NON-INVASIVE SECURITY ANALYSIS OF GOVERNMENT WEB APPLICATIONS IN THE REPUBLIC OF SERBIA

Authors

  • Душан Панић Author

DOI:

https://doi.org/10.24867/32OI03Panic

Keywords:

Information Security, Reconnaissance, Information Security Testing

Abstract

This paper explores a non-invasive security analysis of web applications in the Republic of Serbia using the web fuzzing method. A customized web fuzzer, inspired by military reconnaissance techniques, was developed in the Go programming language to enable efficient automation of vulnerability identification. The system consists of a Job Scheduler as well as DNS and VPN servers, which allow scalability and task coordination. Automatic processing of results uses statistical methods for filtering and analysing data, focusing on the analysis of frequency and extreme values in the collected data.

Published

2026-01-02