Web Service Security Evaluation By Penetration Testing
Laakso, Teemu (2020-05-27)
This publication is subject to copyright regulations. The work may be read and printed for personal use. Use for commercial purposes is prohibited.
Access: closed
The permanent address of the publication is:
https://urn.fi/URN:NBN:fi-fe2020061744873
Abstract
Web services have become a common tool for transferring data and accessing remote functions. They help companies integrate systems that use different languages and allow ordinary people to access the data they need. Because the interface and the implementation of a web service are deliberately separated, businesses can share functionality with their partners without revealing how it was implemented. Since web services have become a significant part of data distribution and integration, it is necessary to make sure that the web services being developed are not vulnerable to malicious attacks.
Nowadays businesses may automate their business processes by using electronic data interchange to communicate their business information. However, for that to work the data must be error-free. Truugo is a message validation platform for creating customized validators and validation services for structured files, intended to speed up systematic data testing. In addition to message validation through a browser, Truugo allows users to automate their testing through a web service. This thesis aims to evaluate the security of this specific web service by penetration testing.
A framework is needed in order to penetration-test the web service. This thesis presents a framework for web service penetration testing that was adapted from the Penetration Testing Execution Standard. Since the Penetration Testing Execution Standard applies to penetration testing of all kinds of systems, ranging from networks to applications, it does not describe how to perform the testing in practice. The framework presented in this thesis, on the other hand, provides explicit practical examples of how to perform a penetration test on a web service.
The testing conducted with the framework uncovered vulnerabilities in the web service. These vulnerabilities could have been exploited to carry out denial-of-service attacks that would have limited the availability of the web service. However, this thesis also provides a way to address these vulnerabilities and thus improve the security of the web service.