Web Vulnerability Detection through Penetration Testing Evaluation

Authors

DOI:

https://doi.org/10.61273/neyart.v2i2.49

Keywords:

Vulnerabilities, Infiltration, Security, Penetration Testing, Pentesting

Abstract

 


Pentesting: A Crucial Technique for Fortifying Cybersecurity

In recent years, security administrators have pushed software developers to design software that is more resistant to attacks by malicious software. They have also shaped the security methodologies and techniques that support the detection of vulnerabilities in a company's information infrastructure. The practice of pentesting (penetration testing) emerged in response to the fraud and information theft suffered by organizations. It is one of the most innovative techniques in the field of information security.

This technique detects vulnerabilities after they have been implemented, which helps a company reinforce the flaws that attackers could exploit. The main goal is therefore to find vulnerabilities in web applications. With pentesting, an exhaustive search for all the vulnerabilities that can be found will be carried out. The impact and the probability of exploitation of each vulnerability found will also be rated according to the standard vulnerability scoring scheme based on the OWASP methodology.

In addition, the vulnerabilities will be classified according to the consequences of exploitation identified in the findings. A report will therefore be provided with a recommendation for each vulnerability to mitigate or stop the threat. Vulnerability tracking will be based on work processes and innovative ways to protect any web application from threats. This report would help developers, providers, and users of web applications to better understand the potential security problems related to web applications and how they should be treated.
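The scoring and classification steps described above, as an added example that is not taken from the paper: it assumes the "OWASP methodology" is the OWASP Risk Rating Methodology (0-9 factor scores averaged into likelihood and impact, then combined through the severity matrix) and uses only the four technical-impact factors. The findings, factor scores and recommendations are constructed for illustration.

```python
from statistics import mean

# OWASP Risk Rating overall-severity matrix, indexed [impact][likelihood].
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}
RANK = ["Critical", "High", "Medium", "Low", "Note"]

def level(factors, expected):
    """Average 0-9 factor scores and bucket them: <3 LOW, <6 MEDIUM, else HIGH."""
    if len(factors) != expected or any(not 0 <= f <= 9 for f in factors):
        raise ValueError(f"need {expected} factor scores in the range 0-9")
    score = mean(factors)
    return score, "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def rate(finding):
    """Return the finding with likelihood, impact and overall severity filled in."""
    # 8 likelihood factors: 4 threat-agent factors + 4 vulnerability factors.
    l_score, l_level = level(finding["likelihood"], 8)
    # 4 technical-impact factors: confidentiality, integrity, availability, accountability.
    i_score, i_level = level(finding["impact"], 4)
    return {**finding, "likelihood_score": l_score, "impact_score": i_score,
            "severity": SEVERITY[i_level][l_level]}

def build_report(findings):
    """Rate every finding and order the report from most to least severe."""
    rated = [rate(f) for f in findings]
    return sorted(rated, key=lambda r: (RANK.index(r["severity"]), -r["impact_score"]))

# Constructed sample findings (illustrative only, not results from the paper).
FINDINGS = [
    {"name": "Missing security headers", "likelihood": [3, 4, 4, 9, 9, 3, 4, 8],
     "impact": [2, 1, 0, 1], "recommendation": "Set CSP, HSTS and X-Content-Type-Options."},
    {"name": "SQL injection in search parameter", "likelihood": [6, 9, 7, 9, 7, 5, 6, 8],
     "impact": [9, 7, 5, 7], "recommendation": "Use parameterized queries."},
    {"name": "Verbose error pages", "likelihood": [1, 1, 4, 2, 3, 3, 4, 3],
     "impact": [2, 0, 0, 1], "recommendation": "Return generic errors; log details server-side."},
    {"name": "Session token without expiry", "likelihood": [5, 4, 4, 6, 3, 5, 4, 3],
     "impact": [7, 5, 1, 7], "recommendation": "Enforce idle and absolute session timeouts."},
]

if __name__ == "__main__":
    for r in build_report(FINDINGS):
        print(f'{r["severity"]:<8} L={r["likelihood_score"]:.2f} I={r["impact_score"]:.2f} '
              f'{r["name"]}: {r["recommendation"]}')
```
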

One way to test the robustness of a site is to test it in the way it could be attacked. This technique is called penetration testing (pentesting). Before launching a site, the security of the network and the web application must be completely secure and tested. This study aims to find weaknesses and flaws in web applications. The penetration test will collect information about network strength, security holes, and access. The resulting report indicates the recommendations to improve the security of an organization's infrastructure. Based on the results of the penetration tests, the organization or company concerned can correct the vulnerabilities that exist on the website.

A system that is strong against attacks and infiltrations is important because it avoids vulnerabilities that a malicious attacker (hacker) could exploit to affect the confidentiality, integrity, and availability of a web application or distributed information.



Published

2024-04-15


How to Cite

Bernal Ontiveros, J. M., Bailón Estrada, M., Flores Regalado, A., Benítez Guadarrama, J. P., & Cervantes Cardenas, S. A. (2024). Web Vulnerability Detection through Penetration Testing Evaluation. Revista NeyArt, 2(2), 46–63. https://doi.org/10.61273/neyart.v2i2.49

Issue

Section

Articles
