Web Security: Contemporary Issues of Penetration Testing

Posted: August 27th, 2021

Abstract

Several studies of security testing have been conducted over the past years in different environments, including networks, corporate environments, and security systems. A contemporary understanding of the tools and methods applied in security testing is therefore a critical step. Among the primary drivers of developments in security testing is the penetration test, or Pentest. This study aims to identify the contemporary issues in penetration testing, focusing on application scenarios, methodologies, tools, and models drawn from a variety of research works. Several studies were reviewed and analysed to help understand the developments in Pentest.

Keywords: Penetration test, security testing, contemporary issues

Introduction

Organizations and other entities continue to suffer from security risks that can lead to the loss of their sensitive data. Although these risks are evident, it is hard for affected entities to fully understand their actual complexity, which extends beyond communications structures over which they have little or no control (Man et al., 2020; Wang et al., 2020). The risk becomes even more serious for company applications that run on shared computing infrastructures, because uncontrolled risks there can expand into costly security attacks.

However, some measures are available to provide protection. These include prevention, detection, and appropriate responses. Prevention involves attempting to stop intruders from accessing the system or computer resources (Wang et al., 2020). This differs from detection, which is usually performed once it is concluded that an intruder is gaining or has already gained access to the system. Equally, response is the measure undertaken once the intruder’s action has succeeded, that is, once the first two measures have failed (Man et al., 2020). The response is meant to stop any further attack or damage to the target facility. Assessing security risks is a continuous process that helps establish the susceptibility of a system, and the subsequent discussion unveils various issues currently being experienced in Pentest.

Contemporary Issues in Penetration Testing

Frequent examination of a security state is always necessary and should be continuous to help understand any potential risks within a network. An examination of a network’s security state is usually done through a security test (Man et al., 2020; Wang et al., 2020). Hence, it is always appropriate to employ the right techniques for conducting such tests.

One particular technique is the Pentest, which is used to assess and reduce security risks on a network. It is a controlled attempt to penetrate a system in order to identify potential susceptibility (Wang et al., 2020). The technique applies the same strategies that hackers regularly use in executing an attack. It provides an alternative that enables appropriate security measures to be undertaken to eliminate potential risks before the system is explored by attackers. Such attacks typically aim at reading, damaging, or stealing information.

Types of Attacks

Some notable attack types include Denial of Service (DoS), where an attacker makes the website too busy to serve any requests made by the host computer. Another attack type is Remote to User (R2L), in which a remote machine sends packets to a machine over the network to exploit vulnerabilities (Wang et al., 2020). In this way, the remote machine attempts to access the network machine as a local user. A further attack is User to Root (U2R), where the attacker starts from a standard user account on the host system (Man et al., 2020) and exploits vulnerabilities of that system to gain root-level access. Lastly, there is the probing attack, where the attacker scans the computer network while gathering information or finding any available weaknesses. This information can then be utilized to exploit and attack host machines over the network.
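The four attack classes above are the categories a defender wants to recognise in telemetry. As an added example (not part of the original paper or of any cited study), the Python below runs simple detection rules over constructed log lines: a source touching many distinct ports is flagged as a probe, a source opening many connections to one host inside a short window as DoS, repeated failed remote logins from one source as R2L, and an effective-uid change to 0 through an unsanctioned path as U2R. The log format, the thresholds and the sample lines are all assumptions made for the illustration.

```python
"""Classify constructed network and host events into the four attack classes
(probe, DoS, R2L, U2R). Added example; log format, thresholds and samples are constructed."""
from collections import defaultdict, deque

# Constructed thresholds; a real deployment would tune these per environment.
PROBE_MIN_PORTS = 5            # distinct destination ports seen from one source
DOS_MIN_CONNECTIONS = 50       # connections from one source to one destination ...
DOS_WINDOW_SECONDS = 60        # ... within this sliding time window
R2L_MIN_FAILURES = 5           # failed remote logins from one source to one service
U2R_ALLOWED_PATHS = {"sudo", "su"}  # sanctioned ways of reaching uid 0

# Constructed log format (space separated), one event per line:
#   CONN <ts> <src> <dst> <dport> <outcome>     network connection record
#   AUTH <ts> <src> <service> <user> <result>   remote login attempt
#   PRIV <ts> <host> <user> <new_uid> <via>     effective-uid change on a host
SAMPLE_LOG = (
    # one source touching six distinct ports on one host: probe
    [f"CONN {100 + i} 10.0.0.5 10.0.0.10 {p} rejected"
     for i, p in enumerate([21, 22, 23, 25, 80, 443])]
    # one source opening 60 connections to one host within 60 seconds: DoS
    + [f"CONN {200 + i} 10.0.0.7 10.0.0.10 80 accepted" for i in range(60)]
    # a benign source with two connections: no finding
    + ["CONN 300 10.0.0.8 10.0.0.10 443 accepted",
       "CONN 301 10.0.0.8 10.0.0.10 443 accepted"]
    # five failed ssh logins from one remote source: R2L
    + [f"AUTH {400 + i} 10.0.0.9 ssh alice failure" for i in range(5)]
    # root via sudo (sanctioned) and root via a temp-dir binary (U2R)
    + ["PRIV 500 web01 bob 0 sudo", "PRIV 501 web01 carol 0 /tmp/helper"]
)


def parse(line):
    """Turn one log line into a dict; return None for lines in an unknown format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    kind = parts[0]
    if kind == "CONN":
        return {"kind": kind, "ts": int(parts[1]), "src": parts[2], "dst": parts[3],
                "dport": int(parts[4]), "outcome": parts[5]}
    if kind == "AUTH":
        return {"kind": kind, "ts": int(parts[1]), "src": parts[2], "service": parts[3],
                "user": parts[4], "result": parts[5]}
    if kind == "PRIV":
        return {"kind": kind, "ts": int(parts[1]), "host": parts[2], "user": parts[3],
                "new_uid": int(parts[4]), "via": parts[5]}
    return None


def classify(lines):
    """Return {"probe": [...], "dos": [...], "r2l": [...], "u2r": [...]}, one entry per finding."""
    findings = {"probe": [], "dos": [], "r2l": [], "u2r": []}
    ports_by_src = defaultdict(set)        # src -> distinct destination ports
    conn_times = defaultdict(deque)        # (src, dst) -> timestamps inside the window
    failures = defaultdict(int)            # (src, service) -> failed login count
    flagged = set()                        # avoid reporting the same finding twice
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "CONN":
            ports_by_src[ev["src"]].add(ev["dport"])
            if len(ports_by_src[ev["src"]]) >= PROBE_MIN_PORTS and ("probe", ev["src"]) not in flagged:
                flagged.add(("probe", ev["src"]))
                findings["probe"].append(ev["src"])
            key = (ev["src"], ev["dst"])
            window = conn_times[key]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > DOS_WINDOW_SECONDS:
                window.popleft()          # drop connections older than the window
            if len(window) >= DOS_MIN_CONNECTIONS and ("dos", key) not in flagged:
                flagged.add(("dos", key))
                findings["dos"].append(f"{key[0]}->{key[1]}")
        elif ev["kind"] == "AUTH" and ev["result"] == "failure":
            key = (ev["src"], ev["service"])
            failures[key] += 1
            if failures[key] >= R2L_MIN_FAILURES and ("r2l", key) not in flagged:
                flagged.add(("r2l", key))
                findings["r2l"].append(f"{key[0]}->{key[1]}")
        elif ev["kind"] == "PRIV" and ev["new_uid"] == 0 and ev["via"] not in U2R_ALLOWED_PATHS:
            findings["u2r"].append(f"{ev['host']}:{ev['user']} via {ev['via']}")
    return findings


if __name__ == "__main__":
    for category, items in classify(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

The rules are deliberately coarse: the probe rule counts distinct ports rather than scan timing, and the DoS rule is a per-source rate, so a distributed flood spread over many sources would need an aggregate rule per destination instead.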

Activities During Penetration Test

Some activities undertaken during the implementation of these attacks are similar to those of a Pentest. Mainly, a Pentest involves several activities such as gathering data from the network host system and identifying and exploiting existing vulnerabilities on the network, including the primary system and applications (Wang et al., 2020). The objective, however, is to understand how comprehensive an entity’s security is; the test basically evaluates the level of system security (Man et al., 2020). The strength of the Pentest determines how well the weaknesses or strengths of a system are revealed. Besides, a Pentest is not successful unless some issues are adequately covered, including the type of information being collected and the legal implications of the process. The technique is subsequently categorized from several perspectives, such as the information base, aggressiveness, scope, and technique, which addresses the methodologies and techniques used during penetration tests (Wang et al., 2020). Hence, these activities should be appropriately considered when deploying the technique.

Tools Used for Pentest

Analysis of the studies shows that there are over 43 tools used for Pentest. They are categorized by the services they provide, such as static analysis, which focuses mainly on analyzing security. Static analysis tools are essential because they are used to identify vulnerable code during the Pentest process (Man et al., 2020; Wang et al., 2020). The process is divided into three main phases, namely the pre-attack phase, the attack phase, and the post-attack phase, which are in turn based on five main steps: reconnaissance, scanning, gaining access, maintaining access, and covering tracks (Man et al., 2020). Another category of tools is general scanning to identify vulnerabilities. Likewise, there are tools for monitoring traffic or possible intrusion. Hence, the studies demonstrate the significant role of each tool as applied within different contexts of Pentest.

Target Scenarios of Pentest

According to the studies, the target scenarios for Pentest differ. They are categorized as web-based and system-based applications, desktop applications and software, web services, network games, operating systems, network penetration, and control systems, among others (Abdelnabi, Krombholz & Fritz, 2019). Therefore, the target scenarios vary across the studies, but the reviewed studies identified web-based applications, protocol contexts, and network devices as the most contemporary.

Pentest Models

The penetration test models established in the study are divided into categories and methodologies. Categories describe the nature of the knowledge available about the implementation of a security test, and a test is listed as black box, grey box, or white box (Abdelnabi, Krombholz & Fritz, 2019). Specifically, black box implies that there is no pre-existing knowledge about the attack environment. The studies acknowledge that most Pentests are black-box tests. This differs from white box, where the Pentest is based on prior knowledge about the target system or environment. In between, grey box reflects partial or uncertain knowledge about the target environment, network, or system.

The methodologies established from the studies include the Penetration Testing Execution Standard (PTES), the National Institute of Standards and Technology (NIST) methodology, and the OWASP Testing Guide (Wang et al., 2020). There are three primary methods for Pentest, namely the automated Pentest, the exploratory Pentest, and the systematic manual penetration test (Man et al., 2020). PTES describes the steps performed before actual testing is conducted to understand the security state of the target environment. Through this methodology, rigid steps are eliminated, thereby easing the Pentest process. The method’s developers propose a comprehensive guideline for evaluating security (Wang et al., 2020). Notably, it defines the testing scope, intelligence gathering, exploitation, and reporting as the major stages of the process. Thus, through this method, it is possible to define the steps that should be followed during penetration testing.

The NIST methodology provides a structure with four main steps: planning, discovery, attack, and reporting. The planning stage encompasses analysing the system to identify target areas of interest (Abdelnabi, Krombholz & Fritz, 2019). This is followed by a discovery process that seeks to establish vulnerabilities available for exploitation before testing them, and finally by reporting every action undertaken during the process (Abdelnabi, Krombholz & Fritz, 2019). The attack stage is characterized by activities such as gaining access, escalating privileges, and browsing the system to install other exploratory tools. Lastly, the OWASP methodology focuses on realizing the overall security of the system. As such, it provides a guideline for testing the security state of web applications. This methodology intends to increase the level of awareness (Man et al., 2020). It includes three critical stages, namely the introductory, intermediate, and conclusive stages. The pre-conditions of the target web application are handled at the introductory stage, before the tasks and appropriate techniques for executing the methodology are presented in the intermediate stage (Abdelnabi, Krombholz & Fritz, 2019). The conclusive stage summarises the test and how vulnerabilities were addressed. Therefore, the key features when implementing this strategy include providing details and definitions of the concepts and identifying emerging issues.

Challenges with Pentest

The penetration test techniques are not without challenges. As established in the studies, one major challenge is the efficacy of vulnerability assessment. The application of the technique varies, as does its efficacy (Wang et al., 2020). A weak Pentest yields unreliable or weak results; hence all tests should be adequately performed. Equally, providing the necessary tools and models for facilitating optimum security levels against some target scenarios is a problem (Wang et al., 2020). The challenges vary depending on the nature of the problem and the existing environment. Likewise, it is challenging to formalize the models (Abdelnabi, Krombholz & Fritz, 2019). Thus, the Pentest technique does not have a particular model that robustly ensures that best practices are established.

Conclusion

The contemporary issues presented in this paper focused on the tools, models, target scenarios, and challenges that surround the penetration test as a technique for assessing web security. Most studies focus on the web context as the point of concern for security testing. However, this should extend to other areas such as cloud computing, the Internet of Things (IoT), and mobile devices, among others. Regarding methodologies, the contemporary issues established reveal that there is no single approach to security testing. The methods and models applied during security testing vary depending on the existing problem. The same applies to the automation of tasks and tools, which implies that testers must ascertain the tools and tasks appropriate for a specific activity. In summary, the paper unveils the relevance of penetration testing despite its many contemporary issues. Hence, future studies should focus on Pentest’s challenges amid highly dynamic technological developments, including cloud computing and IoT.

References

Abdelnabi, S., Krombholz, K., & Fritz, M. (2019). VisualPhishNet: Zero-Day Phishing Website Detection by Visual Similarity. arXiv preprint. https://arxiv.org/abs/1909.00300

Man, K., Qian, Z., Wang, Z., Zheng, X., Huang, Y., & Duan, H. (2020). DNS cache poisoning attack reloaded. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. https://doi.org/10.1145/3372297.3417280

Wang, J., Sun, K., Lei, L., Wan, S., Wang, Y., & Jing, J. (2020). Cache-in-the-Middle (CITM) attacks: Manipulating sensitive data in isolated execution environments. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. https://doi.org/10.1145/3372297.3417886
