Enhancing Web Application Penetration Testing with a Static Application Security Testing (SAST) Tool
Static Application Security Testing (SAST) is a crucial methodology employed to assess the security posture of an organization's applications by scrutinizing source code for vulnerabilities susceptible to exploitation. Typically, SAST tools adopt rule-based techniques to meticulously scan sourc...
Published in: | 8th International Conference on Recent Advances and Innovations in Engineering: Empowering Computing, Analytics, and Engineering Through Digital Innovation, ICRAIE 2023 |
---|---|
Main Author: | Darus M.Y.; Farhan Bin Bolhan M.; Kurniawan A.; Muliono Y.; Pardomuan C.R.; Mohamad Hata M. |
Format: | Conference paper |
Language: | English |
Published: | Institute of Electrical and Electronics Engineers Inc., 2023 |
Online Access: | https://www.scopus.com/inward/record.uri?eid=2-s2.0-85189929488&doi=10.1109%2fICRAIE59459.2023.10468317&partnerID=40&md5=a53ccfdae937fa33cb070ec7ccc762f4 |
id |
2-s2.0-85189929488 |
---|---|
author |
Darus M.Y.; Farhan Bin Bolhan M.; Kurniawan A.; Muliono Y.; Pardomuan C.R.; Mohamad Hata M. |
title |
Enhancing Web Application Penetration Testing with a Static Application Security Testing (SAST) Tool |
publishDate |
2023 |
container_title |
8th International Conference on Recent Advances and Innovations in Engineering: Empowering Computing, Analytics, and Engineering Through Digital Innovation, ICRAIE 2023 |
doi_str_mv |
10.1109/ICRAIE59459.2023.10468317 |
url |
https://www.scopus.com/inward/record.uri?eid=2-s2.0-85189929488&doi=10.1109%2fICRAIE59459.2023.10468317&partnerID=40&md5=a53ccfdae937fa33cb070ec7ccc762f4 |
description |
Static Application Security Testing (SAST) is a crucial methodology employed to assess the security posture of an organization's applications by scrutinizing source code for vulnerabilities susceptible to exploitation. Typically, SAST tools adopt rule-based techniques to meticulously scan source code for security shortcomings, ultimately enhancing the overall quality of applications. Notably, Java and PHP stand as two widely used languages in the development of open-source web applications, each bearing distinct security reputations. In the contemporary landscape, the sheer volume of code makes it increasingly challenging to conduct exhaustive line-by-line vulnerability assessments. This research introduces a novel SAST methodology implemented in the Python programming language. This approach is tailored to pinpoint vulnerabilities within the application layer, with a particular focus on identifying SQL injection and Cross-Site Scripting (XSS) vulnerabilities within both Java and PHP codebases. Thus, this research seeks to validate the system's efficacy in detecting these critical vulnerabilities in PHP and Java programming languages. To evaluate the system's performance, penetration testing techniques are employed to establish proof of concept. These techniques entail conducting sample tests on vulnerable web applications, such as DVWA (PHP) and WebGoat (Java). Subsequently, an in-depth analysis of the testing outcomes is conducted using confusion matrices, recall, and precision metrics. The proposed SAST methodology presents a valuable resource for software developers, facilitating the analysis of source code or compiled code versions to unearth security flaws. The testing results indicate an accuracy rate of 20.7% for the SAST, underscoring its potential to contribute significantly to the enhancement of application security. Cross-site scripting (XSS), SQL Injection, Web Vulnerability, Web Security, Static Application Security Testing (SAST) © 2023 IEEE. |
publisher |
Institute of Electrical and Electronics Engineers Inc. |
language |
English |
format |
Conference paper |
record_format |
scopus |
collection |
Scopus |