Research Article Open Access

Design and Development of an Automatic Penetration Test Generation Methodology for Security of Web Applications

Shilpa R. G.1, Pushphavathi T. P.1 and Murthy P. V. R.1
  • 1 Faculty of Engineering and Technology, M. S. Ramaiah University of Applied Sciences, Bangalore, India

Abstract

In today's world, web application security is becoming more crucial. Web applications frequently hold sensitive data, which might be compromised if it were to fall into the hands of a hostile attacker. This leads to significant losses for businesses and customers alike and exposes the qualities of confidentiality, integrity, and availability. A penetration test is an attempt to exploit vulnerabilities in an IT infrastructure with the goal of evaluating its security. Existing methodologies do not have a systematic basis to represent information gathered hence creating automatic attack generation difficult. The proposed model-based penetration test framework provides a repeatable, systematic approach for conducting penetration tests based on appropriate models of the behavior of the web application. It incorporates a novel approach for model-built security tests along the two scopes of vulnerability coverage criteria and automated attack generation from vulnerability mapping and abstract behavior of web applications. The algorithms are proposed for both manual and automatically driven penetration tests from the state models. The proposed approach is illustrated on a web app location within the banking sector exploiting input validation vulnerabilities.

Journal of Computer Science
Volume 20 No. 10, 2024, 1176-1184

DOI: https://doi.org/10.3844/jcssp.2024.1176.1184

Submitted On: 16 March 2024 Published On: 30 July 2024

How to Cite: G., S. R., P., P. T. & R., M. P. V. (2024). Design and Development of an Automatic Penetration Test Generation Methodology for Security of Web Applications. Journal of Computer Science, 20(10), 1176-1184. https://doi.org/10.3844/jcssp.2024.1176.1184

  • 1,007 Views
  • 566 Downloads
  • 0 Citations

Download

Keywords

  • Penetration Testing
  • Vulnerabilities
  • SQL Injection
  • Secondary SQL Injection
  • Client-Side Manipulation
  • Model Driven Testing
  • State Models