Analysis, Static Taint Analysis, and Black-box testing. The research showed that the combination of Dynamic and Static Taint Analysis fed to Black-box testing as metadata yielded greater accuracy and fewer false positives. The aforementioned research gives us the potential attacks on Websites and potential mitigations. However, the importance of testing during the development period is emphasized by Rangnau et al. [14], who explained the emergence of DevSecOps [15] and how it has come to be important due to fast-paced deployment and a lack of proper security documentation. Afterward, they introduced tools like ZAP, JMeter, Selenium, etc., to implement dynamic testing for Web applications in CI/CD pipelines. Interestingly, the authors in [16] initially expressed concern regarding manual testing, the resources it requires, and the complications it introduces. Later, the advantages of automated testing tools are explored, and the findings indicate a 68–75% increase in efficiency in terms of the time and effort spent on testing.

In this research, we test the effectiveness of three different testing tools, namely Netsparker, BurpSuite, and ZAP, on Bangladeshi Government Service Websites based on the OWASP Top 10 2017 Web vulnerabilities. Comparative analyses of testing tools [1], [6], [17]–[19] focused on determining the efficiency of load testing and the detection of several Web attacks, studying pen testing on several Web applications, and how network information about Websites is gathered using various tools to find the possibility of cyberattacks. Anantharaman et al. [8] discussed OWASP A9:2017 (i.e., Using Components with Known Vulnerabilities) and pointed out several ways software can be made proof against component-based vulnerabilities by having updated technology stacks and secure SSL. They have also noted some standard developer and tester practices and tools like BurpSuite that can help prevent vulnerabilities.

Various scanners have also been compared to check which type of scanner can detect the maximum number of vulnerabilities. [20] presented a systematic comparison between the ZAP and Arachni testing tools across four vulnerabilities (SQL injection, XSS, CMDI, and LDAP). The authors used OWASP and WAVSEP as benchmarks. The authors conclude that ZAP outperformed Arachni and recommended that OWASP be used as the standard benchmark to evaluate testing results. [21] presented a

comparative study of 8 Web vulnerability scanners (Acunetix, HP WebInspect, IBM AppScan, OWASP ZAP, SNLS-VK, Arachni, Vega, and IronWASP), tested on WebGoat and Damn Vulnerable Web Application (DVWA), which have pre-built vulnerabilities. Precision, recall, Youden index, OWASP Web benchmark evaluation (WBE), and the Web application security scanner evaluation criteria (WASSEC) were used to evaluate the performance of the tools. The authors concluded that all of the testing tools require improvement in terms of code coverage, detection rate, and reducing the number of false positives. Karangle et al. [22] compared modern security scanning tools, such as Uniscan and ZAP, for testing vulnerabilities in Web applications through experimentation on 20 Websites. The paper goes into detail about penetration testing using these tools and how the Website URL's information is gathered to find the possibility of cyberattacks. Ultimately, they found that ZAP performed faster than Uniscan, but Uniscan performed a deeper vulnerability analysis.

The scope of our research involves comparing the effectiveness of the three tools in terms of capturing the vulnerabilities listed in OWASP Top 10 2017 on the Bangladeshi Government Web services. Setiawan et al. [23] performed vulnerability analysis for government website applications, carried out using the Interactive Application Security Testing (IAST) approach. The study used three tools, namely Jenkins, API ZAP, and SonarQube. Moniruzzaman et al. [24] performed a systemized combination of black box and white box testing to detect vulnerabilities of different Bangladeshi Government and popular Websites using most of the common testing tools. They found that about 64% of the selected Websites are at risk of vulnerabilities. However, we also explicitly point out in our study the consistencies and inconsistencies in these tools.

IV. RESEARCH METHODOLOGY

To ensure proper documentation of the vulnerabilities reported by each tool for each Website, an individual tool was run three times on each Website to give a proper baseline. The following data was collected from every test run:
• Number of runs (number of test runs on the same Website using the same tool).
• Time taken to complete the test (in minutes).
• Counts of vulnerabilities found for severities: Low, Medium, and High.
• Total number of vulnerabilities.

Multiple tests were run this way to understand the consistency of vulnerability reporting for each tool for a particular Website. Running multiple tests also helped to understand the UI/UX of the individual tools, which essentially gave us a way to judge their usability, accessibility, and applicability for finding OWASP Top 10 vulnerabilities.

Another goal was to determine how the government Web applications compare to each other in terms of vulnerabilities and to determine if there is a correlation between the popularity of a Website and the number of vulnerabilities found there. For this, five government Web applications from different sectors were thoroughly tested with the testing tools for OWASP Top 10 vulnerabilities. The sectors are:
• Services
• Transportation
• Welfare
• Healthcare
• Telecommunications

After collecting the data found through testing, all the vulnerabilities were cross-matched with their corresponding OWASP vulnerability category and presented in a graphical format. There, we see the severity of the vulnerabilities: vulnerabilities found in sectors by tool and overall vulnerabilities found in different sectors. Figure 1 represents our methodology workflow.

Fig. 1. Workflow of our methodology.

We can break down the process into 5 steps.
1) Tool Discovery: In this initial phase, the tools we selected were the most popular of their class for OWASP, as they had many resources and documentation, and also according to [7].
2) Target Application: In the target application phase, we chose some government Web applications that were used by citizens of the country and narrowed them down to the top 5 government Web applications.
3) Scanning: Several activities are carried out during this phase to perform vulnerability scanning. The vulnerability scan's goal is to identify a list of vulnerabilities in the test target. This study uses three tools: Netsparker, BurpSuite, and ZAP.
4) Reporting: During this phase, the tester/developer documents the results generated by the three tools throughout the vulnerability assessment process.
5) Result Analysis: In this final phase, the tester/developer analyzes the discovered vulnerabilities under the OWASP Top Ten 2017.

[24] tested several Bangladeshi Government Websites, but the vulnerabilities were mapped to Common Vulnerabilities and Exposures (CVE) and the test categories were limited to 5 vulnerabilities. In this study, we covered major Bangladeshi Government Websites and presented an overview of vulnerabilities as per OWASP Top 10 2017 in the selected sites.


Fig. 2. Vulnerability statistics of each of the testing tools on our targeted Websites: (a) High Vulnerability, (b) Medium Vulnerability, (c) Low Vulnerability.

Our classification of High, Medium and Low vulnerabilities was aided by the OWASP Risk Factor (RF) table documented by [25]. Here, the top 10 vulnerability classes are given a Risk Factor score based on exploitability, security weakness detectability, and their technical impact on business. We have classified severity based on RF scores in the following manner:
• LOW if 4 ≤ RF < 5
• MEDIUM if 5 ≤ RF < 7
• HIGH if RF ≥ 7

As all the testing tools report the classes of OWASP vulnerabilities, they are directly comparable to the RF scores and their corresponding severity classes.

Using the 2017 OWASP standard may seem like a limitation of this research, as OWASP has announced the 2021 standard. All the tools used to test vulnerabilities in this research have the option to generate reports for OWASP Top 10 2017. Therefore, we have selected OWASP 2017 as it is compatible with all the tools and the results can be compared consistently. OWASP 2021 classifications are not yet fully integrated with most vulnerability assessment tools on the market.

V. RESULT ANALYSIS

In this section, we dive deep into our findings in this research. We believe that the collected data gives us an accurate picture of the security and testing aspects of Government Web applications that deal with millions of sensitive user data every day.

If we take Figure 2 into account, we can observe that Netsparker records the highest number of threats compared to BurpSuite and ZAP. According to the findings in Figure 2a, Netsparker records 5 times more high vulnerability threats than BurpSuite and ZAP. From Figure 2b, we can also observe that BurpSuite did not detect any Medium level threats, which indicates that BurpSuite might not have enough features to test parameters when compared to Netsparker or ZAP. In Figure 2c, we can conclude that Netsparker recorded the highest number of low vulnerability threats, followed by ZAP and then BurpSuite.

In Figure 3, we can see a breakdown of vulnerabilities and their severity for each sector of Web applications. OWASP vulnerabilities found by all the tools are aggregated for each sector of Web applications and classified into severity categories, as discussed earlier, based on RF scores. As we can see from the graph, Transportation and Services have the highest numbers of high-severity vulnerabilities. The high-severity vulnerabilities in Transportation and Services Web applications may result in the following scenarios:
1) A1 - Injection: Where unauthorized users can gain access to sensitive data to discover personal National Identity or License Information with malicious intent.

2) A2 - Broken Authentication: Where attackers can use brute force to potentially gain access to make unauthorized changes to user identity information or forge official documents.
3) A3 - Sensitive Data Exposure: Attackers exploit weak public/private key generation to gain access to data in transit using man-in-the-middle attacks to steal user details for illegal promotional material.
4) A4 - XML External Entities: Older XML processors may enable the uploading of hostile XML code through Uniform Resource Identifier (URI) network requests. This may allow remote code execution and possible denial-of-service attacks, resulting in system service downtime and causing very difficult circumstances.

Consequently, if we take a look at the medium/high-severity vulnerabilities in Healthcare, the following attack scenarios might also be true:
1) A5 - Broken Access Control: Where unauthorized users can make changes without any required permission. Here, the medical information of a user can be altered to make fake prescriptions to purchase unauthorized drugs.
2) A7 - Cross Site Scripting: Here, attackers can directly manipulate a user's browser to alter information using their credentials with remote code execution. This might result in false reports of ailments and also theft of user credentials.

Fig. 3. Severity of OWASP Vulnerability in Web Applications by Sector.

These scenarios hold for the other sectors of Web applications. Low-severity vulnerabilities are not actively threatening, but may be exploitable in niche cases. Web applications from the Telecommunication sector had the lowest number of high/medium-severity vulnerabilities. We have an assumption that it may be more secure as the sector relies almost entirely on current technology and practices. Surprisingly, Welfare reported the lowest number of vulnerabilities in general, though it had a higher number of high-severity vulnerabilities than the Telecommunication sector. We think this may be due to smaller and relatively newer Web applications built with current tools and practices, whereas the applications in the Telecommunication sector were relatively mature.

Fig. 4. OWASP 2017 Top 10 Vulnerabilities (Count across all Web applications).

According to Figure 4, we can observe that Netsparker detected the most vulnerabilities among the three tools, while ZAP was second and BurpSuite detected the least. It must also be noted that even though Netsparker and ZAP have similar results, Netsparker found more vulnerabilities, such as A1 and A7, which ZAP did not detect. ZAP also failed to scan the Welfare and Telecommunication Web applications, whereas Netsparker managed to scan all the Web applications. BurpSuite failed to scan the Transportation Web application after running for a long time. This indicates that ZAP and BurpSuite only executed surface-level scanning, while Netsparker did much deeper vulnerability analysis while scanning the Web applications. However, BurpSuite detected A2, which neither Netsparker nor ZAP were able to detect. If we observe the time taken by the testing tools to scan each Web application, ZAP is the fastest among all the tools, while BurpSuite comes in second and Netsparker takes the longest overall.

Across the three runs for each Website with each testing tool, the test run with the highest number of classified vulnerabilities is kept. In Figure 4, we can see the total number of OWASP Top 10 vulnerability classes found with each testing tool across all the tested applications.

Figure 5 illustrates the vulnerabilities discovered in various sectors. According to the chart, A6 (Security Misconfiguration) appears to be the most common vulnerability, closely

followed by A3 (Sensitive Data Exposure) and A9 (Using Components With Known Vulnerabilities). According to the remediation provided in [5], we can resolve these issues for all of the vulnerabilities. Based on our targeted applications, we can see that Transportation is the most vulnerable, followed by Services.

Fig. 5. OWASP 2017 Top 10 Vulnerabilities (Found across individual sectors).

Transportation plays a major role in the daily lives of citizens. According to Bangladesh Transport Data [26], there are approximately 4.5 million registered vehicles in Bangladesh as of June 2020. Based on this relevant data, we can conclude that there are approximately 4.5 million users of these applications whose information is at high risk. The second most dangerous application we discovered was Services, which includes business information, citizen information, banking services, etc. Bangladesh's current population is 164.7 million as of 2020, with some of them directly or indirectly using services whose data are at risk. Vulnerabilities in healthcare are much lower than what we found in the Transportation and Services sectors. Telecommunications and Welfare have the lowest number of vulnerabilities. According to our findings, severity can manifest itself in a variety of ways: for A3, SSL (Secure Sockets Layer) certificates about to expire, session cookies not marked as secure, weak ciphers enabled, and so on. For A6, it could be an insecure framework or a DB (database) user with administrative privileges, among other things. A9 typically deals with the versions of Apache, Tomcat, Bootstrap, jQuery, OpenSSL, PHP, Nginx, and other components. These are some of the most common threats discovered in our research that developers may have overlooked. This has a domino effect, putting sensitive information at risk, such as registered holders' data, etc.

From the vulnerability results we discovered in this research, we can see that government Web applications in Bangladesh suffer from important security oversights. Most of the vulnerabilities arise from common software development pitfalls such as:
• Not writing maintainable code
• Not writing reusable code
• Not writing unit or integration tests
• Not maintaining up-to-date documentation of the project
• Not updating software packages used in software development

Avoiding these pitfalls is among the steps that help catch 99% of the security issues or bugs in software development.

It is positively alarming to discover a high number of high-severity vulnerabilities in 3 out of 5 selected sectors of government Web applications. We hypothesize that this is due to the current state of maturity in technology in Bangladesh. More in-depth analysis and studies are required to validate this hypothesis, and we believe this to be an interesting arena for future research.

VI. CONCLUSIONS

In this research, we have compiled, compared, and contrasted the data collected to see how effectively BurpSuite, Netsparker and ZAP record OWASP Top 10 vulnerabilities and report them. We have also seen OWASP vulnerabilities across all tested applications and common vulnerabilities, and referred to their remediation possibilities.

The driving purpose of this study was to understand OWASP vulnerabilities and their impact on the sectors of Government Web applications in Bangladesh. Our target was to run as many tests using as many tools as possible to find consistent results of vulnerabilities. Additionally, during this research, we understood and learned how automated testing tools work. Though only three testing tools are used, in the future we intend to expand the list and draw a comparison between many other popular tools. In future research, we would like to find out if specific tools are better for a specific type of Website (e.g., Lighthouse [27] for Progressive Web Applications).

All the tests done in this paper are exclusively black box testing with a specified scan policy. This is due to not having direct access to the source code to perform any static analysis. We believe that a combination of black box testing and static-analysis white box testing will provide better and deeper insight, as Yulianton et al. [13] showed. For now, black-box testing only provides us with information about what and how many vulnerabilities there are, but the crux of the issue might arise from the more apt question, "Why are the vulnerabilities there in the first place?"

Our next task is to broaden the scope of Websites used for testing vulnerabilities and use the latest OWASP Top 10 2021 guidelines. Along with black-box testing, we also look forward to adding white-box and grey-box testing. Having more insights can provide solutions toward better software development methodologies with strict adherence to testing guidelines.

REFERENCES

[1] L. F. de Lima, M. C. Horstmann, D. N. Neto, A. R. Grégio, F. Silva, and L. M. Peres, "On the challenges of automated testing of web vulnerabilities," in 2020 IEEE 29th International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE). IEEE, 2020, pp. 203–206.
[2] A. Sołtysik-Piorunkiewicz and M. Krysiak, "The cyber threats analysis for web applications security in industry 4.0," in Towards Industry 4.0—Current Challenges in Information Systems. Springer, 2020, pp. 127–141.


[3] S. Rahman, "Latest cyber attack hit at least 147 Bangladeshi entities," 2021. [Online]. Available: shorturl.at/qrz36
[4] S. Rehman, "Three banks hit by cyberattacks," 2016. [Online]. Available: https://www.thedailystar.net/frontpage/news/three-banks-hit-cyberattacks-1760629
[5] M. Bach-Nutman, "Understanding the top 10 OWASP vulnerabilities," arXiv preprint arXiv:2012.09960, 2020.
[6] R. S. Devi and M. M. Kumar, "Testing for security weakness of web applications using ethical hacking," in 2020 4th International Conference on Trends in Electronics and Informatics (ICOEI)(48184). IEEE, 2020, pp. 354–361.
[7] F. Ö. Sönmez and B. G. Kiliç, "Holistic web application security visualization for multi-project and multi-phase dynamic application security test results," IEEE Access, vol. 9, pp. 25858–25884, 2021.
[8] N. Anantharaman and B. Wukkadada, "Identifying the usage of known vulnerabilities components based on OWASP A9," in 2020 International Conference on Emerging Smart Computing and Informatics (ESCI). IEEE, 2020, pp. 88–91.
[9] S. K. Lala, A. Kumar, and T. Subbulakshmi, "Secure web development using OWASP guidelines," in 2021 5th International Conference on Intelligent Computing and Control Systems (ICICCS). IEEE, 2021, pp. 323–332.
[10] D. Omeiza and J. Owusu-Tweneboah, "Web security investigation through penetration tests: A case study of an educational institution portal," arXiv preprint arXiv:1811.01388, 2018.
[11] N. Abdinurova, M. Galiyev, and A. Aitkulov, "OWASP vulnerabilities scanning of a private university websites," Suleyman Demirel University Bulletin: Natural and Technical Sciences, 2021.
[12] F. Holík and S. Neradova, "Vulnerabilities of modern web applications," in 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO). IEEE, 2017, pp. 1256–1261.
[13] H. Yulianton, A. Trisetyarso, W. Suparta, B. S. Abbas, and C. H. Kang, "Web application vulnerability detection using taint analysis and black-box testing," in IOP Conference Series: Materials Science and Engineering, vol. 879, no. 1. IOP Publishing, 2020, p. 012031.
[14] T. Rangnau, R. v. Buijtenen, F. Fransen, and F. Turkmen, "Continuous security testing: A case study on integrating dynamic security testing tools in CI/CD pipelines," in 2020 IEEE 24th International Enterprise Distributed Object Computing Conference (EDOC). IEEE, 2020, pp. 145–154.
[15] "What is DevSecOps?" Apr 2018. [Online]. Available: https://www.redhat.com/en/topics/devops/what-is-devsecops
[16] M. Hanna, A. E. Aboutabl, and M.-S. M. Mostafa, "Automated software testing framework for web applications," International Journal of Applied Engineering Research, vol. 13, no. 11, pp. 9758–9767, 2018.
[17] R. Abbas, Z. Sultan, and S. N. Bhatti, "Comparative analysis of automated load testing tools: Apache JMeter, Microsoft Visual Studio (TFS), LoadRunner, Siege," in 2017 International Conference on Communication Technologies (ComTech). IEEE, 2017, pp. 39–44.
[18] S. Tyagi and K. Kumar, "Evaluation of static web vulnerability analysis tools," in 2018 Fifth International Conference on Parallel, Distributed and Grid Computing (PDGC). IEEE, 2018, pp. 1–6.
[19] D. Dagar and A. Gupta, "A comparison of vulnerability assessment tools OWASP 2.7.0 & pentest on demo web application," CPJ Global Review: A National Journal of Chanderprabhu Jain College of Higher Studies, pp. 46–50.
[20] B. Mburano and W. Si, "Evaluation of web vulnerability scanners based on OWASP benchmark," in 2018 26th International Conference on Systems Engineering (ICSEng). IEEE, 2018, pp. 1–6.
[21] R. Amankwah, J. Chen, P. K. Kudjo, and D. Towey, "An empirical comparison of commercial and open-source web vulnerability scanners," Software: Practice and Experience, vol. 50, no. 9, pp. 1842–1857, 2020.
[22] N. Karangle, A. K. Mishra, and D. A. Khan, "Comparison of Nikto and Uniscan for measuring URL vulnerability," in 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT). IEEE, 2019, pp. 1–6.
[23] H. Setiawan, L. E. Erlangga, and I. Baskoro, "Vulnerability analysis using the interactive application security testing (IAST) approach for government X website applications," in 2020 3rd International Conference on Information and Communications Technology (ICOIACT). IEEE, 2020, pp. 471–475.
[24] M. Moniruzzaman, F. Chowdhury, and M. S. Ferdous, "Measuring vulnerabilities of Bangladeshi websites," in 2019 International Conference on Electrical, Computer and Communication Engineering (ECCE). IEEE, 2019, pp. 1–7.
[25] A. van der Stock, B. Glas, N. Smithline, and T. Gigler, "OWASP top 10 2017: The ten most critical web application security risks," OWASP Foundation, p. 23, 2017.
[26] A. M. A. Obaida, "Number of motor vehicles," Aug 2022. [Online]. Available: http://dsce.edu.bd/db/Number of Motor Vehicles
[27] "Overview - Lighthouse," May 2022. [Online]. Available: https://developer.chrome.com/docs/lighthouse/overview/
