{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,4,4]],"date-time":"2022-04-04T12:25:47Z","timestamp":1649075147060},"reference-count":27,"publisher":"Walter de Gruyter GmbH","issue":"5","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2019,5,27]]},
"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Industrial automation and control systems (IACS) play a key role in modern production facilities. On the one hand, they provide real-time functionality to the connected field devices. On the other hand, they are increasingly connected to local networks and the internet in order to facilitate use cases promoted by \u201cIndustrie 4.0\u201d. A lot of IACS are equipped with web servers that provide web applications for configuration and management purposes. If an attacker gains access to such a web application operated on an IACS, he can exploit vulnerabilities and possibly interrupt the critical automation process. Cyber security research for web applications is well established in office IT. There exist a lot of best practices and tools for testing web applications for different kinds of vulnerabilities. Security testing aims at discovering those vulnerabilities before they can be exploited. In order to enable IACS manufacturers and integrators to perform security tests for their devices, ISuTest was developed, a modular security testing framework for IACS.<\/jats:p>\n               <jats:p>This paper provides a classification of known types of web application vulnerabilities based on the worst direct impact of a vulnerability. Based on this analysis, a subset of open-source vulnerability scanners capable of detecting such vulnerabilities is selected for integration into ISuTest. Subsequently, the integration is evaluated. This evaluation is twofold: First, deliberately vulnerable web applications are used. Second, seven real IACS, such as a programmable logic controller, industrial switches and cloud gateways, are used. Both evaluation steps start with a manual examination of the web applications for vulnerabilities. They conclude with an automated test of the web applications using the vulnerability scanners driven by ISuTest.<\/jats:p>\n               <jats:p>The results show that the vulnerability scanners detected 53\u2009% of the existing vulnerabilities. In an earlier study using commercial vulnerability scanners, 54\u2009% of the security flaws were found. While performing the analysis, 45 new vulnerabilities were detected. Some of them not only broke the web server but crashed the whole IACS, stopping the critical automation process. This shows that security testing is crucial in the industrial domain and needs to cover all services provided by the devices.<\/jats:p>",
"DOI":"10.1515\/auto-2019-0021","type":"journal-article","created":{"date-parts":[[2019,6,14]],"date-time":"2019-06-14T09:09:10Z","timestamp":1560503350000},"page":"383-401","source":"Crossref","is-referenced-by-count":1,"title":["Automated security testing for web applications on industrial automation and control systems"],"prefix":"10.1515","volume":"67",
"author":[{"given":"Steffen","family":"Pfrang","sequence":"first","affiliation":[{"name":"Fraunhofer IOSB, Karlsruhe, Germany"}]},{"given":"Anne","family":"Borcherding","sequence":"additional","affiliation":[{"name":"Fraunhofer IOSB, Karlsruhe, Germany"}]},{"given":"David","family":"Meier","sequence":"additional","affiliation":[{"name":"Fraunhofer IOSB, Karlsruhe, Germany"}]},{"given":"J\u00fcrgen","family":"Beyerer","sequence":"additional","affiliation":[{"name":"Fraunhofer IOSB, Karlsruhe, Germany"},{"name":"Vision and Fusion Laboratory, Karlsruhe Institute of Technology, Karlsruhe, Germany"}]}],"member":"374","published-online":{"date-parts":[[2019,5,14]]},
"reference":[
{"key":"2021062112522191437_j_auto-2019-0021_ref_001_w2aab3b7d280b1b6b1ab2ab1Aa","doi-asserted-by":"crossref","unstructured":"Jason Bau et al. \u201cState of the art: Automated black-box web application vulnerability testing.\u201d In: Security and Privacy (SP), 2010 IEEE Symposium on. IEEE (2010), pp.\u2009332\u2013345.","DOI":"10.1109\/SP.2010.27"},
{"key":"2021062112522191437_j_auto-2019-0021_ref_002_w2aab3b7d280b1b6b1ab2ab2Aa","unstructured":"CIRT.net. Nikto Homepage. URL: https:\/\/cirt.net\/Nikto2 (visited on 02\/06\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_003_w2aab3b7d280b1b6b1ab2ab3Aa","unstructured":"Google Information Security Engineering. Skipfish Homepage. URL: https:\/\/github.com\/spinkham\/skipfish (visited on 02\/06\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_004_w2aab3b7d280b1b6b1ab2ab4Aa","unstructured":"ethicalhack3r. Damn Vulnerable Web Application. URL: http:\/\/www.dvwa.co.uk\/ (visited on 05\/14\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_005_w2aab3b7d280b1b6b1ab2ab5Aa","unstructured":"FIRST. FIRST Homepage. URL: https:\/\/www.first.org\/ (visited on 09\/04\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_006_w2aab3b7d280b1b6b1ab2ab6Aa","unstructured":"General Electric (GE). Achilles Test Platform. URL: https:\/\/www.ge.com\/digital\/products\/achilles-vulnerability-testing-platform (visited on 09\/11\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_007_w2aab3b7d280b1b6b1ab2ab7Aa","unstructured":"Baptiste Gourdin et al. \u201cToward Secure Embedded Web Interfaces.\u201d In: USENIX Security Symposium, Vol.\u200914.34 (2011), p.\u2009113."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_008_w2aab3b7d280b1b6b1ab2ab8Aa","unstructured":"SE Idrissi et al. \u201cPerformance Evaluation of Web Application Security Scanners for Prevention and Protection against Vulnerabilities.\u201d In: International Journal of Applied Engineering Research, Vol.\u200912.21 (2017), pp.\u200911068\u201311076."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_009_w2aab3b7d280b1b6b1ab2ab9Aa","unstructured":"Industrial communication networks\u2014Network and system security\u2014Part 1-1: Terminology, concepts and models. International Electrotechnical Commission (IEC). Geneva, Switzerland, 2009."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_010_w2aab3b7d280b1b6b1ab2ac10Aa","unstructured":"Ralph Langner. Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon. TED, 2011."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_011_w2aab3b7d280b1b6b1ab2ac11Aa","doi-asserted-by":"crossref","unstructured":"Peter Kok Keong Loh and Deepak Subramanian. \u201cFuzzy classification metrics for scanner assessment and vulnerability reporting.\u201d In: IEEE Transactions on Information Forensics and Security, Vol.\u20095.4 (2010), pp.\u2009613\u2013624.","DOI":"10.1109\/TIFS.2010.2075926"},
{"key":"2021062112522191437_j_auto-2019-0021_ref_012_w2aab3b7d280b1b6b1ab2ac12Aa","doi-asserted-by":"crossref","unstructured":"Yuma Makino and Vitaly Klyuev. \u201cEvaluation of web vulnerability scanners.\u201d In: Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS), 2015 IEEE 8th International Conference on, Vol.\u20091. IEEE (2015), pp.\u2009399\u2013402.","DOI":"10.1109\/IDAACS.2015.7340766"},
{"key":"2021062112522191437_j_auto-2019-0021_ref_013_w2aab3b7d280b1b6b1ab2ac13Aa","unstructured":"OWASP. Application Security Attacks. 2016. URL: https:\/\/www.owasp.org\/index.php\/Category:Attack (visited on 02\/28\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_014_w2aab3b7d280b1b6b1ab2ac14Aa","unstructured":"OWASP. Overview of Vulnerability Scanning Tools. 2018. URL: https:\/\/www.owasp.org\/index.php\/Category:Vulnerability_Scanning_Tools (visited on 01\/30\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_015_w2aab3b7d280b1b6b1ab2ac15Aa","unstructured":"OWASP. OWASP Website. 2018. URL: https:\/\/www.owasp.org\/index.php\/Main_Page (visited on 01\/30\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_016_w2aab3b7d280b1b6b1ab2ac16Aa","unstructured":"OWASP. Testing for Input Validation. URL: https:\/\/www.owasp.org\/index.php\/Testing_for_Input_Validation (visited on 09\/06\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_017_w2aab3b7d280b1b6b1ab2ac17Aa","unstructured":"OWASP. WebGoat Project. URL: https:\/\/www.owasp.org\/index.php\/Category:OWASP_WebGoat_Project (visited on 05\/14\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_018_w2aab3b7d280b1b6b1ab2ac18Aa","unstructured":"OWASP. ZAP Homepage. URL: https:\/\/www.owasp.org\/index.php\/OWASP_Zed_Attack_Proxy_Project (visited on 02\/06\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_019_w2aab3b7d280b1b6b1ab2ac19Aa","doi-asserted-by":"crossref","unstructured":"Steffen Pfrang, David Meier and Valentin Kautz. \u201cTowards a Modular Security Testing Framework for Industrial Automation and Control Systems: ISuTest.\u201d In: Proceedings of the 22nd IEEE International Conference on Emerging Technologies and Factory Automation, ETFA 2017. Limassol, Cyprus, 2017.","DOI":"10.1109\/ETFA.2017.8247727"},
{"key":"2021062112522191437_j_auto-2019-0021_ref_020_w2aab3b7d280b1b6b1ab2ac20Aa","doi-asserted-by":"crossref","unstructured":"Steffen Pfrang et al. \u201cAdvancing Protocol Fuzzing for Industrial Automation and Control Systems.\u201d In: Proceedings of the 4th International Conference on Information Systems Security and Privacy\u2014Volume 1: ForSE, INSTICC. SciTePress (2018), pp.\u2009570\u2013580. ISBN: 978-989-758-282-0. doi:10.5220\/0006755305700580.","DOI":"10.5220\/0006755305700580"},
{"key":"2021062112522191437_j_auto-2019-0021_ref_021_w2aab3b7d280b1b6b1ab2ac21Aa","unstructured":"Stefan Heiss et al. Schwachstellenanalyse von Automatisierungskomponenten. Forschungsbericht, DFAM Nr.\u200930\/2013. inIT and ifak, Dec. 2012."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_022_w2aab3b7d280b1b6b1ab2ac22Aa","unstructured":"s4n7h0 and samanL33T. Extreme Vulnerable Web Application. URL: https:\/\/github.com\/s4n7h0\/xvwa (visited on 05\/14\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_023_w2aab3b7d280b1b6b1ab2ac23Aa","unstructured":"Subgraph. Vega Homepage. URL: https:\/\/subgraph.com\/vega\/ (visited on 02\/06\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_024_w2aab3b7d280b1b6b1ab2ac24Aa","unstructured":"Nicolas Surribas. Wapiti Homepage. URL: http:\/\/wapiti.sourceforge.net\/ (visited on 02\/06\/2018)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_025_w2aab3b7d280b1b6b1ab2ac25Aa","unstructured":"Natasa Suteva, Dragi Zlatkovski and Aleksandra Mileva. \u201cEvaluation and testing of several free\/open source web vulnerability scanners.\u201d In: Proceedings of the Tenth International Conference on Informatics and Information Technology (2013)."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_026_w2aab3b7d280b1b6b1ab2ac26Aa","unstructured":"F. Tilaro and B. Copy. \u201cAssessment And Testing of Industrial Devices Robustness Against Cyber Security Attacks.\u201d In: Conf. Proc. C111010.CERN-ATS-Note-2011-108 TECH (Nov. 2011), WEPMU029. 4 p. URL: http:\/\/cds.cern.ch\/record\/1398647."},
{"key":"2021062112522191437_j_auto-2019-0021_ref_027_w2aab3b7d280b1b6b1ab2ac27Aa","unstructured":"UtiliSec. SamuraiSTFU. URL: http:\/\/www.samuraistfu.org\/ (visited on 09\/11\/2018)."}
],
"container-title":["at - Automatisierungstechnik"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.degruyter.com\/view\/j\/auto.2019.67.issue-5\/auto-2019-0021\/auto-2019-0021.xml","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.degruyter.com\/document\/doi\/10.1515\/auto-2019-0021\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.degruyter.com\/document\/doi\/10.1515\/auto-2019-0021\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,6,21]],"date-time":"2021-06-21T19:06:24Z","timestamp":1624302384000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.degruyter.com\/document\/doi\/10.1515\/auto-2019-0021\/html"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,5,1]]},"references-count":27,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2019,5,14]]},"published-print":{"date-parts":[[2019,5,27]]}},"alternative-id":["10.1515\/auto-2019-0021"],"URL":"https:\/\/doi.org\/10.1515\/auto-2019-0021","relation":{},"ISSN":["2196-677X","0178-2312"],"issn-type":[{"value":"2196-677X","type":"electronic"},{"value":"0178-2312","type":"print"}],"subject":[],"published":{"date-parts":[[2019,5,1]]}}}