Analysis of Web Vulnerability Using Open-Source Scanners on Different Types of Small Entrepreneur Web Applications in Malaysia

Abstract

Most of Malaysia’s small entrepreneurs have switched to online platforms as an alternative to their physical businesses. Social media sites such as TikTok, Instagram, Twitter, and Facebook provide free advertising tools and convenient access to a broader global target. However, security issues on these websites remain questionable as users are exposed to web attacks due to the vulnerabilities on the websites. Considering the cost and lack of awareness of the importance of cybersecurity, some organizations find it not profitable to invest in securing their websites. Therefore, this paper aims to test Malaysian small entrepreneurs’ web applications using open-source scanners and analyse the results of web vulnerabilities detected. To do so, two types of open-source scanners, OWASP ZAP and IRONWASP, were installed to scan five websites found through advertisements on social media sites. The web vulnerability identification was based on the top 5 OWASP web vulnerability reports, and the results showed that five types of web vulnerabilities were detected. The analysis of the results showed that the top 5 web vulnerabilities in Malaysian small entrepreneurs’ websites are the ‘Missing Session Timeout’ vulnerability with 81.84 percent, the ‘Sensitive Information Passed as Clear Text in GET URL’ vulnerability with 14.74 percent, and the ‘Session ID Cookies not Marked Secure’ vulnerability with 2.47 percent. This paper provides security analysis on Small Medium Enterprise (SME) websites for future enhancement and consideration during development and implementation to avoid possible attacks. Therefore, developers are advised to handle these vulnerabilities by carefully managing the session timeout, and users are recommended to log out from the websites immediately after they are done.