Abstract

Web application penetration testing is a popular approach that aims at discovering vulnerabilities by emulating real attacks. Experts often use a variety of publicly available attack tools, define attack methodologies and orchestrate them throughout the separate phases of testing. In doing so, they leverage personal experience and intuition, making any automation effort very challenging. In this paper, we propose the design and implementation of a framework for web penetration testing that allows for the integration, as well as orchestration, of several types of attacks. We identify the generic tasks performed during a penetration test. Then, we provide a way to integrate attacks that implement such tasks in a component responsible for executing them. A further component holds the logic that decides which task to execute and aggregates the results of completed tasks. We also define the communication protocol between the two components to enable the orchestration of tasks across all phases of a testing campaign. As a concrete example of the application of the proposed framework, we show how it is possible to integrate several types of attacks, as well as embed an ad hoc defined behavioral model in order to discover cross-site scripting vulnerabilities.
