Abstract
This paper discusses methods, tools, approaches, and techniques used for the penetration testing on the cloud-based web application on Amazon AWS platform. The findings of a penetration test could be used to fix weaknesses and vulnerabilities and significantly improve security. The testing is implemented by undertaking a malicious attack aiming to breach system networks and thereby confirm the presence of cloud infrastructure. The research focuses on cloud-based web applications’ high-risk vulnerabilities such as unrestricted file upload, command injection, and cross-site scripting. The outcomes expose and approved some vulnerabilities, flaws, and mistakes in the utilised cloud-based web application. It is concluded that some vulnerabilities have to be considered before architecting the cloud system. Recommendations are proposing solutions to testing results.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Thompson C (2022) Penetration testing versus red teaming: clearing the confusion. https://securityintelligence.com/posts/penetration-testing-versus-red-teaming-clearing-the-confusion/. Last accessed 16 May 2022
Fonseca J, Vieira M (2008) Mapping software faults with web security vulnerabilities. In: 2008 IEEE international conference on dependable systems and networks with FTCS and DCC (DSN). IEEE, Anchorage, AK, pp 257–266. https://doi.org/10.1109/DSN.2008.4630094
Nettitude (2023) Cloud penetration testing | CREST Certified | Nettitude. https://www.nettitude.com/uk/penetration-testing/cloud-service-testing/. Last accessed 03 Jan 2023
PurpleBox (2023) The ultimate guide for cloud penetration testing. https://www.prplbx.com/resources/blog/cloud-pentesting/. Last accessed 03 Jan 2023
Varghese J (2023) Cloud penetration testing: a complete guide. https://www.getastra.com/blog/security-audit/cloud-penetration-testing/. Last accessed 03 Jan 2023
Sun XD et al (2019) Artificial intelligence design research on the cyber security penetration testing of power grid enterprises. IOP Conf Ser Earth Environ Sci 354(1). https://doi.org/10.1088/1755-1315/354/1/012104
Jones S (2019) Venezuela blackout: what caused it and what happens next? https://www.theguardian.com/world/2019/mar/13/venezuela-blackout-what-caused-it-and-what-happens-next
Ukraine power cut “was cyber-attack” (2017). https://www.bbc.com/news/technology-38573074
Solon O, Hern A (2017) “Petya” ransomware attack: what is it and how can it be stopped? https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how
Fonseca J et al (2008) Training security assurance teams using vulnerability injection. In: 2008 14th IEEE Pacific rim international symposium on dependable computing, pp 297–304. https://doi.org/10.1109/PRDC.2008.43
AWS (2023) Web hosting—Amazon web services (AWS). https://aws.amazon.com/websites/. Last accessed 03 Jan 2023
Orebaugh A, Pinkard B (2008) Nmap in the enterprise: your guide to network scanning. Syngress Publishing, Burlington, MA
Mah BA (1997) An empirical model of HTTP network traffic. In: Proceedings of INFOCOM’97, vol 2, pp 592–600. https://doi.org/10.1109/INFCOM.1997.644510
Huang J et al (2019) UChecker: automatically detecting PHP-based unrestricted file upload vulnerabilities. In: 2019 49th Annual IEEE/IFIP international conference on dependable systems and networks (DSN). IEEE, Portland, OR, USA, pp 581–592. https://doi.org/10.1109/DSN.2019.00064
OWASP (2022) Unrestricted file upload | OWASP Foundation, https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload. Last accessed 28 Dec 2022
Starov O et al (2016) No honor among thieves: a large-scale analysis of malicious web shells. In: Proceedings of the 25th international conference on World Wide Web. International World Wide Web conferences steering committee, Montréal, Québec, Canada, pp 1021–1032. https://doi.org/10.1145/2872427.2882992
Acunetix (2022) How file upload forms are used by online attackers. https://www.acunetix.com/websitesecurity/upload-forms-threat/. Last accessed 28 Dec 2022
Zheng Y, Zhang X (2013) Path sensitive static analysis of web applications for remote code execution vulnerability detection. In: 2013 35th International conference on software engineering (ICSE). IEEE, San Francisco, CA, USA, pp 652–661. https://doi.org/10.1109/ICSE.2013.6606611
Choi H, Kim Y (2018) Large-scale analysis of remote code injection attacks in android apps. Secur Commun Networks 2018:1–17. https://doi.org/10.1155/2018/2489214
OWASP (2022) OWASP Top Ten | OWASP Foundation. https://owasp.org/www-project-top-ten/. Last accessed 30 Dec 2022
Mohan A et al (2022) Automated tools and techniques in vulnerability assessment. In: 2022 4th International conference on smart systems and inventive technology (ICSSIT). IEEE, Tirunelveli, India, pp 533–540. https://doi.org/10.1109/ICSSIT53264.2022.9716474
López de Jiménez RE (2016) Pentesting on web applications using ethical-hacking. In: 2016 IEEE 36th Central American and Panama convention (CONCAPAN XXXVI), pp 1–6. https://doi.org/10.1109/CONCAPAN.2016.7942364
Cheng K et al (2010) An optimizing Chinese string matching algorithm based on the URL encoding. In: 2010 WASE international conference on information engineering. IEEE, Beidaihe, Hebei, pp 23–25. https://doi.org/10.1109/ICIE.2010.13
Khawaja G (2021) Bash scripting. In: Kali Linux penetration testing Bible, pp 49–63
Hasan A, Meva D (2018) Web application safety by penetration testing. Social Science Research Network, Rochester, NY
Zalbina MR et al (2017) Payload recognition and detection of Cross Site Scripting attack. In: 2017 2nd International conference on anti-cyber crimes (ICACC). IEEE, Abha, Saudi Arabia, pp 172–176. https://doi.org/10.1109/Anti-Cybercrime.2017.7905285
Kalra U (2020) CSRF and XSS attacks and defense mechanisms 5(11)
Salas MIP, Martins E (2014) Security testing methodology for vulnerabilities detection of XSS in web services and WS-security. Electron Notes Theor Comput Sci 302:133–154. https://doi.org/10.1016/j.entcs.2014.01.024
CNET News staff (2023) Netscape and Sun Unveil JavaScript. https://www.cnet.com/tech/services-and-software/netscape-and-sun-unveil-javascript/. Last accessed 05 Jan 2023
Jensen SH et al (2009) Type analysis for JavaScript. In: Palsberg J, Su Z (eds) Static analysis. Springer, Berlin, pp 238–255. https://doi.org/10.1007/978-3-642-03237-0_17
OWASP (2023) Types of XSS | OWASP Foundation. https://owasp.org/www-community/Types_of_Cross-Site_Scripting. Last accessed 04 Jan 2023
Bellatriu OC (2014) Penetration testing automation system 105
Pierce J et al (2006) Penetration testing professional ethics: a conceptual model and taxonomy. Australas J Inf Syst 13:2. https://doi.org/10.3127/ajis.v13i2.52
Khan ME, Khan F (2012) A comparative study of white box, black box and grey box testing techniques. Int J Adv Comput Sci Appl 3(6). https://doi.org/10.14569/IJACSA.2012.030603
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Al-Khannak, R., Nehal, S.S. (2024). Penetration Testing for the Cloud-Based Web Application. In: Joshi, A., Mahmud, M., Ragel, R.G., Karthik, S. (eds) ICT: Innovation and Computing. ICTCS 2023. Lecture Notes in Networks and Systems, vol 879. Springer, Singapore. https://doi.org/10.1007/978-981-99-9486-1_3
Download citation
DOI: https://doi.org/10.1007/978-981-99-9486-1_3
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-9485-4
Online ISBN: 978-981-99-9486-1
eBook Packages: EngineeringEngineering (R0)