
Design of a pentesting for a web application based on the owasp v.4 methodology

Anonymous

Through this project, a Pentesting design based on the OWASP V.4 methodology (OWASP Testing Guide v4) was produced in order to evaluate the security of the Orfeo application (a document management system).

The project followed the guidelines defined in recognized standards, such as the international standard ISO 27002 and the national cybersecurity and cyberdefense policy guidelines of CONPES 3854 of 2016.


Once the applicable regulatory framework was identified, a diagnosis of the procedures and methodologies currently defined in the New Era Support Group was made. The collected information was analyzed to prepare the penetration test under the "Gray Box" strategy, the type of test used in the developed design. Finally, based on the information collected, two final reports are prepared in the documentation phase of the Pentest, the Executive Report and the Technical Report, which are delivered to the managers of the New Era Support Group.

Index Terms: Threat, Security Audit, Cybersecurity, Gray Box, Pentesting, Vulnerability.

INTRODUCTION

In recent years, the security of the web applications in organizations' information systems has been increasingly compromised, whether by malware or by deliberate computer attacks, compounded by administrative and information-management errors such as poorly prepared configurations, human error, inefficient security policies and other vulnerabilities that an attacker can exploit to damage an information system. The attacker may be an individual, a group of hackers or a nation state. Their ultimate goal is to disrupt business operations and to disable applications, servers and communication networks, temporarily or permanently.

To counter this problem, organizations should carry out penetration tests regularly, advisably at least every six months; however, such audits are expensive when contracted externally. For this reason, the Office of Telematics - Coordination of the New Era Support Group is advised on the design and development of a security Pentest to be carried out by the members of the organization's own security area. These penetration tests are essential to ensuring the operation of the Orfeo document management application, which manages the information of all personnel of the New Era Support Group and is interconnected with a Human Resources application. Internal support from the organization is therefore needed to safeguard the information and the operation of the business, and a test should also be run whenever the organization faces any of these events:

  a) The security system discovers new threats.
  b) New network infrastructure is added.
  c) The system is updated or new software is installed.
  d) A new end-user program or policy is configured.

The present project therefore focused specifically on designing a Pentesting prepared exclusively for the New Era Support Group. This Office has 150 workstations and approximately 500 users connected daily to Orfeo. Because of the institution's status, its information is considered among the most sensitive in the country, so it must be guaranteed that these documents are not accessible to third parties. Hence the need to know the Office's current cybersecurity status, to learn part of its current management of this topic, and to guide it on the scenarios that must be considered beforehand, the minimum requirements for executing a penetration test, and the aspects that should be covered by other mechanisms (review of configurations and procedures, application audits, etc.), so that the delivered reports are of real use to IT staff.

The project is developed on the OWASP V.4 methodology adapted into four phases:

  1. Information gathering
  2. Scanning
  3. Exploitation
  4. Documentation

Figure 2. Phases for the elaboration of the Pentesting

Finally, based on the findings, two final reports are prepared in the documentation phase of the Pentest, the Executive Report and the Technical Report, which are delivered to the directors of the New Era Support Group.

II. METHODOLOGY

The methodology used in the design of the Pentesting is based on qualitative research with an initial inductive approach; the design is flexible and incorporates the findings made from start to finish.

It takes a holistic perspective, studying the elements surrounding the Pentest project through interviews, direct observation and analysis of each document provided. For this reason the work was divided into the stages shown in Figure 3.

Figure 3. Stages implemented in the methodology

A) Stage 1: Type of Information

Information is gathered in stages, starting with the basic information related to the Why. Once that is available, the What and the How are investigated as the search strategy.

B) Stage 2: Source of Information

Two sources of information were considered at this stage in order to obtain a reliable result.

  • Population: The actors involved with the web application, both directly and indirectly, were taken into account, that is, those who interact with it and those who protect it from possible attacks.
  • Sample: To determine the population elements, the first phase of the Pentesting, information gathering, is applied, together with a descriptive analysis of the users who interact with the web application. The reference personnel were taken from the Telematics Office: the application developer, an apprentice, the backup administrator and the main administrator, since they hold the relevant information on the application architecture and have a thorough understanding of how the tool works. These people provided information about the application manuals, the policies, the network architecture and the last audit carried out.

C) Stage 3: Information search tools

  • General Survey of the Web Application: The result of this survey was decisive for starting the investigative process in the Telematics Office, since data was needed that would bring us closer to the application and show its importance to users. The first filter was obtaining the collaboration of the manager in charge, who provided the initial information and confirmed the need to carry out the Pentest as an aid to their department. A basic and concise questionnaire was designed on general aspects and on some business perspectives; the answer options were YES/NO and durations given in months. It consists of 10 questions, which can be found as an Annex at the end of this work (Survey for the Collection of Information).

  • Web application technical questionnaire: The information requested in this questionnaire provides data focused on the web application: usability, configuration, infrastructure and security data. The information was collected through detailed questionnaires applied to the main actors involved in operating the application (developer, backup administrator and main administrator). They offered the most relevant information and stated the expectations they had of the Pentesting, namely that attack techniques would be applied and the vulnerabilities found during this security audit would then be controlled. The purpose of this interview technique is to obtain indicators that allow the initial vulnerabilities and possible threats to be measured as a starting point; the objective of the surveys is to establish a baseline of information about the controls the application currently has. The answer option was free descriptive text, which allows the answer to be given openly. The results were a key factor in starting the penetration test and in supporting the importance of this work, both for the Telematics Office and for us.

  • Direct observation: This technique was selected for its effectiveness, since it describes the use of the application directly and dynamically. The main actors were observed interacting with the application in order to give clearer answers to the questions. In the case of the application developer, his explanations were short and he had to rely on the tool to expand on his answers; for example, in the role assignment test he walked through the cascading menus to show how a user is created, how permissions are assigned, and the hierarchy of application management and control. The benefit of this technique for data collection is that the data is reliable, since it comes from one of the primary sources. It was the most effective technique for the initial process and very easy to apply, as it provides adequate data and exact, identified behaviours in the use of the application.

Analysis of the information collected: Once the search and description strategies had been completed and consolidated in the Pentest design, an evaluation was carried out using the conventional method: the responses were tabulated in an Excel template and an interpretive analysis was performed graphically.

Figure 4. Security percentage of the Orfeo Application based on the survey.

The open-question survey was consolidated by number of participants and by the knowledge and perception they have of the application, that is, whether they know the application and how it is composed. Each data group contains 5 questions, and from these five the ones the actor does not know about the application are selected. According to Figure 4, the main actors do not fully know the application in security matters; the index is too low for the importance of the role they hold. Likewise, comparing the knowledge of the Backup Administrator with that of the Developer shows that participant 1 knows more about the application than the Backup Administrator despite holding a lower role. Consequently, it can be deduced that the training given by the main administrator to the backup administrator is deficient, which could have dire consequences should participant 3 leave the role.

Table 1. Participants in the survey

III. RESULTS

To evaluate the security of the Orfeo web application (document management system) of the New Era Support Group, a Pentesting based on the OWASP V.4 methodology was designed. The tests per phase are described in Figure 5.

Figure 5. General Description of Tests by Pentesting Phase

This design was validated by executing the Pentesting, during which several vulnerabilities were detected with the following tests:

  • Information gathering tests
  • Search engine discovery and reconnaissance
  • Role definition test
  • Weak or unenforced username policy test
  • Authentication tests
  • Network / infrastructure configuration tests
  • Directory traversal test
  • Bypassing the authorization schema test
  • Session management schema test
  • Exposed session variables test
  • Reflected cross-site scripting tests
  • Clickjacking tests
  • SQL injection tests
  • Clear-text (unencrypted) password transport test
  • User input / login test
  • Information leakage test
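Several items in this list (clickjacking, exposed session variables, clear-text password transport and information leakage) can be triaged passively from a single captured response, which is how a gray-box tester typically reviews a login page before moving to the exploitation phase. The script below is an added example written for this article; it is not code from the Orfeo project or from the original study. The host, headers, cookie value, form field names and HTML body are constructed for illustration, and the list of session-parameter names is an assumption (common defaults), not something taken from Orfeo.

```python
"""Passive, offline checks for several OWASP Testing Guide v4 items named in
the test list above: clickjacking protection, exposed session variables,
clear-text password transport and information leakage via headers.

Added example for this article; not code from the Orfeo project or the
original study. All sample data below is constructed for illustration."""
import re
from typing import List, Tuple
from urllib.parse import urljoin, urlparse

Header = Tuple[str, str]

# Assumption: common session-parameter names; Orfeo's real names are not given here.
SESSION_PARAM_NAMES = ("PHPSESSID", "JSESSIONID", "sessionid", "sid")

# Constructed sample: a login page served over plain HTTP, as a gray-box tester
# might capture it with an intercepting proxy. Host, cookie value and field
# names are made up.
SAMPLE_URL = "http://intranet.example.test/app/login.php"
SAMPLE_HEADERS: List[Header] = [
    ("Server", "Apache/2.2.15 (CentOS)"),
    ("X-Powered-By", "PHP/5.3.3"),
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "PHPSESSID=0123456789abcdef; path=/"),
]
SAMPLE_BODY = """<html><body>
<form method="post" action="http://intranet.example.test/app/login.php">
  <input name="usuario"><input type="password" name="clave">
</form>
<a href="/app/bandeja.php?PHPSESSID=0123456789abcdef">Inbox</a>
</body></html>"""


def _get(headers: List[Header], name: str) -> List[str]:
    """Return every value of a header, case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]


def check_clickjacking(headers: List[Header]) -> List[str]:
    """Clickjacking: the page must forbid framing via X-Frame-Options or CSP."""
    xfo = _get(headers, "X-Frame-Options")
    csp_frames = any("frame-ancestors" in v.lower()
                     for v in _get(headers, "Content-Security-Policy"))
    if not xfo and not csp_frames:
        return ["Clickjacking: no X-Frame-Options and no CSP frame-ancestors"]
    if xfo and xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        return [f"Clickjacking: unrecognised X-Frame-Options value '{xfo[0]}'"]
    return []


def check_session_cookies(headers: List[Header]) -> List[str]:
    """Exposed session variables: session cookies need HttpOnly and Secure."""
    findings = []
    for raw in _get(headers, "Set-Cookie"):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.split("=", 1)[0].strip().lower() for a in raw.split(";")[1:]}
        if name in SESSION_PARAM_NAMES or "sess" in name.lower():
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"Session cookie {name} lacks {flag}")
    return findings


def check_session_in_url(body: str) -> List[str]:
    """Exposed session variables: a token in a URL leaks via logs and Referer."""
    pattern = re.compile(r"[?&](" + "|".join(SESSION_PARAM_NAMES) + r")=[^&\"'\s]+", re.I)
    return [f"Session token exposed in URL parameter {m.group(1)}"
            for m in pattern.finditer(body)]


def check_cleartext_password(url: str, body: str) -> List[str]:
    """Clear-text password: any form with a password field must post over HTTPS."""
    findings = []
    for form in re.finditer(r"<form\b([^>]*)>(.*?)</form>", body, re.I | re.S):
        attrs, inner = form.group(1), form.group(2)
        if not re.search(r"type\s*=\s*[\"']?password", inner, re.I):
            continue
        action = re.search(r"action\s*=\s*[\"']([^\"']*)", attrs, re.I)
        # A relative action inherits the scheme of the page it was served on.
        target = urljoin(url, action.group(1) if action else "")
        if urlparse(target).scheme.lower() != "https":
            findings.append(f"Password form submits over clear-text HTTP to {target}")
    return findings


def check_info_leakage(headers: List[Header]) -> List[str]:
    """Information leakage: version strings in banner headers aid fingerprinting."""
    return [f"Information leakage: {name} reveals version '{v}'"
            for name in ("Server", "X-Powered-By", "X-AspNet-Version")
            for v in _get(headers, name) if re.search(r"\d+\.\d+", v)]


def analyze(url: str, headers: List[Header], body: str) -> List[str]:
    """Run all passive checks over one captured response and list the findings."""
    return (check_clickjacking(headers) + check_session_cookies(headers)
            + check_session_in_url(body) + check_cleartext_password(url, body)
            + check_info_leakage(headers))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

On the constructed sample the script reports seven findings: missing framing protection, a session cookie without HttpOnly and Secure, the same token echoed in a URL, a password form posting over HTTP, and two version-revealing banner headers. Each of these is a candidate for the severity/confidence table that follows, but a passive check only establishes the condition; the exploitation phase still has to confirm impact (for instance, that the framed page actually exposes a sensitive action).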

For the analysis, the tests described above combined vulnerability scanning and detection tools with manual analysis tests. The following risk table was obtained as a result.

Table 2. Vulnerability analysis by severity and confidence

As can be seen, the 35 tests carried out of the 53 defined in the design already reveal security vulnerabilities in the Orfeo application; it is evident that around 30 percent of Orfeo is under threat, which confirms the need to implement the proposed design.

IV. DISCUSSION

This study set out to design a Pentesting for a web application and, in addition, to guide the New Era Support Group and its cybersecurity team, through a methodology, in carrying out these tests on the security of the information in the applications it develops or acquires. The results of this project show that it is vitally important to secure systems against as many possible threats as possible, and to have people in charge of establishing these security measures and keeping them active and up to date.

These results agree with those obtained in previous studies, such as the Open Web Application Security Project (OWASP) Top 10 of vulnerabilities frequently found in web applications put into production. However, many of the tests recommended by the OWASP methodology were not by themselves sufficient to detect vulnerabilities, so other authors and techniques were consulted, because computer attacks evolve every day and the infrastructures supporting these applications already have some controls in place.

There are several possible explanations for these results, as described by each of the findings:

  • There is no security policy for error handling and user access.
  • There is no security policy for user administration management.
  • There is no documentation of the application deployment diagrams.
  • There are no technical manuals for the application source code, except the one provided by Orfeogpl, which is outdated.
  • There is no documentation of the RFC (Request for Change) records used to control changes made to the application.
  • Personnel are inexperienced in information security.
  • The infrastructure supporting the application, such as the web application servers, is inefficiently configured.
  • There is no validation of the applications or information systems contracted from third parties.
  • There are no security policies for the development of secure web applications.

Given the small sample size, caution is needed when interpreting the results, because only 35 of the 53 designed tests were executed and analyzed. It must also be borne in mind that Orfeo is an open-source application whose source code is published on the web, which exposes more of its implementation to attackers and therefore calls for greater security measures. The number of vulnerabilities classified as High suggests that many more could appear once all 53 designed tests are executed. Future studies on this topic should address the phases of the web application development life cycle, since many of these findings originate in the design and implementation of the web applications.

V. CONCLUSIONS

To conclude this article, it is worth stressing the importance of conducting Pentesting on web applications in the context of information security, since these tests give the organization a view of what kind of security it has implemented and of which aspects need to be improved or have been restricted. If security policies are well targeted, the gaps in the development life cycle of its web applications will be smaller.

This project proposed the design of a Pentesting based on the OWASP V.4 methodology to evaluate the security of the Orfeo web application (document management system). The exploratory study demonstrated that there are vulnerabilities in the Orfeo application and that the same threats possibly exist in the other systems of the New Era Support Group Telematics Office.

The findings in this report are subject to several limitations, among them the security policies that restrict access to some system resources and the sample size of the tests executed. It is recommended that web application security measures be applied not only to applications in the production environment but also to those in the development and testing phases.

Finally, because Orfeo is an open-source web application, any entity wishing to deploy its source code is advised to adjust both the code and the implementation of the supporting infrastructure to mitigate the security risks it presents.

VI. ACKNOWLEDGMENTS

To the managers who guided this work and allowed us to move forward, and to the teachers who left their mark over the course of this Specialization, especially Engineer Jairo E. Márquez D, for inspiring us to follow the line of Pentesting, for his passion for what he does through teaching, and for the contribution made through his subject.

Likewise, to the people who took an interest in this research, such as Eng. Fabián Blanco, for their advice and help in allowing us to complete it.
