Web application penetration test: Proposal for a generic web application testing methodology
Main author: | João, Hugo Pinto |
---|---|
Publication date: | 2021 |
Document type: | Dissertation |
Language: | eng |
Source title: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) |
Full text: | http://hdl.handle.net/10071/24246 |
Abstract: | Nowadays, security management is becoming a priority for most companies. The primary aim is to prevent unauthorized identities from accessing classified information and using it against the organization. The best way to mitigate hacker attacks is to learn their methodologies. There are numerous ways to do this, but the most common is based on penetration tests, a simulated attack that verifies the security of the system or environment under analysis. Such a test can be performed through physical means using hardware or through social engineering. Its objective is to examine, under extreme circumstances, the behavior of systems, networks, or personal devices in order to identify their weaknesses and vulnerabilities. This dissertation presents an analysis of the state of the art in penetration testing, the most widely used tools and methodologies, a comparison between them, and the most critical web application vulnerabilities. With the goal of developing a generic security testing methodology applicable to any web application, an actual penetration test of the web application developed by VTXRM – Software Factory (Accipiens) is described, applying methods and open-source software step by step to assess the security of the different components of the system that hosts Accipiens. At the end of the dissertation, the results are presented and analyzed. |
Keywords: | Penetration tests; Cyber security; Security; Web application; IT security audit; IT risks and OWASP |
Identifier: | TID:202855295 |
Dates: | 2021-11; 2021-12-17; 2022-01-21 |
Rights: | info:eu-repo/semantics/openAccess |
Format: | application/pdf |
Repository: | Repositório Científico de Acesso Aberto de Portugal (Repositórios Científicos) - Agência para a Sociedade do Conhecimento (UMIC) - FCT - Sociedade da Informação |