5 research outputs found

    Implementation of Open Web Application Security Project for Penetration Testing on Educational Institution Websites

    The development of information technology cannot be separated from the development of website applications, as well as the threat of security attacks that will attack website applications. Educational Institution X uses a website application as an important medium in learning activities. Therefore, penetration testing is needed to find security holes in website applications. In this study, penetration testing will be carried out with the target website for student access at Educational Institution X based on the reason that there is sensitive student data that needs to be secure. The method used in this study is an experimental method with the OWASP TOP 10 2021 standard (Open Web Application Security Project). The penetration test results obtained on the website application at Educational Institution X found 11 vulnerabilities that could be tested. Of the 11 vulnerabilities, there is one vulnerability at the medium risk level, 7 at the low risk level, and 3 at the information risk level. The vulnerabilities found relate to token authentication, policy delivery, cookie attribute, cross-site script inclusion, authorization, clickjacking, and weak transport layer security. Based on the penetration testing activities obtained, it can be concluded that the vulnerability gaps found need to be further repaired by the website application system developer, in this case, the Educational Institution X. Therefore, the final result of this study is in the form of a report document containing a list of vulnerabilities, recommendations for vulnerability repairs, and vulnerability mitigation strategies as solutions for handling security systems on website applications to make them even better.

    Security of the internet of things: Home network security review and evaluation

    As a result of Universal Plug-and-Play (UPnP) and Internet of Things (IoT) communication protocols, the number of connections in home networks has expanded, as devices can be connected to each other and to the network more easily and quickly. Over the home network, smart devices such as smart televisions and cleaning robots boost our living comfort and connect us to the entire globe. The fact that the home network is connected to the Internet has therefore revealed the necessity to question the security status of networked smart devices. This study provides an analysis of the security levels of popular home network devices. Using the Python programming language, a program has been developed to detect the presence of UPnP-vulnerable devices on a home network. Using the built application, it was discovered that three out of fifteen network devices support UPnP. In a scenario, an attack was built via the UPnP vulnerability. In this study, the necessity of guaranteeing the security of each IoT device, as well as the security of the home's network and communication techniques, is discussed in depth.

    Estudo de frameworks para pentest em IoT

    Undergraduate final project (TCC) - Universidade Federal de Santa Catarina. Centro Tecnológico. Sistemas de Informação. With billions of devices, the Internet of Things (IoT) is already a reality with a strong presence in our lives. The reduced cost of producing these IoT devices allows large-scale manufacturing, and they are regularly found in the most varied sectors of the market. This large number of devices in circulation also means more possible targets for malicious attacks. Unlike conventional computers, IoT devices have several unique characteristics, which makes it more complex to standardize security and attack-prevention strategies. Pentesting is one of the methods that helps identify the possible vulnerabilities of these devices. The problem is that a conventional pentest cannot detect multiple hosts and multi-level attacks. That is why there is a need to use pentest frameworks specific to IoT devices. This work aims to present the main known vulnerabilities in IoT devices and also to study some existing pentest frameworks for IoT devices. In addition, the Ragnar 2 tool was chosen to run pentests on vulnerable IoT devices found on the Shodan platform, with its results catalogued and evaluated. Finally, the reliability of the tool was evaluated by the author according to its results, which were analyzed using similar tools.
