Design and Development of an Automatic Penetration Test Generation Methodology for Security of Web Applications

Abstract

In today's world, web application security is becoming more crucial. Web applications frequently hold sensitive data, which might be compromised if it were to fall into the hands of a hostile attacker. This leads to significant losses for businesses and customers alike and exposes the qualities of confidentiality, integrity, and availability. A penetration test is an attempt to exploit vulnerabilities in an IT infrastructure with the goal of evaluating its security. Existing methodologies do not have a systematic basis to represent information gathered hence creating automatic attack generation difficult. The proposed model-based penetration test framework provides a repeatable, systematic approach for conducting penetration tests based on appropriate models of the behavior of the web application. It incorporates a novel approach for model-built security tests along the two scopes of vulnerability coverage criteria and automated attack generation from vulnerability mapping and abstract behavior of web applications. The algorithms are proposed for both manual and automatically driven penetration tests from the state models. The proposed approach is illustrated on a web app location within the banking sector exploiting input validation vulnerabilities.