Web Application Security

The web application attacks are increasing day by day. Different attacks like XSS, Sql Injections, CSRF, SSRF, etc. are being the dominant factor for different modern companies loss. The companies which run their business via web application system may be in danger if there security would be compromised. Cross site scripting, sql injection attacks, ssrf, csrf, etc. are the most dangerous attacks that could be injected into the system. In this research, in depth subdomain enumeration, fetching urls & endpoints, using custom built automated recon tool, exploitation and reporting were written. These methodologies, tools and techniques will act as a reference for all penetration testers and developers to minimize web application attacks and efficiently test the system. In conclusion,

2019

Safety of information is needed either in private sector or business for protection from market with competitive secrets or only for privacy. Advantages of internet and web applications is that they are accessible from everyone, but in business word data should be safe, reliable accessible. Although these are not new problems and always had different solutions to these problems, we always need to be on the cutting edge with new attacks that appear every day and to try to achieve a greater security. In this paper we present some of the most dangerous forms of risk which are risking web applications in year 2015/2016.we will demonstrate step by step how to achieve unauthorized access from web application inside server system and we will explain why is happened for our analysis that we have done. In testing stages we used some parts of real tests that we have done on several web applications, with Penetration Testing Methods which is procedure for testing and documentations including i...

International Journal of Computer Applications, 2014

Due to the increasing complexity of web systems, security testing has become indispensable and critical activity of web application development life cycle. Security testing aims to maintain the confidentiality of the data, to check against any information leakage and to maintain the functionality as intended. It checks whether the security requirements are fulfilled by the web applications when they are subjected to malicious input data. Due to the rising explosion in the security vulnerabilities, there occurs a need to understand its unique challenges and issues which will eventually serve as a useful input for the security testing tool developers and test managers for their relative projects.

This paper reviews the penetration test specifically in the field of web. For this purpose, it first reviews articles generally on penetration test and its associated methods. Then articles in the field of web penetration test are examined in three aspects: comparing automatic penetration test tools, introduction of new methods or tools for manual penetration test, and articles that presented a test environment for training or checking various instruments and methods. This article studied 4 different methodologies for web penetration test, 13 articles for comparing web vulnerability scanners, 10 articles that proposed a new method or tool for penetration test and 4 test environments.

International Journal of Computer and Information System (IJCIS)

Many businesses, organizations, and social institutions use websites to support their main tasks. The various benefits of the website must be supported by the security aspects of the website in order to avoid hacking. Cyber attacks or hackers can do dangerous things like get more valuable data. So it is necessary to test a good website to find out the level of vulnerability of application features in it. A suitable test for websites where the website is distributed over a network is the grey box penetration test. This study performs a grey box penetration testing technique using the OWASP method and the OWASP ZAP tool. The test steps are collecting test target information, performing automatic scanning with the help of OWASP ZAP, exploiting the scan results, reporting, and providing recommendations. The test results show the target application website has 12 vulnerabilities with 8.3% at the high level vulnerability or 1 alert, 41.7% at the medium level or 5 alerts, 33.3% at the low ...

1 Abstract—Web applications vulnerabilities allow attackers to perform malicious actions that range from gaining unauthorized account access to obtaining sensitive data. The number of reported web application vulnerabilities in last decade is increasing dramatically. The most of vulnerabilities result from improper input validation and sanitization. The most important of these vulnerabilities based on improper input validation and sanitization are: SQL injection (SQLI), Cross-Site Scripting (XSS) and Buffer Overflow (BOF). In order to address these vulnerabilities we designed and developed the WAPTT (Web Application Penetration Testing Tool) tool-web application penetration testing tool. Unlike other web application penetration testing tools, this tool is modular, and can be easily extended by end-user. In order to improve efficiency of SQLI vulnerability detection, WAPTT uses an efficient algorithm for page similarity detection. The proposed tool showed promising results as compared to six well-known web application scanners in detecting various web application vulnerabilities.

International Journal for Research in Applied Science and Engineering Technology IJRASET, 2020

As technology changes, it becomes increasingly challenging for businesses of all types to keep their personal and customer's information on the web secure. Web security is important to keeping hackers and cyber-thieves from accessing sensitive information. Without a proactive security strategy, businesses risk the spread and escalation of malware, attacks on other websites, networks, and other IT infrastructures. If a hacker is successful, attacks can spread from computer to computer, making it difficult to find the origin. This project deals with preventing the potential errors while developing a basic website in order to prevent it from possible cyber-attacks. Cyber-attacks will be performed on unsecured site and then its vulnerabilities will be compared with the secured site.

Computer Networks, 2005

The rapid development phases and extremely short turnaround time of Web applications make it difficult to eliminate their vulnerabilities. Here we study how software testing techniques such as fault injection and runtime monitoring can be applied to Web applications. We implemented our proposed mechanisms in the Web Application Vulnerability and Error Scanner (WAVES)-a black-box testing framework for automated Web application security assessment. Real-world situations are used to test WAVES and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.

International journal of safety and security engineering, 2024

The increasing use of the internet has led to a growing number of security threats. Computers, smartphones, smartwatches, and other mobile devices associated with the internet face different threats and exploits. In those cases, different services are provided through web applications only. Those applications are vulnerable to hacking. There are over 1.9 billion websites today, and everything is connected to the network. According to the new national vulnerability database update, 10,683 weaknesses were found in web applications in the first quarter of 2023. The websites have the most significant details of the clients, like personal details, financial details, and so on. Checking all the web application weaknesses is not a silver bullet. So, vulnerability scanners play a significant role in web application security. Vulnerability analysis and penetration testing are two distinct vulnerability types of testing. These tests can help identify all the vulnerabilities in a web application, even those not detected by vulnerability scanners. While certain users access this vulnerability analysis data with just honest goals, like creating some security measures to avoid those vulnerabilities, some utilize it to recognize ways of destroying significant information and records of websites. As it is notable, the term penetration testing is also ethical hacking. The current paper aims to investigate penetration testing on web applications. The paper discusses the different types of penetration testing, the tools and techniques used, and the benefits of penetration testing. It also suggests the challenges of penetration testing and the steps that can be taken to mitigate these challenges.

International Journal For Science Technology And Engineering, 2021

The Study on web penetration testing and vulnerability assessment focus on the evaluation of the various vulnerabilities, and tools required to penetrate these vulnerabilities. It focuses on the development of making web applications secure before the intruder tries to attack the web application. It also provides the idea to assess the vulnerabilities and introduce different preventive measures that will help in preventing intruders from accessing sensitive information. The experiments are done using open-source software which is freely available on the internet. OWASP WAP (Damn Vulnerable Web Application) and RIPS (Buggy Web Application) already have the vulnerabilities and are mainly used for the study purpose and analyses of the result. With this study, one can understand how ethical hacking activities are performed and also place necessary security measures in protecting the organization. A similar study practice can be performed over real-life websites and networks for testing the vulnerability and carry out the assessments.

2012

Abstract The paper proposes a security testing technique to detect known vulnerabilities of web applications using both static and dynamic analysis. We also present a process to improve the security of web applications by mitigating many of the vulnerabilities revealed in the testing phase, and address a new method for detecting unknown vulnerabilities by applying dynamic black-box testing based on a fuzzing technique.

A vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug that allows an attacker to cause harm to the stakeholders of an application. There are many types of vulnerabilities in web application, each of which can be the target of web attack SQL injection and Cross-Site Scripting attack is a main-stream approach of web attacks. Our approach is mainly based on SQL Injection Detection method and Cross Site Scripting detection method with a crawling technique. Firstly, a user will enter an URL for checking vulnerability and click on the 'Start' to start the scanning process. After clicking on start, application start crawling for SQL injection vulnerability and Cross Site Scripting. If any vulnerability occurs it will generate in the spider log. And this detected vulnerabilities will be generated by a report so the user will get clear idea about weakness in the application.

owasp.org

Testing software during the development phase has become an important part of the development lifecycle and is key to agile methodologies. Code quality and maintainability is increased by adopting an integrated testing strategy that stresses unit tests, integration tests and acceptance tests throughout the project. But these tests are typically only focused on the functional requirements of the application, and rarely include security tests. Implementing security in the unit testing cycle means investing more in developer awareness of security and how to test for security issues, and less in specialised external resources. This is a long-term investment that can vastly improve the overall quality of software, and reduce the number of vulnerabilities in web applications, and consequently, the associated risks.

Proceedings of the International Conference on Dependable Systems and Networks, 2009

In this paper we propose a methodology to inject realistic attacks in web applications. The methodology is based on the idea that by injecting realistic vulnerabilities in a web application and attacking them automatically we can assess existing security mechanisms. To provide true to life results, this methodology relies on field studies of a large number of vulnerabilities in web applications. The paper also describes a set of tools implementing the proposed methodology. They allow the automation of the entire process, including gathering results and analysis. We used these tools to conduct a set of experiments to demonstrate the feasibility and effectiveness of the proposed methodology. The experiments include the evaluation of coverage and false positives of an Intrusion Detection System for SQL Injection and the assessment of the effectiveness of two Web Application Vulnerability Scanners. Results show that the injection of vulnerabilities and attacks is an effective way to evaluate security mechanisms and tools.

The using of information technology resources is rapidly increasing in organizations, businesses, and even governments, that led to arise various attacks, and vulnerabilities in the field. All resources make it a must to do frequently a penetration test (PT) for the environment and see what can the attacker gain and what is the current environment's vulnerabilities. This paper reviews some of the automated penetration testing techniques and presents its enhancement over the traditional manual approaches. To the best of our knowledge, it is the first research that takes into consideration the concept of penetration testing and the standards in the area.This research tackles the comparison between the manual and automated penetration testing, the main tools used in penetration testing. Additionally, compares between some methodologies used to build an automated penetration testing platform.