METHODS FOR TESTING THE SECURITY OF WEB APPLICATIONS

Authors

A. Tolkachova, A. Piskozub
DOI:

https://doi.org/10.28925/2663-4023.2024.26.668

Keywords:

security; penetration testing; vulnerabilities; artificial intelligence; OWASP; BurpSuite.

Abstract

Penetration testing is a key method of dynamic security assessment for computer networks, infrastructure, and web and mobile applications. It aims to identify and exploit vulnerabilities by simulating the attacks a real intruder might carry out. Traditionally, this process is performed manually, which requires highly skilled cybersecurity professionals and considerable time to prepare, execute attacks, analyse the results, and produce reports. As the number and complexity of cyber threats grow, there is a need for automated tools that speed up testing while improving its efficiency and accuracy. This article surveys modern penetration testing tools, in particular those that apply artificial intelligence (AI) methods to improve vulnerability detection and to make pentesters more productive. A number of popular commercial solutions are analysed, including RidgeBot, vPenTest, Metasploit Pro, BreachLock PTaaS, Edgescan, Burp Suite Professional, AppCheck, NetSPI, Astra, and Pentest-Tools.com. For each tool, we consider its main capabilities, the platforms it supports, the main classes of vulnerability it can detect (such as SQL injection, XSS, CSRF, and RCE), and specific technical details of its implementation. The article also examines the pricing policies of the commercial platforms, so that the feasibility of adopting each one can be judged against the needs and specifics of an enterprise. The article emphasises the importance of developing national penetration testing solutions, in particular in Ukraine, where a tool of this level can play an important role in ensuring information security and reducing the risk of data leakage. Creating Ukrainian solutions would also keep money in the country, supporting the national economy and creating new jobs for specialists. Given the heightened level of cyber threats, developing such tools is an urgent task for strengthening cybersecurity in both the private sector and public institutions.




Published

2024-12-19

How to Cite

Tolkachova, A., & Piskozub, A. (2024). METHODS FOR TESTING THE SECURITY OF WEB APPLICATIONS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 2(26), 115–122. https://doi.org/10.28925/2663-4023.2024.26.668