Evaluation of Web vulnerability scanners based on OWASP benchmark

Web applications have become an integral part of everyday life, but many of these applications are deployed with critical vulnerabilities that can be fatally exploited. Web Vulnerability scanners have been widely adopted for the detection of vulnerabilities in web applications by checking through the applications with the attackers’ perspectives. However, studies have shown that vulnerability scanners perform differently on detection of vulnerabilities. Furthermore, the effectiveness of some of these scanners has become questionable due to the ever-growing cyber-attacks that have been exploiting undetected vulnerabilities in some web applications. To evaluate the effectiveness of these scanners, people often run these scanners against a benchmark web application with known vulnerabilities. This thesis first presents our results on the effectiveness of two popular web vulnerability scanners based on the OWASP benchmark, which is a benchmark developed by OWASP (Open Web Application Security Project), a prestigious non-profit web security organization. The two scanners chosen in this thesis are OWASP Zed Attack Proxy (OWASP ZAP) and Arachni. As there are many categories of web vulnerabilities and we cannot evaluate the scanner performance on all of them due to time limitation, we pick the following four major vulnerability categories in our thesis: Command Injection, Cross-Site Scripting (XSS), Light Weight Access Protocol (LDAP) Injection, and SQL Injection. Moreover, we compare our results on scanner effectiveness from the OWASP benchmark with the existing results from Web Application Vulnerability Security Evaluation Project (WAVSEP) benchmark, another popular benchmark used to evaluate scanner effectiveness. We are the first to make this comparison between these two benchmarks in literature. The results mainly show that: - Scanners perform differently in different vulnerability categories. That is, no scanner can serve as the all-rounder in scanning web vulnerabilities. - The benchmarks also demonstrate different capabilities in reflecting the effectiveness of scanners in different vulnerability categories. It is recommended to combine the results from different benchmarks to determine the effectiveness of a scanner. - Regarding scanner effectiveness, OWASP ZAP performs the best in CMDI, SQLI, and XSS; Arachni performs the best in LDAP. - Regarding benchmark capability, OWASP benchmark outperforms WAVSEP benchmark in all the examined categories

Web application penetration testing: an analysis of a corporate application according to OWASP guidelines

During the past decade, web applications have become the most prevalent way for service delivery over the Internet. As they get deeply embedded in business activities and required to support sophisticated functionalities, the design and implementation are becoming more and more complicated. The increasing popularity and complexity make web applications a primary target for hackers on the Internet. According to Internet Live Stats up to February 2019, there is an enormous amount of websites being attacked every day, causing both direct and significant impact on huge amount of people. Even with support from security specialist, they continue having troubles due to the complexity of penetration procedures and the vast amount of testing case in both penetration testing and code reviewing. As a result, the number of hacked websites per day is increasing. The goal of this thesis is to summarize the most common and critical vulnerabilities that can be found in a web application, provide a detailed description of them, how they could be exploited and how a cybersecurity tester can find them through the process of penetration testing. To better understand the concepts exposed, there will be also a description of a case of study: a penetration test performed over a company's web application

Web application penetration test: Proposal for a generic web application testing methodology

Nowadays, Security Management is beginning to become a priority for most companies. The primary aim is to prevent unauthorized identities from accessing classified information and using it against the organization. The best way to mitigate hacker attacks is to learn their methodologies. There are numerous ways to do it, but the most common is based on Penetration Tests, a simulation of an attack to verify the security of a system or environment to be analyzed. This test can be performed through physical means utilizing hardware or through social engineering. The objective of this test is to examine, under extreme circumstances, the behavior of systems, networks, or personnel devices, to identify their weaknesses and vulnerabilities. This dissertation will present an analysis of the State of the Art related to penetration testing, the most used tools and methodologies, its comparison, and the most critical web application vulnerabilities. With the goal of developing a generic security testing methodology applicable to any Web application, an actual penetration test to the web application developed by VTXRM – Software Factory (Accipiens) will be described, applying methods and Open-Source software step by step to assess the security of the different components of the system that hosts Accipiens. At the end of the dissertation, the results will be exposed and analyzed.Atualmente, a Gestão de Segurança da Informação começa a tornar-se uma prioridade para a maioria das Empresas, com o principal objetivo de impedir que identidades não autorizadas acedam a informações confidenciais e as utilizem contra a organização. Uma das melhores formas de mitigar os possíveis ataques é aprender com as metodologias dos atacantes. Existem inúmeras formas de o fazer, mas a mais comum baseia-se na realização de Testes de Intrusão, uma simulação de um ataque para verificar a segurança de um sistema ou ambiente a ser analisado. Este teste pode ser realizado através de meios físicos utilizando hardware, através de engenharia social e através de vulnerabilidades do ambiente. O objetivo deste teste é examinar, em circunstâncias extremas, o comportamento de sistemas, redes, ou dispositivos pessoais, para identificar as suas fraquezas e vulnerabilidades. Nesta dissertação será apresentada uma análise ao estado da arte relacionada com testes de penetração, as ferramentas e metodologias mais utilizadas, uma comparação entre elas, serão também explicadas algumas das vulnerabilidades mais críticas em aplicações web. O objetivo é o desenvolvimento de uma metodologia genérica de testes de intrusão, ambicionando a sua aplicabilidade e genericidade em aplicações web, sendo esta aplicada e descrita num teste de intrusão real à aplicação web desenvolvida pela VTXRM – Software Factory (Accipiens), aplicando passo a passo métodos e softwares Open-Source com o objetivo de analisar a segurança dos diferentes componentes do sistema no qual o Accipiens está instalado. No final serão apresentados os resultados do mesmo e a sua análise

So You Think Your Router Is Safe?

A home router is a common item found in today’s household and is seen by most as just an Internet connection enabler. Users don’t realize how important this single device is in terms of privacy protection. The router is the centerpiece through which all the household Internet activities including ecommerce, tax filing and banking pass through. When this central device is compromised, users are at risk of having personal and confidential data exposed. Over the past decade, information security professionals have been shedding light on vulnerabilities plaguing consumer routers. Yet, most users are unaware of all the different ways a router can be compromised and tend to focus only on setting up a strong password to stop the neighbor from piggy backing on the Internet

How to deploy security mechanisms online (consistently)

To mitigate a myriad of Web attacks, modern browsers support client-side secu- rity policies shipped through HTTP response headers. To enforce these policies, the operator can set response headers that the server then communicates to the client. We have shown that one of those, namely the Content Security Policy (CSP), re- quires massive engineering effort to be deployed in a non-trivially bypassable way. Thus, many policies deployed on Web sites are misconfigured. Due to the capability of CSP to also defend against framing-based attacks, it has a functionality-wise overlap with the X-Frame-Options header. We have shown that this overlap leads to inconsistent behavior of browsers, but also inconsistent deployment on real-world Web applications. Not only overloaded defense mechanisms are prone to security inconsistencies. We investigated that due to the structure of the Web it- self, misconfigured origin servers or geolocation-based CDN caches can cause unwanted security inconsistencies. To not disregard the high number of misconfigurations of CSP, we also took a closer look at the deployment process of the mechanism. By conducting a semi-structured interview, including a coding task, we were able to shed light on motivations, strategies, and roadblocks of CSP deployment. However, due to the wide usage of CSP, drastic changes are generally considered impractical. Therefore, we also evaluated if one of the newest Web security features, namely Trusted Types, can be improved.Um eine Vielzahl von Angriffen im Web zu entschärfen, unterstützen moderne Browser clientseitige Sicherheitsmechanismen, die über sogenannte HTTP Response- Header übermittelt werden. Um jene Sicherheitsfeatures anzuwenden, setzt der Betreiber einer Web site einen solchen Header, welchen der Server dann an den Client ausliefert. Wir haben gezeigt, dass das konfigurieren eines dieser Mechanismen, der Content Security Policy (CSP), einen enormen technischen Aufwand erfordert, um auf nicht triviale Weise umgangen werden zu können. Daher ist jenes feature auf vielen Webseiten, auch Top Webseiten, falsch konfiguriert. Aufgrund der Fähigkeit von CSP, auch Framing-basierte Angriffe abzuwehren, überschneidet sich seine Funktionalität darüber hinaus mit der des X-Frame-Options Headers. Wir haben gezeigt, dass dies zu inkonsistentem Verhalten von Browsern, aber auch zu inkonsistentem Einsatz in realen Webanwendungen führt. Nicht nur überladene Verteidigungsmechanismen sind anfällig für Sicherheitsinkonsistenzen. Wir haben untersucht, dass aufgrund der Struktur desWebs selbst, falsch konfigurierte Ursprungsserver, oder CDN-Caches, die von der geographischen Lage abhängen, unerwünschte Sicherheitsinkonsistenzen verursachen können. Um die hohe Anzahl an Fehlkonfigurationen von CSP-Headern nicht außer Acht zu lassen, haben wir uns auch den Erstellungsprozess eines CSP-Headers genauer angesehen. Mit Hilfe eines halbstrukturierten Interviews, welches auch eine Programmieraufgabe beinhaltete, konnten wir die Motivationen, Strategien und Hindernisse beim Einsatz von CSP beleuchten. Aufgrund der weiten Verbreitung von CSP werden drastische Änderungen allgemein jedoch als unpraktisch angesehen. Daher haben wir ebenfalls untersucht, ob eine der neuesten und daher wenig genutzten,Web-Sicherheitsmechanismen, namentlich Trusted Types, ebenfalls verbesserungswürdig ist

A Cloud Based Approach for Data Security in IoT

The number of connected devices grows rapidly each year as more and more enterprises realize its potentials. Despite the benefits, data privacy and security in Internet of Things (IoT) remain a major issue. IoT devices generates massive data but are limited in resources. The proliferation of IoT devices and the increasing network traffic have heightened the attack surface. Moreover, the susceptibility of transmitted data to eavesdropping and man-in-the-middle attacks is a great concern to users and manufacturers. It is not all IoT devices that utilize encryption. IoT traffic from devices that transmit data in plain text will expose sensitive information if intercepted by an adversary. Such a vulnerability can be exploited to facilitate identity theft and implement other devasting cyber-attacks. This paper presents an implementation of a cloud-based security approach for transmitted data in IoT. The design is based on Lambda architecture using Amazon Web Services. The proposed approach effectively processes and analyzes real-time sensor data as well as historical data from a master database on the cloud. It also ensures the security of user’s information. Keywords: Internet of Things, Cloud computing, Data security, Lambda architecture DOI: 10.7176/CEIS/11-2-03 Publication date: February 29th 202