|
|
Security Analysis of Selected SOHO Router
Richtarik, Jakub ; Holop, Patrik (referee) ; Tamaškovič, Marek (advisor)
Pre narastajúci počet zamestnancov pracujúcich na home office a zvyšujúci sa počet IoT zariadení v domácnostiach, je čoraz viac potrebné používať dostatočne zabezpečné smerovače. Cieľom tejto práce je preskúmať vybrané SOHO (small office/home office) smerovače, zástupcov aktuálne predávaných domácich smerovačov, z pohľadu bezpečnosti. Dokument taktiež demonštruje postup a metódy, ktoré je možné použiť pri testovaní a analýze iných smerovačov a IoT zariadení.
|
|
|
Creating a modern web application
Fanta, Tomáš ; Sikora, Marek (referee) ; Benedikt, Jan (advisor)
This bachelor thesis deals with the design and development of a web application to enable the user to better understand the behaviour of critical infrastructure. The thesis describes the modern technologies that were used in the implementation. Furthermore, the thesis discusses the security risks of web applications. The main goal is to create the mentioned web application and secure it against common vulnerabilities.
|
|
|
Security Analysis of Selected Android TV Box
Švenk, Adam ; Veigend, Petr (referee) ; Tamaškovič, Marek (advisor)
Popularita TV boxov so systémom Android v poslednom čase výrazne vzrástla. Okrem toho, že ponúkajú širokú škálu funkcií, je čoraz aktuálnejšia otázka, či sú dostatočne zabezpečené a chránené. Táto práca popisuje komplexnú bezpečnostnú analýzu vybraného Android TV boxu, ktorá zahŕňa hardvérové aj softvérové komponenty. Skúmaním zraniteľností prítomných v zariadení sa táto práca zameriava na identifikáciu potenciálnych rizík pre súkromie a bezpečnosť používateľov. Okrem toho navrhuje odporúčania na zmiernenie týchto zraniteľností.
|
|
|
Web Application for Evaluation of Security Testing Tools
Moravec, Vojtěch ; Lieskovan, Tomáš (referee) ; Ilgner, Petr (advisor)
The bachelor thesis focuses on the design, development, and implementation of an intentionally vulnerable environment in the form of a web application. The resulting web application encompasses vulnerabilities across categories outlined in the OWASP Top 10 project, specifically following its 2021 version. Through this application, it is possible to assess and compare automated tools for penetration testing, as well as tools for static code security analysis. The thesis is divided into five chapters. In the introduction, the OWASP Foundation, which oversees the OWASP project, is described. The analysis of selected intentionally vulnerable web applications is then presented. Subsequent chapters delve into the design of the custom intentionally vulnerable web application, detailing the technologies used in its development and outlining all vulnerabilities present in the application. In the conclusion of the thesis, testing of the resulting vulnerable application is conducted using the aforementioned tools, and a summary of the achieved results is provided. Apart from the aforementioned testing and comparison of automated tools in the fields of penetration testing and static analysis, the application can also be utilized for educational purposes. This is primarily facilitated by the attached fixes and explanations, which accompany each vulnerability within the application.
|
|
|
Lab tasks on compiled language vulnerabilities
Kluka, Peter Milan ; Štůsek, Martin (referee) ; Sysel, Petr (advisor)
This graduation thesis is devoted to a detailed analysis of vulnerabilities in freely distributed open-source programs. The thesis includes a description of different types of vulnerabilities that are often associated with software attacks. Static and dynamic code testing are examined in detail, as well as the tools used to detect vulnerabilities in source code. The thesis includes the development of three lab exercises, including detailed tutorials that demonstrate the consequences of incorrect implementations. The lab tasks focus on buffer overflow, path/directory traversal, and buffer over-read vulnerabilities. Every lab task includes a demonstration of the flawed code that was responsible for the vulnerability, as well as demonstration of the patched code that was used to fix the vulnerability. These tasks provide practical examples that illustrate the risks associated with inappropriate software design and implementation and demonstrate the importance of effective security techniques in software development.
|
|
|
The Tool for Penetration Tests of Web Applications
Dobeš, Michal ; Malinka, Kamil (referee) ; Barabas, Maroš (advisor)
The thesis discusses the issues of penetration testing of web applications, focusing on the Cross-Site Scripting (XSS) and SQL Injection (SQLI) vulnerabilities. The technology behind web applications is described and motivation for penetration testing is given. The thesis then presents the most common vulnerabilities according to OWASP Top 10. It lists the principles, impact and remediation recommendations for the Cross-Site Scripting and SQL Injection vulnerabilities. A penetration testing tool has been developed as a part of this thesis. The tool is extendable via modules. Modules for detection of Cross-Site Scripting and SQL Injection vulnerabilities have been developed. The tool has been compared to existing tools, including the commercial tool Burp Suite.
|
|
|
MCUXpresso Web application security
Mittaš, Tomáš ; Heriban, Pavel (referee) ; Roupec, Jan (advisor)
This thesis deals with testing of the security of web application MCUXpresso Web SDK Builder using ethical hacking techniques and tools. At the beginning, the history of ethical hacking and structure of web applications are briefly mentioned. The thesis then analyses the application itself from the user’s point of view, its parts before logging in and after logging in and the operation of this application. The following is a list of the most common vulnerabilities and weaknesses found in web applications to understand any vulnerabilities found. Furthemore, the thesis deals with the techniques and tools of web application security and compares them. The penultimate chapter deals with the use of Analysis and vulnerability scanning technique on the application MCUXpresso Web SDK Builder. Finally, an application security test plan is designed, while part of this plan is automated.
|
|
|
Specific modules for manual security testing support
Osmani, Jakub ; Safonov, Yehor (referee) ; Paučo, Daniel (advisor)
This bachelor thesis deals with the concept of penetration testing and the standards that coincide with it. The main aim of the theoretical part of this thesis is to describe the world of penetration testing, and the widely known OWASP documentation. Vulnerabilities from the top 10 vulnerabilities list as well as recommendations about secure web application development, from the Application Security Verification Standard (ASVS), are provided. The practical part of this thesis is focused on the development of three tools, that are to be used to help automate certain aspects of penetration testing.
|
|
|
Web application for testing web server vulnerabilities
Šnajdr, Václav ; Burda, Karel (referee) ; Smékal, David (advisor)
The Master’s Thesis deals with the design and implementation of a web application for testing the security of SSL/TLS protocols on a remote server. The web application is developed in the Nette framework. The theoretical part describes SSL/TLS protocols, vulnerabilities, recommendations and technologies used in the practical part. The practical part is devoted to the creation of a web application with the process of using automatic scripts to test and display the results on the website with a rating of A+~to~C. The web application also displays a list of detected vulnerabilities and their recommendations.
|
|
|
Design of methodology for vulnerability assesment
Pecl, David ; Martinásek, Zdeněk (referee) ; Gerlich, Tomáš (advisor)
The thesis deals with the assessment of security vulnerabilities. The aim of this work is to create a new method of vulnerability assessment, which will better prioritize critical vulnerabilities and reflect parameters that are not used in currently used methods. Firstly, it describes the common methods used to assess vulnerabilities and the parameters used in each method. The first described method is the Common Vulnerability Scoring System for which are described all three types of scores. The second analysed method is OWASP Risk Rating Methodology. The second part is devoted to the design of the own method, which aims to assess vulnerabilities that it is easier to identify those with high priority. The method is based on three groups of parameters. The first group describes the technical assessment of the vulnerability, the second is based on the requirements to ensure the confidentiality, integrity and availability of the asset and the third group of parameters evaluates the implemented security measures. All three groups of parameters are important for prioritization. Parameters describing the vulnerability are divided into permanent and up-to-date, where the most important up-to-date parameter are Threat Intelligence and easy of exploitation. The parameters of the impact on confidentiality, integrity and availability are linked to the priority of the asset, and to the evaluation of security measures, which increase the protection of confidentiality, integrity and availability. The priority of the asset and the quality of the countermeasures are assessed based on questionnaires, which are submitted to the owners of the examined assets as part of the vulnerability assessment. In the third part of the thesis, the method is compared with the currently widely used the Common Vulnerability Scoring System. The strengths of the proposed method are shown in several examples. The effectiveness of prioritization is based primarily on the priority of the asset and the security measures in place. The method was practically tested in a laboratory environment, where vulnerabilities were made on several different assets. These vulnerabilities were assessed using the proposed method, the priority of the asset and the quality of the measures were considered, and everything was included in the priority of vulnerability. This testing confirmed that the method more effectively prioritizes vulnerabilities that are easily exploitable, recently exploited by an attacker, and found on assets with minimal protection and higher priority.
|
guest ::
