IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)

Cyber Security Analysis using Vulnerability

Assessment and Penetration Testing
Prashant S. Shinde Prof. Shrikant B. Ardhapurkar
Department of Computer Technology, Department of Computer Technology,
Yeshwantrao Chavan College of Engineering, Yeshwantrao Chavan College of Engineering,
Nagpur, Maharashtra, India Nagpur, Maharashtra, India
[email protected] [email protected]

Abstract— In last twenty years, use of internet applications, The two types of vulnerability testing are Vulnerability
web hacking activities have exaggerated speedily. Organizations Assessment and Penetration Testing (VAPT) which can often
facing very significant challenges in securing their web be combined for achieving better vulnerability analysis results.
applications from rising cyber threats, as compromise with the So VA and PT are nothing but two different tasks giving
protection issues don't seem to be reasonable. Vulnerability
Assessment and Penetration Testing (VAPT) techniques help
different results but within the same workspace.
them to go looking out security loopholes. These security We have Vulnerability assessment tools for discovering
loopholes could also be utilized by attackers to launch attacks on vulnerabilities, whereas no differentiation found between types
technical assets. Thus it is necessary ascertain these of flaws that cause damage on exploitation and those that do
vulnerabilities and install security patches. VAPT helps not do so. There are Vulnerability scanners which generates
organization to determine whether their security arrangements alert for companies about pre-existence of any flaws in code as
are working properly. This paper aims to elucidate overview and well as location of flaws. Penetration tests are performed to
various techniques used in vulnerability assessment and exploit the vulnerabilities in a system to get any way of
penetration testing (VAPT). Also focuses on making cyber
unauthorized access or possibility of any malicious activity and
security awareness and its importance at various level of an
organization for adoption of required up to date security
used in identification of flaws posing threat to the application.
measures by the organization to stay protected from various These tests find out exploitable flaws and measure their
cyber- attacks. severity. These are also helpful for showing the amount of
damage it could cause during the real attack. Thus, combined
Index Terms— Cross-Site Scripting (XSS), Cyber Security, Sql package of penetration testing and vulnerability assessment
Injection (SQLi), Vulnerability Assessment and Penetration tools gives a detailed view of existing flaws along with the risk
Testing (VAPT). associated with it [19].
I. INTRODUCTION In this paper, literature survey has been presented over
various VAPT mechanisms proposed by various researchers.
With the magnified use of web and on-line resources in last This paper is organized as follows. Section II presents types of
twenty years, the threat to integrity and confidentiality to vulnerabilities corresponding to attack types. Section III
information and resources has together been exaggerated. Each presents overview of VAPT. Then, in Section IV literature
day cases of Hacking and Exploitation are being discovered. survey is highlighted followed by the conclusion in section V.
Therefore finding Vulnerabilities and install security patches
has been major considerations of each internet facing II. TYPES OF VULNERABILITIES
organization [11]. Vulnerabilities are system flaws or weaknesses that may
Vulnerability Assessment and Penetration Testing (VAPT) lead to security breach. Once an attacker has found a flaw, or
helps to assess the effectiveness and ineffectiveness of the application vulnerability, and determined a way to access it, the
security arrangements of web application to stay protected attacker has the potential to take advantage of the application
against the rising Cyber threats. The projected work helps to vulnerability. Thus threat to the confidentiality, integrity, or
develop a versatile mechanism which is able to find availability of resources possessed by an application is
vulnerabilities from internet applications. increased. Attackers typically rely on specific tools or
So, Identification of Vulnerabilities and remedy of a similar strategies identify application vulnerabilities and compromise
has become one among the prime issues for organizations. the application.
With the growing inter-connectivity of systems and Table 1 shows the OWASP Top 10 vulnerability list with
advancement in Cyber Services, the extent of Cyber Attacks common weakness enumeration (CWE) associated [18]. This
has conjointly exaggerated. Thus so as to stay immune and for list is maintained by the OWASP Foundation. And the
threat minimization, Vulnerability Assessment and Penetration Vulnerabilities in this list are primarily related to Web
Testing (VAPT) is conducted by the organizations on regular Application Security.
basis.

978-1-4673-9214-3/16/$31.00 © 2016 IEEE

Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:50:11 UTC from IEEE Xplore. Restrictions apply.
 IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
Vulnerability CWE Rank B. Sql Injection (SQLi)
Injection CWE-929 A1
SQL injection is a kind of technique where users can inject
Broken Authentication and Session CWE-930 A2
Management SQL commands through input of a web page in an SQL
statement. An injected SQL command alters SQL statement
Cross Site Scripting (XSS) CWE-931 A3
Insecure Direct Object Reference CWE-932 A4
and compromises the security of a web application [1]. SQL
Security Misconfiguration CWE-933 A5
Injection is a code injection method, used to attack data-driven
Sensitive Data Exposure CWE-934 A6 applications, in which SQL statements are inserted into an
Missing Function Level Access Control CWE-935 A7 entry field. SQL Injection exploits the security vulnerability in
Cross Site Request Forgery CWE-936 A8 an application's software. With SQL injection exploitation
Using Component with known CWE-937 A9 attacker can read sensitive data, modify data, execute
Vulnerability administration operations on the database, recover the content
Unvalidated Redirects and Forwards CWE-938 A10 of files present on the DBMS file system [6] etc.
Table.1 OWASP TOP 10 2013 C. Directory Traversal
As described in OWASP TOP 10-2013 Injection Directory Traversal is an input manipulation attack
vulnerabilities and Cross-site scripting attack vulnerabilities vulnerability which uses directory traversal sequences to
are on top of the list [6]. access or manipulate arbitrary files and resources on the web
server [18]. A directory traversal vulnerability occurs due to
A. Cross-site Scripting(XSS) insufficient filtering/validation of browser inputs from users.
Cross site Scripting or XSS vulnerabilities are rumoured These vulnerabilities can be located in web server
and exploited since Nineties. XSS got listed top 3rd software/files or in application code that is executed on the
Vulnerability in the OWASP TOP 10 2010 and 2013 web server.
application Vulnerabilities list. Cross-site scripting (XSS) is a
D. File Inclusion
kind of security vulnerability found in web application in
which the attacker can inject client side scripts into web pages File inclusion allows an attacker to include a file, usually
which are viewed by other users. The injected code is through a script on the web server. This vulnerability occurs
executed at client side. due to the use of unvalidated user-supplied input. This can
A cross site scripting vulnerabilities are often employed by lead to code execution on the web server and client-side,
the attacker to bypass the Same Origin Policy (SOP). Denial of service (DoS), Data theft/manipulation.
Attacker can use vulnerabilities to steal the Identity and
E. Failure to Restrict URL Access:
Confidential Data, Bypass restrictions in websites, Session
Hijack, launch malware Attack, Website Defacement and Using this vulnerability an attacker can bypass website
Denial of Service attacks (DoS), etc. security by accessing files directly instead of following links.
According to persistence capability, there are two types of This allows attacker to access data source files directly instead
XSS attacks: of using the web application. It is one of the common
vulnerabilities listed on the Open Web Application Security
1) Persistent XSS: The Persistent or stored XSS attack Project’s (OWASP) Top 10.
happens when the malicious code submitted by attacker is
saved by the server within the database, in a message forum, III. OVERVIEW OF VAPT
visitor log, comment field, etc. So a victim is able to retrieve Vulnerabilities are system flaws, bugs, misconfiguration
the stored data from the web application without that that make it vulnerable to the attacks. Assessing of these
information being made safe to render within the browser [6]. system vulnerabilities enable us to identify and install security
2) Non- Persistent XSS: Reflected or Non-Persistent XSS patches, so as to defend the system from the risk of being
attack happens when user input is instantly returned by a web damaged.
application in a form of an error message, search result, or any VAPT methodology is conducted in two major
other response that has some or all of the input provided by components. The first half deals with the Analysis and
the user as a part of the request, without that data being made Discovery of existing Vulnerabilities. The second half deals
safe for rendering it into the browser, and permanently storing with the Exploitation of the detected set of Vulnerabilities, to
the user provided information [6]. evaluate their Severity and Impact over the Target system.
Vulnerability assessment is a passive approach whereas
This vulnerability frequently occurs in search fields. In case
penetration testing is an active approach where security
of Non-Persistent XSS attacks, attacker sends the specially-
professionals simulate attack and test the target web site and
crafted url to target victims and trick them into click the link.
its tolerance power against attacks.
When user clicks on the link, the browser will send the
injected code to the server, then server reflects the attack back
to the victim’s browser and the code is executed by the
browser.

Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:50:11 UTC from IEEE Xplore. Restrictions apply.
 IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)

this part the VAPT tester tries to exploit the identified set of
vulnerabilities in the same manner as an attacker would do
[10]. The aim of the tester behind doing this is to check the
difficulty level of exploiting the vulnerability and its impact on
the concerned Information system. The VAPT tester performs
all these operations in a very controlled and supervised manner,
so that it does not affect the functioning of other parts of the
system.
1. Advantages of PT:
a. Mitigating controls are taken into account
b. Enables the chaining together of
vulnerabilities to understand the full impact of
all discovered issues
c. Removes false-positives from all layers of the
security model
2. Disadvantages of PT:
a. Requires comparatively more time and effort
than a vulnerability assessment
Fig. 1 VAPT Process b. Usually requires hiring an outside firm for
pen testing
A. Vulnerability Assessment c. Every test does not guarantee to identify a
In this part the VAPT tester aims at finding crucial vulnerability
information about the test target and scanning the target to d. A penetration test is unlikely to provide
find the vulnerabilities [10]. Vulnerability is a flaw in a information about new vulnerabilities
system. Reasons for vulnerability existence are weak
C. Features and Benefits of VAPT:
password, coding, input validation or misconfiguration etc.
The attacker first identifies vulnerabilities and makes use of it Vulnerability Assessment and Penetration Testing together
for malicious purposes. gives more comprehensive application evaluation along with
Vulnerability assessment is strategy which follows detailed view of threats in an application to mitigate critical
systematic and proactive approach to discover vulnerability. It vulnerabilities.
is practiced to discover known and unknown problems in the Periodic VAPT test helps the organization to remain
system. Industry standard like DSS PCI also require this from assured about the security of their business and its operations.
a compliance point of view. VAPT helps organization in preventing financial losses,
Vulnerability assessment can be achieved with the help of preserving Corporate Image and rationalizing Information
scanners. It is a hybrid solution consisting of automated testing Security investments.
and expert analysis. Proactively implementing VAPT tests identify and address
1. Advantages of VA: security risks preventing unauthorized access, data corruption
a. Used for enabling automation of thousands of or financial loss.
security checks VAPT avoid network downtime cause by breach along with
b. Helpful in integrating the organization’s discovering methods used by hackers to compromise the
threat and vulnerability management network [18].
program.
IV. LITERATURE SURVEY
c. Serves as a useful layer-one remediation test
and can be done with easily available tools In 2006, Jovanovic N., Kruegel C., et al. [17] have
2. Disadvantages of VA: proposed a system to discover vulnerable points in a web
a. Generates an incoherent and overwhelming application program by using context sensitive, flow sensitive
amount of data along with some false-positive and inter procedural data flow analysis i.e. static source code
results analysis. They have employed alias and literal analysis for
b. Fails to identify logical attack vectors such as improving the integrity of precision of the result. Their system
application logic flaws and password reuse targeted at general class of taint-style vulnerabilities and used
c. Produces remediation recommendations that for detecting types of vulnerability such as SQL injection,
are generic and based on tool output cross-site scripting, or command injection. Moreover they
presented the open source prototype implementation named
B. Penetration Testing pixy targeted at detecting cross-site scripting vulnerabilities in
A penetration testing assesses the security posture of a PHP scripts. Their tool discovered and reported 15 previously
system or network by performing attack. Penetration testing is unknown vulnerabilities in three web applications also
a proactive and systematic approach for security assessment, in reconstructed 36 known vulnerabilities.

Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:50:11 UTC from IEEE Xplore. Restrictions apply.
 IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)

In 2009, Adam Kiezun, Philip J. Juo, et al. [7] proposed an are reported by it on the Target. Moreover the tool also exploits
automatic technique for creating inputs/attack vectors that the identified SQLI vulnerable links and steals confidential
expose SQLI and XSS vulnerabilities from applications. Their data from Target. The generated report is sent via Email and all
technique produces sample inputs, make symbolical tracking of the traces of Scan are removed for ensuring the Confidentiality
taints through execution, and mutation of inputs to create of the VAPT Report. It uses passive approach to detect service
concrete exploits. The proposed tool creates attack vectors, and vulnerabilities with the help of National Vulnerability Database
has some false positives. It works without modification of (NVD) and active approach to detect application vulnerabilities
code. It is a white box testing tool and requires source code of by performing Blind SQL injection, Error-Based SQL
application. It generates a set of concrete inputs, does injection.
execution of the program under test with each input, and In 2014, Geogiana Buja, Dr. Kamarularifin Bin, Abd Jalil,
dynamically observes data flows. et al. [10] proposed a detection model for detecting and
In 2010, Jan-Min Chen and Chia-Lun Wu [12] proposed recognizing SQL Injection vulnerability based on the defined
an automated vulnerability scanner which detects injection and identified criteria and generate a report concerning the
attack vulnerabilities based on injection points. This tool uses vulnerability level of the web application. This model relies on
black box testing for analysis of potential vulnerabilities Boyer Moore string matching algorithm in which every string
present in the web applications. It consists of two major or input files are scanned for the defined attributes of the SQL
components Spider and Scanner. The spider crawls the website Injection Pattern of attack.
and finds the injections points whereas scanner performs In 2014, Rocha, T.S., Souto, et al. [14] developed a tool
injection test and response analysis. And for verification they ETSS Detector, which automatically analyses web applications
used National Vulnerability Database (NVD). to find XSS vulnerabilities. It is generic and modular
In 2010, Jason Bau, Elie Bursztein, et al. [11] reported a vulnerability scanner that automatically analyses web
study of current automated black box vulnerability scanners applications by the information contained on web applications
with the aim of providing the background required to figure out to detect vulnerabilities. ETSS Detector identifies and analyses
and determine the potential value of future research in this all data entry points of the application and generates the code
space. This includes vulnerabilities to be tested by the injection tests. ETSS Detector is constructed on techniques that
scanners, and discusses about coverage of scanner tests, and enable the proper filling of form fields with valid data
their effectiveness to find vulnerabilities. Conjointly their study permitting the pages to be successfully submitted.
shows that XSS, SQLi, info disclosure are prevailing In 2014, Gupta, M.K.; Govil, M.C., et al. [15] proposed a
vulnerabilities. classification of software security approaches which will be
In 2012, Singh, Tejinder [16] have served the technique useful to develop secure software in various phase of software
which is being used to detect XSS and listed number of development life cycle. They have presented a survey of static
analyses to evaluate performances of these XSS detection analysis based approaches for detection of SQL Injection
techniques. They studied the Cross-site scripting attack (SQLi) and cross-site scripting XSS vulnerabilities in source
mechanism in detail along with the defence approaches as code of web applications. Their aim of behind these
Content Filtering and Browser Collaboration. They proposed approaches is identification of the weaknesses in source code
two prevention methods as to restrict the valid input to be free before it exploit in actual environment. Their study will be
from the characters that have special meaning under HTML helpful to note down future direction for securing legacy web
specification and second one as if it is not possible to restrict applications in early phases of software development life cycle.
the content of the input, the another method is to encode/escape
the user input on output. V. CONCLUSION
In 2013, Michelle E Ruse and Samik Basu [13] proposed a Threats to integrity and confidentiality of information and
two-phase technique for detection of XSS vulnerability and resources are increased. To stay protected, organizations
prevention of XSS attack which relies on translation of web perform VAPT to check the security posture of the system. As
applications. In first phase, they translated the web application we have gone through the literature survey about VAPT
code is done to a language where recently developed concolic methods, it is found that there are various tools available for
testing tools were available for that language. In the second performing VAPT. Attackers finding new ways to bypass
phase, they appropriately instrument the application code by security mechanisms so new vulnerabilities are evolving which
including monitors based on I/O dependencies captured from need to be addressed. Therefore existing tools needs to be
first phase. Exploitation of vulnerabilities is checked by added with mechanisms to identify and assess the newly
monitors at runtime. This prototype implementation identifies evolved vulnerabilities. This issue can be addressed by making
XSS vulnerabilities and its exploitation. tools so flexible that new attack signatures can be added for
In 2014, Sugandh Shah, B. M. Mhetre [1] proposed an types of vulnerabilities.
automated VAPT Testing Tool named NetNirikshak 1.0 which To make VAPT results meaningful it must prioritize and
is helpful to assess Services and analyses Security Posture. It explain vulnerabilities with CVE numbers which can be bought
finds out the vulnerabilities based on the Services running and from industry standard references like national vulnerability
applications on the target system. It also detects the SQL database (NVD), common vulnerability scoring system
Injection vulnerabilities and all the Identified vulnerable links (CVSS), open source vulnerability database (OSVDB) etc.

Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:50:11 UTC from IEEE Xplore. Restrictions apply.
 IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)

Also these results can provide possible remediation suggestions [10] Buja, G.; Bin Abd Jalil, K.; Bt Hj Mohd Ali, F.; Rahman,
for identified vulnerabilities. T.F.A., "Detection model for SQL injection attack: An
approach for preventing a web application from the SQL
REFERENCES injection attack," in Computer Applications and Industrial
[1] Shah. Sugandh. and B.M. Mehtre. "A Modern Approch to Electronics (ISCAIE), 2014 IEEE Symposium on , vol.,
CyberSecurity Analysis Using Vulnerability Assessment no., pp.60-64, 7-8 April 2014 doi:
and Penetration Testing" NCRTCST - 2013, Nov. 2013, 10.1109/ISCAIE.2014.7010210
Hyderabad (A.P), India. [11] Bau, J.; Bursztein, E.; Gupta, D.; Mitchell, J., "State of
[2] Shah, Sugandh, and B. M. Mehtre."A Reliable Strategy the Art: Automated Black-Box Web Application
for Proactive Self-Defence in Cyber Space using V APT Vulnerability Testing," in Security and Privacy (SP), 2010
Tools and Techniques", "School of Computer and IEEE Symposium on , vol., no., pp.332-345, 16-19 May
Information Sciences, University of Hyderabad, 2010 doi: 10.1109/SP.2010.27
Hyderabad, India." Computational Intelligence and [12] Jan-Min Chen; Chia-Lun Wu, "An automated
Computing Research (ICCIC), 2013 IEEE International vulnerability scanner for injection attack based on
Conference on. injection point," in Computer Symposium (ICS), 2010
[3] Shah, S.; Mehtre, B.M., "An automated approach to International , vol., no., pp.113-118, 16-18 Dec. 2010 doi:
Vulnerability Assessment and Penetration Testing using 10.1109/COMPSYM.2010.5685537
Net-Nirikshak 1.0," in Advanced Communication [13] Ruse, M.E.; Basu, S., "Detecting Cross-Site Scripting
Control and Computing Technologies (ICACCCT), 2014 Vulnerability Using Concolic Testing," in Information
International Conference on , vol., no., pp.707-712, 8-10 Technology: New Generations (ITNG), 2013 Tenth
May 2014 doi: 10.1109/ICACCCT.2014.7019182 International Conference on , vol., no., pp.633-638, 15-17
[4] Kranthi Kumar, K. Srinivasa Rao,” A Latest Approach to April 2013 doi: 10.1109/ITNG.2013.97
Cyber Security Analysis using Vulnerability Assessment [14] Rocha, T.S.; Souto, E., "ETSSDetector: A Tool to
and Penetration Testing”, International Journal of Automatically Detect Cross-Site Scripting
Emerging Research in Management &Technology ISSN: Vulnerabilities," in Network Computing and Applications
2278-9359 (Volume-3, Issue-4 (NCA), 2014 IEEE 13th International Symposium on ,
[5] Urmi Chhajed, Ajay Kumar, “A Critical Review on vol., no., pp.306-309, 21-23 Aug. 2014 doi:
Detecting Cross-Site Scripting Vulnerability”, ISSN: 10.1109/NCA.2014.53
2319-8753 International Journal of Innovative Research [15] Gupta, M.K.; Govil, M.C.; Singh, G., "Static analysis
in Science, Engineering and Technology ,Vol 3, Issue $, approaches to detect SQL injection and cross site
April 2014 scripting vulnerabilities in web applications: A survey," in
[6] Owasp.org, "OWASP", 2016. [Online]. Available: Recent Advances and Innovations in Engineering
https://www.owasp.org/index.php/Main_Page. [Accessed: (ICRAIE), 2014 , vol., no., pp.1-5, 9-11 May 2014 doi:
15- Feb- 2016]. 10.1109/ICRAIE.2014.6909173
[7] Kieyzun, A.; Guo, P.J.; Jayaraman, K.; Ernst, M.D., [16] Singh, Tejinder. "Detecting and Prevention Cross–Site
"Automatic creation of SQL Injection and cross-site Scripting Techniques." IOSR Journal of Engineering 2.4
scripting attacks," Software Engineering, 2009. ICSE (2012): 854-857.
2009. IEEE 31st International Conference on , vol., no., [17] Jovanovic, N.; Kruegel, C.; Kirda, E., "Pixy: a static
pp.199,209, 16-24 May 2009 doi: analysis tool for detecting Web application
10.1109/ICSE.2009.5070521 vulnerabilities," in Security and Privacy, 2006 IEEE
[8] Sushilkumar Yadav et al, / “Survey: Secured Techniques Symposium on , vol., no., pp.6 pp.-263, 21-24 May 2006
for Vulnerability Assessment and Penetration Testing,” doi: 10.1109/SP.2006.29
(IJCSIT) International Journal of Computer Science and [18] Cwe.mitre.org, "CWE -CWE List Version 2.9", 2016.
Information Technologies, Vol. 5 (4), 2014, 5132-5135. [Online]. Available:
[9] Yusof, I.; Pathan, A.-S.K., "Preventing persistent Cross- https://cwe.mitre.org/data/index.html. [Accessed: 15-
Site Scripting (XSS) attack by applying pattern filtering Feb- 2016].
approach," Information and Communication Technology [19] F. Glynn, "Common Web Application Vulnerabilities",
for The Muslim World (ICT4M), 2014 The 5th Veracode, 2014. [Online]. Available:
International Conference on , vol., no., pp.1,6, 17-18 Nov. http://www.veracode.co.uk/security/web-application-
2014 doi: 10.1109/ICT4M.2014.7020628 vulnerabilities. [Accessed: 15- Feb- 2016].

Authorized licensed use limited to: Mukesh Patel School of Technology & Engineering. Downloaded on March 18,2024 at 09:50:11 UTC from IEEE Xplore. Restrictions apply.