SecuBat: a web vulnerability scanner
Source: Proceedings of the 15th International Conference on World Wide Web (International World Wide Web Conference archive), Edinburgh, Scotland
Session: Correctness & security
Pages: 247-256
Year of Publication: 2006
ISBN: 1-59593-323-9
Authors: Stefan Kals, Engin Kirda, Christopher Kruegel, Nenad Jovanovic (Technical University Vienna)
Sponsors: SIGWEB (ACM Special Interest Group on Hypertext, Hypermedia, and Web); ACM (Association for Computing Machinery)
Publisher: ACM, New York, NY, USA
DOI: http://doi.acm.org/10.1145/1135777.1135817

ABSTRACT

As the popularity of the web increases and web applications become tools of everyday use, the role of web security has been gaining importance as well. The last years have shown a significant increase in the number of web-based attacks. For example, there has been extensive press coverage of recent security incidents involving the loss of sensitive credit card information belonging to millions of customers.

Many web application security vulnerabilities result from generic input validation problems. Examples of such vulnerabilities are SQL injection and Cross-Site Scripting (XSS). Although the majority of web vulnerabilities are easy to understand and to avoid, many web developers are, unfortunately, not security-aware. As a result, there exist many web sites on the Internet that are vulnerable.

This paper demonstrates how easy it is for attackers to automatically discover and exploit application-level vulnerabilities in a large number of web applications. To this end, we developed SecuBat, a generic and modular web vulnerability scanner that, similar to a port scanner, automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. Using SecuBat, we were able to find many potentially vulnerable web sites. To verify the accuracy of SecuBat, we picked one hundred interesting web sites from the potential victim list for further analysis and confirmed exploitable flaws in the identified web pages. Among our victims were well-known global companies and a finance ministry. Of course, we notified the administrators of vulnerable sites about potential security problems. More than fifty responded to request additional information or to report that the security hole was closed.



