IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
Cyber Security Analysis using Vulnerability
Assessment and Penetration Testing
Prashant S. Shinde
Department of Computer Technology,
Yeshwantrao Chavan College of Engineering,
Nagpur, Maharashtra, India
prashant.ss21@gmail.com
Abstract— In last twenty years, use of internet applications,
web hacking activities have exaggerated speedily. Organizations
facing very significant challenges in securing their web
applications from rising cyber threats, as compromise with the
protection issues don't seem to be reasonable. Vulnerability
Assessment and Penetration Testing (VAPT) techniques help
them to go looking out security loopholes. These security
loopholes could also be utilized by attackers to launch attacks on
technical assets. Thus it is necessary ascertain these
vulnerabilities and install security patches. VAPT helps
organization to determine whether their security arrangements
are working properly. This paper aims to elucidate overview and
various techniques used in vulnerability assessment and
penetration testing (VAPT). Also focuses on making cyber
security awareness and its importance at various level of an
organization for adoption of required up to date security
measures by the organization to stay protected from various
cyber- attacks.
Index Terms— Cross-Site Scripting (XSS), Cyber Security, Sql
Injection (SQLi), Vulnerability Assessment and Penetration
Testing (VAPT).
I. INTRODUCTION
With the magnified use of web and on-line resources in last
twenty years, the threat to integrity and confidentiality to
information and resources has together been exaggerated. Each
day cases of Hacking and Exploitation are being discovered.
Therefore finding Vulnerabilities and install security patches
has been major considerations of each internet facing
organization [11].
Vulnerability Assessment and Penetration Testing (VAPT)
helps to assess the effectiveness and ineffectiveness of the
security arrangements of web application to stay protected
against the rising Cyber threats. The projected work helps to
develop a versatile mechanism which is able to find
vulnerabilities from internet applications.
So, Identification of Vulnerabilities and remedy of a similar
has become one among the prime issues for organizations.
With the growing inter-connectivity of systems and
advancement in Cyber Services, the extent of Cyber Attacks
has conjointly exaggerated. Thus so as to stay immune and for
threat minimization, Vulnerability Assessment and Penetration
Testing (VAPT) is conducted by the organizations on regular
basis.
978-1-4673-9214-3/16/$31.00 © 2016 IEEE
Prof. Shrikant B. Ardhapurkar
Department of Computer Technology,
Yeshwantrao Chavan College of Engineering,
Nagpur, Maharashtra, India
shrikant.999@gmail.com
The two types of vulnerability testing are Vulnerability
Assessment and Penetration Testing (VAPT) which can often
be combined for achieving better vulnerability analysis results.
So VA and PT are nothing but two different tasks giving
different results but within the same workspace.
We have Vulnerability assessment tools for discovering
vulnerabilities, whereas no differentiation found between types
of flaws that cause damage on exploitation and those that do
not do so. There are Vulnerability scanners which generates
alert for companies about pre-existence of any flaws in code as
well as location of flaws. Penetration tests are performed to
exploit the vulnerabilities in a system to get any way of
unauthorized access or possibility of any malicious activity and
used in identification of flaws posing threat to the application.
These tests find out exploitable flaws and measure their
severity. These are also helpful for showing the amount of
damage it could cause during the real attack. Thus, combined
package of penetration testing and vulnerability assessment
tools gives a detailed view of existing flaws along with the risk
associated with it [19].
In this paper, literature survey has been presented over
various VAPT mechanisms proposed by various researchers.
This paper is organized as follows. Section II presents types of
vulnerabilities corresponding to attack types. Section III
presents overview of VAPT. Then, in Section IV literature
survey is highlighted followed by the conclusion in section V.
II. TYPES OF VULNERABILITIES
Vulnerabilities are system flaws or weaknesses that may
lead to security breach. Once an attacker has found a flaw, or
application vulnerability, and determined a way to access it, the
attacker has the potential to take advantage of the application
vulnerability. Thus threat to the confidentiality, integrity, or
availability of resources possessed by an application is
increased. Attackers typically rely on specific tools or
strategies identify application vulnerabilities and compromise
the application.
Table 1 shows the OWASP Top 10 vulnerability list with
common weakness enumeration (CWE) associated [18]. This
list is maintained by the OWASP Foundation. And the
Vulnerabilities in this list are primarily related to Web
Application Security.
IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
Vulnerability CWE Rank B. Sql Injection (SQLi)
Injection CWE-929 A1
SQL injection is a kind of technique where users can inject
Broken Authentication and Session CWE-930 A2
Management SQL commands through input of a web page in an SQL
statement. An injected SQL command alters SQL statement
Cross Site Scripting (XSS) CWE-931 A3
Insecure Direct Object Reference CWE-932 A4
and compromises the security of a web application [1]. SQL
Security Misconfiguration CWE-933 A5
Injection is a code injection method, used to attack data-driven
Sensitive Data Exposure CWE-934 A6 applications, in which SQL statements are inserted into an
Missing Function Level Access Control CWE-935 A7 entry field. SQL Injection exploits the security vulnerability in
Cross Site Request Forgery CWE-936 A8 an application's software. With SQL injection exploitation
Using Component with known CWE-937 A9 attacker can read sensitive data, modify data, execute
Vulnerability administration operations on the database, recover the content
Unvalidated Redirects and Forwards CWE-938 A10 of files present on the DBMS file system [6] etc.
Table.1 OWASP TOP 10 2013 C. Directory Traversal
As described in OWASP TOP 10-2013 Injection Directory Traversal is an input manipulation attack
vulnerabilities and Cross-site scripting attack vulnerabilities vulnerability which uses directory traversal sequences to
are on top of the list [6]. access or manipulate arbitrary files and resources on the web
server [18]. A directory traversal vulnerability occurs due to
A. Cross-site Scripting(XSS) insufficient filtering/validation of browser inputs from users.
Cross site Scripting or XSS vulnerabilities are rumoured These vulnerabilities can be located in web server
and exploited since Nineties. XSS got listed top 3rd software/files or in application code that is executed on the
Vulnerability in the OWASP TOP 10 2010 and 2013 web server.
application Vulnerabilities list. Cross-site scripting (XSS) is a
D. File Inclusion
kind of security vulnerability found in web application in
which the attacker can inject client side scripts into web pages File inclusion allows an attacker to include a file, usually
which are viewed by other users. The injected code is through a script on the web server. This vulnerability occurs
executed at client side. due to the use of unvalidated user-supplied input. This can
A cross site scripting vulnerabilities are often employed by lead to code execution on the web server and client-side,
the attacker to bypass the Same Origin Policy (SOP). Denial of service (DoS), Data theft/manipulation.
Attacker can use vulnerabilities to steal the Identity and
E. Failure to Restrict URL Access:
Confidential Data, Bypass restrictions in websites, Session
Hijack, launch malware Attack, Website Defacement and Using this vulnerability an attacker can bypass website
Denial of Service attacks (DoS), etc. security by accessing files directly instead of following links.
According to persistence capability, there are two types of This allows attacker to access data source files directly instead
XSS attacks: of using the web application. It is one of the common
vulnerabilities listed on the Open Web Application Security
1) Persistent XSS: The Persistent or stored XSS attack Project’s (OWASP) Top 10.
happens when the malicious code submitted by attacker is
saved by the server within the database, in a message forum, III. OVERVIEW OF VAPT
visitor log, comment field, etc. So a victim is able to retrieve Vulnerabilities are system flaws, bugs, misconfiguration
the stored data from the web application without that that make it vulnerable to the attacks. Assessing of these
information being made safe to render within the browser [6]. system vulnerabilities enable us to identify and install security
2) Non- Persistent XSS: Reflected or Non-Persistent XSS patches, so as to defend the system from the risk of being
attack happens when user input is instantly returned by a web damaged.
application in a form of an error message, search result, or any VAPT methodology is conducted in two major
other response that has some or all of the input provided by components. The first half deals with the Analysis and
the user as a part of the request, without that data being made Discovery of existing Vulnerabilities. The second half deals
safe for rendering it into the browser, and permanently storing with the Exploitation of the detected set of Vulnerabilities, to
the user provided information [6]. evaluate their Severity and Impact over the Target system.
Vulnerability assessment is a passive approach whereas
This vulnerability frequently occurs in search fields. In case
penetration testing is an active approach where security
of Non-Persistent XSS attacks, attacker sends the specially-
professionals simulate attack and test the target web site and
crafted url to target victims and trick them into click the link.
its tolerance power against attacks.
When user clicks on the link, the browser will send the
injected code to the server, then server reflects the attack back
to the victim’s browser and the code is executed by the
browser.
IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
Fig. 1 VAPT Process
A. Vulnerability Assessment
In this part the VAPT tester aims at finding crucial
information about the test target and scanning the target to
find the vulnerabilities [10]. Vulnerability is a flaw in a
system. Reasons for vulnerability existence are weak
password, coding, input validation or misconfiguration etc.
The attacker first identifies vulnerabilities and makes use of it
for malicious purposes.
Vulnerability assessment is strategy which follows
systematic and proactive approach to discover vulnerability. It
is practiced to discover known and unknown problems in the
system. Industry standard like DSS PCI also require this from
a compliance point of view.
Vulnerability assessment can be achieved with the help of
scanners. It is a hybrid solution consisting of automated testing
and expert analysis.
1. Advantages of VA:
a. Used for enabling automation of thousands of
security checks
b. Helpful in integrating the organization’s
threat and vulnerability management
program.
c. Serves as a useful layer-one remediation test
and can be done with easily available tools
2. Disadvantages of VA:
a. Generates an incoherent and overwhelming
amount of data along with some false-positive
results
b. Fails to identify logical attack vectors such as
application logic flaws and password reuse
c. Produces remediation recommendations that
are generic and based on tool output
B. Penetration Testing
A penetration testing assesses the security posture of a
system or network by performing attack. Penetration testing is
a proactive and systematic approach for security assessment, in
this part the VAPT tester tries to exploit the identified set of
vulnerabilities in the same manner as an attacker would do
[10]. The aim of the tester behind doing this is to check the
difficulty level of exploiting the vulnerability and its impact on
the concerned Information system. The VAPT tester performs
all these operations in a very controlled and supervised manner,
so that it does not affect the functioning of other parts of the
system.
1. Advantages of PT:
a. Mitigating controls are taken into account
b. Enables the chaining together of
vulnerabilities to understand the full impact of
all discovered issues
c. Removes false-positives from all layers of the
security model
2. Disadvantages of PT:
a. Requires comparatively more time and effort
than a vulnerability assessment
b. Usually requires hiring an outside firm for
pen testing
c. Every test does not guarantee to identify a
vulnerability
d. A penetration test is unlikely to provide
information about new vulnerabilities
C. Features and Benefits of VAPT:
Vulnerability Assessment and Penetration Testing together
gives more comprehensive application evaluation along with
detailed view of threats in an application to mitigate critical
vulnerabilities.
Periodic VAPT test helps the organization to remain
assured about the security of their business and its operations.
VAPT helps organization in preventing financial losses,
preserving Corporate Image and rationalizing Information
Security investments.
Proactively implementing VAPT tests identify and address
security risks preventing unauthorized access, data corruption
or financial loss.
VAPT avoid network downtime cause by breach along with
discovering methods used by hackers to compromise the
network [18].
IV. LITERATURE SURVEY
In 2006, Jovanovic N., Kruegel C., et al. [17] have
proposed a system to discover vulnerable points in a web
application program by using context sensitive, flow sensitive
and inter procedural data flow analysis i.e. static source code
analysis. They have employed alias and literal analysis for
improving the integrity of precision of the result. Their system
targeted at general class of taint-style vulnerabilities and used
for detecting types of vulnerability such as SQL injection,
cross-site scripting, or command injection. Moreover they
presented the open source prototype implementation named
pixy targeted at detecting cross-site scripting vulnerabilities in
PHP scripts. Their tool discovered and reported 15 previously
unknown vulnerabilities in three web applications also
reconstructed 36 known vulnerabilities.
IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
In 2009, Adam Kiezun, Philip J. Juo, et al. [7] proposed an
automatic technique for creating inputs/attack vectors that
expose SQLI and XSS vulnerabilities from applications. Their
technique produces sample inputs, make symbolical tracking of
taints through execution, and mutation of inputs to create
concrete exploits. The proposed tool creates attack vectors, and
has some false positives. It works without modification of
code. It is a white box testing tool and requires source code of
application. It generates a set of concrete inputs, does
execution of the program under test with each input, and
dynamically observes data flows.
In 2010, Jan-Min Chen and Chia-Lun Wu [12] proposed
an automated vulnerability scanner which detects injection
attack vulnerabilities based on injection points. This tool uses
black box testing for analysis of potential vulnerabilities
present in the web applications. It consists of two major
components Spider and Scanner. The spider crawls the website
and finds the injections points whereas scanner performs
injection test and response analysis. And for verification they
used National Vulnerability Database (NVD).
In 2010, Jason Bau, Elie Bursztein, et al. [11] reported a
study of current automated black box vulnerability scanners
with the aim of providing the background required to figure out
and determine the potential value of future research in this
space. This includes vulnerabilities to be tested by the
scanners, and discusses about coverage of scanner tests, and
their effectiveness to find vulnerabilities. Conjointly their study
shows that XSS, SQLi, info disclosure are prevailing
vulnerabilities.
In 2012, Singh, Tejinder [16] have served the technique
which is being used to detect XSS and listed number of
analyses to evaluate performances of these XSS detection
techniques. They studied the Cross-site scripting attack
mechanism in detail along with the defence approaches as
Content Filtering and Browser Collaboration. They proposed
two prevention methods as to restrict the valid input to be free
from the characters that have special meaning under HTML
specification and second one as if it is not possible to restrict
the content of the input, the another method is to encode/escape
the user input on output.
In 2013, Michelle E Ruse and Samik Basu [13] proposed a
two-phase technique for detection of XSS vulnerability and
prevention of XSS attack which relies on translation of web
applications. In first phase, they translated the web application
code is done to a language where recently developed concolic
testing tools were available for that language. In the second
phase, they appropriately instrument the application code by
including monitors based on I/O dependencies captured from
first phase. Exploitation of vulnerabilities is checked by
monitors at runtime. This prototype implementation identifies
XSS vulnerabilities and its exploitation.
In 2014, Sugandh Shah, B. M. Mhetre [1] proposed an
automated VAPT Testing Tool named NetNirikshak 1.0 which
is helpful to assess Services and analyses Security Posture. It
finds out the vulnerabilities based on the Services running and
applications on the target system. It also detects the SQL
Injection vulnerabilities and all the Identified vulnerable links
are reported by it on the Target. Moreover the tool also exploits
the identified SQLI vulnerable links and steals confidential
data from Target. The generated report is sent via Email and all
the traces of Scan are removed for ensuring the Confidentiality
of the VAPT Report. It uses passive approach to detect service
vulnerabilities with the help of National Vulnerability Database
(NVD) and active approach to detect application vulnerabilities
by performing Blind SQL injection, Error-Based SQL
injection.
In 2014, Geogiana Buja, Dr. Kamarularifin Bin, Abd Jalil,
et al. [10] proposed a detection model for detecting and
recognizing SQL Injection vulnerability based on the defined
and identified criteria and generate a report concerning the
vulnerability level of the web application. This model relies on
Boyer Moore string matching algorithm in which every string
or input files are scanned for the defined attributes of the SQL
Injection Pattern of attack.
In 2014, Rocha, T.S., Souto, et al. [14] developed a tool
ETSS Detector, which automatically analyses web applications
to find XSS vulnerabilities. It is generic and modular
vulnerability scanner that automatically analyses web
applications by the information contained on web applications
to detect vulnerabilities. ETSS Detector identifies and analyses
all data entry points of the application and generates the code
injection tests. ETSS Detector is constructed on techniques that
enable the proper filling of form fields with valid data
permitting the pages to be successfully submitted.
In 2014, Gupta, M.K.; Govil, M.C., et al. [15] proposed a
classification of software security approaches which will be
useful to develop secure software in various phase of software
development life cycle. They have presented a survey of static
analysis based approaches for detection of SQL Injection
(SQLi) and cross-site scripting XSS vulnerabilities in source
code of web applications. Their aim of behind these
approaches is identification of the weaknesses in source code
before it exploit in actual environment. Their study will be
helpful to note down future direction for securing legacy web
applications in early phases of software development life cycle.
V. CONCLUSION
Threats to integrity and confidentiality of information and
resources are increased. To stay protected, organizations
perform VAPT to check the security posture of the system. As
we have gone through the literature survey about VAPT
methods, it is found that there are various tools available for
performing VAPT. Attackers finding new ways to bypass
security mechanisms so new vulnerabilities are evolving which
need to be addressed. Therefore existing tools needs to be
added with mechanisms to identify and assess the newly
evolved vulnerabilities. This issue can be addressed by making
tools so flexible that new attack signatures can be added for
types of vulnerabilities.
To make VAPT results meaningful it must prioritize and
explain vulnerabilities with CVE numbers which can be bought
from industry standard references like national vulnerability
database (NVD), common vulnerability scoring system
(CVSS), open source vulnerability database (OSVDB) etc.
IEEE Sponsored World Conference on Futuristic Trends in Research and Innovation for Social Welfare (WCFTR’16)
Also these results can provide possible remediation suggestions
for identified vulnerabilities.
REFERENCES
[1] Shah. Sugandh. and B.M. Mehtre. "A Modern Approch to
CyberSecurity Analysis Using Vulnerability Assessment
and Penetration Testing" NCRTCST - 2013, Nov. 2013,
Hyderabad (A.P), India.
[2] Shah, Sugandh, and B. M. Mehtre."A Reliable Strategy
for Proactive Self-Defence in Cyber Space using V APT
Tools and Techniques", "School of Computer and
Information Sciences, University of Hyderabad,
Hyderabad, India." Computational Intelligence and
Computing Research (ICCIC), 2013 IEEE International
Conference on.
[3] Shah, S.; Mehtre, B.M., "An automated approach to
Vulnerability Assessment and Penetration Testing using
Net-Nirikshak 1.0," in Advanced Communication
Control and Computing Technologies (ICACCCT), 2014
International Conference on , vol., no., pp.707-712, 8-10
May 2014 doi: 10.1109/ICACCCT.2014.7019182
[4] Kranthi Kumar, K. Srinivasa Rao,” A Latest Approach to
Cyber Security Analysis using Vulnerability Assessment
and Penetration Testing”, International Journal of
Emerging Research in Management &Technology ISSN:
2278-9359 (Volume-3, Issue-4
[5] Urmi Chhajed, Ajay Kumar, “A Critical Review on
Detecting Cross-Site Scripting Vulnerability”, ISSN:
2319-8753 International Journal of Innovative Research
in Science, Engineering and Technology ,Vol 3, Issue $,
April 2014
[6] Owasp.org, "OWASP", 2016. [Online]. Available:
https://www.owasp.org/index.php/Main_Page. [Accessed:
15- Feb- 2016].
[7] Kieyzun, A.; Guo, P.J.; Jayaraman, K.; Ernst, M.D.,
"Automatic creation of SQL Injection and cross-site
scripting attacks," Software Engineering, 2009. ICSE
2009. IEEE 31st International Conference on , vol., no.,
pp.199,209, 16-24 May 2009 doi:
10.1109/ICSE.2009.5070521
[8] Sushilkumar Yadav et al, / “Survey: Secured Techniques
for Vulnerability Assessment and Penetration Testing,”
(IJCSIT) International Journal of Computer Science and
Information Technologies, Vol. 5 (4), 2014, 5132-5135.
[9] Yusof, I.; Pathan, A.-S.K., "Preventing persistent Cross-
Site Scripting (XSS) attack by applying pattern filtering
approach," Information and Communication Technology
for The Muslim World (ICT4M), 2014 The 5th
International Conference on , vol., no., pp.1,6, 17-18 Nov.
2014 doi: 10.1109/ICT4M.2014.7020628
[10] Buja, G.; Bin Abd Jalil, K.; Bt Hj Mohd Ali, F.; Rahman,
T.F.A., "Detection model for SQL injection attack: An
approach for preventing a web application from the SQL
injection attack," in Computer Applications and Industrial
Electronics (ISCAIE), 2014 IEEE Symposium on , vol.,
no., pp.60-64, 7-8 April 2014 doi:
10.1109/ISCAIE.2014.7010210
[11] Bau, J.; Bursztein, E.; Gupta, D.; Mitchell, J., "State of
the Art: Automated Black-Box Web Application
Vulnerability Testing," in Security and Privacy (SP), 2010
IEEE Symposium on , vol., no., pp.332-345, 16-19 May
2010 doi: 10.1109/SP.2010.27
[12] Jan-Min Chen; Chia-Lun Wu, "An automated
vulnerability scanner for injection attack based on
injection point," in Computer Symposium (ICS), 2010
International , vol., no., pp.113-118, 16-18 Dec. 2010 doi:
10.1109/COMPSYM.2010.5685537
[13] Ruse, M.E.; Basu, S., "Detecting Cross-Site Scripting
Vulnerability Using Concolic Testing," in Information
Technology: New Generations (ITNG), 2013 Tenth
International Conference on , vol., no., pp.633-638, 15-17
April 2013 doi: 10.1109/ITNG.2013.97
[14] Rocha, T.S.; Souto, E., "ETSSDetector: A Tool to
Automatically Detect Cross-Site Scripting
Vulnerabilities," in Network Computing and Applications
(NCA), 2014 IEEE 13th International Symposium on ,
vol., no., pp.306-309, 21-23 Aug. 2014 doi:
10.1109/NCA.2014.53
[15] Gupta, M.K.; Govil, M.C.; Singh, G., "Static analysis
approaches to detect SQL injection and cross site
scripting vulnerabilities in web applications: A survey," in
Recent Advances and Innovations in Engineering
(ICRAIE), 2014 , vol., no., pp.1-5, 9-11 May 2014 doi:
10.1109/ICRAIE.2014.6909173
[16] Singh, Tejinder. "Detecting and Prevention Cross–Site
Scripting Techniques." IOSR Journal of Engineering 2.4
(2012): 854-857.
[17] Jovanovic, N.; Kruegel, C.; Kirda, E., "Pixy: a static
analysis tool for detecting Web application
vulnerabilities," in Security and Privacy, 2006 IEEE
Symposium on , vol., no., pp.6 pp.-263, 21-24 May 2006
doi: 10.1109/SP.2006.29
[18] Cwe.mitre.org, "CWE -CWE List Version 2.9", 2016.
[Online]. Available:
https://cwe.mitre.org/data/index.html. [Accessed: 15-
Feb- 2016].
[19] F. Glynn, "Common Web Application Vulnerabilities",
Veracode, 2014. [Online]. Available:
http://www.veracode.co.uk/security/web-application-
vulnerabilities. [Accessed: 15- Feb- 2016].