Penetration Testing on the Infrastructure of a Federated Identity and Authentication Provider

Abstract

This thesis journal aims to perform a Penetration Testing to the online identity and authentication provider web server that holds services and applications of INCOGNITO to assess its security and protection level against any type of cyber-attack from a malicious user. Also, another goal of this assessment is to check the defense mechanisms and safety policies that utilizes are adequate for its protection. At the same time, we evaluate the performance of the tools used in the process which are state of the art open-source tools that are widely used and accessible to anyone. More specifically, the research aims to find any possible vulnerabilities or misconfigurations that may exist in the system that the system administrators might be unaware of as this is a development server, that could allow a user with malicious intentions to gain unauthorized access to the system itself or to a part of information that shouldn’t have. This thesis presents the entire procedure of Penetration Testing during which are attempted a different kinds of attacks and techniques that a malicious user could perform along with the tools used and for what purpose. The results of this Penetration Testing can be a useful guide for the system administrators to learn about any possible vulnerabilities and release the appropriate security patches to fix those security flaws and prevent a future attack of any cybercriminal that could cause severe consequences not only for the data that are kept but also for the people responsible for the server.