A methodology for automated penetration testing of cloud applications

Casola, Valentina; Benedictis, Alessandra De; Rak, Massimiliano; Villano, Umberto

doi:10.1504/ijguc.2020.105541

Cited by 13 publications

(5 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kamongi et al [9] offer a vulnerability assessment framework that uses an ontology to create a knowledge base populated with a wide range of vulnerabilities, e.g., Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), Common Vulnerability Scoring System (CVSS), stored in the National Vulnerability Database (NVD). To obtain a preliminary evaluation of the security level provided by cloud applications, Casola et al [14] propose a methodology that takes into account the architecture of the applications and their potential security issues, such as threats, attacks, vulnerabilities and weaknesses.…”

Section: A Vulnerability Assessmentmentioning

confidence: 99%

A Methodological Framework for AI-Assisted Security Assessments of Active Directory Environments

Nebbione

Calzarossa

2023

IEEE Access

View full text Add to dashboard Cite

The pervasiveness of complex technological infrastructures and services coupled with the continuously evolving threat landscape poses new sophisticated security risks. These risks are mostly associated with many diverse vulnerabilities related to software or hardware security flaws, misconfigurations and operational weaknesses. In this scenario, a timely assessment and mitigation of the security risks affecting technological environments are of paramount importance. To cope with these compelling issues, we propose an AI-assisted methodological framework aimed at evaluating whether the target environment is vulnerable or safe. The framework is based on the combined application of graph-based and machine learning techniques. More precisely, the components of the target together with their vulnerabilities are represented by graphs whose analysis identifies the attack paths associated with potential security threats. Machine learning techniques classify these paths and provide the security assessment of the target. The experimental evaluation of the proposed framework was performed on 220 artificially generated Active Directory environments, half of which injected with vulnerabilities. The results of the classification process were generally good. For example, the F1-score obtained by the Random Forest classifier for the assessment of vulnerable networks was equal to 0.91. These results suggest that our approach could be applied for automating the security assessment procedures of complex networked environments.

show abstract

Section: A Vulnerability Assessmentmentioning

confidence: 99%

A Methodological Framework for AI-Assisted Security Assessments of Active Directory Environments

Nebbione

Calzarossa

2023

IEEE Access

View full text Add to dashboard Cite

show abstract

“…While some automated tools are currently publicly available [35], numerous research efforts are poised to prospectively enhance future generations of testing automation tools. Automation techniques for testing Blockchain contracts [36], cloud applications [37,38], Internet of Things devices [39], WiFi networks [40], and web services [41][42][43][44] have been proposed, among others. Researchers have also developed vulnerability-specific testers, such as for SQL injection [45].…”

Section: Security Testing Automationmentioning

confidence: 99%

Distributed Attack Deployment Capability for Modern Automated Penetration Testing

et al. 2022

View full text Add to dashboard Cite

Cybersecurity is an ever-changing landscape. The threats of the future are hard to predict and even harder to prepare for. This paper presents work designed to prepare for the cybersecurity landscape of tomorrow by creating a key support capability for an autonomous cybersecurity testing system. This system is designed to test and prepare critical infrastructure for what the future of cyberattacks looks like. It proposes a new type of attack framework that provides precise and granular attack control and higher perception within a set of infected infrastructure. The proposed attack framework is intelligent, supports the fetching and execution of arbitrary attacks, and has a small memory and network footprint. This framework facilitates autonomous rapid penetration testing as well as the evaluation of where detection systems and procedures are underdeveloped and require further improvement in preparation for rapid autonomous cyber-attacks.

show abstract

“…The attack is carried out to test a web application's security to generate recommendations to reduce the risk. Penetration testing is typically a human-driven procedure that requires deep knowledge of the possible attacks to carry out and the hacking tools that can be used to launch the tests [3].…”

Section: Introductionmentioning

confidence: 99%

Web Application Penetration Testing Using SQL Injection Attack

Alanda

Satria

Ardhana

et al. 2021

JOIV : Int. J. Inform. Visualization

View full text Add to dashboard Cite

A web application is a very important requirement in the information and digitalization era. With the increasing use of the internet and the growing number of web applications, every web application requires an adequate security level to store information safely and avoid cyber attacks. Web applications go through rapid development phases with short turnaround times, challenging to eliminate vulnerabilities. The vulnerability on the web application can be analyzed using the penetration testing method. This research uses penetration testing with the black-box method to test web application security based on the list of most attacks on the Open Web Application Security Project (OWASP), namely SQL Injection. SQL injection allows attackers to obtain unrestricted access to the databases and potentially collecting sensitive information from databases. This research randomly tested several websites such as government, schools, and other commercial websites with several techniques of SQL injection attack. Testing was carried out on ten websites randomly by looking for gaps to test security using the SQL injection attack. The results of testing conducted 80% of the websites tested have a weakness against SQL injection attacks. Based on this research, SQL injection is still the most prevalent threat for web applications. Further research can explain detailed information about SQL injection with specific techniques and how to prevent this attack.

show abstract

A methodology for automated penetration testing of cloud applications

Cited by 13 publications

References 0 publications

A Methodological Framework for AI-Assisted Security Assessments of Active Directory Environments

A Methodological Framework for AI-Assisted Security Assessments of Active Directory Environments

Distributed Attack Deployment Capability for Modern Automated Penetration Testing

Web Application Penetration Testing Using SQL Injection Attack

Contact Info

Product

Resources

About