A Proposed Framework of VAPT Services in Web Application Deployed on Infrastructure as a Service (IAAS)

Authors

  • Noraida Haji Ali, Faculty of Ocean Engineering Technology and Informatics, Universiti Malaysia Terengganu.
  • Nuur Ezaini Akmar Ismail, Faculty of Ocean Engineering Technology and Informatics, Universiti Malaysia Terengganu.
  • Masita Jalil, Faculty of Ocean Engineering Technology and Informatics, Universiti Malaysia Terengganu.
  • Farizah Yunus, Faculty of Ocean Engineering Technology and Informatics, Universiti Malaysia Terengganu.
  • Ahmad Dahari Jarno, Department at CyberSecurity Malaysia Security Evaluation Facility, CyberSecurity Malaysia.

Keywords:

cloud computing, IaaS, injection, SQL injection, Cross-Site Scripting (XSS), AWS, penetration testing

Abstract

Most companies in Malaysia require their employees to work from home due to the COVID-19 pandemic. This situation has also increased the amount of data generated from various sources, exposing it to different security risks. Although employees are encouraged to work from home because of the pandemic, they still need to communicate among themselves to do their work, and working from home depends mainly on cloud computing (CC) applications that help employees accomplish their daily work efficiently. Injection attacks, such as SQL injection and Cross-Site Scripting (XSS), are critical security vulnerabilities that can lead to unauthorized access, data breaches, and service disruption in web applications. With the increasing adoption of cloud computing, web applications deployed on cloud platforms such as Amazon Web Services (AWS) are becoming more prevalent and more exposed to such attacks. It is therefore crucial to develop practical Vulnerability Assessment and Penetration Testing (VAPT) techniques tailored to identifying and detecting injection vulnerabilities in web applications deployed on AWS. However, existing VAPT methodologies often lack comprehensive coverage of injection vulnerabilities in cloud-based web applications, and they may not account for the unique characteristics and challenges of the AWS environment. This research addresses this gap by proposing an enhanced VAPT framework that focuses specifically on injection attacks in web applications deployed on AWS.

Published

29.01.2024

How to Cite

Ali, N. H., Akmar Ismail, N. E., Jalil, M., Yunus, F., & Jarno, A. D. (2024). A Proposed Framework of VAPT Services in Web Application Deployed on Infrastructure as a Service (IAAS). International Journal of Intelligent Systems and Applications in Engineering, 12(13s), 673–. Retrieved from https://ijisae.org/index.php/IJISAE/article/view/4639

Section

Research Article