A Survey on Web Application Penetration Testing

Round 1

Reviewer 1 Report

General Comments:

·       The authors must check the English mistakes very carefully. The authors have to significantly improve the technical writing and presentation of the paper.

·       Many of the cited papers do not directly concern the problem of the paper.

·       Even author failed to give proper justification for the title of the paper

·       There are a lot of typos.

·       The paper shows considerable mistakes related to written and explanations

·       In some of the sections the paper needs shortening and very attentive content and language editing

 

 

ABSTRACT:

§  Kindly rewrite the abstract highlighting objective, contribution of the paper.

§  Specify 5-6 proper Index terms.

 

1.     INTRODUCTION:

Since it is a survey article elaborate what is Pen_test, objective of Pen test, comparison of Manual VS Automated Penetration Tests and a UML diagram of Manual VS Automated Penetration test in the introduction part only. Not in separate section.

 

2.     Methodology: Authors lacks in presenting the approach.

Need precise and neat use case explanation of the method indicating the entire process should be explored. It is difficult and confusing in most of the part in this section

For Ex: line no 91 and 92 : Figure 1 shows that 22,2110 articles were recognized during the identification stage, with 22,2110 papers remaining after duplication was removed..  is it the count is same after duplication is removed ?

What is the outcome of Methodology section? R u performing any analysis on this? Clarify it

3.     Penetration Testing: I suggest include this in the introduction part.

In table 2: The authors are suggested to add more discussions and the  comparisons

4.     Literature Review:

Some previous works (Recent works in this area) about this research area should also be reviewed

In summary of related works table:  The publication year of article by Muhammed et.al [7] is wrongly specified.

5.     Web App Vulnerabilities

Typos mistake in Line No:269-270: Web programs normally communicate with the user using the FORM components, such as buttons and text fields. and the GET or POST variables.

Line no:288: Figure 2 lists the top ten OWASP vulnerabilities. From where you got this? Cite the reference

Line no 299-300: The following are some examples of attacks that might take advantage of this flaw.  I suggest authors to write separate paragraph which contains the Example

Top 10 Top Ten Security Threats for Web Environment :I suggest authors to include examples for each vulnerability in each sub section (i.e. 5.2.1. to 5.2.10).

6.     Web penetration test

To my understanding, some of the trending Pen test tools are Wireshark, Metasploit, BeEF,Aircrack, Acunetix Scanner, Burp Suite, Ettercap, W3af, Nessus, SQLmap, SET, Zed Attack proxy, Wapiti, Cain & Abel.  Can these tools used as web penetration? Need clarity and discuss on this?

 

7.     Conclusions and Future work

Line No 576-77: We utilize a set of criteria to evaluate any method or instrument in the field of penetration testing. To my understanding I did’t find any criteria to evaluate any method or instrument? Pls give clarity about this.

·       Conclusion lacks proper academic writing.

 

8.     REFERENCES

                                                    i.          I 'm sure authors may add more recent citation related to this topic.

                                                  ii.          References aren't up to date

                                                iii.          Cited papers specified in references 4,5, 9,12,13,16,34,37,45,49 are not proper.

Comments for author File: Comments.pdf

Author Response

Dear expert,

We are thankful for your careful review and valued suggestions. Please find the attachment is the response to all your valued comments.

Best regards,

 

 

 

Author Response File: Author Response.pdf

Reviewer 2 Report

The authors have chosen an important topic and made an effort to provide a review of penetration testing approaches and tools that are used for web applications. The problem is important both from the scientific and industrial points of view. The presented results should help the project managers, architects, and engineers to make better decisions before the project starts.
Since penetration testing is a well-known and mature paradigm, I suggest referencing more sources in the introduction part to point out the background and significance of the research.
The methodology is well-explained, and the set of exclusion rules is defined in a logical and expected manner. However, some reference to the methodology itself will be beneficiary for the readers. It would be also good to provide a deeper explanation of a stage when you reduced the number of available studies from 680 to 10 (as stated in the diagram) or 11 (as stated in the text, line 95).
The literature review is according to the standards, but I would like to see an expanded explanation on references marked 9 and 13. My opinion is that they are a bit more significant than presented in the paper.
For items 5 and 10 is claimed that no limitation was found, so it would be required to explain this fact in more detail.
The overview of the penetration test tools is pretty weak. To bring the relevant decision, the project leader must have more info on a tool. Also, the introduction of some metrics that would rank tools based on multiple criteria will be helpful.

Author Response

Dear expert,

We are thankful for your careful review and valued suggestions. Please find the attachment is the response to all your valued comments.

Best regards,

 

Author Response File: Author Response.pdf

Reviewer 3 Report

I am pleased to have the opportunity to review this research paper. This study attempted to explore a Survey on Web Application Penetration Testing. Although the topic of this research study is interesting and fits within the journal scope, I think authors should apply the comments indicated below to increase the quality of research justification, contributions and findings. The manuscript know lacks in scientific style and structure.

First of all, paper research gap. Please improve this part in introduction section. Introduction is very general and lacked alignment to the research findings, no discussion was provided to derive the implication from. Theoretical and pragmatics implication are vague and need to be better aligned with this paper theoretical underpinnings and proposed process. Furthermore, there is insufficient support and weak arguments in support of the objective that is proposed as well as the model developed. In the final part of the introduction the objectives proposed, originality and gap that would be better covered. Also how the author will perform the methodology.

 

the topic of this research study is interesting and fits within the journal scope, I think authors should apply the comments indicated to increase the quality of research justification, contributions and findings

What is the originality of this research?  Paper research gap and originality should be better presented at the end of introduction section

Please consider this structure for manuscript final part.

-Discussion

-Conclusion

-Managerial Implication

-Practical/Social Implications

-Discussion needs to be a coherent and cohesive set of arguments that take us beyond this study in particular, and help us see the relevance of what authors have proposed. Authors should create an independent “Discussion” section. Author need to contextualize the findings in the literature, and need to be explicit about the added value of your study towards that literature. Also other studies should be cited to increase the theoretical background of each of the method used. Findings should be contextualized in the literature and should be explicit about the added value of the study towards the literature. Limitations and future research

Questions to be answered:

What practical/professional and academic consequences will this study have for the future of scientific literature (theoretical contributions)?

Why is this study necessary? should make clear arguments to explain what is the originality and value of the proposed model. This should be stated in the final paragraphs of introduction and conclusion sections.

Author Response

Dear expert,

We are thankful for your careful review and valued suggestions. Please find the attachment is the response to all your valued comments.

Best regards,

 

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

This manuscript is a revised one and it has well addressed all my concerns. Based on the reply and my own reading, this paper can be accepted

Author Response

Dear expert,

Thank you very much for your careful review and valuable suggestions those helped us to improve our research. Furthermore, we are grateful for your suggestion to accept our manuscript.

Regards, 

 

Reviewer 2 Report

I suggest to accept the paper in its present form

Author Response

Dear expert,

Thank you very much for your careful review and valuable suggestions those helped us to improve our research. Furthermore, we are grateful for your suggestion to accept our manuscript.

Regards, 

 

Reviewer 3 Report

your work is now better, I ask you to better explain the need for your study, and explain the contribution of your study to the literature and academia

Author Response

Dear expert,

We are thankful for your careful review and valued suggestions. Please find the attachment is the response to your valued comments.

Best regards,

 

 

Author Response File: Author Response.pdf