Evolutionary scanner of web application vulnerabilities

Abstract

With every passing year, there are more and more websites, which often process sensitive and/or valuable information. Due to models like Continuous Development, manual testing and code review are reduced to minimum, with new features implemented and deployed even on the same day. This calls for development of new automated testing methods, especially the ones that will allow for identification of potential security issues. In this article such a new method, which is based on automated web pages comparisons, clustering and grammatical evolution is proposed. This method allows for automated testing of a website and can identify outstanding (unusual) web pages. Such pages can then be further investigated by checking if they are legitimate, contain some unused modules or potential threats to application security. The proposed method can identify such anomalous pages within the set of interlinked web pages, but can also find web pages that are not linked to any other web page on the server by utilizing genetic-based generation of URLs.