Mebrahtu, Gebrekidan Gebremedhin (2015) Developing Black Box Web Application Penetration Testing Methodology Using Comparative Criteria. Masters thesis, Addis Ababa University.
![[img]](http://thesisbank.jhia.ac.ke/style/images/fileicons/application_pdf.png) |
PDF (Developing Black Box Web Application Penetration Testing Methodology Using Comparative Criteria)
Gebrekidan, Gebremdhin_2015.pdf - Accepted Version Restricted to Repository staff only Download (2MB) | Request a copy |
Abstract
The impact of exploiting web applications can be from stealing confidential information, loss of confidence to a war between countries and civil unrest. Attackers can deface university websites and post offending messages that target to make fighting between communities and civil war. As a result, developers, website and web application owners should take an appropriate measure from being attacked. One of the preventive measures to protect from attacks is to identify the possible vulnerabilities that can lead for attackers to exploit them through a black box penetration testing. To conduct such a test black box assessors need methodologies as without them leads the test to be non-effective and time consuming. That is why different testing methodologies and procedures are being developed. The security tester that may test for the identification of any vulnerability irrespective of the standard, however, hasn’t enough frameworks to compare those testing methodologies. In this research, the set of criteria for selecting and testing black box web application security methodologies was developed and the methodologies was compared based on a set of criteria. Once the strength and weakness of those standards were known, a complete testing methodology based on the current testing methodologies and additional reference was developed. The testing methodology was then tested on a sample of four Ethiopian universities and two intentionally vulnerable. From the research findings it can be concluded that NIST, OWASP, ISACA, ISSAF, and Penetration Testing Framework can be used for black box web application testing. However, they incorporate black box, white box, and gray box testing methodologies within one methodology. Hence, a black box security tester can’t directly use them. More importantly, a black box tester can’t only relay in only one of the testing methodologies as there are areas that each of them don’t cover. As a result a new and complete methodology was developed. Researches such as white box web application security testing, black and white box security testing on other targets besides to web application, risk calculation, knowledge and skill requirement for black and white box security assessors can be further conducted on this area.
| Item Type: | Thesis (Masters) |
|---|---|
| Subjects: | Q Science > QA Mathematics > QA75 Electronic computers. Computer science Q Science > QA Mathematics > QA76 Computer software Z Bibliography. Library Science. Information Resources > Z665 Library Science. Information Science |
| Divisions: | Africana |
| Depositing User: | Selom Ghislain |
| Date Deposited: | 19 Nov 2018 12:55 |
| Last Modified: | 19 Nov 2018 12:55 |
| URI: | http://thesisbank.jhia.ac.ke/id/eprint/7313 |
Actions (login required)
 |
View Item |