Robin: A Web Security Tool
Authors:
Guilherme Girotto,
Avelino Francisco Zorzo
Abstract:
Thanks to the advance of technology, all kinds of applications are becoming more complete and capable of performing complex tasks that save much of our time. But to perform these tasks, applications require that some personal information are shared, for example credit card, bank accounts, email addresses, etc. All these data must be transferred securely between the final user and the institution a…
▽ More
Thanks to the advance of technology, all kinds of applications are becoming more complete and capable of performing complex tasks that save much of our time. But to perform these tasks, applications require that some personal information are shared, for example credit card, bank accounts, email addresses, etc. All these data must be transferred securely between the final user and the institution application. Nonetheless, several applications might contain residual flaws that may be explored by criminals in order to steal users data. Hence, to help information security professionals and developers to perform penetration tests (pentests) on web applications, this paper presents Robin: A Web Security Tool. The tool is also applied to a real case study in which a very dangerous vulnerability was found. This vulnerability is also described in this paper.
△ Less
Submitted 13 July, 2020;
originally announced July 2020.
Pentest on an Internet Mobile App: A Case Study using Tramonto
Authors:
Daniel Dalalana Bertoglio,
Guilherme Girotto,
Charles Varlei Neu,
Roben Castagna Lunardi,
and Avelino Francisco Zorzo
Abstract:
Mobile applications are used to handle different types of data. Commonly, there is a set of personal identifiable information present in the data stored, shared and used by these applications. From that, attackers can try to exploit the mobile application in order to obtain or to cause private data leakage. Therefore, performing security assessments is an important practice to find vulnerabilities…
▽ More
Mobile applications are used to handle different types of data. Commonly, there is a set of personal identifiable information present in the data stored, shared and used by these applications. From that, attackers can try to exploit the mobile application in order to obtain or to cause private data leakage. Therefore, performing security assessments is an important practice to find vulnerabilities in the applications and systems before the application is deployed, or even during their use. Regarding security assessments, Penetration Test (Pentest) is one of the security test types that can be used to detect vulnerabilities through simulated attacks. Additionally, Pentest can be performed using different methodologies and best practices, through several frameworks to: organize the test execution, execute tools, provide estimations, provide reports and document a Pentest. One such framework is Tramonto, which aims to assist a cybersecurity expert during the Pentest execution by providing organization, standardization and flexibility to the whole Pentest process. This paper presents a Pentest case study applied to a Brazilian university Mobile App using the Tramonto framework. The main goal of this case study is to present how Tramonto can be applied during a Pentest execution, assisting cybersecurity experts in the tasks included in the Pentest process. Our results show details on how to perform a Pentest using Tramonto and the found vulnerabilities in the Mobile App. Besides that, there is a discussion about the main contributions obtained from our results, and we were able to verify that Tramonto managed, organized and optimized the whole Pentest process.
△ Less
Submitted 20 December, 2019;
originally announced December 2019.