I am an undergraduate student who wants to do a project in penetration testing automation, and I want a conference or some official source from which to obtain some of the latest research, in order to see what to do in my project, as my objectives are to make it automated, easy to use, reliable, and to implement something new (not proposed earlier!).
- Welcome to the site. Unfortunately this is a bit too open and broad a question here. That said, go and read the papers listed by @DW. You should have a good read of the range of questions already on this site as well as the regular security magazines to understand what research is underway in the industry, as well as what might be of interest. – Rory Alsop Nov 18 '12 at 21:59
- Maybe you could ask this question on this site proposal: [undergraduates](http://area51.stackexchange.com/proposals/49571/undergraduates). Follow it if you find it interesting! – Daniele B Jan 23 '13 at 17:11
1 Answer
Are you sure you want to read research papers on this? If so, here are a few good ones:
- State of the Art: Automated Black-Box Web Application Vulnerability Testing, J. Bau, E. Bursztein, D. Gupta, J.C. Mitchell. IEEE Security & Privacy 2010.
- Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners, A. Doupe, M. Cova, G. Vigna. DIMVA 2010.
- Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner, Adam Doupé, Ludovico Cavedon, Christopher Kruegel, and Giovanni Vigna. Usenix Security 2012.
- Finding bugs in web applications using dynamic test generation and explicit state model checking, Shay Artzi, Adam Kieżun, Julian Dolby, Frank Tip, Danny Dig, Amit Paradkar, and Michael D. Ernst. IEEE Transactions on Software Engineering, vol. 36, no. 4, July/August 2010, pp. 474-494.
- FLAX: Systematic Discovery of Client-side Validation Vulnerabilities in Rich Web Applications, Prateek Saxena, Steve Hanna, Pongsin Poosankam, Dawn Song. NDSS 2010.
- A Symbolic Execution Framework for JavaScript, Prateek Saxena, Devdatta Akhawe, Steve Hanna, Stephen McCamant, Feng Mao, Dawn Song. IEEE Security & Privacy 2010.
- Toward Automated Detection of Logic Vulnerabilities in Web Applications, V. Felmetsger, L. Cavedon, C. Kruegel, G. Vigna. Usenix Security 2010.
- Fuzzing with Code Fragments, Christian Holler, Kim Herzig, and Andreas Zeller. Usenix Security 2012.
To find more, use standard literature search techniques: e.g., read these papers and their related work sections; if they cite or mention a paper that sounds relevant, add it to your set of papers to read (and read its related work section as well); use Google Scholar to find other papers that cite these, and if you spot any that seem relevant, add them to your list to read; and so on.
This will get you research papers. Note, however, that a lot of the state of the art in penetration testing happens outside of the research community. You should probably be paying attention to the forums where pentesters hang out. For instance, check out recent Blackhat and Defcon talks, and follow the blogs of prominent pentesters and security gurus.
One last piece of advice. Before you can invent something new, you usually first need to become a domain expert on the area. You need to gain some experience with pentesting. You're not going to get that simply by reading research papers. Therefore, my advice to you is: spend a little time actually doing some pentesting (not just reading about it). That may help you identify areas that are ripe for automation.