|Hauck, Fabian: Enhancement of a tool for comprehensive security scanning. |
Universität Stuttgart, Fakultät Informatik, Elektrotechnik und Informationstechnik, Bachelorarbeit Nr. 15 (2020).
65 Seiten, englisch.
The demand for web applications is rapidly increasing worldwide. Since the world wide web is accessible to everyone with a connection to the internet, web-based systems are especially vulnerable to attacks. This is why cybersecurity is getting increased attention. While it is difficult to defend a system from sophisticated attacks it is rather easy to find and fix insecure system configurations. Since web applications and their infrastructure are rapidly changing, it is hard to manually detect security breaches. Therefore advanced testing software is needed to detect security leaks automatically. The present work describes several extensions of an automated security scanning tool called yesses. The yesses tool was originally designed to scan web servers for basic security properties like open ports, insecure HTTP methods and missing cookie security features. The tool is accessible open-source on GitHub. Within the scope of this work, the yesses tool was extended by seven modules. Hereby the following three main topics were investigated: Transportation Layer Security (TLS), Domain Name System Security Extensions (DNSSEC) and information leakages. Within the TLS topic, TLS scans of the TLS settings of a server are performed and the differences compared to a Mozilla TLS profile were analyzed. Among other things this gives important insights into possible insecure encryption algorithms. In the scope of DNSSEC, the DNSSEC configuration of a domain name was scanned. Hereby the tool can detect possible misconfigurations, e.g. a missing signature for a DNS resource record. Concerning information leakages, the yesses tool was extended in such a way, that it detects sensitive data exposures which are very useful for potential adversaries. The described extensions do not only make the yesses tool more powerful, they also enable it to detect security leaks that could not have been detected beforehand.
|Abteilung(en)||Universität Stuttgart, Institut für Informationssicherheit und Kryptographie|
|Betreuer||Küsters, Prof. Ralf; Fett, Dr. Daniel; Schmitz, Guido|
|Eingabedatum||5. August 2020|