A Systematic Literature Review on the Characteristics and Effectiveness of Web Application Vulnerability Scanners

Web applications have been a significant target for successful security breaches in the last few years. They are currently secured, as primary method, by searching their vulnerabilities with specialized tools referred to Application Vulnerability Scanners (WVS’s). Although, these dynamic approaches of testing some advantages, there is still scarcity studies that explore features and detection capabilities systematic way. This article reports findings from Systematic Literature Review (SLR) look into characteristics effectiveness most frequently used WVS’s. A total 90 research papers were carefully evaluated. Thirty (30) WVS’s collected reported, only 12 having at least one quantitative assessment effectiveness. These evaluated 15 original evaluation studies. We found evaluations tested mostly two Open Security Project (OWASP) Top Ten vulnerability types: SQL injection (SQLi) (13/15) Cross-Site Scripting (XSS) (8/15). Additionally, work six OWASP types scanner. also reported rates highly dissimilar between evaluations. Based on surprising results we suggest avenues future directions.