
Volume 5, Issue 1, January – 2020 International Journal of Innovative Science and Research Technology

ISSN No:-2456-2165

Adaptive Penetration Test Method

Volkan DORTKARDES, Computer Engineering Department, Gebze Technical University, Kocaeli, Turkey
İbrahim SOGUKPINAR, Computer Engineering Department, Gebze Technical University, Kocaeli, Turkey

Abstract:- The complexity of information systems is increasing day by day. This leads to more security vulnerabilities in IT systems. Attackers use these vulnerabilities to penetrate the target's system. It is better to find these vulnerabilities in advance, before the attacker does. The power of vulnerability assessment is often overlooked. Penetration testing is a set of activities undertaken to identify and exploit vulnerabilities. It helps to verify the effectiveness of the security measures implemented. When the existing penetration test approaches and methods are examined, another issue that is overlooked is that not all steps are performed adequately in the penetration test process. In the environments where penetration tests will be performed, the number of attack vectors may be limited if progress depends only on the capabilities of the Penetration Test Specialist, and / or some important parts may be missing due to forgetting or lack of ability. This work brings together my studies on how to use comprehensive penetration test software in cyber defense technology, how more attack vectors can be applied and more results obtained during the tests with a new perspective, and how to automate the detection of social engineering weaknesses with an automated application tool. Automated test results were compared with the results of the manual tests performed in 7 different environments, and the superior parts are indicated in the results section. I also discuss which tools will be used for which purposes and at what stages, and I have automated several steps of penetration testing.

Keywords:- Vulnerability Assessment, Adaptive Penetration Test, Automated Application Security, Computer Security And Computer Ethics.

I. INTRODUCTION

Penetration testing and security assessments in general are critical for all companies based on an IT infrastructure. However, there are some problems. The penetration testing procedure may take several weeks or months, depending on the size and complexity of the targeted network and the level of detail the customer wants. A company can have up to twenty users, and all they want is a basic vulnerability scan to make sure they don't have a major problem with system configurations. In this case, the scan can be done in one day or several days with very little interaction other than entering the target systems and starting the scan. In another scenario, in a company with several thousand users and their infrastructure, unlike the previous scenario, the penetration testing process may take several weeks or months due to the complexity of network / application architectures and the many different attack paths.

To express it in more detail, some weaknesses that can be easily detected using automated tools can become virtually impossible to detect manually, information security experts say. For example, in order for Host Header injection to be detected, 4 requests must be sent separately for each URL. Or, when Sensitive Data Leak is handled, automated scanning is needed because all pages of the web application need to be attacked by brute force. In addition, some tests, even when performed manually, cannot reach the number of outputs that can be obtained automatically. The number of outputs that will be obtained can provide the information security expert with more clues, give him the chance to create more attack vectors, and prevent possible output losses caused by human factors (forgetfulness, lack of information, etc.).

Basically, a company hires security experts to evaluate and hack their networks, servers and services before malicious users can do the same. Penetration testing tools will provide a report on network, service and application vulnerabilities. The report may also include how penetration testers can access IT infrastructures and applications to gain access to specific accounts or systems. The report will also provide suggestions on how to correct these gaps. This allows the company to secure its networks, services and applications against various future attacks.

In this work, an adaptive penetration test method has been proposed for IT systems. We will cover the adaptive pentesting tool. This tool will enable you to collaboratively conduct penetration tests efficiently and effectively against variable target environments. It allows us to create different attack vectors by providing more results and yields than a manual pentest.

The rest of the paper is organized as follows. Fundamentals and related works are presented in Section 2. The proposed method is explained in Section 3. Experimental results are presented in Section 4. The last section is Conclusion and Future Works.

IJISRT20JAN338 www.ijisrt.com 1295


II. FUNDAMENTALS OF PENETRATION TESTING

The penetration test is a set of activities that involves examining a system for weaknesses, identifying these weaknesses and the impact of their abuse, and finally preparing a report for the owners of the system. The life cycle of the penetration test consists of the following steps [2]:

 Scope
 Discovery
 Vulnerability detection
 Information analysis and planning
 Implementation of penetration test
 Privilege upgrade
 Results analysis
 Reporting
 Clean up the traces left

There are three types of penetration testing techniques, and each type presented below has its own characteristics.

 White box: the security expert who performs the test in this test model has complete knowledge of the network configuration of the test network and the tested system / network. This test is usually performed from the internal network. White box testing requires an in-depth understanding of the test network or system and yields better results.
 Black box testing: in this technique, the expert performing the test has no prior knowledge of the network architecture or the systems of the test network. Black box testing is performed from external networks towards internal networks. The person performing the test should use his or her expertise and skill.
 Gray box test: the person performing this test does not have detailed knowledge of the network architecture, but knows some information about the tested network and system configuration. It is actually a mixture of the previous two methods. It can be performed from both the internal network and the external network.

When performing these tests, the following operations are performed as an implementation:

 Information Gathering,
 Network Mapping,
 Vulnerability Scanning,
 Penetration into the system ("Exploit performing"),
 Authorization Upgrade,
 Penetration to Other Networks,
 Protecting Access,
 Attacks on Web-Based Applications,
 Social Engineering Attacks,
 Cleaning Footprints,
 Reporting.

Static analysis is also one of the common techniques used to find security errors in application code. The difference from penetration testing is that the system is examined as a white box by analyzing the source code and identifying security vulnerabilities. Due to their different characteristics, both techniques report their findings differently [3]. In the paper of Mariano and Riccardo, a report based on a static analysis security tool was compared with a report based on penetration testing, and scenario-based studies were conducted on how reporting could be more useful.

A. Penetration Testing Methods And Related Works

Social engineering has emerged as a serious threat to social communities and is an effective tool for attacking information systems. The services used by today's information workers pave the way for sophisticated social engineering attacks. The increasing trend towards BYOD (bring your own device) policies and the use of online communication and social media in private / business environments make the problem worse. In globally operating companies, teams no longer work together geographically, but still work together full-time. Despite the decrease in personal interaction, the emergence of numerous tools used for communication (e-mail, IM, Skype, Dropbox, LinkedIn, Lync, etc.) creates new attack vectors for social engineering. Recent attacks on companies such as the New York Times and RSA have shown that targeted spearphishing attacks are an effective and evolutionary step in social engineering attacks [5]. Katharina and colleagues provide a comprehensive overview of advanced social engineering attacks on the knowledge worker, as well as a well-known taxonomy of social engineering attacks.

This study leveraged a long series of applied research studies aimed at automating and optimizing penetration testing processes and systems, in particular vulnerability assessment (vulnerability analysis) and penetration testing [13,15]. Among the most important contributions to this topic, here we present a summary of previous research focusing on the approaches and contributions adopted. Initially, researchers were interested in the planning phase. Some studies have been applied in industrial penetration testing systems and frameworks, while others have remained research ideas [13,14].

Although social networking sites let people communicate with each other and the services provided are considered an advantage, in practice the privacy of the user's information is sacrificed and often neglected [4]. The approach put forward by Markus and his colleagues in their study takes a step further with the automation of classical social engineering. They conducted two experiments to evaluate the proposed attack cycle and prototype application (ASE bot). In their first experiment, they examined their bot's ability to gather information. In their second assessment, they performed a Turing test. The promising results of their assessments emphasize the possibility of efficient and effective social engineering attacks using automated social engineering bots.

The attacks that Markus and his colleagues carried out with the automated social engineering tool they created in their work are very striking. The first is automated social engineering work on five successful large Swedish-based

multinational companies, where they conducted the penetration test study. These institutions:

 High-tech company
 IT company
 Scandinavian finance company
 Industrial engineering company
 Telecommunications company

The following chart shows the cases of finding victims in these firms by means of social engineering.

Fig 1:- Finding targets with automated social engineering tool [4]

The information gathering process was observed to take 16 minutes (Organization 3), 65 minutes (Organization 2) and an average of 44 minutes per organization. In the following two graphs, their messaging with target groups is numerically expressed using different profiles created with this automated tool.

Fig 2:- the results of a conversation between the Julian character and the target's real people [4]

Fig 3:- messaging results for target users with the character Anna [4]

As can be seen from these studies, the attempts at automation are often focused on automating social engineering attacks. In my study, rather than automating only the information collection step of social engineering, the penetration test itself (exploration, network scanning and vulnerability assessment results) is automated further by considering the OWASP Top 10 weaknesses. This gives the largest possible output, provides more clues to the Information Security Professional and is expected to bring a benefit in terms of time; it supports the idea that the automated social engineering approach is an innovative and effective tool, both in the presence of similar studies and in the automated penetration test tool for which I intend to establish success rates.

Automated systems require the permanent control of a human PT expert and often fail to produce acceptable results in the context of medium and large assets because of the significant number of operations required to cover the entire network [9,10,11,12].

Mohamed C. Ghanem and Thomas M. Chen mainly performed penetration test implementation from the network perspective and focused on machine learning, especially the application of Reinforcement Learning techniques, to make penetration test application intelligent and efficient [9]. In this research, the probabilistic output of the penetration test action (screening, fingerprinting, abuse) was a crucial factor, in which they considered allocating sufficient probabilities for transitions and observations to reflect real-world penetration test practice. Therefore, the well-known NIST National Vulnerability Database, which maintains a reliable online catalog (CVSS [16] and Common Vulnerabilities and Exposures (CVE) [17] are two well-established sources), was used as a standard, cross-validated source for the method they chose. It associates different types of operating systems, software and applications with proven vulnerabilities; the use of such resources, with their rich content, easy accessibility and regular updates, and the calculation of the scoring function

and associated probabilities, such as CVSS v3, is motivated by this existing mechanism. Each transition or observation is detailed in [16,17].

III. ARCHITECTURE OF ADAPTIVE PENTESTING TOOL

The ISO / IEC 25010:2013 quality standard defines a product quality model consisting of eight main characteristics, each of which is divided into sub-characteristics.

This product has been developed by considering the OWASP Top 10 weaknesses, regardless of methodology or framework. Here we investigated whether the tool in question covered the complete leak test, and created a tool to support our approach to assessing the adaptive pentesting approach. The adaptive pentest tool has been created by keeping the standard in mind.

Fig 4:- Adaptive Penetration Testing Quality Model

The pentesting of a web application can be automated in order to conserve time and cover a wider scope compared to manual pentesting. This tool scans the website: it starts visiting all the pages on the website one at a time, stores the address of every unique URL it encounters on each page, and keeps it in a deque to visit next. The tool is made to find the following vulnerabilities:

 XSS
 SQL Injection
 XXE
 SSRF
 Subdomain Takeover
 Missing Security Headers
 Host Header Injection
 CORS
 Sensitive Data Leak

Fig 5:- Use Case Diagram of the Adaptive Pentest Tool

Crawling: the crawler function in scraping.py is called; it takes two arguments, the website name and the file in which the crawled URLs have to be saved. There are two crawling functions, based on authentication: as an authenticated user and as an unauthenticated user.


Fig 6:- Class Diagram of the Adaptive Pentest Tool

Information Flow: From the vul_scan entity, data goes to the scraping entity. There, the scraping entity calls the crawler module to crawl the website and generate a report file. The relation between VuL_scanner and scraping is optional, meaning the scraping part depends on the user: only if the user wants to crawl the website will this module be working, otherwise not.

After scraping, data goes to the chk and wayback_urls entities. In the chk entity the scanner gets the cookies of the application. The relationship with the Vul_scan entity is optional.

After that, data goes from the vul_scan entity to all other entities one by one with the interaction of the user. The order depends on the user of the scanner: one can perform the XSS check first, whereas another can start with sql_Check. It totally depends on the user.

Working procedure:

Check_sql entity (relationship with the Vul_scan entity is one to many): make a request to the server, then get a response from the server, then inject a normal SQL injection into the form input. If it does not work, the module goes to the SQLi / blind SQL injection mode. If the module finds any vulnerabilities while performing the scan, it will show a message to the user.

XSS check (one to many relation): first the module sends a request to the server to connect, then checks the normal GET and POST request, then starts the XSS injection attack on the URL or form input. If it finds anything vulnerable, it shows an alert to the user.

check__ssrf (one to many relation): first the module sends a request to the server to connect, then checks the normal GET and POST request, then starts the SSRF injection attack on the URL or form input. If it finds anything vulnerable, it shows an alert to the user.

check__xxe (one to many relation): first the module sends a request to the server to connect, then checks the normal GET and POST request, then starts the XXE injection attack on the URL or form input. If it finds anything vulnerable, it shows an alert to the user.

Sensitive_data: in this part the module looks for robots.txt and password.txt files.

Subdomain takeover: finds subdomains under the main IP address. cors: checks for CORS errors by sending a request with a spoofed Origin to the server.

check_host_header and security_header: find vulnerabilities in the headers by inspecting them and matching against the signature databases.

A. Parts of Adaptive Pentesting Tool

 Crawling:- is the first step and it is the most important step. As soon as the script starts, the crawler function in scraping.py is called; it takes two arguments, the website name and the file in which the crawled URLs have to be saved. There are two crawling functions, based on authentication:
 Crawling the website as an unauthenticated user (takes two arguments: the website name and the filename to save processed URLs).
 Crawling the website as an authenticated user (takes three arguments: the website name, the filename to save processed URLs and the cookie for the authenticated user).

The crawler starts visiting the website from the index page and finds all the anchor tags, HTML tags with a src attribute and the links in JavaScript. It does this by using the Python requests library and the BeautifulSoup library, which is used to scrape data from the website.

After visiting all the links it saves them in demofile.txt internally. It also takes care, for an authenticated user, that it does not lose the session, so it avoids visiting URLs which contain the logout or signout keywords.

To make sure it visits all the URLs, it uses the script waybackurls.py, which searches the web archives for the URLs belonging to the target website, mainly from the beginning, i.e. from when the website was created until now. This is a very rich source of URLs which a manual pentest usually might miss: it can contain functionality that was used by the website at the start and that the developers forgot to remove from the website, and which is vulnerable to some attack.

Fig 7:- Interface of Adaptive Pentest Tool

 Menu:- it is the interface for the user. It helps the user understand what the tool does, makes navigation very easy for the user and helps the user choose which bug they want to test on the website. There are many tools which do not provide a menu and take a very long time to produce a result; unlike them, here you can check only a particular bug, which is very time saving, and it gives you a checklist of bugs. A manual tester without a checklist might miss testing some bug. It uses figlet, a Linux utility, to make animated text in the Linux terminal and give it an animated look.

 Testing for Specific Vulnerabilities
As we stated at the beginning of the study, we focused on the best-known weaknesses of OWASP and included 9 weaknesses in this section. A separate module has been created for each of these weaknesses, and their working philosophies are listed below.

XSS: The first option to choose from the menu is XSS; it stands for Cross-Site Scripting. It is the most common bug in modern web applications, and very large enterprises are also vulnerable to this bug type. In XSS an attacker is able to execute JavaScript in the victim's browser. On entering option 1 the script initiates the xss function in the xxs_check.py file. It takes two arguments, the website name and the cookie value if provided, and then uses the form_input.py file to get all the URLs with a form tag in them and their input types and names. After storing all the URLs and input types in a list, it loops over them to get a single URL and its data and tests whether the URL is vulnerable to XSS or not. It checks whether a single URL is vulnerable by sending a unique string such as batman in the input and checking whether the response contains the same string. If the string is present, it then sends <>/() in the input and sees whether they are encoded or not. If not, it has a list of XSS polyglots which it submits in the request and checks whether the string is reflected in the response; if present, it prints on the terminal that the URL is vulnerable to XSS, with the payload used in the attack.

SQL Injection: It is the second option in the menu. It is a very old bug found on websites and is much less common nowadays because websites use web frameworks and CMSs such as WordPress. It is a very severe bug: if an attacker is able to exploit it, he can access the data of any user and even change the data. In the script, on choosing option 2, the sqli function present in check_sql.py is called. It takes two arguments, the website name and the cookie if provided, and gets the inputs and URLs as for XSS. After getting the links and their inputs, it establishes the difference between the normal request and the malicious request, ignoring responses that already contain terms such as error, exception, SELECT and many more, and then uses payloads such as ' . " , * and many more and checks the response. If the response status code is 500, 502 or similar, it flags the URL and prints on the terminal that SQL injection was found, with the payload.

XXE Injection: It is the third option in the menu. It is a fairly new bug in the modern web, found on websites which use XML files to store the user's data or use XML to respond to the user with the requested data. To find XXE, the script calls the xxe function in the check_xxe.py file; it takes two arguments, the website name and the cookie if provided. It changes the content type of the request to application/xml for each request and checks the difference between the length and status code of the response to the request with normal data and the request with the XXE payload. If the difference shows the possibility of an XXE attack, it flags it as an XXE vulnerability found on the specific URL with the specific payload. It uses XXE polyglots as the payloads.

SSRF: It is the fourth option in the menu. It is also a fairly new bug type; if an attacker is able to exploit it, he can get access to private files on the server and port scan the network on which the server is present. To find this bug, the script calls the ssrf function in the check_ssrf.py file; it takes two arguments, the website and the cookie if provided. It establishes the difference between the normal request and the malicious payload. If there is a difference between the status code and response length, we flag it as an SSRF bug found on the specific URL with the specific payload. We use SSRF polyglots as the payload.
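The crawling behaviour described above (a deque of URLs still to visit, a record of every unique URL seen, href/src extraction, and skipping logout/signout links so an authenticated session survives) can be shown in a small breadth-first crawler. This is an added example, not the paper's scraping.py: it uses only the Python standard library instead of requests and BeautifulSoup, and the page-fetching function is injected so that it runs offline against a constructed sample site; the host name target.example and the pages in SAMPLE_SITE are constructed for the example.

```python
"""Breadth-first site crawler in the style of the paper's scraping.py crawler.
Added example, not the paper's code. fetch(url) is injected so the crawler can
be run against constructed pages without any network access."""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, urldefrag

# Links containing these words would end an authenticated session, so they are not followed.
LOGOUT_KEYWORDS = ("logout", "signout")


class LinkExtractor(HTMLParser):
    """Collects every href and src attribute value found in a page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.links.append(value)


def crawl(start_url, fetch, skip_logout=True, max_pages=500):
    """Visit every page reachable from start_url on the same host.

    fetch(url) must return (status_code, body_text).
    Returns the list of visited URLs in visiting order (the paper's demofile.txt content).
    """
    host = urlparse(start_url).netloc
    queue = deque([start_url])   # URLs still to visit
    seen = {start_url}           # every unique URL encountered so far
    visited = []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        status, body = fetch(url)
        visited.append(url)
        if status != 200:
            continue  # nothing to extract from an error page
        parser = LinkExtractor()
        parser.feed(body)
        for raw in parser.links:
            absolute, _ = urldefrag(urljoin(url, raw))  # resolve relative links, drop #fragments
            if urlparse(absolute).netloc != host:
                continue  # stay on the target host
            if skip_logout and any(k in absolute.lower() for k in LOGOUT_KEYWORDS):
                continue  # do not log the session out
            if absolute not in seen:
                seen.add(absolute)
                queue.append(absolute)
    return visited


def save_urls(urls, path):
    """Write one URL per line, as the paper's crawler does with demofile.txt."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(urls) + "\n")


# Constructed sample site: a handful of pages keyed by URL (not a real host).
SAMPLE_SITE = {
    "http://target.example/": '<a href="/about">About</a><script src="/js/app.js"></script>'
                              '<a href="/logout">Log out</a><a href="http://other.example/">ext</a>',
    "http://target.example/about": '<a href="/about#team">Team</a><a href="/contact">Contact</a>',
    "http://target.example/js/app.js": 'console.log("no links here")',
    "http://target.example/contact": '<a href="/missing">Broken</a>',
}


def fake_fetch(url):
    """Offline stand-in for an HTTP GET over the constructed sample site."""
    body = SAMPLE_SITE.get(url)
    return (200, body) if body is not None else (404, "")


if __name__ == "__main__":
    for u in crawl("http://target.example/", fake_fetch):
        print(u)
```

With the sample site the crawler visits the index, /about, the script source, /contact and the dangling /missing link (recorded even though it returns 404, which is exactly the kind of stale URL the paper's wayback step is after), while /logout and the foreign host are never requested. Replacing fake_fetch with a function built on requests.get (adding the session cookie for the authenticated variant) turns it into the live crawler the paper describes.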

CORS: It is the fifth option in the menu. It is also a fairly new bug type: if the website allows an origin other than its own domain to send it a request and sends the response to that malicious origin, an attacker could change the Origin header of the victim's request, receive the response on his malicious server, make changes in the JavaScript and compromise the user. To find this bug we change the Origin header of each request and check whether the Access-Control-Allow-Origin header is *, null or the name of the website we put in Origin; if so, we flag it and print on the terminal that CORS was found on the URL.

Missing Security Headers: It is the sixth option in the menu. It checks whether all the security headers a website response should have, to make it secure against attacks, are present or not. To find this, the script calls the check_security_header function in the security_header.py file. It checks whether X-Frame-Options, X-XSS-Protection and many more headers are present; if one is not present, it flags it as vulnerable and prints on the terminal the particular security header that is missing.

Subdomain takeover: It is the seventh option in the menu. In this bug an attacker can claim a subdomain. To find this, the function check_subdomain in the subdomain_takeover.py file is called. The script uses https://crt.sh/?q=%25 to search the subdomains of the target domain, then requests every subdomain found, and if the response status code is 404 or the string Not Found is present, the script flags it as subdomain takeover found and prints it on the terminal.

Sensitive Data Leak: It is the eighth option in the menu. In this bug the attacker could get access to sensitive files on the server which the developers forgot to remove or which are present on the server by default. To find this bug we use a list of files which are present on the server by default and contain sensitive data. When we request a specific file and its response status is 200, we report it as a sensitive data leak on the specific URL and print it on the terminal.

Host Header Injection: It is the ninth option in the menu. In this bug an attacker can manually divert the code to produce the hacker's desired output simply by editing the Host header. Most web servers are probably configured to pass the Host header to the first virtual host in the list without proper handling, so it is possible to send HTTP requests with arbitrary Host headers to the first virtual host. In that case, if we specify an invalid Host, the web server processes it and passes the invalid Host header to the first virtual host in the list. To find this bug we use the function check_host in the check_host_header.py file; it requests the URL with Host and X-Forwarded-Host headers in the request and checks the response. If the malicious host is found in the response, it flags it as host header injection found, with the URL.

IV. REALIZATION AND EXPERIMENTAL RESULTS

A. Properties of the Test Environments

I tested the automated application in 7 different environments with sufficiently different parameters and compared the results with the tests I did manually. The test environments are listed below:

i. http://testphp.vulnweb.com
This environment is an example PHP implementation that is deliberately weak against web attacks. It is designed to help you test Acunetix. It also helps you understand how developer errors and poor configuration can allow someone to enter your website. You can also use other tools and manual testing to test your skills. Tip: we can look for potential SQL injections, cross-site scripting (XSS), cross-site request forgery (CSRF), and more.

ii. https://demo.testfire.net/
AltoroJ is an example banking J2EE web application. It shows what happens when Web applications are written with application functionality in mind and not with application security in mind. It is a simple and orderly platform for learning about real-life application security issues. AltoroJ uses standard Java and JSP functionality without using any additional framework. While most real-life applications use frameworks, the same application security principles apply in both cases. Frameworks can be difficult to understand and learn for someone with no particular familiarity. There are many large and complex "old" Java web applications, so called or not, that are very similar to AltoroJ (but of course many are far more complex).

iii. http://zero.webappsecurity.com
The Free Online Bank website was published by Micro Focus Fortify only to demonstrate the functionality and effectiveness of Micro Focus Fortify's WebInspect products in detecting and reporting Web application vulnerabilities. This site is not a real banking site, and similarities to third party products and / or websites are purely coincidental. This site is offered "as is" without warranty of any kind, express or implied. Micro Focus Fortify does not accept any risk associated with your use of this website. Use of this website indicates that you have read and accepted Micro Focus Fortify's terms of use.

iv. http://testhtml5.vulnweb.com/
This is an HTML5 implementation that is vulnerable by design. This application was created so that you could test Acunetix, other tools, or your manual penetration testing skills. The application code is prone to attacks such as Cross-Site Scripting (XSS) and XML External Entity (XXE) injection. The links provided on this site are not linked to the site and are only available here as examples.

IJISRT20JAN338 www.ijisrt.com 1301


v. Typhoon Vulnerable Machine
Typhoon is a virtual machine that comes with various vulnerabilities and provides a laboratory environment for researchers looking to improve their skills in cybersecurity. Typhoon VM v1 was developed by the Prisma CSI team to provide a mini-laboratory environment for the practical penetration testing training offered by the company. You can also download and install the virtual machine on your own system, which gives you a chance to gain some practical skills in this area.

vi. Damn Vulnerable Web Application
Damn Vulnerable Web Application (DVWA) is a deliberately vulnerable PHP/MySQL web application. Its main goals are to let security professionals test their skills and tools in a legal environment, to help web developers better understand the process of securing their web applications, and to help teachers and students teach and learn web application security in a classroom environment.

vii. bWAPP
bWAPP, or buggy web application, is a free and open-source deliberately insecure web application. It helps security enthusiasts, developers and students discover and prevent web vulnerabilities, and it prepares them to carry out successful penetration testing and ethical hacking projects. What makes bWAPP unique is that it has 100 web vulnerabilities: it covers all major known web bugs, including all risks from the OWASP Top 10 project. bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux or Windows with Apache/IIS and MySQL, and it can also be installed with WAMP or XAMPP. Another possibility is to download bee-box, a custom Linux VM that comes pre-installed with bWAPP.

Fig 9:- Running Security Header scripts and results

Fig 10:- Detection of subdomain takeover weakness with automatic scripts
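Before the test results, here is an added example of the Sensitive Data Leak and Host Header Injection checks described in the tool description above. It was written for this page and is not the paper's check_host_header.py or sensitive-file script; the canary host evil.example, the wordlist, the in-process target server and the function names are assumptions. It runs offline: the constructed target trusts X-Forwarded-Host/Host when it builds absolute URLs and still serves a leftover .env file, which is exactly what the two checks look for.

```python
"""Added example, not the paper's scripts: the Sensitive Data Leak and Host
Header Injection checks, run offline against an in-process target that
trusts the Host header. Names, paths and the canary host are assumptions."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CANARY = "evil.example"  # assumed attacker-controlled host
DEFAULT_FILES = ["/.git/config", "/.env", "/phpinfo.php", "/backup.zip"]  # assumed wordlist


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # never follow: the Location header itself is the evidence


_OPENER = urllib.request.build_opener(_NoRedirect)


def fetch(url, extra_headers=None):
    """GET url; return (status, {Header: value}, body) for any status code."""
    req = urllib.request.Request(url, headers=extra_headers or {})
    try:
        with _OPENER.open(req, timeout=5) as resp:
            status, msg, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        status, msg, body = err.code, err.headers, err.read()
    return status, {k.title(): v for k, v in msg.items()}, body.decode("utf-8", "replace")


def host_reflected(headers, body, canary=CANARY):
    """'location' if the response redirects to the canary host (strongest
    signal), 'body' if it appears in the page (links, reset URLs), else None."""
    if canary in headers.get("Location", ""):
        return "location"
    return "body" if canary in body else None


def check_host(url, canary=CANARY):
    """Send the canary in Host, then in X-Forwarded-Host; report which injected
    header was reflected and where."""
    findings = {}
    for name in ("Host", "X-Forwarded-Host"):
        _, headers, body = fetch(url, {name: canary})
        where = host_reflected(headers, body, canary)
        if where:
            findings[name] = where
    return findings


def check_sensitive_files(base, paths=DEFAULT_FILES):
    """Paths from the wordlist that answer 200. A bare status check flags the
    whole list on a soft-404 site (200 for everything), so a path that cannot
    exist is fetched first and responses identical to it are ignored; on real
    targets compare fuzzily (size, hash) rather than byte for byte."""
    _, _, baseline = fetch(base + "/zz-cannot-exist-" + "x" * 12)
    found = []
    for path in paths:
        status, _, body = fetch(base + path)
        if status == 200 and body != baseline:
            found.append(path)
    return found


class _ReflectingTarget(BaseHTTPRequestHandler):
    """Constructed vulnerable target: redirects to a URL built from the
    X-Forwarded-Host/Host header and still serves a leftover .env file."""

    def do_GET(self):
        host = self.headers.get("X-Forwarded-Host") or self.headers["Host"]
        if self.path == "/login":
            self.send_response(302)
            self.send_header("Location", f"http://{host}/account")
            self.end_headers()
            return
        if self.path == "/.env":
            status, body = 200, "DB_PASSWORD=hunter2\n"
        else:
            status, body = 404, "not found"
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_target():
    """Start the constructed target on a free loopback port; returns (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), _ReflectingTarget)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"


if __name__ == "__main__":
    srv, base = start_target()
    print("login:", check_host(base + "/login"))  # {'Host': 'location', 'X-Forwarded-Host': 'location'}
    print("files:", check_sensitive_files(base))  # ['/.env']
    srv.shutdown()
```

Run it directly to see both findings against the constructed target, or point check_host and check_sensitive_files at a real base URL. A canary reflected in a redirect Location is the finding to report first, since it sends users to the attacker's host; a reflection in the page body needs a look at where it lands (a password-reset link is serious, an echoed value in a log view is not). The baseline fetch in check_sensitive_files is the check the status-200 rule described above lacks: without it, a site that answers 200 for every path would flag the whole wordlist.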

B. Performed Tests

• http://testphp.vulnweb.com
Manual tests performed in this environment identified the following weaknesses: XSS, SQL Injection, Missing Security Headers, Subdomain Takeover, Sensitive Data Leak and Host Header Injection.

Automated tests with the scripts, performed in the same environment, took much less time than the manual tests and identified the same weaknesses.

Fig 8:- Execution of XSS scripts over the automatic tool

• https://demo.testfire.net/
In this environment the numbers of manually and automatically detected vulnerabilities are equal, but the automated detection time was reduced. The weaknesses found by both kinds of test are: XSS, SQL Injection, Missing Security Headers, Subdomain Takeover, Sensitive Data Leak and Host Header Injection. Detailed tests on the environment are included in the Annex.

Fig 11:- Running Sensitive Data Leak scripts and detection of the weakness

Fig 12:- Running and detecting Host Header Injection scripts

• http://zero.webappsecurity.com
The weaknesses detected by the automated scripts in this environment are more numerous than those detected manually. Manually detected weaknesses: XSS, SQL Injection, CORS and Missing Security Headers. The automated scripts detected XXE and Sensitive Data Leak in addition to the weaknesses detected manually.

• http://testhtml5.vulnweb.com/
The only manually detected weaknesses are XSS, XXE, CORS and Missing Security Headers. The automated scripts additionally detected Host Header Injection and Sensitive Data Leak.

• Typhoon Vulnerable Machine
In this environment, Missing Security Headers and Sensitive Data Leak vulnerabilities were identified with the automated scripts.

• Damn Vulnerable Web Application
In this environment, XSS, Sensitive Data Leak, Missing Security Headers and SQL Injection were successfully detected with high output.

• bWAPP
In this environment, as mentioned earlier, bWAPP contains most of the OWASP Top 10 vulnerabilities, so the number of vulnerabilities detected is higher: CORS, Host Header Injection, Sensitive Data Leak, Missing Security Headers, SQL Injection and XSS. The output values are high, as can be seen in the test screenshots in the annex.

C. Discussions
Considering the diversity of the environments in which the tests took place, the weaknesses we consider of urgent importance are those that allow attacks carried out remotely by unskilled attackers and that result in complete takeover of the system. For example, in banking applications, weakness vectors such as XSS and SQL injection that can lead to disclosure of customer information fall into this category. In particular, these weaknesses were identified with high output in every environment.

In the information panel, there is a weakness in the image replacement function. Since the uploaded file does not pass the required checks, it was observed that a file containing malware can be uploaded into the user's profile field.

The detected XSS vulnerabilities occur when applications do not have sufficient input and output controls for data coming from outside; a malicious user can execute JavaScript code to steal the session information of the targeted users and redirect their browsers at will. A captured victim's browser can be used to perform port scanning, media recording and video recording on the internal network.

For checking XSS, automatic scanning is better than manual scanning. In manual scanning the penetration tester has to go through all of the input fields and inject the script by hand, which is time consuming; an automatic scanner does all of this in a short period of time.

Manual testing cannot possibly cover everything from A to Z. This is hard for obvious reasons such as time and skills, whereas automated tools can do it with a little human intervention.

Automated tools are the perfect fit for testing a target against more attacks with a large number of payloads, since they can run even a thousand different payloads for one single test. Hence, automated tools can cover the breadth.

An SQL Injection vulnerability is a weakness that allows an attacker to append queries to those the application sends to the database in the background, because the information sent through the application parameters is not properly checked.

V. CONCLUSION AND FUTURE WORKS

It has been observed that the studies and results of different researchers support the technologies I intend to use when developing automated pentest software. In addition, the existence of many security libraries in the Python language, which I will use in the architecture, will have a positive effect on the implementation time of the software. The many tools in the Kali operating system should not be ignored either; the next phase of my work will be to integrate all the tools with which I perform the test operations. The greater output we obtained from the test results shown throughout the study, and the time we gained, provide the basis for the following statements:

• Cost-conscious information security principals who need to do more with less in manual security penetration tests.
• Application security teams that need to provide tiered security and verify results from multiple sources.
• DevOps teams that need application security to reduce the number of false positives associated with traditional tools.
• Red teams that will benefit from a detailed "road map" of the currently highlighted vulnerabilities in applications.

The following areas can be considered as future works:

• Extending the Adaptivity in Pentesting to all environments
• Increasing Attack Vectors with Machine Learning Methods
• Artificial Intelligence in Adaptive Penetration Testing



• Performance of Module Updating in Penetration Testing Tools
• Automated Attack Vector Planning in Penetration Testing
• How can adaptive pentesting improve by learning and/or capturing its expertise during testing?

ACKNOWLEDGMENT

I would first like to thank my thesis advisor Prof. İbrahim SOGUKPINAR of the Computer Engineering Department at Gebze Technical University. The door to Prof. SOGUKPINAR's office was always open whenever I ran into a trouble spot or had a question about my research or writing. He consistently allowed this paper to be my own work, but steered me in the right direction whenever he thought I needed it.
[16]. NIST. Computer Security Resource Center—

