[Figure: The heatmap of requests from various scanners across different web applications. Panels: heatmap of scanners' error requests for WordPress, Z-Blog, WackoPicko and DVWA.]
Xray, ZAP: Xray and ZAP show brighter colors than the other scanners, indicating a higher proportion of erroneous requests; in WackoPicko, Xray records an average error-request ratio of 0.8622. Although both scanners generate the most erroneous requests, their distributions differ markedly: Xray's errors are spread evenly across the scan, whereas ZAP's are concentrated in the middle stages. As tools widely used in industry, both are expected to issue large numbers of dictionary and brute-force requests to detect sensitive file leaks. Xray disperses these probes uniformly across the scanning stages, while ZAP concentrates and intensifies them in specific phases. As the figure shows, ZAP's erroneous requests approach 100% of its traffic in certain phases, particularly the middle and later stages, which indicates a focused effort to detect sensitive file leaks during those periods.
w3af, BurpSuite: Both w3af and BurpSuite exhibit a notable proportion of erroneous requests, though their request strategies are more conservative than those of Xray and ZAP. Both also show a relatively uniform distribution of erroneous requests over the scan. A closer analysis, however, reveals that these errors stem from fundamentally different scanning strategies. For w3af, a large share of the erroneous requests comes from appending random strings to standard request URLs; because such paths should not exist, the responses serve as a baseline for what the application returns for a missing resource, and deviations from that baseline flag pages worth testing further. BurpSuite's erroneous requests, like those of Xray and ZAP, come primarily from dictionary and brute-force probing for sensitive files. The key distinction lies in BurpSuite's more restrained approach: it limits repetition and keeps a broad focus rather than concentrating on specific files.
BlackWidow, Hoyen: Our vulnerability identification approach resembles BlackWidow's: small-scale testing during web application modeling and crawler exploration, followed by a comprehensive vulnerability assessment of the identified paths. As a result, both generate fewer erroneous requests than the other scanners, and most errors in our approach occur during vulnerability determination. Z-Blog and DVWA show a slight increase in erroneous requests because the broader effort to identify additional vulnerabilities requires more testing requests. In Z-Blog this is visible as the large number of testing requests issued toward the end of the scan; in DVWA the higher error rate stems from detecting more pages than BlackWidow, which leads to more testing requests. Nevertheless, our scanning strategy maintains relatively high accuracy throughout.
WebExplor: WebExplor has limited capability in exploring applications; its test requests are concentrated almost entirely on a single application page, with minimal additional requests to other pages.
[Figure: The heatmap of requests from various scanners regarding the core functionality of DVWA]
w3af focused on only a small portion of the core functionality. BlackWidow tested the core functionality and identified vulnerabilities, but concentrated heavily on the login section, which diverted attention from the core functions. BurpSuite allocated 78% of its requests to core functions, but its scans were more dispersed because of limited page comprehension. Our approach, which emphasizes XSS detection, devoted over 30% of its requests to XSS tests, and a function in which we had not expected a vulnerability turned out to be XSS-vulnerable and accounted for nearly 25% of total request attention. Overall, our approach focused nearly 95% of its attention on the web application's core functionality, which was key to vulnerability identification. (WebExplor fails to log in, which restricts its requests to the home and login pages; it is therefore excluded from this comparison.)
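As an added example (not code from the paper or from any of the scanners it evaluates), the script below computes the two quantities behind the error-request heatmaps discussed above and the DVWA core-functionality figure: the error-request ratio of each scan stage (one heatmap row, with stages where the ratio approaches 1.0 flagged as brute-force bursts) and the share of requests aimed at core-functionality paths. The log line format ("METHOD PATH STATUS", one request per line in issue order), the stage count, and the DVWA core path prefix /vulnerabilities/ are assumptions; the sample log is constructed for the example.

```python
"""Error-request ratio per scan stage, and share of requests aimed at core
functionality, computed from an ordered scanner request log.

Added example, not code from the paper or from any scanner it evaluates.
Assumptions: one request per line as "METHOD PATH STATUS", in the order the
scanner issued them; DVWA core functionality lives under /vulnerabilities/.
"""
import re

# Assumed log line shape (constructed for this example).
LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$")

# Assumed DVWA core-functionality path prefix.
CORE_PREFIXES = ("/vulnerabilities/",)

# Constructed sample log, 20 requests: a crawl phase, a dictionary
# brute-force burst, a run of XSS probes, then mixed tests.
SAMPLE_LOG = """
GET /login.php 200
POST /login.php 302
GET /index.php 200
GET /vulnerabilities/xss_r/ 200
GET /vulnerabilities/sqli/ 200
GET /backup.zip 404
GET /.git/config 404
GET /admin/ 404
GET /config.php.bak 404
GET /phpinfo.php 404
GET /vulnerabilities/xss_r/?name=<script>alert(1)</script> 200
GET /vulnerabilities/xss_r/?name=<img/src=x/onerror=alert(1)> 200
GET /vulnerabilities/xss_s/ 200
POST /vulnerabilities/xss_s/ 200
GET /vulnerabilities/xss_d/?default=English 200
GET /vulnerabilities/sqli/?id=1' 500
GET /vulnerabilities/sqli/?id=1 200
GET /aB3xQ9zz.php 404
GET /vulnerabilities/exec/ 200
POST /vulnerabilities/exec/ 200
"""


def parse_log(text):
    """Return a list of (method, path, status) tuples in request order."""
    reqs = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable log line: {raw!r}")
        reqs.append((m["method"], m["path"], int(m["status"])))
    return reqs


def is_error(status):
    """4xx and 5xx responses count as erroneous; redirects (3xx) do not."""
    return status >= 400


def error_ratio_by_stage(reqs, stages=10):
    """Split the ordered requests into `stages` equal-sized bins and return
    the error-request ratio of each bin; this is one heatmap row."""
    n = len(reqs)
    ratios = []
    for s in range(stages):
        chunk = reqs[s * n // stages:(s + 1) * n // stages]
        if not chunk:
            ratios.append(0.0)
            continue
        errors = sum(1 for _, _, status in chunk if is_error(status))
        ratios.append(errors / len(chunk))
    return ratios


def mean_error_ratio(ratios):
    """Average error-request ratio over all stages."""
    return sum(ratios) / len(ratios) if ratios else 0.0


def burst_stages(ratios, threshold=0.9):
    """Indices of stages whose error ratio is at or above the threshold,
    i.e. where the scanner concentrates dictionary/brute-force probing."""
    return [i for i, r in enumerate(ratios) if r >= threshold]


def core_share(reqs):
    """Fraction of all requests aimed at core-functionality paths."""
    if not reqs:
        return 0.0
    hits = sum(1 for _, path, _ in reqs if path.startswith(CORE_PREFIXES))
    return hits / len(reqs)


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    ratios = error_ratio_by_stage(reqs, stages=4)
    print("error ratio per stage:", [round(r, 2) for r in ratios])
    print("mean error ratio:", round(mean_error_ratio(ratios), 4))
    print("brute-force burst stages:", burst_stages(ratios))
    print("share of requests on core functionality:", round(core_share(reqs), 2))
```

Run over the sample log with four stages, the second stage (the dictionary burst) reaches a ratio of 1.0 and is reported as a burst, while the remaining stages stay low; the same binning applied to a real scanner's proxy log, with as many stages as the heatmap has columns, reproduces the per-stage error ratios plotted above.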