zed attack proxy

The Experts below are selected from a list of 51 Experts worldwide ranked by ideXlab platform

Fakhreldeen Abbas Saeed - One of the best experts on this subject based on the ideXlab platform.

Arun Sapkota - One of the best experts on this subject based on the ideXlab platform.

  • PRATICAL DATA SECURITY TESTING ON A
    2015
    Co-Authors: Wikström Yngvar M. Eng, Instructor Virtanen Tero, Arun Sapkota
    Abstract:

    Data breaches in networks are a common issue in Internet Technology. Virtual environments are hidden most of the time, but academic working spaces need more security and encrypted space. This thesis focuses on issues arising at a virtual space created for a teacher for educational purposes. The purpose of the thesis was to explore the vulnerabilities in virtual space in order to implement security patches in the future. Various hacking tools and penetration testing tools were used to discover the weak points left in the virtual space during the software development, which could be exploited by intruders. In order to find the security weak points, a security analyzer tool named Zed Attack Proxy was connected to the database server. It was given privilege rights and the database was evaluated with this tool. Subsequently, lists of possible weak points were generated and the thesis discusses these weak points and proposes possible solutions.

Albalat Montenegro Bruno - One of the best experts on this subject based on the ideXlab platform.

  • Integració del reporting de zed attack proxy amb JasperReports
    'Fundacio per la Universitat Oberta de Catalunya', 2015
    Co-Authors: Albalat Montenegro Bruno
    Abstract:

    This project attempts to improve on Zed Attack Proxy's reporting by creating an expansion in the form of an add-on, which integrates ZAP's scanning with the report creating tool JasperReports.

Paudel Samir - One of the best experts on this subject based on the ideXlab platform.

  • VULNERABLE WEB APPLICATIONS AND HOW TO AUDIT THEM : Use of OWASP zed attack proxy effectively to find the vulnerabilities of web applications
    Oulun ammattikorkeakoulu, 2016
    Co-Authors: Paudel Samir
    Abstract:

    Oulu University of Applied Sciences, Degree programme in Information Technology. Author: Samir Kumar Paudel. Title of the bachelor’s thesis: Vulnerable Web Applications and How to Audit Them. Supervisor: Lauri Pirttiaho. Term and year of completion: Spring 2016. Number of pages: 59.

    This thesis work was done as a private project for completing a Bachelor’s Degree in Information Technology. The main objective of this work was to find out the effectiveness of OWASP Zed Attack Proxy, an open source and free integrated penetration testing tool for finding vulnerabilities in web applications. Besides that, the secondary objectives were to learn how to make web applications and try to find out the security loopholes of them. For this project, Notepad++, Localhost, and OWASP Zed Attack Proxy were used as tools, PHP, HTML, JavaScript, and CSS as languages, and MySQL Database for making a prototype web application. Notepad++ is a text editor and it supports various programming languages for writing programs or editing files. Localhost was used as a web host. And OWASP Zed Attack Proxy was used as a testing tool. The reason for using OWASP ZAP is that it is an open source and free application and it is a very popular tool among all available web application penetration testing tools either commercial or open source. Some vulnerabilities were successfully found by the application (OWASP Zed Attack Proxy). Besides that, the developed prototype web application is a simple one. To test the effectiveness of OWASP Zed Attack Proxy in more detail, the web application should be more complex with various features. Being a prototype, it has limitations regarding its full intended features. As only a few features were implemented in the prototype, there is a possibility to add more features to the web application as well as testing it in the future.

Koskinen Sami - One of the best experts on this subject based on the ideXlab platform.

  • Web-sovellusten tietoturvastandardin testaaminen
    2019
    Co-Authors: Koskinen Sami
    Abstract:

    Information security is becoming an increasingly important part of the development and sale of web applications. With the European Union's General Data Protection Regulation, which entered into force in 2018, those who commission web applications can face concrete penalties for neglecting information security. Consequently, it must be possible to verify and prove the security of web applications to current and potential future customers. The aim of the work is to develop an efficient testing method, achievable with a reasonable workload, for testing an already existing security standard. The security standard comprises the 10 most critical vulnerabilities of OWASP, the Open Web Application Security Project. Another aim is to create the capability to produce a security report. In the development phase, suitable tools for carrying out the testing were first sought, after which the tools and testing methods were studied. Testing was initially carried out manually with OWASP's own web application penetration testing tool, Zed Attack Proxy. After the manual testing and the reporting of its results, manual testing was found to work but to be a process requiring too much work. In the second phase, the aim was to develop the testing further into a lighter, automated process. The automation used a cloud-based version control service, Bitbucket, and CircleCI, a continuous integration tool. The project resulted in two different testing processes. The first result was a manual testing process, with which one can be increasingly confident of a web application's security. The second result was an automated testing process for the security standard, which was successfully integrated into the web application's development phase with a reasonable workload. Manual testing is considerably slower than automated testing, but all the more accurate. Automated testing is suited to testing for the major vulnerabilities. The project met the goals set by the client. Room for development remained in the automated testing: owing to lack of time, authentication to web applications could not be automated, so pages behind authentication remain untested. The automated testing process can nevertheless be used in most web applications.

    Information security is continuously becoming an important part of web-application development and sales. After the inception of European Union’s General Data Protection Regulations in 2018, web-application owners can face concrete punishments for neglecting security in web-applications. This means that customers are more interested in information security but without knowledge in the technology behind web-application security, it has become more important for the web-application provider to test and prove the security of their applications. The goal of this project was to develop an efficient method for testing and proving an existing security standard while maintaining a reasonable workload. The security standard includes all of the Open Web Application Security Project’s Top 10 most critical web-application vulnerabilities. A secondary goal for the project was to create a method for efficiently reporting the results of web-application security testing. In the first part of the development phase of the project, sufficient tools were researched for penetration testing the web-applications. The penetration testing was originally conducted manually using OWASP’s own web-application penetration testing tool, Zed Attack Proxy. After manually testing the security of the web-application based on the security standard, and reporting the results, the manual penetration testing was concluded to be too inefficient for being integrated into web-application development workflow. In the second part of the development phase the goal was to automate the testing that was conducted manually in part one. The automation was implemented using a version control tool, BitBucket, and a continuous integration tool, CircleCI. The outcome of the project was two separate testing methods. The first one was a manual testing method. The manual testing method is conducted by hand and requires the attention of a penetration tester. The manual testing method is an accurate and extensive testing method for web-applications. The second method was a completely automated testing method for web-applications that could be integrated into web-application development workflow. The automated testing method is less accurate than the manual one but requires no work from the penetration tester after the initial configuration. The project goals were reached after developing the automated testing method. Further development is recommended for the automated penetration testing, since authentication could not be automated in the limited time that the project was being worked on. This means that parts of the web-application being tested might remain untested if no authentication is automated. The automated testing method will however test all parts of the web-application that do not require authentication.