MODERN TOOLS FOR SECURITY TESTING FROM OWASP

2020 ◽  
Vol 22 ◽  
pp. 18-22
Author(s):  
M.-V. Lyba ◽  
L. Uhryn

With the development of information technology, humanity is increasingly delving into the world of gadgets, cloud technology, virtual reality, and artificial intelligence. Through web applications, we receive and distribute information, including confidential information. During the pandemic, most people switched to online work and study. As a result, most of the data stored on personal computers, company servers, and cloud storage needs protection from cyberattacks. The problem of cybersecurity is at the moment incredibly relevant due to the hacking of cryptocurrencies, ministry websites, bitcoin wallets, and social network accounts. It is necessary to conduct high-quality testing of developed applications to detect cyber threats and to ensure reliable protection of information of different kinds. The article states that when testing applications, one checks for vulnerabilities that could arise as a result of incorrect system setup or due to shortcomings in software products. The use of innovation is necessary to improve quality. Modern realities have become a challenge for the development of cybersecurity products. Improvement of technology requires modern companies to update their IT systems and conduct regular security audits. The research is devoted to the analysis of modern OWASP testing tools that contribute to data security, with a view to their further use. The Open Web Application Security Project is an open security project. The research revealed a list of the most dangerous attack vectors against Web applications; in particular, OWASP ZAP analyzes the data sent and received and performs system security scanning at a primary level, while the MSTG covers security testing of mobile applications on iOS and Android devices. The practical result of the work is the testing of a specially developed web application and the identification of vulnerabilities of different levels of criticality.

2014 ◽  
Vol 989-994 ◽  
pp. 4542-4546 ◽  
Author(s):  
Jie Fan ◽  
Peng Gao ◽  
Cong Cong Shi ◽  
Ni Ge Li

White-box testing tools for Web application source code security suffer from a high false positive rate, while Black-box testing tools for Web application security are unable to locate where a vulnerability resides. We propose an effective method that combines White-box and Black-box testing tools for Web applications. The method introduces a new technology, an "Associated Files Matching Engine", into White-box testing tools; the resulting White-box test results and the Black-box test results are then statistically analyzed and combined. Argumentation shows that this method reduces the false positive rate of White-box test results and is able to locate the file in which a vulnerability resides.


2015 ◽  
Vol 6 (3) ◽  
pp. 50-64 ◽  
Author(s):  
Bouchaib Falah ◽  
Mohammed Akour ◽  
Samia Oukemeni

In modern interaction, web applications have gained more and more popularity, which leads to a significant growth in exposure to malicious users and vulnerability attacks. This causes organizations and companies to lose valuable information and suffer from a bad reputation. One of the effective mitigation practices is to perform security testing against the application before releasing it to the market. This solution won't protect a web application 100%, but it will test the application against malicious code and reduce the high number of potential attacks on the web application. One known security testing approach is threat modeling, which provides an efficient technique to identify threats that can compromise system security. The method proposed by the authors in this paper focuses on improving the effectiveness of threat categorization by using the Open Web Application Security Project's (OWASP) Top 10, the most critical web application security risks, to generate threat trees that cover widely known security attacks.


Author(s):  
Ksenija Živković ◽  
Ivan Milenković ◽  
Dejan Simić

Web applications are a standard part of our everyday lives. Their purpose can vary significantly, from e-banking to social networks. However, one thing is common: users generally have high expectations of the different web applications they use. To meet such high expectations, proper web application testing is necessary. Non-functional testing is an important part of web application testing. As technology advances and requirements become more complex, the importance of non-functional application aspects becomes even greater. It is necessary to identify the non-functional requirements of web applications that are important to users, implement those requirements, and test them.


Author(s):  
Артём Григорьевич Тецкий

Penetration testing is conducted to detect and subsequently fix the security problems of a Web application. During testing, tools are actively used that allow the tester to avoid performing a large number of monotonous operations. The problem with selecting tools is that there are a number of similar tools for testing the same class of security problems, and it is not known which tool is most suitable for a particular case. Such a problem is most often encountered by novice testers; more experienced testers use their own sets of tools to find specific security problems. Such kits are formed during the work, and each tester finds the tools most suitable for them. The goal of the paper is to create a method that will help to choose a tool for a particular case, based on the experience of experts in security testing of Web applications. To achieve the goal, it is proposed to create a Web service that will use a neural network to solve the problem of choice. Data for training the neural network, in the form of a matrix of tools and their criteria, are provided by experts in the field of security testing of Web applications. To find the most suitable tool, a vector of requirements should be formed, i.e. the user of the service must specify the criteria for the search. As a result of the search, the several tools most suitable for the request are shown to the user. The user can also save the result of their own choice if it differs from the proposed one. In this way, the set of learning examples can be extended. It is advisable to have two neural networks: the first is trained only on data from experts; the second is trained on data from experts and on data from users who have saved their choice. The usage of neural networks makes it possible to map several input data sets to one output data set. The described method can be used to select software in various applications.


2021 ◽  
Vol 6 (1) ◽  
pp. 83-90
Author(s):  
Mustofa Kamil

Due to the large amount of data stored in web applications and the increasing number of transactions on the web, proper Web Application Security Testing becomes more important day by day, and web applications are an important part of business life. With the increasing complexity of web systems, security testing has become a very necessary and important activity in the life cycle of developing web applications. Web security testing consists of searching for information about the network and the application and looking for holes and weaknesses.


2018 ◽  
Vol 7 (4.15) ◽  
pp. 130
Author(s):  
Emil Semastin ◽  
Sami Azam ◽  
Bharanidharan Shanmugam ◽  
Krishnan Kannoorpatti ◽  
Mirjam Jonokman ◽  
...  

Today's business world has incorporated Web Services and Web Applications into the core of its operating cycle, and security plays a major role in the amalgamation of such services and applications with business needs worldwide. OWASP (Open Web Application Security Project) states that the effectiveness of the security mechanisms in a Web Application can be estimated by evaluating its degree of vulnerability against any of the top ten vulnerabilities nominated by OWASP. This paper sheds light on a number of existing tools that can be used to test for the CSRF vulnerability. The main objective of the research is to identify the available solutions to prevent CSRF attacks. By analyzing the techniques employed in each of the solutions, the optimal tool can be identified. Tests against the exploitation of the vulnerabilities were conducted after implementing the solutions into the web application to check the efficacy of each of the solutions. The research also proposes a combined solution that integrates the passing of an unpredictable token through a hidden field and validating it on the server side with the passing of the token through the URL.


2021 ◽  
Vol 1 ◽  
pp. 84-90
Author(s):  
Rustam Kh. Khamdamov ◽  
Komil F. Kerimov

Web applications are increasingly being used for activities such as reading news, paying bills, and shopping online. As these services grow, an increase in the number and extent of attacks on them can be seen, such as theft of personal information, bank data, and other cases of cybercrime. All of the above is a consequence of the openness of information in the database. Web application security is highly dependent on database security. Data for a client request is usually retrieved by a set of queries issued on behalf of the application user. If the data entered by the user is not checked very carefully, a whole host of attack types can arise that use web applications to create security threats to the database. Unfortunately, due to time constraints, web application programmers usually focus on the functionality of web applications, and only a few worry about security. This article provides methods for detecting anomalies using a database firewall. The methods of penetration and types of hacks are investigated. A database firewall is proposed that can block known and unknown attacks on Web applications. This software can work in various ways depending on the configuration. There are almost no false positives, and the performance overhead is relatively small. The developed database firewall is designed to protect against attacks on web application databases. It works as a proxy, which means that SQL requests received from the client are first sent to the developed firewall rather than to the database server itself. The firewall analyzes the request: requests that are considered strange are blocked by the firewall and an empty result is returned to the client.


2017 ◽  
Vol 10 (2) ◽  
pp. 359-363
Author(s):  
Rupal Sharma ◽  
Ravi Sheth

Today, web application security is the most significant battlefield between the victim, the attacker, and the resources of a web service. The owner of a web application developed in ASP.NET cannot see the security vulnerabilities in it. This paper explains an algorithm that aims to identify broken authentication and session management vulnerabilities. The method given in this paper scans the web application files. The created scanner relies on studying the source code of the application's ASP.NET files and its code-behind files. A program developed for this purpose produces a report that describes the vulnerability types by mentioning the file name, a description, and the location. The aim of the paper is to discover broken authentication and session management vulnerabilities. The indicated algorithm will help organizations and developers to repair the vulnerabilities and improve security end to end.


2021 ◽  
Vol 53 (1) ◽  
pp. 91-97
Author(s):  
OLGA N. VYBORNOVA ◽  
ALEKSANDER N. RYZHIKOV

We analyzed the urgency of the task of creating a more efficient (compared to analogues) means of automated vulnerability search based on modern technologies. We have shown the similarity of the vulnerability identification process to a Markov decision process and justified the feasibility of using reinforcement learning to solve this problem. Since the analysis of web application security is currently the highest priority and most in demand, within the framework of this work the application of the mathematical apparatus of reinforcement learning to this subject area is considered. The mathematical model is presented, and the specifics of the training and testing processes for the problem of automated vulnerability search in web applications are described. Based on an analysis of the OWASP Testing Guide, an action space and a set of environment states are identified. The characteristics of the software implementation of the proposed model are described: Q-learning is implemented in the Python programming language, and a neural network was created to implement the learning policy using the tensorflow library. We demonstrated the results of the Reinforcement Learning agent on a real web application, as well as their comparison with the report of the Acunetix Vulnerability Scanner. The findings indicate that the proposed solution is promising.
