Analysis of Vulnerabilities and Stress Tests in the Academic System of the Escuela Superior Politécnica de Chimborazo: An Integral Evaluation

Authors

  • Andrea Vizuete
  • Erika Astudillo

DOI:

https://doi.org/10.47187/perspectivas.5.2.196

Keywords:

Vulnerability Analysis, OWASP Methodology, Stress Tests, ESPOCH Academic System

Abstract

In the digital age, ensuring the security and optimal performance of web applications is essential to protect sensitive information. With the constant increase in cyber threats and attacks, organizations must take proactive measures to prevent security breaches and data loss. Poor performance of web applications also has a negative impact on user experience and on the efficiency of business processes. Against this background, a comprehensive vulnerability analysis of the ESPOCH academic system was conducted, following the stages proposed by the OWASP methodology and using the OWASP ZAP tool. Stress tests were also performed on the application to verify, through various calculations, whether it can handle the expected number of requests. This analysis identified 15 weaknesses in the academic system, and best practices were provided for their mitigation, yielding favorable results. Finally, it was determined that the academic system is prepared to handle a large number of user requests over a period of five years and to ensure the availability of services during critical moments.

Published

2023-08-16

How to Cite

[1]
A. Vizuete and E. Astudillo, “Analysis of Vulnerabilities and Stress Tests in the Academic System of the Escuela Superior Politécnica de Chimborazo: An Integral Evaluation”, Perspectivas, vol. 5, no. 2, pp. 1–14, Aug. 2023.

Section

Peer-reviewed articles