Penetration tests for computer security to the web server using owasp methodology for the detection of vulnerabilities in the cybersecurity laboratory at the Universidad Politécnica Estatal del Carchi
DOI:
https://doi.org/10.32645/13906925.1138Keywords:
vulnerability, security, web server, web sites, OwaspAbstract
This research called “Penetration tests for computer security to the web server of the cybersecurity laboratory at the Carchi State Polytechnic University” delved into the study of the vulnerabilities present in web servers and their relationship with security processes, the objective The main part of the project was to diagnose existing vulnerabilities in web servers such as SQL injections, XXS Cross Site Script, brute force attacks, among others. Through pentest tools, the risks and threats present were made known, to fulfill this goal a qualitative approach was proposed in conjunction with field and documentary research that allowed data to be collected through the technique of an interview with the laboratory coordinator cybersecurity, resulting in detailed information on security processes and the most common problems that occur on web servers.
From the results obtained, several tests were established using a methodology to develop the processes, the Owasp and Owasp Zap methodology were the main tools to find threat alerts, as well as the execution of processes such as: information collection, use of engines search to verify analysis, enumeration of the server applications, review of comments towards the website to verify the presence of vulnerable information, identification of entry points, alerts and analysis of the application architecture, configuration management test and development, configuration and infrastructure test, file extension test, http method test, strict Hsts security test, input validation test, among others. As well as the use of Kali Linux as an operating system that allowed the use of pentest techniques and security corrections to the server. On the other hand, a comparison of the web servers was established with a value reached of 80% for Apache and 30% for Microsoft IIS, as well as a final comparison of the vulnerabilities of 5.33% for management, configuration and development, 8% handling of identity and http method, 7% brute force and Cross Site Scripting, 5% SQL injection and DoS and finally 4.67% Owasp Zap / directories. The use of these techniques combined with the management of the phases of the Owasp methodology allowed to organize, guide quickly and reliably basic techniques to protect against common and important threats, obtaining as a reference the generated documentation that can be reusable for future projects or in implementation work.
References
Briones, G., y Hernández, E. (2018). Auditoría de Seguridad del Servidor Web de la Empresa Publinext S.A. Utilizando Mecanismos Basados en OWASP (tesis de grado). Universidad de Guayaquil. Ecuador http://repositorio.ug.edu.ec/bitstream/redug/26837/1b-cint-ptg-.249%20briones%20pincay%20gerson
Hidalgo, J. (2015) Diseño de una red Wi-Fi para proporcionar servicios de una ciudad digital para Tulcán (Tesis de grado). Pontificia Universidad Católica del Ecuador, Quito. Ecuador http://repositorio.puce.edu.ec/handle/22000/7661
Pérez, C., y Quiñones, J. (2017). Uso de herramientas de pentesting para el análisis de vulnerabilidades en las comunicaciones móviles de las operadoras ubicadas en la ciudad de Guayaquil (Tesis de grado). Universidad de Guayaquil. Ecuador http://repositorio.ug.edu.ec/bitstream/redug/22444/1/B-CINT-PTG-.190.p%c3%a9rez%20falcon%c3%ad%20carolina%20victoria.qui%c3%b1ones%20mo nta%c3%b1o%20jairo%20alexander.pdf
Consultores en Seguridad de la Información. (2016). Seguridad Informática vs Seguridad de la Información. Recuperado el 03 de marzo de 2017, de https://www.maestrodelacomputacion.net/seguridad-informatica-seguridad-de-la-informacion/
Gonzalez, J. (2011). ¿Seguridad Informática o Seguridad de la Información? Recuperado el 02 de febrero de 2016, de http://www.seguridadparatodos.es/2011/10/seguridad-informatica-oseguridad-de-la.html
ISOTools Excellence. (2017) ¿Seguridad informática o seguridad de la información? Recuperado el 05 de marzo de 2017, de http://www.pmg-ssi.com/2017/01/seguridad-de-la-informacion/
Rojas Valduciel, H. (2016). Seguridad de la Información, Seguridad Informática y Ciberseguridad: ¿Son sinónimos? Recuperado el 20 de febrero de 2017, de https://infobyteabyte.wordpress.com/2016/04/20/seguridad-de-la-informacion-seguridadinformatica-y-ciberseguridad-son-sinonimos
Downloads
Published
Issue
Section
License
Copyright (c) 2022 Álvaro Steebe Castillo Enríquez, Jairo Vladimir Hidalgo Guijarro, Carlitos Alberto Guano Cárdenas
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
El autor mantiene los derechos morales e intelectuales de su obra, autorizando a la editorial de la revista Sathiri la difusión y divulgación de su contenido con fines estrictamente académicos y de investigación, sin fines de lucro. Así mismo, se autoriza que la obra sea descargada y compartida con otras personas, siempre y cuando no sea alterada y se reconozca su autoria.
