Skip to main content
SpringerLink
Log in

Penetration Testing for the Cloud-Based Web Application

  • Conference paper
  • First Online:
ICT: Innovation and Computing (ICTCS 2023)

Part of the book series: Lecture Notes in Networks and Systems ((LNNS,volume 879))

  • 53 Accesses

Abstract

This paper discusses methods, tools, approaches, and techniques used for the penetration testing on the cloud-based web application on Amazon AWS platform. The findings of a penetration test could be used to fix weaknesses and vulnerabilities and significantly improve security. The testing is implemented by undertaking a malicious attack aiming to breach system networks and thereby confirm the presence of cloud infrastructure. The research focuses on cloud-based web applications’ high-risk vulnerabilities such as unrestricted file upload, command injection, and cross-site scripting. The outcomes expose and approved some vulnerabilities, flaws, and mistakes in the utilised cloud-based web application. It is concluded that some vulnerabilities have to be considered before architecting the cloud system. Recommendations are proposing solutions to testing results.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 169.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 219.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Thompson C (2022) Penetration testing versus red teaming: clearing the confusion. https://securityintelligence.com/posts/penetration-testing-versus-red-teaming-clearing-the-confusion/. Last accessed 16 May 2022

  2. Fonseca J, Vieira M (2008) Mapping software faults with web security vulnerabilities. In: 2008 IEEE international conference on dependable systems and networks with FTCS and DCC (DSN). IEEE, Anchorage, AK, pp 257–266. https://doi.org/10.1109/DSN.2008.4630094

  3. Nettitude (2023) Cloud penetration testing | CREST Certified | Nettitude. https://www.nettitude.com/uk/penetration-testing/cloud-service-testing/. Last accessed 03 Jan 2023

  4. PurpleBox (2023) The ultimate guide for cloud penetration testing. https://www.prplbx.com/resources/blog/cloud-pentesting/. Last accessed 03 Jan 2023

  5. Varghese J (2023) Cloud penetration testing: a complete guide. https://www.getastra.com/blog/security-audit/cloud-penetration-testing/. Last accessed 03 Jan 2023

  6. Sun XD et al (2019) Artificial intelligence design research on the cyber security penetration testing of power grid enterprises. IOP Conf Ser Earth Environ Sci 354(1). https://doi.org/10.1088/1755-1315/354/1/012104

  7. Jones S (2019) Venezuela blackout: what caused it and what happens next? https://www.theguardian.com/world/2019/mar/13/venezuela-blackout-what-caused-it-and-what-happens-next

  8. Ukraine power cut “was cyber-attack” (2017). https://www.bbc.com/news/technology-38573074

  9. Solon O, Hern A (2017) “Petya” ransomware attack: what is it and how can it be stopped? https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how

  10. Fonseca J et al (2008) Training security assurance teams using vulnerability injection. In: 2008 14th IEEE Pacific rim international symposium on dependable computing, pp 297–304. https://doi.org/10.1109/PRDC.2008.43

  11. AWS (2023) Web hosting—Amazon web services (AWS). https://aws.amazon.com/websites/. Last accessed 03 Jan 2023

  12. Orebaugh A, Pinkard B (2008) Nmap in the enterprise: your guide to network scanning. Syngress Publishing, Burlington, MA

    Google Scholar 

  13. Mah BA (1997) An empirical model of HTTP network traffic. In: Proceedings of INFOCOM’97, vol 2, pp 592–600. https://doi.org/10.1109/INFCOM.1997.644510

  14. Huang J et al (2019) UChecker: automatically detecting PHP-based unrestricted file upload vulnerabilities. In: 2019 49th Annual IEEE/IFIP international conference on dependable systems and networks (DSN). IEEE, Portland, OR, USA, pp 581–592. https://doi.org/10.1109/DSN.2019.00064

  15. OWASP (2022) Unrestricted file upload | OWASP Foundation, https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload. Last accessed 28 Dec 2022

  16. Starov O et al (2016) No honor among thieves: a large-scale analysis of malicious web shells. In: Proceedings of the 25th international conference on World Wide Web. International World Wide Web conferences steering committee, Montréal, Québec, Canada, pp 1021–1032. https://doi.org/10.1145/2872427.2882992

  17. Acunetix (2022) How file upload forms are used by online attackers. https://www.acunetix.com/websitesecurity/upload-forms-threat/. Last accessed 28 Dec 2022

  18. Zheng Y, Zhang X (2013) Path sensitive static analysis of web applications for remote code execution vulnerability detection. In: 2013 35th International conference on software engineering (ICSE). IEEE, San Francisco, CA, USA, pp 652–661. https://doi.org/10.1109/ICSE.2013.6606611

  19. Choi H, Kim Y (2018) Large-scale analysis of remote code injection attacks in android apps. Secur Commun Networks 2018:1–17. https://doi.org/10.1155/2018/2489214

    Article  Google Scholar 

  20. OWASP (2022) OWASP Top Ten | OWASP Foundation. https://owasp.org/www-project-top-ten/. Last accessed 30 Dec 2022

  21. Mohan A et al (2022) Automated tools and techniques in vulnerability assessment. In: 2022 4th International conference on smart systems and inventive technology (ICSSIT). IEEE, Tirunelveli, India, pp 533–540. https://doi.org/10.1109/ICSSIT53264.2022.9716474

  22. López de Jiménez RE (2016) Pentesting on web applications using ethical-hacking. In: 2016 IEEE 36th Central American and Panama convention (CONCAPAN XXXVI), pp 1–6. https://doi.org/10.1109/CONCAPAN.2016.7942364

  23. Cheng K et al (2010) An optimizing Chinese string matching algorithm based on the URL encoding. In: 2010 WASE international conference on information engineering. IEEE, Beidaihe, Hebei, pp 23–25. https://doi.org/10.1109/ICIE.2010.13

  24. Khawaja G (2021) Bash scripting. In: Kali Linux penetration testing Bible, pp 49–63

    Google Scholar 

  25. Hasan A, Meva D (2018) Web application safety by penetration testing. Social Science Research Network, Rochester, NY

    Google Scholar 

  26. Zalbina MR et al (2017) Payload recognition and detection of Cross Site Scripting attack. In: 2017 2nd International conference on anti-cyber crimes (ICACC). IEEE, Abha, Saudi Arabia, pp 172–176. https://doi.org/10.1109/Anti-Cybercrime.2017.7905285

  27. Kalra U (2020) CSRF and XSS attacks and defense mechanisms 5(11)

    Google Scholar 

  28. Salas MIP, Martins E (2014) Security testing methodology for vulnerabilities detection of XSS in web services and WS-security. Electron Notes Theor Comput Sci 302:133–154. https://doi.org/10.1016/j.entcs.2014.01.024

    Article  Google Scholar 

  29. CNET News staff (2023) Netscape and Sun Unveil JavaScript. https://www.cnet.com/tech/services-and-software/netscape-and-sun-unveil-javascript/. Last accessed 05 Jan 2023

  30. Jensen SH et al (2009) Type analysis for JavaScript. In: Palsberg J, Su Z (eds) Static analysis. Springer, Berlin, pp 238–255. https://doi.org/10.1007/978-3-642-03237-0_17

  31. OWASP (2023) Types of XSS | OWASP Foundation. https://owasp.org/www-community/Types_of_Cross-Site_Scripting. Last accessed 04 Jan 2023

  32. Bellatriu OC (2014) Penetration testing automation system 105

    Google Scholar 

  33. Pierce J et al (2006) Penetration testing professional ethics: a conceptual model and taxonomy. Australas J Inf Syst 13:2. https://doi.org/10.3127/ajis.v13i2.52

    Article  Google Scholar 

  34. Khan ME, Khan F (2012) A comparative study of white box, black box and grey box testing techniques. Int J Adv Comput Sci Appl 3(6). https://doi.org/10.14569/IJACSA.2012.030603

Download references

Author information

Authors and Affiliations

  1. Computing Department, CDI, Buckinghamshire New University, High Wycombe, UK

    Rafid Al-Khannak

  2. Buckinghamshire New University, High Wycombe, UK

    Sajjan Singh Nehal

Authors
  1. Rafid Al-Khannak
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sajjan Singh Nehal
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Rafid Al-Khannak .

Editor information

Editors and Affiliations

  1. Global Knowledge Research Foundation, Ahmedabad, Gujarat, India

    Amit Joshi

  2. Nottingham Trent University, Nottingham, UK

    Mufti Mahmud

  3. University of Peradeniya, Kandy, Sri Lanka

    Roshan G. Ragel

  4. Department of Comp Sci & Engg, SNS College of Technology, Coimbatore, Tamil Nadu, India

    S. Karthik

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Al-Khannak, R., Nehal, S.S. (2024). Penetration Testing for the Cloud-Based Web Application. In: Joshi, A., Mahmud, M., Ragel, R.G., Karthik, S. (eds) ICT: Innovation and Computing. ICTCS 2023. Lecture Notes in Networks and Systems, vol 879. Springer, Singapore. https://doi.org/10.1007/978-981-99-9486-1_3

Download citation

  • DOI: https://doi.org/10.1007/978-981-99-9486-1_3

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-9485-4

  • Online ISBN: 978-981-99-9486-1

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics

Search

Navigation