Introduction: This article is the product of the research entitled "Automated Concept Tests on Web Applications Based on OWASP", carried out during 2017 and 2018 in the city of Popayan, capital of the Department of Cauca.
Problem: Establish and identify a theoretical support for the research topic that will help to solve the problem question of the research work. Is it necessary to develop scripts that automate the concept testing process for the detection of vulnerabilities corresponding to the Top 10 of OWASP 2017.
Objective: Propose a conceptual and background component, through the study of primary and secondary sources along with inclusion and exclusion factors, which helps determine the relevance to the proposed problem which in turn will assist in the construction of a solution.
Methodology: The methodology used was documentary, so several sources of databases were consulted, in order to determine the conceptual, theoretical and relevant background information that will support this research work.
Results: As a result, a very significant analysis was obtained, given that it was possible to obtain relevant conceptual bases that contributed to the solution of the problem.
Conclusion: Despite the existence of tools designed to perform web pentesting, none solve the problems posed in this article, however, the articles did contribute towards the solution of the objective.
Originality: Automation of the pentesting process, under the OWASP methodology, in an SBC, using free software, to reduce costs to entrepreneurs when testing the security of web applications.
Limitations: Access to databases in the institution, time and money used to perform tests on other SBC devices.
K. Linux, Kali Linux Official Documentation, 2016. [Online]. Available: http://es.docs.kali.org/introduction-es/que-es-kali-linux
OWASP, OWASP Top Ten Project, 2017. [Online]. Available: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
P. &. T. Pino, “Gestión y desarrollo de proyectos de investigación distribuidos en ingeniería del software por medio de investigación-acción,” Revista Facultad de Ingeniería Universidad de Antioquia, Vol. 1, 2013.
Muñoz S. & Perez A, Pentester de Aplicaciones web alineado a la metodología Owasp basados en un Cluster de SBC, Facultad de Ingenieria, UNICAUCA, 2018.
OWASP, OWASP Testing Project, 2017. [Online]. Available: https://www.owasp.org/index.php/OWASP_Testing_Project.
AndrewTang, “A guide to penetration testing”, Science Direct, vol. 1, no. 2, pp. 8-11, 2014. [Online]. doi: https://doi.org/10.1016/S1353-4858(14)70079-0
N. A. A. G. K. A. F. H. M. T. F. A. R. “Ain Zubaidah MohdSaleha, A Method for Web Application Vulnerabilities Detection by Using Boyer-Moore String Matching Algorithm”, Science Direct, vol. vol. 72. pp. 112-121, 2015. [Online]. doi: https://doi.org/10.1016/j.procs.2015.12.111.
P. E. H. K. Neha Sharma, “A Review of Information Security using Cryptography Technique”, International Journal of Advanced Research in Computer Science, vol. 8. [Online]. Available: https://www.ijarcs.info/index.php/Ijarcs/article/download/3760/3246, 2017.
L. J. G. V. Fernando Román Muñoz, “An algorithm to find relationships between web vulnerabilities”, The Journal of Supercomputing, vol. 74, no. 3. [Online]. doi: https://doi.org/10.1007/s11227-016-1770-3, pp. 1061-1089 , 2018.
S. J. Johnston, M. Apetroaie-Cristea, M. Scott & S. J. Cox, “Applicability of commodity, low cost, single board computers for Internet of Things devices”, IEEE XPLORE Digital Library. [Online]. doi: https://doi.org/10.1109/WF-IoT.2016.7845414, 2016.
G. D. S. T. A. K. P. R. P. Palsetia, “Black-box detection of XQuery injection and parameter tampering vulnerabilities in web applications”, International Journal of Information Security, vol. 17, no.1. [Online]. doi: https://doi.org/10.1007/s10207-016-0359-4, pp. 105-120, 2018.
G. R. D. S. Aruina Jaiswal, “Blackbox Penetration Testing on Web Applications”, International Journal of Computer Applications, vol. 88, no. 3, 2014.
Q. DuPont & B. Fidler, “Edge Cryptography and the Codevelopment of Computer Networks and Cybersecurity,” IEEE XPLORE Digital Library, vol. 38. [Online]. doi: https://doi.org/ 10.1109/MAHC.2016.49, pp. 55 - 73, 2016.
P. K. DaljitKaur, “Empirical Analysis of Web Attacks,” Science Direct, vol. 78, no. [Online]. doi: https://doi.org/10.1016/j.procs.2016.02.057, pp. 298-306, 2016.
S. S. Kanchana Natarajan, “Generation of Sql-injection Free Secure Algorithm to Detect and Prevent Sql-Injection Attacks,” Science Direct, vol. 4, no. 4. [Online]. doi: https://doi.org/10.1016/j.protcy.2012.05.129, pp. 790-796, 2012.
M. M. W. M. T. A. M. K. I. K. Y. H. Hidemasa Naruoka, “ICS Honeypot System (CamouflageNet) Based on Attacker's Human Factors,” Science Direct, vol. 3. [Online]. doi: https://doi.org/10.1016/j.promfg.2015.07.175, pp. 1074 - 1081, 2015.
S. R. C. A. O. William & G. J. Halfond, “Improving penetration testing through static and dynamic analysis,” Published online in Wiley Online Library (wileyonlinelibrary.com). [Online]. doi: https://doi.org/10.1002/stvr.450 , 2011.
S. A. T. H. Lee Allen, Kali Linux – Assuring Security by Penetration Testing, Packt Publishing, volumen 2014, Issue 8, https://doi.org/10.1016/S1353-4858(14)70077-7, 2014.
M. F. R. B. Philipp Zech, “Knowledge-based security testing of web applications by logic programming” International Journal on Software Tools for Technology Transfer, vols. 1, no. 2. [Online]. doi: https://doi.org/10.1007/s10009-017-0472-3, pp. 1-26, 2017.
R. C. L. C. N. D. A. A. U. M. Avinash Sudhodanan, “Large-Scale Analysis & Detection of Authentication Cross-Site Request,” IEEE XPLORE Digital library. [Online]. doi: https://doi.org/10.1109/EuroSP.2017.45, 2017.
J. H. R. F. J. H. Lukas Malina, “On perspective of security and privacy-preserving solutions in the internet of things,” Science Direct, vol. 102. [Online]. doi: https://doi.org/10.1016/j.comnet.2016.03.011, pp. 83-95, 2016.
A. F. Z. Daniel Dalalana Bertoglio, “Overview and open issues on penetration test,” Journal of the Brazilian Computer Society. [Online]. doi: https://doi.org/10.1186/s13173-017-0051-1, 2017.
B. Chacos, “Raspberry Pi 3: The revolutionary $35 mini-PC cures its biggest headaches,” PcWorld, vol. 9, no. 9. 2016. [Online]. Available: https://www.pcworld.com/article/3057888/computers/raspberry-pi-3-review-the-revolutionary-35-mini-pc-cures-its-biggest-headaches.html. [Último acceso: 2 12 2017].
A. Manu Kumar, “Reverse Engineering and Vulnerability Analysis in Cyber Security,” International Journal of Advanced Research in Computer Science, vol. 8, no. 5. pp. 950- 953, 2017. [Online]. Availablbe: https://www.ijarcs.info/index.php/Ijarcs/article/viewFile/3502/3456
P. S. E. M. M.I, “Security Testing Methodology for Vulnerabilities Detection of XSS in Web Services and WS-Security,” Science Direct, vol. 302, no. 25. [Online]. doi: https://doi.org/10.1016/j.entcs.2014.01.024, pp. 133-154, 2014.
D. M. D. M. S. M. B. Alie El-Din Mady, “Towards resilient cyber security for embedded devices on Internet,” IEEE Computer Society - IEEE 3rd World Forum on Internet of Things (WF-IoT), pp. 1-2, 2016. [Online]. Available: http://www.computer.org/csdl/proceedings/wf-iot/2016/4130/00/07845439-abs.html,
B. Jai Narayan Goel, “Vulnerability Assessment & Penetration Testing as a Cyber Defence Technology,” Science Direct, vol. 57. [Online]. doi: https://doi.org/10.1016/j.procs.2015.07.458, pp. 710-715, 2015.
M. Ubaidullah & Q. Makki, “A Review on Symmetric Key Encryption Techniques in Cryptography,” International Journal of Computer Applications, vol. 147, no. 10, , pp.43-48, 2016. [Online]. Available: https://www.ijarcs.info/index.php/Ijarcs/article/download/3777/3258
N. J. Nisal Madhushan Vithanage, “WebGuardia - An integrated penetration testing system to detect web application vulnerabilities,” IEEE XPLORE Digital Library - 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET). [Online]. doi: https://doi.org/10.1109/WiSPNET.2016.7566124, 2016.
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.