Conceptual foundation for an automated pentester based on a single board computer

Keywords

OWASP
Pentesting
Security, SBC (Single Board Computer)
Scripts

How to Cite

Vergara Fajardo, G., Montaño, D., Amado Donado, S., & Villalba, K. (2019). Conceptual foundation for an automated pentester based on a single board computer. Ingeniería Solidaria, 15(28), 1-16. Retrieved from https://revistas.ucc.edu.co/index.php/in/article/view/2751

Abstract

Introduction: This article is the product of the research entitled "Automated Concept Tests on Web Applications Based on OWASP", carried out during 2017 and 2018 in the city of Popayán, capital of the Department of Cauca.

Problem: Establish and identify theoretical support for the research topic that will help answer the research question of the work: is it necessary to develop scripts that automate the concept testing process for the detection of vulnerabilities corresponding to the OWASP Top 10 of 2017?

Objective: Propose a conceptual and background component, through the study of primary and secondary sources along with inclusion and exclusion factors, that helps determine relevance to the proposed problem and, in turn, assists in the construction of a solution.

Methodology: The methodology used was documentary: several databases were consulted in order to determine the conceptual, theoretical and relevant background information that supports this research work.

Results: A very significant analysis was obtained, given that it was possible to obtain relevant conceptual bases that contributed to the solution of the problem.

Conclusion: Despite the existence of tools designed to perform web pentesting, none solve the problems posed in this article; however, the articles did contribute towards achieving the objective.

Originality: Automation of the pentesting process, under the OWASP methodology, on an SBC, using free software, to reduce costs to entrepreneurs when testing the security of web applications.

Limitations: Access to databases in the institution, and the time and money needed to perform tests on other SBC devices.

