Professional Documents
Culture Documents
ABSTRACT
Penetration testing is a mirrored cyber-attack defined for identifying vulnerabilities and flaws in a computer
system/Network/Web application— the organization appoints experts to conduct the test and present the details for
deeper interpretation. One of the critical components of securing the network is to perform penetration tests of the
network and web applications. In this paper, the industry-known OWASP (Open Web Application Security Project)
vulnerability tool and three vulnerable web applications in a lab setup are explored and presented with a detailed
analysis. Further, three penetration test reports are selected, and comprehensive analysis and reports are generated from
the proposed setup. After the observation, it's understood that there is a lack of standardization format of the penetration
testing reports. Therefore, this paper presents a format that will cater to the understanding of domain knowledge experts,
decision-making bodies, and board members of the top executives of an organization for making further decisions on
improving the robustness of their network and web applications.
Keywords: Penetration testing, Penetration testing report, Automated testing, Web application security.
1. INTRODUCTION
Amount of damage reported by cybercrime
in million in US dollar
As per the penetration testing survey conducted in In this context, the motivation of this work deals with
2020 [3], 72% of the responder noted they use open studying different open source tools, web vulnerable
source/ freeware tools. Nearly 50% of responders websites online available for freeware testing. A lab
reported commercial tools that open source tools may not environment has been set up to experiment with various
offer. Reporting was the most prevalent factor [3] while attacks, generate reports on a real-time basis. Further,
selecting tools for penetration testing. As per survey [3], different penetration testing reports are studied, available
69% of the responder listed reporting as an essential online. Based on common gaps identified in reporting
factor, maybe due to compliance requirements, which formats, comparative analysis and a standardized
often require extensive documentation to comply with penetration testing report have been proposed.
regulation and industry needs. 64% of the respondents
The remaining paper is formulated as follows.
listed multi-vector testing capabilities as the second
Section I discusses the related works. In section II
important factor in the penetration testing report.
discussed methodology, set up a lab environment.
Expert security consultants conduct penetration Section III performed detailed analysis, captured and
testing as complex manual processes. However, the presented this paper. A standard penetration report based
manual penetration testing process is time-consuming, on findings has been proposed. Finally, in IV, the paper
expensive, and dependent on the skill set of the has been concluded and provided various directions for
penetration tester. Therefore, expert professionals future research.
develop an automated tool so that non-expert users can
supplant the penetration team to view the current security
2. RELATED WORK
status. Table 2 shows the comparison between manual
Kwiatkowska et al. [6] highlighted the significance of
and automatic penetration testing [4,5].
each tired of the web, mainly security with its service
Table 2. Comparison between manual and automated point and sufficient security check at the service point.
penetration testing Touseef et al. [7] proposed a complete study of web
vulnerability measuring and recognizing relevant
Phases Manual Automated datasets. Khera et al. [8] examined and presented the
Manual nonstandard lifecycle of the VAPT process and VAPT tools. They
process, high cost in
Testing Standard process, concentrate on several organization levels for adaptation
customization.
Phases fast in time. requirements of security standards to defend various
process, high cost in
customization.
cybersecurity threats. Alanda et al. [9] highlighted
Dependencies on the
vulnerability and techniques used to find an exposure in
Attack public database and Updates are mobile-based penetration testing using the OWASP.
Database essential to maintain available for the Yulianton et al. [10] suggested a framework for
Management the database attack database. identifying web vulnerabilities using taint analysis and
manually. black-box testing. Jinfeng et al. [11], a case study is
Customization of conducted for vulnerability scanners using the OWASP
reports based on tool. Helmiawan et al. [12] examined the security of the
Manual process of
Reporting requirements and web using Open Web Application Security Project 10.
collection of data.
available Wijaya et al. [13] suggested a web-based dashboard for
centrally. monitoring penetration testing based on OWASP
Different systems standards. The dashboard is made using PHP
Network No change is needed
modifications are programming languages tools and can display application
Identification in systems.
required. vulnerabilities based on their frequency of occurrence.
Slow, complex to Records all
Lala et al. [14] highlighted the mitigation process of
Auditing manage, and often activity
vulnerabilities in web applications using configuration
inaccurate process. automatically.
changes, coding, and security updates.
Product vendors
maintain exploits Shebli et al. [15] explained the importance of
Maintaining an and are easier to penetration testing, components considered, the survey of
Exploit
exploit database is manage. In tools and procedures resulted while conducting
Development
very difficult, and addition, exploits penetration testing. Zakaria et al. [16] proposed a
and
public exploits can are developed by
Management penetration testing format to understand the
be unsafe to run. professional
organization's security professional and upper
experts and
thoroughly tested.
management needs. Shebli et al. [15] explained the
More importance of penetration testing, components
Training can be considered, the survey of tools and procedures resulted
straightforward, to
Training customized but while conducting penetration testing. Zakaria et al. [16]
train users compared
time-consuming. suggested a penetration testing format to understand the
to manual testing.
366
Atlantis Highlights in Computer Sciences, volume 4
3.1. Tool
OWASP ZAP: It is a freeware tool extensively
accepted concerning automated vulnerability detection in
web applications. It is a non-profit organization, which
serves to enhance security in software. The 2.10.0 version
of OWASP ZAP is utilized for this work, with default
scan profiles [35-38].
3.2. Vulnerable Web Application
Three types of vulnerable web applications, namely
Figure 2 Proposed lab setup. DVWA [21], Google Gruyere [22], and BWAPP [23], are
employed in this work. DVWA (Damn Vulnerable Web
Table 4. Test environment features Application) is a web application based on vulnerability
Attacke Web Web Web used by security professionals to test skillsets and tools
r Server 1 Server 2 Server 3 in a legal environment. Google Gruyere is a web
Windo Ubuntu Ubuntu Ubuntu application that is thoroughly discovering bugs and
ws 10 Server Server Server learning ways to fix them. Finally, BWAPP (Buggy Web
OS
Professi 14.04.6 14.04.6 14.04.6 Application) is an open source web application and uses
onal LTS x86 LTS x86 LTSx86 the penetration tester to find and prevent web
367
Atlantis Highlights in Computer Sciences, volume 4
vulnerabilities. The analyses discussed above are Table 7. Web vulnerability detected inside BWAPP
performed for education purposes only.[39-42]
No of
Vulnerability
4. RESULT AND DISCUSSION instances
4
X-Frame-Options Header Not Set
The experimental assessment is detailed and showed the
X-Content-Type-Options Header 4
web vulnerability identified in Table 5, Table 6, and
Missing
Table 7.
No of
Vulnerability
instances
Cross Site Scripting (Reflected) 1
X-Frame-Options Header Not Set 60
Absence of Anti-CSRF Tokens 3
Cookie No HttpOnly Flag 2
Cookie Without SameSite Attribute 2
Cookie Without Secure Flag 2
Incomplete or No Cache-control and Figure 5 Analysis of Vulnerability in DVWA.
62
Pragma HTTP Header Set
X-Content-Type-Options Header Missing 72
Charset Mismatch (Header Versus Meta
7
Content-Type Charset)
Information Disclosure - Suspicious
1
Comments
Timestamp Disclosure - Unix 1
368
Atlantis Highlights in Computer Sciences, volume 4
In this section, the discovery of web vulnerability Security) institute [29], four primary penetration report
using open source penetration testing tools is highlighted. writing phases are shown in Fig 10. An ancient proverb
The primary intention is to aid security professionals in in the consulting business: "If you do not document it, it
testing their skill set and tools in a legal environment. did not happen" [30].
Additionally, two online open source penetration
testing tools are tested, i.e., pentest tools [24] and
Forgenix [25], with three existing web-based vulnerable
databases. Reports generated using the OWASP tool are
represented in Figure 7.
369
Atlantis Highlights in Computer Sciences, volume 4
2.Exploitation: The penetration tester maps all the [5] Mirjalili, Mahin, Alireza Nowroozi, and Mitra
possible vulnerabilities and sees to what extent they can Alidoosti. "A survey on web penetration
get into the environment. test."International Journal in Advances in Computer
3.Reporting: In this phase, the penetration tester reports Science 3.6 (2014). ISSN: 2322-5157.
all the detected vulnerabilities.
[6] Kachhwaha R., Purohit R. (2019) Relating
Detailed Findings Vulnerability and Security Service Points for Web
This section represents complete information concerning Application Through Penetration Testing. In:
each finding; results can be described as a table, pie chart, Panigrahi C., Pujari A., Misra S., Pati B., Li KC.
bar graph, diagrams, etc. (eds) Progress in Advanced Computing and
Intelligent Engineering. Advances in Intelligent
1.Details of vulnerability: For all vulnerabilities, the Systems and Computing, vol 714. Springer,
description should be conferred about the source of the Singapore.DOI:10.1007/978-981-13-0224-4_4.
vulnerabilities, impact, and the likelihoods to be
[7] Touseef, P., Alam, K. A., Jamil, A., Tauseef, H.,
exploited.
Ajmal, S., Asif, R., ... & Mustafa, S. (2019, July).
2.Impact: It outlines the effects of vulnerability by Analysis of automated web application security
threats. vulnerabilities testing. In Proceedings of the 3rd
3.Likelihood: It represents the probability of International Conference on Future Networks and
occurrence of the threat. Distributed Systems (pp.1-8), DOI:
4.Recommendations: The penetration tester presents 10.1145/3341325.3342032.
good recommendations on the risk rating and severity of [8] Khera, Y., Kumar, D., & Garg, N. (2019, February).
the asset based on the outcome and discoveries. [42-44] Analysis and Impact of Vulnerability Assessment
and Penetration Testing. In 2019 International
5. CONCLUSION Conference on Machine Learning, Big Data, Cloud
and Parallel Computing (COMITCon) (pp.525-
Several state-of-the-art penetration testing tools have
530),IEEE.DOI:10.1109/COMITCon.2019.886222
been studied and explored in their report formats. This
paper highlights the differences in reports produced by .4.
various tools. A new standard format of report generation [9] Alanda, A., Satria, D., Mooduto, H. A., &
for pen testing is proposed based on the survey carried Kurniawan, B. (2020, May). Mobile Application
out. This standardized format will facilitate Security Penetration Testing Based on OWASP.
understanding of the network vulnerabilities by the In IOP Conference Series: Materials Science and
security professionals irrespective of the pen testing tool Engineering (Vol. 846, No. 1, p. 012036). IOP
used. The tool collects the data in any format and Publishing.DOI:10.1088/1757-
converts it to the standardized format as per the proposal. 899X/846/1/012036.
The future scope is to construct a penetration testing tool
and generate the report as the proposed idea. [10] Yulianton, H., Trisetyarso, A., Suparta, W., Abbas,
B. S., & Kang, C. H. (2020, July). Web Application
REFERENCES Vulnerability Detection Using Taint Analysis and
Black-box Testing. In IOP Conference Series:
[1] TheStatisca, Materials Science and Engineering (Vol. 879, No. 1,
https://www.statista.com/statistics/267132/total- p. 012031). IOP Publishing.DOI:10.1088/1757-
damage-caused-by-by-cyber-crime-in-the-us/ 899X/879/1/012031.
[2] National Crime Investion Bureau, The government [11] Li, Jinfeng. "Vulnerabilities mapping based on
of India, https://ncrb.gov.in/ OWASP-SANS: a survey for static application
[3] Penetration Testing Report, 2020, Coresecurity. security testing (SAST)." Annals of Emerging
https://www.coresecurity.com/ Technologiesin Computing(AETiC).
DOI:10.33166/AETiC.2020.03.001.
[4] Y. Stefinko, A. Piskozub and R. Banakh, "Manual
and automated penetration testing. Benefits and [12] Helmiawan, M. A., Firmansyah, E., Fadil, I.,
drawbacks. Modern tendency," 2016 13th Sofivan, Y., Mahardika, F., & Guntara, A. (2020,
International Conference on Modern Problems of October). Analysis of Web Security Using Open
Radio Engineering, Telecommunications and Web Application Security Project 10. In 2020 8th
Computer Science (TCSET), Lviv, 2016, pp. 488- International Conference on Cyber and IT Service
491. DOI: 10.1109/TCSET.2016.7452095. Management(CITSM) (pp.1-
5),IEEE.DOI:10.1109/CITSM50537.2020.9268856
370
Atlantis Highlights in Computer Sciences, volume 4
[13] Wijaya, Y. S., & Ramadhani, I. (2020). Web-Based [31] K. Yu, L. Tan, L. Lin, X. Cheng, Z. Yi and T. Sato,
Dashboard for Monitoring Penetration Testing "Deep-Learning-Empowered Breast Cancer
Activities Based on OWASP Standards. Jurnal Auxiliary Diagnosis for 5GB Remote E-Health,"
Ilmiah Teknik Elektro Komputer dan Informatika IEEE Wireless Communications, vol. 28, no. 3, pp.
(JITEKI), 6(1),36-41.DOI: 54-61, June 2021, doi:
10.26555/jiteki.v6i1.17019. 10.1109/MWC.001.2000374.
[14] Lala, S. K., Kumar, A., & Subbulakshmi, T. (2021, [32] K. Yu, Z. Guo, Y. Shen, W. Wang, J. C. Lin, T. Sato,
May). Secure Web development using OWASP “Secure Artificial Intelligence of Things for Implicit
Guidelines. In 2021 5th International Conference on Group Recommendations”, IEEE Internet of Things
Intelligent Computing and Control Systems Journal, 2021, doi: 10.1109/JIOT.2021.3079574.
(ICICCS) (pp.323-332).IEEE.DOI:
[33] H. Li, K. Yu, B. Liu, C. Feng, Z. Qin and G.
10.1109/ICICCS51141.2021.9432179.
Srivastava, "An Efficient Ciphertext-Policy
[15] Al Shebli, H. M. Z., & Beheshti, B. D. (2018, May). Weighted Attribute-Based Encryption for the
A study on penetration testing process and tools. Internet of Health Things," IEEE Journal of
In 2018 IEEE Long Island Systems, Applications Biomedical and Health Informatics, 2021, doi:
and Technology Conference (LISAT) (pp. 1-7). 10.1109/JBHI.2021.3075995.
IEEE.DOI: 10.1109/LISAT.2018.8378035.
[34] L. Zhen, A. K. Bashir, K. Yu, Y. D. Al-Otaibi, C. H.
[16] Zakaria, M. N., Phin, P. A., Mohmad, N., Ismail, S. Foh, and P. Xiao, “Energy-Efficient Random
A., Kama, M. N., & Yusop, O. (2019, December). Access for LEO Satellite-Assisted 6G Internet of
A Review of Standardization for Penetration Remote Things”, IEEE Internet of Things Journal,
Testing Reports and Documents. In 2019 6th doi: 10.1109/JIOT.2020.3030856.
International Conference on Research and
[35] L. Zhen, Y. Zhang, K. Yu, N. Kumar, A. Barnawi
Innovation in Information Systems (ICRIIS) (pp. 1-
and Y. Xie, "Early Collision Detection for Massive
5),DOI: 10.1109/ICRIIS48246.2019.9073393.
Random Access in Satellite-Based Internet of
[17] Gartner Application Security Testing (AST) Things," IEEE Transactions on Vehicular
Review and Ratings. Technology, vol. 70, no. 5, pp. 5184-5189, May
2021, doi: 10.1109/TVT.2021.3076015.
[18] The 2020 Gartner Magic Quadrant for Application
Security Testing. [36] L. Tan, K. Yu, A. K. Bashir, X. Cheng, F. Ming, L.
Zhao, X. Zhou, “Towards Real-time and Efficient
[19] A Tirosh, M. Horvath and D. Zumerle, "Magic
Cardiovascular Monitoring for COVID-19 Patients
Quadrant for Application Security Testing,"
by 5G-Enabled Wearable Medical Devices: A Deep
Gartner, 18 April 2019. OWASP ZAP.
Learning Approach”, Neural Computing and
[20] https://owasp.org/www-project-zap/ Applications, 2021, https://doi.org/10.1007/s00521-
021-06219-9
[21] https://dvwa.co.uk/
[37] Puttamadappa, C., and B. D. Parameshachari.
[22] https://google-gruyere.appspot.com/
"Demand side management of small scale loads in a
[23] http://www.itsecgames.com/ smart grid using glow-worm swarm optimization
technique." Microprocessors and Microsystems 71
[24] https://pentest-tools.com
(2019): 102886.
[25] https://foregenix.com
[38] Parameshachari, B. D., H. T. Panduranga, and Silvia
[26] Pen Test Report, January 1,2020, PurpleSec. liberata Ullo. "Analysis and computation of
[27] Real VNC, "Penetration Test Report and encryption technique to enhance security of medical
Response", 2019. images." In IOP Conference Series: Materials
Science and Engineering, vol. 925, no. 1, p. 012028.
[28] Offensive Security Services, LLC, Penetration Test IOP Publishing, 2020.
Report : Mega Corp One,2013.
[39] Subramani, Prabu, Ganesh Babu Rajendran, Jewel
[29] SANS Institute, "Writing a Penetration Teting Sengupta, Rocío Pérez de Prado, and
Report", 2010. Parameshachari Bidare Divakarachari. "A block bi-
[30] Lam,K.,Smith, B., & LeBlanc, D. diagonalization-based pre-coding for indoor
(2004). Assessing network security. Microsoft multiple-input-multiple-output-visible light
Press. communication system." Energies 13, no. 13
(2020): 3466.
371
Atlantis Highlights in Computer Sciences, volume 4
Annexure 1.
372