Security risks in web application penetration testing
Keywords: web applications; risk mitigation; penetration testing; security risks; web security
Abstract
This paper systematizes the main security risks that may be associated with penetration testing of web applications. Bibliographic sources and reports of a high scientific and technical standard were consulted for the study. Thirty-one risks were identified and described, classified into two groups: those associated with direct damage to the confidentiality, integrity and availability of web application information, and those arising from a deficiently performed penetration test, whose partial results also indirectly affect the security of web portals. The latter group was further divided into risks of scope and time, of technological infrastructure, and of personnel. For the treatment of the described risks, a set of 14 basic recommendations is provided for building a mitigation strategy suited to the existing test scenarios. The paper also addresses how to apply automated vulnerability assessment tools so as to limit damage to web applications. The results are highly relevant given the need for those involved in penetration testing processes to have a conceptual starting point that supports the treatment of risks and better contextualizes the decisions taken to resolve the security vulnerabilities found through this type of security assessment.
License
Copyright (c) 2021 Henry Raúl González Brito, Raydel Montesino Perurena
This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.