Tool for Application Penetration Testing
Publisher
Vysoká škola báňská – Technická univerzita Ostrava
Abstract
This thesis deals with the automation of web application penetration testing. The main goal
is to gather intelligence about the current level of automation in this area and to assess the quality
of web application vulnerability scanners. The thesis presents several experiments focusing on
the detection of Cross Site Scripting vulnerabilities in three test web applications using
selected vulnerability scanners. The Nikto and Wapiti scanners detect only a very small number of
vulnerabilities. Analysis of the network traffic and logs shows that Nikto does not perform
website crawling, and that Wapiti fails to detect when the tested web application stops responding during
the testing process. The best results in terms of Cross Site Scripting vulnerability detection
are achieved with the ZAP scanner. However, this scanner does not detect DOM XSS vulnerabilities
in features that rely on JavaScript code. The main output of the thesis is a custom fuzzer that
is able to detect this type of vulnerability.
Subject(s)
Cross Site Scripting, penetration testing automation, web application