
Proceedings of the Third International Conference on Trends in Electronics and Informatics (ICOEI 2019)

IEEE Xplore Part Number: CFP19J32-ART; ISBN: 978-1-5386-9439-8

A Survey on Vulnerability Assessment & Penetration Testing for Secure Communication

Keyur Patel
Computer Engineering Dept., Marwadi University, Rajkot, Gujarat 360003
Email: [email protected]
Abstract – As technology grows rapidly, the development of systems and software becomes more complex. For this reason, the security of software and web applications becomes more vulnerable. In the last two decades, the use of internet applications and security hacking activities have grown enormously. Organizations face the major challenge of how to secure their web applications from rapidly increasing cyber threats, because an organization cannot compromise the security of its sensitive information. Vulnerability Assessment and Penetration Testing techniques may help organizations find security loopholes. A weakness becomes an asset for the attacker if the organization is not aware of it. Vulnerability Assessment and Penetration Testing helps an organization to cover its security loopholes and determine whether its security arrangements are working as per defined policies or not. To cover the tracks and mitigate the threats it is necessary to install security patches. This paper includes a survey on the current vulnerabilities, the determination of those vulnerabilities, the methodology used for determination, and the tools used to determine the vulnerabilities in order to secure organizations from cyber threats.

Index Terms – Cross-site Scripting (XSS), SQL Injection, Broken Authentication, Security Misconfiguration, Vulnerability Assessment and Penetration Testing (VAPT).

1. INTRODUCTION

As the use of the internet and web applications has grown significantly in the last two decades, there is a huge risk associated with unauthorized access to confidential data and with maintaining the integrity of information. Day by day new exploitation and hacking activities are discovered. Therefore it is really necessary to identify the vulnerabilities and install the security patches for them. This activity has become the highest priority of organizations nowadays.

To help an organization identify the loopholes in its system, Vulnerability Assessment & Penetration Testing (VAPT) techniques are used. They help to determine the reliability of the security arrangements, i.e. whether they are effective against the latest cyber threats or not. This technique helps to develop a secured mechanism which is able to identify the vulnerabilities [1].

The identification of vulnerabilities in a system has become a prime issue for an organization. With the growing technology, the complexity of systems has also increased, so it is very difficult to identify the weaknesses in a system. To stay secure, organizations have to identify the maximum number of vulnerabilities and minimize the threats. To do so they have to do Vulnerability Assessment and Penetration Testing on a regular basis.

VAPT is made up of two things, Vulnerability Assessment (VA) and Penetration Testing (PT); both techniques have their own features and uniqueness. Vulnerability Assessment means scanning the system, identifying the loopholes of the system and generating a report of them. Penetration Testing is a white box testing conducted by the organization to exploit the vulnerabilities identified in the vulnerability assessment report.

There are many vulnerability scanners available in the market which can calculate the damage and threats which can occur due to those vulnerabilities. They can also identify the impact score of a vulnerability and the possible solutions available for it. VAPT techniques identify the flaws so that organizations can decide the priority for the mitigation process. So we can say that the combined package of Vulnerability Assessment and Penetration Testing gives a clear picture of the existing weaknesses along with the risk associated with them.

In this paper, a survey has been presented over the VAPT technique. Section 2, Types of vulnerabilities as per OWASP Top 10 2017. Section 3, An overview of VAPT. Section 4, Tools used for VAPT. Section 5, Conclusion.

2. TYPES OF VULNERABILITIES

Vulnerabilities are the security flaws and weaknesses that pose security risks and can cause damage to the system. A huge number of vulnerabilities are found on a daily basis. A survey found that a minimum of 30-40 vulnerabilities are found every day. The survey conducted by CVE Details says that 14,600 vulnerabilities were reported in 2017, compared to 6447 in 2016 [13]. Once an attacker has found a potential threat or flaw and determined how to access it, he can get unauthorized access to the system. Attackers use specific tools and technologies to identify and analyse security weaknesses. The Open Web Application Security Project (OWASP) is the organization which publishes the latest and trending vulnerabilities related to web applications [7]. Table 1 shows the Top 10 vulnerabilities declared by OWASP in 2017 [3], with their associated Common Weakness Enumeration (CWE) [2].

978-1-5386-9439-8/19/$31.00 ©2019 IEEE 320



TABLE 1
OWASP TOP 10 VULNERABILITIES 2017

Vulnerability                                CWE       Rank
Injection                                    CWE-1027  A1
Broken Authentication & Session Management   CWE-1028  A2
Sensitive Data Exposure                      CWE-1029  A3
XML External Entities                        CWE-1030  A4
Broken Access Control                        CWE-1031  A5
Security Misconfiguration                    CWE-1032  A6
Cross-Site Scripting (XSS)                   CWE-1033  A7
Insecure Deserialization                     CWE-1034  A8
Using Components with Known Vulnerabilities  CWE-1035  A9
Insufficient Logging & Monitoring            CWE-1036  A10

As described in OWASP Top 10-2017, we will give a brief introduction to current trending vulnerabilities like Broken Authentication, SQL Injection, Sensitive Data Exposure, and Cross-Site Scripting [3].

[Fig.1 Survey On Current Vulnerability Scenario: pie chart with segments SQL, Broken Authentication, XSS, Sensitive Data Exposure, Security Misconfiguration and Other Attacks]

A. Cross-Site Scripting:
Cross-Site Scripting (XSS) attacks are one type of injection attack in which malicious scripts are injected into the website code. XSS attacks happen when an attacker makes use of a web application to send malicious code, generally in the form of a browser-side script. This type of attack is generally possible due to improper input validation. So an attacker can insert a malicious script into the application and can get access to the web application [4]. There are three types of Cross-Site Scripting attack:

1) Persistent/Stored XSS: In this type of XSS attack the malicious string is already inserted into the application database. The string was previously accepted as an input string, like feedback text where the data is expected in text format.
2) Reflected XSS: In this type of XSS attack the malicious code is injected in the client request, so it is reflected when the webpage is loaded [8].
3) DOM-based XSS: DOM-based refers to the Document Object Model; generally it is a client-side attack where the malicious string is inserted at the client side and the response also arrives from the client-side code rather than server-side code [8].

B. SQL Injection:
SQL Injection is an attack technique which tries to exploit a database-layer vulnerability of an application. Hackers use this type of injection technique to obtain unauthorized access to the database of a system and to understand the schema of the database and the data included within it. With the help of SQL injection an attacker can attach malicious code to an application, pass that code to the back-end database and get access to it. This malicious code then executes queries which give the attacker sensitive information that should not be disclosed.

The attacker uses the SQL Injection vulnerability to bypass the web application's security mechanisms like authentication and authorization and retrieve the contents of the database. SQL Injection can also be used to modify data with the help of INSERT, DELETE and ALTER queries to add, delete and modify the records of the database, which affects data integrity. So, in general, we can say an SQL vulnerability can provide sensitive information to an attacker through unauthorized access. SQL Injection can be classified into three major categories [11].

1) In-band SQL Injection: This is the most common and easiest way to exploit the SQL Injection vulnerability. In-band SQL Injection occurs when an attacker uses the same channel to inject the malicious code and to get the output. There are two types of In-band SQL Injection [8].

Error-based SQL injection: This type of injection relies on error messages thrown by the database server to obtain information about the database structure.

Union-based SQL injection: This type of injection relies on the UNION SQL operator to combine multiple SELECT statements into one result, which then becomes part of the HTTP response.
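The stored-feedback scenario from the XSS section and the union-based in-band injection just described, as an added example that is not part of the paper: a feedback lookup written with string concatenation beside the parameterized form (preventive measure 1 in Section 5), and the rendering step written unescaped beside the output-encoded form (preventive measure 7). The tables, rows and probe string are constructed sample data.

```python
import html
import sqlite3

# Constructed in-memory database modelled on the paper's "feedback text" scenario:
# user-submitted feedback is stored and later rendered, and a second table holds
# data the feedback lookup should never reach. All rows are sample data.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE feedback (author TEXT, body TEXT)")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO feedback VALUES (?, ?)", [
        ("alice", "Great service"),
        ("bob", "<script>alert(1)</script>"),   # stored-XSS payload accepted as plain text
    ])
    db.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return db

# ---- In-band (union-based) SQL injection: concatenation vs. parameterized query ----

def feedback_by_author_vulnerable(db, author):
    # Untrusted input becomes part of the SQL text, so a quote in it ends the
    # string literal and the rest of the input is parsed as SQL.
    sql = "SELECT author, body FROM feedback WHERE author = '" + author + "'"
    return db.execute(sql).fetchall()

def feedback_by_author_safe(db, author):
    # Preventive measure 1 from the paper: a parameterized query. The driver
    # binds the value separately, so it can only be compared, never parsed.
    sql = "SELECT author, body FROM feedback WHERE author = ?"
    return db.execute(sql, (author,)).fetchall()

# ---- Stored XSS: raw rendering vs. output encoding ----

def render_feedback_vulnerable(rows):
    # The stored body is written into the HTML as-is, so a stored <script>
    # tag runs in every visitor's browser.
    return "".join(f"<li>{author}: {body}</li>" for author, body in rows)

def render_feedback_safe(rows):
    # Preventive measure 7: encode untrusted values for the HTML context at the
    # point of output; the browser then shows the text instead of executing it.
    return "".join(
        f"<li>{html.escape(author)}: {html.escape(body)}</li>" for author, body in rows
    )

UNION_PROBE = "x' UNION SELECT name, secret FROM users --"   # constructed test input

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", feedback_by_author_vulnerable(db, UNION_PROBE))
    print("safe lookup:      ", feedback_by_author_safe(db, UNION_PROBE))
    rows = feedback_by_author_safe(db, "bob")
    print("vulnerable render:", render_feedback_vulnerable(rows))
    print("safe render:      ", render_feedback_safe(rows))
```

The vulnerable lookup returns the row from the users table for the probe string while the parameterized lookup returns nothing, and only the encoded rendering leaves the stored script inert.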


2) Inferential SQL Injection (Blind SQL Injection): In this type of attack the attacker is not able to see the result of the attack and no data is actually transferred via the web application, but the attacker is able to reconstruct the database with the help of payloads by observing the response from the web application and the resulting behaviour of the database. There are two types of Inferential SQL Injection [8].

Boolean-based Blind SQL Injection: In this type of attack the database is questioned with TRUE or FALSE statements and the attacker determines the answer based on the application's response. This attack is often used when the web application is configured to show generic messages but the code has not been secured against SQL vulnerabilities.

Time-based Blind SQL Injection: This type of injection relies on time: when the SQL query is sent to the database it forces the database to wait some amount of time before responding to the request. The response time indicates to the attacker whether the query gave a successful result or not.

Blind SQL injection is similar to normal SQL injection; the only difference with this technique is how the data is retrieved. When the database is not giving proper output via the web application, the attacker tries to obtain output with the help of TRUE or FALSE statements, which makes this vulnerability more difficult and complex to exploit, but not impossible.

3) Out-of-band SQL Injection: This is an unusual type of injection because it depends on the features enabled on the database server used by the web application. It is used when an attacker is unable to use the same channel to trigger the attack and get the results.

C. Broken Authentication & Session Management:
Authentication & session management is a critical section of web application security. Flaws in this area can cause failure to protect the user credentials and session tokens used within one lifecycle. These flaws can lead to serious damage to the system, like takeover of user or administrative accounts, privacy violation, unexpected modification of credentials, and undermining of authorization and accountability controls. Application functions related to authentication and session management are often not implemented correctly; this can allow the attacker to compromise user credentials, the key for encryption-decryption, session tokens or sensitive information which can reveal the user identity. The risks associated with it are privacy violation, identity theft and undermining of authorization and accountability controls [12].

D. Sensitive Data Exposure:
As the name suggests, sensitive data exposure occurs when the web application does not protect information such as passwords, payment information, health data and many more. Nowadays attackers are very smart; they can use this information for further use or can sell the important information of the organization on the dark web. They can access this information for their personal use and can violate the security of the organization. The recent news in early 2019 of the bleeding of 773 Million user credentials from various attacks, which is a really big security breach, is an example of sensitive data exposure.

E. Security Misconfiguration:
Security Misconfiguration comes into the picture when the security of the application is left at the defaults from the environment where the application was developed. If any kind of weakness is left at the time of development then it can be exploited by the attacker and he might get unauthorized access to the system. Perfect security requires a secure configuration defined and deployed for the application, web servers and other related platforms. For security purposes, every organization should have its own defined policies, and security rules should be created according to them. Regular testing of the security should be done and updated security patches installed to prevent this type of attack.

3. OVERVIEW OF VAPT

A. Vulnerability Assessment:
A vulnerability assessment is a process of identifying the security loopholes or vulnerabilities in the computer systems, network or web applications of an organization with the necessary knowledge, understanding of the infrastructure and understanding of the potential threats of the environment. After the whole assessment process is done a detailed report is generated which can be further used for the penetration testing process [1].

Advantage: Vulnerability Assessment is useful for providing the layer-one remediation process for the security of organizations. Also, it is helpful to do thousands of security checks in less time with the help of automation tools.

Disadvantage: Vulnerability Assessment is unable to identify logical attack vectors. Automated tools only generate the analysis according to the policies defined by the tester; if anything is left out then it might not be considered in the analysis. It can generate some unnecessary data, with some false positives included in it.
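An added example, not from the paper, of the hand-off just described: scanner (VA) findings are deduplicated, the ones penetration testing confirmed are kept, the ones it disproved are set aside as false positives, and the confirmed list is ordered by CVSS v3 severity band, which is the CVE/CVSS-based prioritization the conclusion asks for. Host names, CVE numbers and scores are constructed placeholders.

```python
# Constructed sample data: what a scanner reports in the VA phase for one host,
# and what the tester could actually confirm in the PT phase. The CVE numbers
# are placeholders, not real identifiers.
VA_FINDINGS = [
    {"host": "app.example.test", "cve": "CVE-0000-0001", "cvss": 9.8, "title": "SQL injection in login"},
    {"host": "app.example.test", "cve": "CVE-0000-0002", "cvss": 6.1, "title": "Reflected XSS in search"},
    {"host": "app.example.test", "cve": "CVE-0000-0002", "cvss": 6.1, "title": "Reflected XSS in search"},
    {"host": "app.example.test", "cve": "CVE-0000-0003", "cvss": 5.3, "title": "Outdated component banner"},
    {"host": "app.example.test", "cve": "CVE-0000-0004", "cvss": 3.1, "title": "Verbose server header"},
]
# (host, cve) -> True if PT exploited it, False if PT showed it is not real.
# Findings absent from this map were not tested.
PT_RESULTS = {
    ("app.example.test", "CVE-0000-0001"): True,
    ("app.example.test", "CVE-0000-0002"): True,
    ("app.example.test", "CVE-0000-0003"): False,   # version banner was old but patched: false positive
}

def cvss_rating(score):
    """CVSS v3 qualitative severity bands (None, Low, Medium, High, Critical)."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def reconcile(va_findings, pt_results):
    """Merge the VA report with PT confirmation.

    Returns (confirmed, false_positives, untested). Scanners commonly report the
    same issue once per URL, so duplicates by (host, cve) are collapsed first.
    The confirmed list is sorted highest CVSS first: the remediation order.
    """
    seen = set()
    confirmed, false_positives, untested = [], [], []
    for finding in va_findings:
        key = (finding["host"], finding["cve"])
        if key in seen:
            continue
        seen.add(key)
        entry = dict(finding, severity=cvss_rating(finding["cvss"]))
        verdict = pt_results.get(key)
        if verdict is True:
            confirmed.append(entry)
        elif verdict is False:
            false_positives.append(entry)
        else:
            untested.append(entry)
    confirmed.sort(key=lambda e: e["cvss"], reverse=True)
    return confirmed, false_positives, untested

def remediation_plan(va_findings, pt_results):
    """One line per confirmed finding in priority order, plus a summary line."""
    confirmed, false_positives, untested = reconcile(va_findings, pt_results)
    lines = [
        f"{i}. [{e['severity']}] {e['cve']} ({e['cvss']}) {e['title']} on {e['host']}"
        for i, e in enumerate(confirmed, 1)
    ]
    lines.append(f"False positives removed: {len(false_positives)}; not yet tested: {len(untested)}")
    return lines

if __name__ == "__main__":
    for line in remediation_plan(VA_FINDINGS, PT_RESULTS):
        print(line)
```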


[Fig.2 VAPT Process Diagram]

B. Penetration Testing:
Penetration Testing is a technique in which the tester tries to exploit the vulnerabilities of computer systems, networks or web applications which were found in the vulnerability assessment phase. It is also known as Ethical Hacking. By performing Penetration Testing the tester comes to know which vulnerabilities are actually present in the system and which are false positives [1].

Advantages: It helps to remove false positives from all the layers of the security model. It helps in analysing the vulnerabilities in detail and accordingly generates the impact score of the vulnerabilities. It takes the mitigation of unnecessary controls into account and helps in designing the perfect security model.

Disadvantages: Requires more time to execute the whole process. A guaranteed output of vulnerabilities is not available. Requires a high cost because a dedicated team and specialized persons are required to do the process.

C. Benefits of VAPT:
The combined process of VAPT is very effective for identifying the security loopholes in the system. VAPT offers many benefits for organizations, which are listed below:
1) A detailed view of potential threats and risks faced by an application can be provided.
2) Identifies the security errors left during the creation of the application which lead to cyber-attacks.
3) Provides risk management and also a perfect security model for the organization.
4) Provides security to the business against the loss of money and reputation.
5) Secures the application from internal and external attacks and protects the organization from various malicious attacks.

4. VAPT TOOLS
There are a bunch of tools available for the VAPT technique. Each tool has its own different functionality. Let us list some of the tools and their functionality [5].

A. NMAP: Network Mapper, an open source and freely available tool to determine hosts and the services running on them. It can work with any operating system, so we can say it is a cross-platform tool.

B. Nessus: Nessus is a commercial tool and widely used by organizations. It is a vulnerability assessment tool which is used for scanning network systems and web applications. Nessus gives a full detailed report according to user-defined policies. Nessus is the product of Tenable Community, which updates its security plugins regularly.

C. Burp Suite: Burp Suite is a tool used for web application testing. Burp Suite is available in both freeware and commercial versions. It is used to intercept ongoing requests and manipulate the requests and responses. Attacks like brute force can be done with the help of Burp Suite.

D. Acunetix: Acunetix is a commercial tool like Nessus. It is used for identifying the vulnerabilities in web applications. It is available for both operating systems, Windows and Linux. The key feature of this tool is that it can support single page applications as well [10].

E. Metasploit: Metasploit is the most popular and advanced tool made for penetration testing. It contains lots of payloads and exploits for testing purposes. It is a CLI-based tool and is also available as a GUI-based tool named 'Armitage'. It works on web applications, mobile phones, computers, servers etc. It is also available as a commercial tool.

F. theHarvester: theHarvester is used for information gathering in the vulnerability assessment phase. It can help to gather information like email-ids, usernames, hostnames, subdomains etc. It is a very effective tool while testing email security. This tool can be used for spear phishing.


G. Wireshark: Wireshark is used when it comes to network security. It is used to analyse all the network-layer traffic and packets, so it is known as a packet sniffer. It is freeware and an inbuilt tool in operating systems like Kali, BackTrack and Parrot OS. It is a cross-platform network protocol analyser. Its original name was Ethereal [9].

H. Zed Attack Proxy (ZAP): ZAP is developed by the organization called Open Web Application Security Project (OWASP). It is freeware and inbuilt in operating systems like Kali and Parrot. It is designed only to scan web applications. It includes features like proxy interception, scanning and a spider to crawl all the pages of web applications.

I. BeEF: BeEF stands for "The Browser Exploitation Framework". It is used for penetration testing based on browser vulnerabilities. It is a freeware tool. It helps to identify zombie browsers in real time with their vulnerabilities. It provides a command and control interface which helps to control an individual as well as a group of victims.

J. SQLMAP: SQLMAP is again an open-source tool used for the purpose of penetration testing. SQLMAP identifies and detects the vulnerabilities available in SQL databases. This tool is so powerful that it can give all the information which is stored in the SQL database. It is a CLI-based tool available for all operating systems.

5. PREVENTIVE MEASURES AGAINST OWASP TOP 10
1) For Injection, it is easy to identify injection flaws while doing application security testing. Developers can use input validation and parameterized queries to safeguard against this vulnerability.
2) For Broken Authentication & Session Management, the best way is to use multifactor authentication, which can provide more security in identifying the authorized user.
3) For Sensitive Data Exposure, encryption of data at rest and in transit can decrease the risk of exploitation.
4) For XML External Entities, similar to the injection technique, the developer can identify it during application security tests. Proper security test cases and input validation can do the work.
5) For Broken Access Control, try more and more penetration techniques to reach all the loopholes.
6) For Security Misconfiguration, Dynamic Application Security Testing can detect misconfigured APIs, code etc.
7) For Cross-Site Scripting, best coding techniques like encoding, input validation, inbound/outbound input handling and content filtering can do the job [6].
8) For Insecure Deserialization, regular penetration testing and application testing is needed to validate the problem.
9) For Using Components with Known Vulnerabilities, analysis of the software infrastructure with static analysis techniques can detect insecure versions of components.
10) For Insufficient Logging & Monitoring, examine all the logs and try to think like an attacker while doing pen testing to do sufficient monitoring.

6. CONCLUSION
Potential threats to the integrity and confidentiality of sensitive data and the organization's resources have increased too much. To safeguard against cyber-attacks, organizations perform VAPT to check the security of the system architecture as per the designed security model. We have listed some of the VAPT tools which are used to identify the vulnerabilities in the system. Smart attackers are finding new ways to bypass the security of applications, so day by day new vulnerabilities are added to the list; these should be addressed in the organization's security model so that the risk of attack from those vulnerabilities can be mitigated. Regularly updating the security policies and mechanisms of the security model may decrease the chances of being exploited through the evolved vulnerabilities. To make VAPT results meaningful they must be prioritized and explained with CVE numbers, which can be taken from industry standard references like the National Vulnerability Database (NVD), Common Vulnerability Scoring System (CVSS), Open Source Vulnerability Database (OSVDB), CVE Details etc. [1]

REFERENCES
[1] Shinde, P. and Ardhapurkar, S. (2016). Cyber security analysis using vulnerability assessment and penetration testing. 2016 World Conference on Futuristic Trends in Research and Innovation for Social Welfare (Startup Conclave).
[2] Cwe.mitre.org. (2019). CWE - Common Weakness Enumeration. [online] Available at: https://cwe.mitre.org/ [Accessed 15 Mar. 2019].
[3] Owasp.org. (2019). Top 10-2017 Top 10 - OWASP. [online] Available at: https://www.owasp.org/index.php/Top_10-2017_Top_10 [Accessed 15 Mar. 2019].
[4] Pranathi, K., Kranthi, S., Srisaila, A. and Madhavilatha, P. (2018). Attacks on Web Application Caused by Cross Site Scripting. 2018 Second International Conference on Electronics, Communication and Aerospace Technology (ICECA).
[5] Shebli, H. and Beheshti, B. (2018). A study on penetration testing process and tools. 2018 IEEE Long Island Systems, Applications and Technology Conference (LISAT).
[6] Taha, T. and Karabatak, M. (2018). A proposed approach for preventing cross-site scripting. 2018 6th International Symposium on Digital Forensic and Security (ISDFS).
[7] Hasan, A., Meva, D., Roy, A. and Doshi, J. (2017). Perusal of web application security approach. 2017 International Conference on Intelligent Communication and Computational Techniques (ICCT).


[8] Nagpure, S. and Kurkure, S. (2017). Vulnerability Assessment and Penetration Testing of Web Application. 2017 International Conference on Computing, Communication, Control and Automation (ICCUBEA).
[9] Sandhya, S., Purkayastha, S., Joshua, E. and Deep, A. (2017). Assessment of website security by penetration testing using Wireshark. 2017 4th International Conference on Advanced Computing and Communication Systems (ICACCS).
[10] Kadam, S., Mahajan, B., Patanwala, M., Sanas, P. and Vidyarthi, S. (2016). Automated Wi-Fi penetration testing. 2016 International Conference on Electrical, Electronics, and Optimization Techniques (ICEEOT).
[11] Abirami, J., Devakunchari, R. and Valliyammai, C. (2015). A top web security vulnerability SQL injection attack — Survey. 2015 Seventh International Conference on Advanced Computing (ICoAC).
[12] Al-Khurafi, O. and Al-Ahmad, M. (2015). Survey of Web Application Vulnerability Attacks. 2015 4th International Conference on Advanced Computer Science Applications and Technologies (ACSAT).
[13] Cvedetails.com. (2019). CVE security vulnerability database. Security vulnerabilities, exploits, references and more. [online] Available at: https://www.cvedetails.com/ [Accessed 17 Mar. 2019].
