Araştırma Makalesi
BibTex RIS Kaynak Göster

VinJect: Sızma Testi ve Güvenlik Açığı Taraması Aracı

Yıl 2018, Cilt: 6 Sayı: 4, 779 - 790, 01.08.2018
https://doi.org/10.29130/dubited.425414

Öz

Güvenilir
yazılım ürünleri ve elektronik sistemlerin geliştirilmesinde sızma testi önemli
rol oynamaktadır.
Zaafiyet taramalarının düzenli olarak yapılması sayesinde, ticari
sistemlerin sürdürülebilirliği sağlanmaktadır. Kalite güvence ve test firmalarının
günümüzde yaygınlıklarını arttırdıkları bu dönemde,  kullanılan araç ve yöntemlerin etkinlikleri
çok kritiktir. Bu makalede etkin bir sızma testi ve güvenlik açığı taraması
için geliştirilmiş VinJect ismindeki yazılımın mimarisi anlatılmaktadır. Amaç, çok
işparçacıklı yapıda çalışan bu uygulama ile zaafiyet barındıran yerlerin
tespitinin daha kısa sürede yapılmasıdır. Önerdiğimiz uygulama, arka planında
Wapiti ve SQLmap uygulamalarına ait servisleri kullanmaktadır. Kullanıcı dostu
arayüzler ile çoğunlukla komut satırında çalışşan uygulamaların verdiği olumsuz
kullanıcı tecrübesinin ortadan kaldırılması hedeflenmiştir.
Yaptığımız
testlerde, WinJect'in daha etkin bir kullanım sunduğu ve zaafiyet taramaları
çok daha kısa sürede tamamladığı görüldü.

Kaynakça

  • [1] Allen, L., Heriyanto, T. and Ali, S., Kali Linux–Assuring security by penetration testing. Packt Publishing Ltd, 2014.
  • [2] Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., Computer security: principles and practice. Pearson Education, 2012.
  • [3] Patil, S., Marathe, N., & Padiya, P., "Design of efficient web vulnerability scanner.", Inventive Computation Technologies (ICICT), International Conference on. Vol. 2. IEEE, 2016.
  • [4] Aliero, M. S., & Ghani, I., "A component based SQL injection vulnerability detection tool.", Software Engineering Conference (MySEC), 2015 9th Malaysian. IEEE, 2015.
  • [5] Parvez, M., Zavarsky, P., & Khoury, N., "Analysis of effectiveness of black-box web application scanners in detection of stored SQL injection and stored XSS vulnerabilities.", Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for. IEEE, 2015.
  • [6] Khoury, N., Zavarsky, P., Lindskog, D., & Ruhl, R., "An analysis of black-box web application security scanners against stored SQL injection.", Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third Inernational Conference on Social Computing (SocialCom), 2011 IEEE Third International Conference on. IEEE, 2011.
  • [7] Delamore, B., & Ko, R. K., "Escrow: A large-scale web vulnerability assessment tool.", Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on. IEEE, 2014.
  • [8] Liban, A., & Hilles, S. M., "Enhancing Mysql Injector vulnerability checker tool (Mysql Injector) using inference binary search algorithm for blind timing-based attack.", Control and System Graduate Research Colloquium (ICSGRC), 2014 IEEE 5th. IEEE, 2014.
  • [9] Singh, A. K., & Roy, S., "A network based vulnerability scanner for detecting sqli attacks in web applications.", Recent Advances in Information Technology (RAIT), 2012 1st International Conference on. IEEE, 2012.
  • [10] Lounis, O., Guermeche, S. E. B., Saoudi, L., & Benaicha, S. E., "A new algorithm for detecting SQL injection attack in Web application." Science and Information Conference (SAI), 2014. IEEE, 2014.
  • [11] Dessiatnikoff, A., Akrout, R., Alata, E., Kaâniche, M., & Nicomette, V., "A clustering approach for web vulnerabilities detection.", Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on. IEEE, 2011.
  • [12] Salas, M. I. P., & Martins, E., "A black-box approach to detect vulnerabilities in web services using penetration testing.", IEEE Latin America Transactions 13.3 (2015): 707-712.
  • [13] Fortify WebInspect, “URL:http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/”, [Accessed: 20-May-2018].
  • [14] Gamja : Web vulnerability scanner, “URL: https://sourceforge.net/projects/gamja/”, [Accessed: 20-May-2018].
  • [15] N-Stalker The Web Security Specialists, “URL:http://www.nstalker.com/”, [Accessed: 20-May-2018].
  • [16] IBM Security AppScan, “URL: https://www.ibm.com/developerworks/downloads/r/appscan/index.html”, [Accessed: 20-May-2018].
  • [17] Burp Suite Scanner | PortSwigger, “URL:http://portswigger.net/suite/”, [Accessed: 20-May-2018].
  • [18] Acunetix, “URL: https://www.acunetix.com/web-vulnerability-scanner/”, [Accessed: 20-May-2018].
  • [19] ImmuniWeb Application Security Testing Platform, “URL: https://www.htbridge.com/immuniweb/” , [Accessed: 20-May-2018].
  • [20] Wapiti : a Free and Open-Source web-application vulnerability scanner in Python for Windows, Linux, BSD, OSX, “URL:http://wapiti.sourceforge.net/” [Accessed: 20-May-2018].
  • [21] sqlmap : automatic SQL injection and database takeover tool, “URL: http://sqlmap.org/” [Accessed: 20-May-2018].
  • [22] Pankratius, V., Adl-Tabatabai, A.R. and Tichy, W., eds. Fundamentals of multicore software development. CRC Press, 2011.
  • [23] Ammann, P. and Offutt, J., Introduction to software testing. Cambridge University Press, 2016.
  • [24] Wright, H.K., Kim, M. and Perry, D.E., "Validity concerns in software engineering research." Proceedings of the FSE/SDP workshop on Future of software engineering research. ACM, 2010.

VinJect: Toolkit for Penetration Testing and Vulnerability Scanning

Yıl 2018, Cilt: 6 Sayı: 4, 779 - 790, 01.08.2018
https://doi.org/10.29130/dubited.425414

Öz

Penetration
testing plays an important role in the development of secure software products
and electronic systems. Sustainability of commercial systems is ensured through
the regular scans of vulnerability. In this era where quality assurance and
testing organizations become increasingly widespread, the effectiveness of the
used tools and methods are critical. This article describes the architecture of
the software named VinJect, which is
developed for efficient penetration testing and vulnerability scanning. The primary
goal of this application is to detect vulnerable locations in a shorter time
with running in a multi-threaded structure. Our proposed application uses Wapiti
and SQLmap applications’ services in the background. With user-friendly
interfaces, it is also aimed to remove the bad UX that these applications
running on the command line have. In the tests we performed, WinJect was found to be more efficient in
completing the vulnerability scans in a much shorter time. 

Kaynakça

  • [1] Allen, L., Heriyanto, T. and Ali, S., Kali Linux–Assuring security by penetration testing. Packt Publishing Ltd, 2014.
  • [2] Stallings, W., Brown, L., Bauer, M.D. and Bhattacharjee, A.K., Computer security: principles and practice. Pearson Education, 2012.
  • [3] Patil, S., Marathe, N., & Padiya, P., "Design of efficient web vulnerability scanner.", Inventive Computation Technologies (ICICT), International Conference on. Vol. 2. IEEE, 2016.
  • [4] Aliero, M. S., & Ghani, I., "A component based SQL injection vulnerability detection tool.", Software Engineering Conference (MySEC), 2015 9th Malaysian. IEEE, 2015.
  • [5] Parvez, M., Zavarsky, P., & Khoury, N., "Analysis of effectiveness of black-box web application scanners in detection of stored SQL injection and stored XSS vulnerabilities.", Internet Technology and Secured Transactions (ICITST), 2015 10th International Conference for. IEEE, 2015.
  • [6] Khoury, N., Zavarsky, P., Lindskog, D., & Ruhl, R., "An analysis of black-box web application security scanners against stored SQL injection.", Privacy, Security, Risk and Trust (PASSAT) and 2011 IEEE Third Inernational Conference on Social Computing (SocialCom), 2011 IEEE Third International Conference on. IEEE, 2011.
  • [7] Delamore, B., & Ko, R. K., "Escrow: A large-scale web vulnerability assessment tool.", Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on. IEEE, 2014.
  • [8] Liban, A., & Hilles, S. M., "Enhancing Mysql Injector vulnerability checker tool (Mysql Injector) using inference binary search algorithm for blind timing-based attack.", Control and System Graduate Research Colloquium (ICSGRC), 2014 IEEE 5th. IEEE, 2014.
  • [9] Singh, A. K., & Roy, S., "A network based vulnerability scanner for detecting sqli attacks in web applications.", Recent Advances in Information Technology (RAIT), 2012 1st International Conference on. IEEE, 2012.
  • [10] Lounis, O., Guermeche, S. E. B., Saoudi, L., & Benaicha, S. E., "A new algorithm for detecting SQL injection attack in Web application." Science and Information Conference (SAI), 2014. IEEE, 2014.
  • [11] Dessiatnikoff, A., Akrout, R., Alata, E., Kaâniche, M., & Nicomette, V., "A clustering approach for web vulnerabilities detection.", Dependable Computing (PRDC), 2011 IEEE 17th Pacific Rim International Symposium on. IEEE, 2011.
  • [12] Salas, M. I. P., & Martins, E., "A black-box approach to detect vulnerabilities in web services using penetration testing.", IEEE Latin America Transactions 13.3 (2015): 707-712.
  • [13] Fortify WebInspect, “URL:http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/”, [Accessed: 20-May-2018].
  • [14] Gamja : Web vulnerability scanner, “URL: https://sourceforge.net/projects/gamja/”, [Accessed: 20-May-2018].
  • [15] N-Stalker The Web Security Specialists, “URL:http://www.nstalker.com/”, [Accessed: 20-May-2018].
  • [16] IBM Security AppScan, “URL: https://www.ibm.com/developerworks/downloads/r/appscan/index.html”, [Accessed: 20-May-2018].
  • [17] Burp Suite Scanner | PortSwigger, “URL:http://portswigger.net/suite/”, [Accessed: 20-May-2018].
  • [18] Acunetix, “URL: https://www.acunetix.com/web-vulnerability-scanner/”, [Accessed: 20-May-2018].
  • [19] ImmuniWeb Application Security Testing Platform, “URL: https://www.htbridge.com/immuniweb/” , [Accessed: 20-May-2018].
  • [20] Wapiti : a Free and Open-Source web-application vulnerability scanner in Python for Windows, Linux, BSD, OSX, “URL:http://wapiti.sourceforge.net/” [Accessed: 20-May-2018].
  • [21] sqlmap : automatic SQL injection and database takeover tool, “URL: http://sqlmap.org/” [Accessed: 20-May-2018].
  • [22] Pankratius, V., Adl-Tabatabai, A.R. and Tichy, W., eds. Fundamentals of multicore software development. CRC Press, 2011.
  • [23] Ammann, P. and Offutt, J., Introduction to software testing. Cambridge University Press, 2016.
  • [24] Wright, H.K., Kim, M. and Perry, D.E., "Validity concerns in software engineering research." Proceedings of the FSE/SDP workshop on Future of software engineering research. ACM, 2010.
Toplam 24 adet kaynakça vardır.

Ayrıntılar

Birincil Dil İngilizce
Konular Mühendislik
Bölüm Makaleler
Yazarlar

Akhan Akbulut 0000-0001-9789-5012

Yayımlanma Tarihi 1 Ağustos 2018
Yayımlandığı Sayı Yıl 2018 Cilt: 6 Sayı: 4

Kaynak Göster

APA Akbulut, A. (2018). VinJect: Toolkit for Penetration Testing and Vulnerability Scanning. Düzce Üniversitesi Bilim Ve Teknoloji Dergisi, 6(4), 779-790. https://doi.org/10.29130/dubited.425414
AMA Akbulut A. VinJect: Toolkit for Penetration Testing and Vulnerability Scanning. DÜBİTED. Ağustos 2018;6(4):779-790. doi:10.29130/dubited.425414
Chicago Akbulut, Akhan. “VinJect: Toolkit for Penetration Testing and Vulnerability Scanning”. Düzce Üniversitesi Bilim Ve Teknoloji Dergisi 6, sy. 4 (Ağustos 2018): 779-90. https://doi.org/10.29130/dubited.425414.
EndNote Akbulut A (01 Ağustos 2018) VinJect: Toolkit for Penetration Testing and Vulnerability Scanning. Düzce Üniversitesi Bilim ve Teknoloji Dergisi 6 4 779–790.
IEEE A. Akbulut, “VinJect: Toolkit for Penetration Testing and Vulnerability Scanning”, DÜBİTED, c. 6, sy. 4, ss. 779–790, 2018, doi: 10.29130/dubited.425414.
ISNAD Akbulut, Akhan. “VinJect: Toolkit for Penetration Testing and Vulnerability Scanning”. Düzce Üniversitesi Bilim ve Teknoloji Dergisi 6/4 (Ağustos 2018), 779-790. https://doi.org/10.29130/dubited.425414.
JAMA Akbulut A. VinJect: Toolkit for Penetration Testing and Vulnerability Scanning. DÜBİTED. 2018;6:779–790.
MLA Akbulut, Akhan. “VinJect: Toolkit for Penetration Testing and Vulnerability Scanning”. Düzce Üniversitesi Bilim Ve Teknoloji Dergisi, c. 6, sy. 4, 2018, ss. 779-90, doi:10.29130/dubited.425414.
Vancouver Akbulut A. VinJect: Toolkit for Penetration Testing and Vulnerability Scanning. DÜBİTED. 2018;6(4):779-90.