Penetration testing for the inexperienced ethical hacker : A baseline methodology for detecting and mitigating web application vulnerabilities / Penetrationstestning för den oerfarne etiska hackaren : En gedigen grundmetodologi för detektering och mitigering av sårbarheter i webbapplikationer

Ottosson, Henrik, Lindquist, Per

January 2018

Having a proper method of defense against attacks is crucial for web applications to ensure the safety of both the application itself and its users. Penetration testing (or ethical hacking) has long been one of the primary methods to detect vulnerabilities against such attacks, but is costly and requires considerable ability and knowledge. As this expertise remains largely individual and undocumented, the industry remains based on expertise. A lack of comprehensive methodologies at levels that are accessible to inexperienced ethical hackers is clearly observable. While attempts at automating the process have yielded some results, automated tools are often specific to certain types of flaws, and lack contextual flexibility. A clear, simple and comprehensive methodology using automatic vulnerability scanners complemented by manual methods is therefore necessary to get a basic level of security across the entirety of a web application. This master's thesis describes the construction of such a methodology. In order to define the requirements of the methodology, a literature study was performed to identify the types of vulnerabilities most critical to web applications, and the applicability of automated tools for each of them. These tools were tested against various existing applications, both intentionally vulnerable ones, and ones that were intended to be secure. The methodology was constructed as a four-step process: Manual Review, Testing, Risk Analysis, and Reporting. Further, the testing step was defined as an iterative process in three parts: Tool/Method Selection, Vulnerability Testing, and Verification. In order to verify the sufficiency of the methodology, it was subject to Peer-review and Field experiments. / Att ha en gedigen metodologi för att försvara mot attacker är avgörande för att upprätthålla säkerheten i webbapplikationer, både vad gäller applikationen själv och dess användare. Penetrationstestning (eller etisk hacking) har länge varit en av de främsta metoderna för att upptäcka sårbarheter mot sådana attacker, men det är kostsamt och kräver stor personlig förmåga och kunskap. Eftersom denna expertis förblir i stor utsträckning individuell och odokumenterad, fortsätter industrin vara baserad på expertis. En brist på omfattande metodiker på nivåer som är tillgängliga för oerfarna etiska hackare är tydligt observerbar. Även om försök att automatisera processen har givit visst resultat är automatiserade verktyg ofta specifika för vissa typer av sårbarheter och lider av bristande flexibilitet. En tydlig, enkel och övergripande metodik som använder sig av automatiska sårbarhetsverktyg och kompletterande manuella metoder är därför nödvändig för att få till en grundläggande och heltäckande säkerhetsnivå. Denna masteruppsats beskriver konstruktionen av en sådan metodik. För att definiera metodologin genomfördes en litteraturstudie för att identifiera de typer av sårbarheter som är mest kritiska för webbapplikationer, samt tillämpligheten av automatiserade verktyg för var och en av dessa sårbarhetstyper. Verktygen i fråga testades mot olika befintliga applikationer, både mot avsiktligt sårbara, och sådana som var utvecklade med syfte att vara säkra. Metodiken konstruerades som en fyrstegsprocess: manuell granskning, sårbarhetstestning, riskanalys och rapportering. Vidare definierades sårbarhetstestningen som en iterativ process i tre delar: val av verkyg och metoder, sårbarhetsprovning och sårbarhetsverifiering. För att verifiera metodens tillräcklighet användes metoder såsom peer-review och fältexperiment.

Web Applications

Vulnerabilitiy Scanning

Automation

Ethical Hacking

Penetration Testing

Information Security

Computer Sciences

Datavetenskap (datalogi)

Att få vara sig själv : Om skolkuratorers arbete med HBTQI-elever i grundskolan / To be oneself : About school counselors work with LGBTQI students in primary school

Alwan, Jomna, Abdi, Jasmin

January 2022

The aim of this study is to explore and understand school counselors' experiences and work methods towards students in elementary school who identify as LGBTQI and experience vulnerability as a result of this. LGBTQI-youth are described by the Swedish government as particularly vulnerable in schools because of their LGBTQI-identity. Previous international research confirms that LGBTQI-students experience vulnerability, which affects them in their health, wellbeing and school experience. However the context in Sweden is quite unexplored, which implicates a research problem. A qualitative method was used to answer these questions by conducting eight digital semi-structured interviews with school counselors from different municipalities in Sweden. These interviewees were contacted by gathering their email addresses from school websites. Two theories were implemented in order to understand the empirical data, which include queertheory and the critical theory. Both of which are part of a social constructionist theory approach. The results of this study shows that Swedish school counselors have different opinions on the targeted group’s vulnerability and the possibilities, conditions and obstacles of their work. Therefore they also work in different ways. Still there is a consensus that this is an important issue that all schools should prioritize and that the responsibility does not lie solely on school counselors. These results are important because they shine light on the Swedish context and inspire further research.

LGBTQI

Gender identity

sexual orientation

school counselor/school conselor

queer theory

critical theory

Sweden

vulnerabilitiy

work methods

Social Work

Socialt arbete