Security risks in web application penetration testing

(Original Spanish title: Riesgos de seguridad en las pruebas de penetración de aplicaciones web)

Authors

  • Henry Raúl González Brito, Universidad de las Ciencias Informáticas
  • Raydel Montesino Perurena, Universidad de Ciencias Informáticas

Keywords:

web applications; risk mitigation; penetration testing; security risks; web security

Abstract

This paper systematizes the main security risks that can be associated with penetration testing of web applications. The study draws on bibliographic sources and reports of a high scientific and technical standard. A total of 31 risks were identified and described, classified into two groups: those associated with direct damage to the confidentiality, integrity and availability of the web application's information, and those related to carrying out a deficient penetration test, whose partial results also affect web security indirectly; the latter were further divided into risks of scope and time, technological infrastructure, and personnel. For the treatment of the risks described, a set of 14 base recommendations is provided for building a mitigation strategy according to the testing scenarios. Particular attention is also paid to the modes of applying automated vulnerability assessment tools so as to limit damage to the web applications. The results are highly relevant given the need of those involved in penetration testing processes to have a conceptual starting point that supports risk treatment and better contextualizes the decisions taken to resolve the security vulnerabilities found through this type of security assessment.

Published

2021-06-30

How to cite

González Brito, H. R., & Montesino Perurena, R. (2021). Riesgos de seguridad en las pruebas de penetración de aplicaciones web: Security risks in web application penetration testing. Revista Cubana de Transformación Digital, 2(2), 98–117. Retrieved from https://rctd.uic.cu/rctd/article/view/114

Section

Cybersecurity