The Reality of Internet Infrastructure and Services Defacement: A Second Look at Characterizing Web-Based Vulnerabilities

Abstract

In recent years, the number of people using the Internet has increased worldwide, and the use of web applications in many areas of daily life, such as education, healthcare, finance, and entertainment, has also increased. On the other hand, there has been an increase in the number of web application security issues that directly compromise the confidentiality, availability, and integrity of data. One of the most widespread web problems is defacement. In this research, we focus on the vulnerabilities detected on the websites previously exploited and distorted by attackers, and we show the vulnerabilities discovered by the most popular scanning tools, such as OWASP ZAP, Burp Suite, and Nikto, depending on the risk from the highest to the lowest. First, we scan 1000 URLs of defaced websites by using three web application assessment tools (OWASP ZAP, Burp Suite, and Nikto) to detect vulnerabilities which should be taken care of and avoided when building and structuring websites. Then, we compare these tools based on their performance, scanning time, the names and number of vulnerabilities, and the severity of their impact (high, medium, low). Our results show that Burp Suite Professional has the highest number of vulnerabilities, while Nikto has the highest scanning speed. Additionally, the OWASP ZAP tool is shown to have medium- and low-level alerts, but no high-level alerts. Moreover, we detail the best and worst uses of these tools. Furthermore, we discuss the concept of Domain Name System (DNS), how it can be attacked in the most common ways, such as poisoning, DDOS, and DOS, and link it to our topic on the basis of the importance of its infrastructure and how it can be the cause of hacking and distorting sites. Moreover, we introduce the tools used for DNS monitoring. Finally, we give recommendations about the importance of security in the community and for programmers and application developers. Some of them do not have enough knowledge about security, which allow vulnerabilities to occur.

1. Introduction

Due to the growing number of people using the internet and its resources, making sure their data are safe is of the utmost importance. Data breaches can damage the reputation of an organization or person, cost them money and resources, and cause sensitive information, such as social security numbers, credit card numbers, dates of birth, or passwords, to become public or to be stolen [1]. In recent years, many dynamic websites that use modern technologies to connect users to web applications and enhance their interactions with web resources (e.g., bulletin boards and feedback forms) have been developed. However, these innovations contain vulnerabilities that enable intruders to conduct computer attacks, such as SQL injection and cross-site scripting (XSS) [2].

The websites may be hacked as a result of vulnerabilities in the hosting infrastructure, the hosting software layer, or via the credentials of the hosting network or devices. Hacked or defaced websites are an enticing target for cybercriminals, who take advantage of their notoriety and exploit it to conduct illegal acts or distribute malware [3].

Website defacement is a cybercrime that includes trespassing on a website to modify its content and allowing hackers to upload comments and pictures that reflect their viewpoints and ideas, as well as acquiring prestige by stating their names [4].

A defacement attack on a website might have severe consequences for its owner. The defacement attack may rapidly disrupt the website’s usual functioning, harm the owner’s reputation, and trigger a potential data loss. All of these issues may result in substantial financial losses and more [5].

There are other aspects that are not taken into account, such as the infrastructure of Internet services, the most important of which is the DNS service on which Internet users depend for their operations. The DNS is fundamental to the infrastructure of the Internet; unfortunately, it has become a weakness because it is easily attacked by cybercriminals. The Domain Name System (DNS) is naming system for easily accessing websites on the internet by converting or locating a website’s name from the browser to its IP address. However, the DNS is prone to vulnerabilities such as cache poisoning and the malicious creation of misleading domain names for phishing attacks.

DNS cache poisoning is the most significant danger usually seen in DNS infrastructure. Among more complex assaults, it helps with several other attacks, such as phishing, malware insertion, denial of service, and website hijacking and defacing [6]. Additionally, DNS manipulation is one of the most prevalent methods of “defacing” a web server by redirecting its domain name to the address of a host under the attacker’s control [7]. This attack, called a DNS-hijacking attack, poses a substantial risk to consumers. In this type of attack, a target domain is sent to an attacker-controlled web server by a compromised DNS server. DNS cache poisoning and website defacement are two kinds of “attacks on data confidentiality”, which means an unauthorized user can obtain access to confidential information [8].

The issue of protecting web applications is of great concern since security flaws in web applications might result in the theft of personal data, a reduction in the availability of web applications, or a breakdown in the integrity of data [9]. A penetration test is now essential to uncover vulnerabilities and security gaps that can be exploited by cyberattackers [10]. Our research questions are as follows: What weaknesses or vulnerabilities do website programmers disregard that lead to the exploitation and disfigurement of these sites by hackers? How do tools such as Nikto, Zap, and Burp Suite help in testing sites and discovering vulnerabilities? How can we choose the best and the worst among these tools? What are the recommendations that can reduce this problem? Our contributions through this paper are as follows:

• The world’s expanded use of the Internet, applications, and websites in various fields has also increased the number of associated problems as well as causing material, social, and economic damage that negatively affects society and the world. Here, we investigate how to reduce and prevent these problems.
• We contribute to the clarification of the most common vulnerabilities in websites that may cause security problems from hackers, such as defacement.
• We compare penetration test tools and clarify the advantages and disadvantages of each tool.
• We use the three most popular tools and 1000 different websites are scanned in the case study presented in this paper.
• The results for various tools (Nikto, Burp Suite, OWASP-ZAP) are compared with the vulnerabilities that are discovered.
• In a study by Devi et al., the Nikto and ZAP tools were used on 100 sites, and they concluded that Nikto performed better in terms of the information on vulnerabilities [11], but in our study, we use 1000 sites and show that the Burp Suite tool is better than other tools for deducing and displaying vulnerabilities. Through the help of these tools, software developers can analyze sites and warn consumers about these vulnerabilities at all levels: medium, high, and low. This does not diminish the importance of Nikto, which can also offer information about servers, ciphers, and Secure Sockets Layer (SSL) in addition to gaps. Finally, ZAP provides information about gaps at various levels, and it is considered in our study to be the best after the Burp Suite tool, followed by Nikto.
• At the end of the paper, we mention information about the DNS, and we collect site data that were distorted from the Zone-H site and enter them into the DNS tools, including a display of the DNS records to help application and site developers to avoid problems and damage. We attack the server and summarize the most important recommendations and monitoring tools for the server.

In this paper, in Section 1, we present some related work in the field of scanning, penetration testing, and detection by specialized tools. In Section 2, we provide an analysis and assessment of vulnerabilities, describe the types of attacks used to exploit websites, and describe the tools used during that assessment. In Section 4, web application security assessment and pen testing tools for scanning malformed or vulnerable websites are presented. In the fifth section, we discuss the method and present a flowchart explaining the infiltration of the method and its clarification. Also in that section, the result contains a chart in which the gaps are located, and at the end of the section, a comparison of these tools is conducted. At the end of the paper, we talk about the domain name server and link it to our topic based on the importance of the infrastructure and how it can be the cause of hacking and distorting sites. In Section 6, we talk about the concept of a Domain Name System (DNS) and how it can be attacked in the most common ways, such as poisoning, DDOS, and DOS. In Section 7, we also introduce the tools used for DNS monitoring. In Section 8, we propose recommendations about the importance of security in the community and for programmers and application developers. Some of them do not have enough knowledge of security and some vulnerabilities can occur. Finally, we conclude with future research directions in Section 9.

2. Related Work

Shahid et al. presented a comparative study to evaluate the ability of 11 proprietary (Acunetix WVS, Nessus, NetSparker, APPSCAN, and HP WebInspect) and open-source (OWASP-ZAP, Wapiti, Arachni, Nikto, Burp Suite, and W3AF) web application scanners to detect true vulnerabilities in web applications based on multiple vulnerable web applications (according to a list of web application security vulnerabilities from OWASP Top 10 2021) to enhance the granularity and variety of vulnerabilities found. These tools were evaluated according to measures for web application scanning technologies, including the detection rate accuracy, precision, and the ability to detect various vulnerabilities and their levels of severity. Based on a number of research papers and their evaluations, OWASP-ZAP has a higher vulnerability detection rate in the open-source-tool category, while Acunetix and NetSparker have lower false positive rates and better vulnerability identification abilities compared with others in the proprietary-tool category [12].

Albahar et al. performed a literature review to empirically compare the contributions of various researchers in the field of web application penetration testing and suggested an approach to provide an improved benchmarking framework for web application penetration testing tools with new metrics and the application of the benchmarking approach. In addition, they conducted an empirical assessment of the top six web application pen test tools (OWASP ZAP, Burp Suite Professional, Qualys WAS, Arachni, Wapiti3, and Fortify WebInspect) used for pen testing in terms of their performance, vulnerability identification, test coverage, etc. The results showed that each tool had both strengths and disadvantages. Burp Suite Professional and Qualys WAS were the most effective for detecting vulnerabilities, despite their latency in completing the work. In contrast, Fortify WebInspect did not identify any vulnerabilities during its 15-minute scan. In addition, OWASP ZAP and Burp Suite Professional were shown to crawl effectively [10].

R. Sri Devi and M. Mohan Kumar [11] discussed how hackers can identify loopholes in the network infrastructure for attacking web applications. The authors also described the various types of vulnerabilities that can be identified through ethical hacking, such as SQL injection, cross-site scripting, and session hijacking. The paper included a case study of an ethical-hacking exercise conducted and executed on 100 websites using the host name/host ID, which resulted in the identification of several vulnerabilities that could have been exploited by attackers. In the end, a comparison was made between the Nikto tool and the OWASP ZAP tool, highlighting that the vulnerabilities and threats discovered by the Nikto tool were higher than those by the OWASP ZAP tool. In addition, the Nikto tool discovered several vulnerabilities that the OWASP ZAP tool missed.

Deepti Gupta [13] presented a review of currently available security scanning tools for WordPress, noting both their benefits and drawbacks. The author pointed out that many of these tools tended to create a large number of false positives and were typically more concerned with discovering existing vulnerabilities than they were with identifying new or undiscovered threats. To address these limitations, the author proposed the development of a next-generation security scanning tool for WordPress to detect new and unknown threats. The paper focused specifically on WordPress websites, and the proposed tool may not be applicable to other CMS platforms or web applications.

Previous research has provided experimental studies and comparisons between web application scanning tools and has shown different results based on different parameters such as types of scans, scanning time, tool cost, and the number of false positives [10]. A vulnerability analysis and assessment were also executed on 100 websites using host name/host ID [11]. In this work, we followed some of these criteria when comparing web apps scanning tools, such as scanning time, the number of vulnerabilities discovered, and the type of vulnerabilities detected (high, medium, and low risk). We scanned 1000 defaced websites and found most of the weaknesses that led to the problem of these sites being exploited by hackers. We conducted research in light of previous studies and overcame some of their limitations.

3. Analysis of Vulnerabilities

Websites are defaced for many reasons, mostly because they contain major security flaws that allow attackers to access the administration areas of websites and then inject a remote scripting file. However, attackers can deface a site because of a certain vulnerability that compromises the website. They can use a variety of hacking techniques, including SQL injection, cross-site scripting (XSS), local or remote file inclusion, improper account and password ownership, and nonupdated software [14].

Figure 1 provides a visual representation of the distribution of methods of attack used to deface websites in 2010–2017 [15].

A vulnerability can be defined as a mistake or state of being exposed to the possibility of being attacked by hackers [16]. The OWASP Top 10 2021 report provides a comprehensive statistical analysis of the most serious web application vulnerabilities. Below is a collection of web application vulnerabilities taken from the OWASP Top 10 2021 report:

• Broken access control
• Cryptographic failures
• Injection
• An insecure design
• Security misconfiguration
• Vulnerable and outdated components
• Identification and authentication failures
• Software and data integrity failures
• Security logging and monitoring failures
• Server-side request forgery

Vulnerabilities are of many types, but we focused on some types of vulnerability defined in the following.

3.1. SQL Injection

When examining defacement motivated by politics and patriotism between January 2010 and December 2016, the exploitation of an SQL injection vulnerability was the most frequent method of attack (18%) utilized to access a website [17]. SQL injection is regarded as one of the most significant risks to both websites and databases since it allows an attacker access to the web and databases by injecting the database with a malicious SQL request to perform the attack. As it accesses databases, it may alter, steal, or even destroy databases [18]. Not handling special sign characters, such as single quotes (’) or double minuses (−), which might enable an application to inject SQL instructions, is what leads to SQL injection, which allows an attacker to input SQL commands into a parameter or form [19]. Additional harmful attacks that SQL injections can carry out include updating, deleting, and inserting data by executing server-side commands that can take and install malicious software such as viruses, exporting valuable information such as emails and passwords to the attacker’s remote server, and obtaining user login information [20].

3.2. Cross-Site Scripting (XSS)

Cross-site webpage scripting (XSS) is now one of the most dangerous and most frequently used attacks. Nearly 65 percent of websites include at least one of the XSS vulnerabilities described in current network packages [2]. This vulnerability is used by the attacker to inject unfiltered scripting code into the web application, resulting in account takeover, session or cookie theft, and rerouting to the attacker’s website when the parser processes the script [21].

3.3. Local or Remote File Inclusion

File inclusion enables the attacker to include remote or local files by exploiting a vulnerable web parameter on the website and inserting their own remote attack script into the server-side script [22].

Vulnerability Assessment

Our vulnerability assessment definition is similar to that of Laksmiati and Dewi (2023) [23], who defined it as a method or procedure to discover security risks and vulnerabilities of a system and its data that could be exploited and hacked by attackers. This can allow companies and website owners to figure out their own vulnerabilities so that they can take security precautions and defend their websites as well.

There are several types of vulnerability assessment:

1.

Network vulnerability assessment.

2.

Host-based vulnerability assessment.

3.

Web-application vulnerability assessment.

4.

Penetration testing.

5.

Compliance assessment.

In this research, we used the OWASP ZAP tool, Burp Suite tool, and Nikto tool, which are all web application scanners and penetration testing tools.

4. Security Assessment for Web Application Tools

The following web application assessment tools were among the most frequently mentioned scanners in 2019 [12].

4.1. OWASP ZAP

The Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool that was developed in accordance with the Open Web Application Security Project (OWASP). ZAP is versatile and adaptable and was created primarily for testing web applications. ZAP, like Burp, is a “man-in-the-middle” proxy that sits between the user’s web browser and the application’s web server to intercept and inspect messages sent between them. ZAP has features for people of all skill levels. It is easy to use and is a good tool for developers and beginner testers who are new to penetration testing. ZAP has both automated scanners and a set of tools that one can use to find security vulnerabilities manually.

4.2. Burp Suite

Burp Suite is an effective platform and graphical tool for web application security testing. The tool is written in Java and was developed by PortSwigger Security. It is the most widely used tools among experts in online application security and bug bounty hunters. Burp Suite helps to automate the scanning of vulnerabilities and the verification of attack vectors that are affecting web applications. Burp Suite also has manual penetration testing features. The ability to intercept HTTP requests is one of Burp Suite’s main features. This is called a proxy service, which means that Burp stands between the user’s web browser and the application’s web server, which allows it to intercept or capture all traffic between them. Burp Suite offers advanced and custom automated attacks, such as “automatically modify HTTP messages”, and productivity tools, such as “Deep-Dive Message Analysis” and “Utilize both built-in and custom configurations”. The Burp Suite scanner can automatically crawl the application to discover its content and functionality and audit the application to discover vulnerabilities.

4.3. Nikto

Nikto is an open-source (GPL) and pluggable web server scanner written in Perl that performs scans on a web server to detect vulnerabilities that might be attacked and lead to server corruption, among several other things, including more than 6700 potentially harmful applications and files. Additionally, it considers HTTP server settings and the existence of multiple index files and tries to detect all installed web servers and applications. It tests a web server in the quickest time possible.

A comparative analysis of different pen tester tools is shown in

Table 1. Comparative analysis of different pen tester tools.

Name	OWASP ZAP	Burp Suite	Nikto
Web application scanning	Available	Available	Available
Active scan	Available	Available	Not available
Spider	Available	Available	Not available
Tool type	Proxy	Proxy	Scanner
Vulnerability assessment	Available	Available	Not available
Cost	Free	Free/Paid	Free
Version	Version: 2.12.0	Version: 2022.2.4	Version: 2.1.6
Last update	10 December 2021	28 October 2022	9 July 2015

:

5. Methodology

5.1. Basic Idea

Initially, 1000 defaced websites were collected from a public dataset site. Then, they were tested on three tools (Nikto, ZAP, and Burp Suite) to check for website defacement vulnerabilities. The results were inspected, but on some sites, there was no result, so we changed these sites to other ones. In the feature extraction step, we intended to extract features from the 1000 sites with each tool to show which are suitable for each tool and to distinguish the tools from each other. In that step, the tools were distinguished in a special table according to their results, including the time, performance, number of requests, number of discovered weaknesses, and the severity of their impact. Figure 2 shows the workflow of the steps of the analysis used to detect website defacement with vulnerability scanning tools.

5.2. Data Collection

Using a large dataset of 651,191 URLs that had already been collected, we scanned 1000 URLs using Nikto, OWASP ZAP, and Burp Suite to evaluate and compare the scanners’ abilities to detect vulnerabilities in web defacement URLs. A URL dataset (ISCX-URL-2016) for collecting benign, phishing, malware, and defacement URLs was used.

Collated URLs were classified into four types: benign, phishing, malware, and defacement URLs. Figure 3 depicts the distribution of their percentages.

We chose 1000 URLs randomly from the set of defacement URLs [24].

5.3. Experimental Results

Through penetration testing, vulnerabilities were discovered in all areas of the domains, with the OWASP ZAP tool finding medium- and low-level alerts but no high-level alerts, as shown in Figure 4.

The Nikto tool found some additional information, such as servers, ciphers, and Secure Sockets Layer (SSL) information. SSL encryption protocols are used in computer networks for communication security, as shown in Figure 5.

Nikto is quick to scan. It takes an average of two minutes for a single site and shows the port, vulnerability count, request count, item count, and time. However, the Nikto tool does not show the vulnerability risk levels, as shown in Figure 6.

The Burp Suite tool found high-risk vulnerabilities, such as SQL injections, as well as medium-level and low-level vulnerabilities, as shown in Figure 7.

Currently, Burp Suite is considered to be slower than Nikto and OWASP ZAP, taking an average of one hour per website to complete scanning, and it is not available for free. The vulnerabilities and threats discovered by the Burp Suite tool were of a higher level than those discovered by the OWASP ZAP tool and Nikto.

It is obvious that some vulnerabilities that were missed by the OWASP ZAP and Nikto tools were found by the Burp Suite tool. Advanced hackers may exploit certain vulnerabilities as a result of the absence of security. The possibility of a high level of risk in the future necessitates the early detection of vulnerabilities in network and website applications. “Prevention is better than cure” is the best rule of thumb for keeping hackers out of cyberspace.

A study by Devi et al. used the Nikto and ZAP tools on 100 sites and concluded that Nikto was better in terms of providing information about more vulnerabilities; however, in our study, we used 1000 sites and found that the Burp Suite tool was better than the other tools for deducing and displaying vulnerabilities, and with the help of this tool, software developers can analyze sites and warn consumers of these vulnerabilities at all levels: medium, high, and low. This does not diminish the importance of Nikto, which also offers information about servers, ciphers, and the Secure Sockets Layer (SSL) in addition to gaps. Finally, ZAP provides information about gaps and vulnerabilities at various levels, and it was considered in our study to be the best after the Burp Suite tool, followed by Nikto [11].

As a comparison between the strengths and weaknesses of each tool, we conclude that the burp suite is the best and strongest in terms of finding vulnerabilities because it shows three levels: high, medium, and low. Moreover, it is good for high-security applications. This tool conducts a penetration test and a vulnerability scan. Furthermore, it helps developers discover vulnerabilities that they can depend on to manage risks and vulnerabilities because it facilitates and sets a priority for each vulnerability so they can be classified as high, medium, or low. ZapTool is considered medium in terms of security because it does not disclose vulnerabilities or analyze them. However, it is the best in terms of speed. Nikto is considered at the medium level in security systems and the fastest in terms of time; the Nikto tool is a penetration test and also a vulnerability scan tool. Moreover, the Nikto tool can expose SSL and cipher suite vulnerabilities, and so on. However, this study’s conclusions make it easier for researchers to use the best tools based on their needs because sometimes, programmers and developers do not pay attention to security. This study helps them manage the risks and make sure they plan for software security as needed.

6. Comparison with DNS Tools

6.1. Zone-H Dataset

The Zone-H site is a portal that contains a huge archive of defaced websites from multiple countries around the world; basically, it is an IT security news site. Additionally, the site has significant “cybercrime archives”. The goals of Zone-H are to follow security trends and analyze the growing importance of hacktivism. In this study, we collected 1000 defaced websites from Zone-H to be used in the analysis of DNS tools. They were categorized according to the countries to which they belong, as shown in Figure 8.

6.2. Specialized DNS Tools

Dnsenum is a parallelization-scripted tool for discovering noncontiguous IP blocks and enumerating DNS metadata for a domain. This utility has multiple operation levels, including mail exchange records, name servers, and the host portion (A record) (MX, threaded). In addition to this, it conducts after-name server requests and retrieves the DNS type with master- and subdomains. Dnsmap is a very good program to use for vulnerability assessments and hacking, just like other tools. However, Dnsmap differs from other programs as it provides information such as the identification of intriguing deleted access servers, incorrectly configured or unpatched servers, new domains, and embedded devices set up using dynamic services. The majority of the information that this tool displays is the same. dnsrecon is a useful device that can perform a huge variety of tasks with multiple operators, such as identification with only the “-d” switch. We recognize that the search produces comparable results using the default domain. With “-g”, which can enumerate all of the Google search engine’s results, a Google search can be performed. Numerous other operators may be used to locate and enhance the data for something such as the target or it can be stored in any file format. Additionally, Dnsmap and other search tools can provide the same and other information, along with remote connection and trace paths and assessments of DNS and networks with additional related information. Web archiving, on the other hand, can provide us with a historical overview of objective lists and updates combined with query operations, which can be highly efficient for determining the associated material for the target, ultimately offering attackers and hackers an advantage [25].

6.3. Coding in Kali Linux OS

Kali Linux takes a long time and requires significant effort to create technologies for hacking and penetration testing. Penetration tests are simple to perform with the help of certain tools, such as those in Kali Linux OS, a well-liked Linux distribution for penetration testing, which is based on the Debian operating system. Offensive security is created and maintained. More than 600 tools are included, most of which are free tools for penetration testing, including tools for information collection, vulnerability identification, sniffing and masquerading, attacking, exploitation, and forensic investigation. Because it is accessible and freely distributed, anyone with access to these tools and its source code can improve and alter them. Kali Linux is compatible with a wide range of hardware and other devices with limited resources. The file hierarchy standard is followed. This makes it simple for users to find binaries, libraries, and supporting files for Kali Linux using offensive security [26].

6.4. Analysis and Reporting

Alharbi et al. attempted to categorize malicious DNS requests identified by blacklists according to their causes. They demonstrated through testing that their method could divide the 388 harmful requests into three clusters, each of which had questions with a similar root cause [27]. Network mapping was presented in great detail by domain records. A start of authority (SOA) is a DNS record that contains information about a zone and other DNS records that are maintained in the DNS zone. A DNS is the beginning of a domain for which a certain DNS server is in charge. For each zone, there is only one SOA record. The DNS mail exchange (MX) record identifies the mail server in charge of accommodating emails on behalf of a recipient’s domain. If there are numerous accessible mail servers, the preference value is utilized to prioritize message delivery. In contrast to a directory service, a DNS resolver is a hardware component or piece of software that offers a communication service for responding to requests. It converts a text-based identification that is frequently understandable by humans into a internal-system, typically numeric, identification or addressing portion. The server performs this verification in reply to a service protocol request. In addition, records such as A and AAAA offer crucial information. Checking for zone transfers in all network server (NS) records is possible with the help of the DNS reconnaissance tool, dnsrecon. Additionally, it lists general DNS records for a specific domain (MX, SOA, NS, A, AAAA, SPF, and TXT). This

Table 2. DNS tool analysis.

Tool	Records
dnsrecon	NS records for zone transfers.
	Given domain (MX, SOA, NS, A, AAAA, SPF, and TXT).
	Top-level domain (TLD)
	Perform a PTR record
	List of host records in a text file to check

also performs top-level domain expansion and popular SRV record enumeration (TLD) [28].

Zone files, or DNS records, are instructions kept on authorized DNS servers that provide details about a domain, including its IP address and how to handle a request for that domain. DNS records are also referred to as zone files. Nineteen text-file sequences in the DNS syntax make up these entries. Simply put, a DNS syntax is a string of characters that the DNS server interprets as commands. All DNS entries include a TTL, or time to live, which is a value that specifies how frequently a domain name server will update that record. All domains must have at least a few necessary DNS records to allow users to access their websites using a domain name, and some optional entries provide additional functions. The period required to modify records across the Internet is known as the propagation time. The most significant types of DNS records are

• A record: An A record identifies the Internet protocol address of the machine hosting the domain. Using a domain name, a record identifies a device’s IP address on the Internet. When a domain or subdomain is entered into the address bar of a browser, the AAAA record type of a DNS record tells the browser where to go by mapping the domain or subdomain to an IPv6 address.
• CNAME record: A classical name, or CNAME, record converts an alias name into a real or canonical domain name. Using CNAME records, a subdomain, such as a website or an email address, is transferred to the domains that house the information for that subdomain.
• Mail exchanger record, or MX record: this defines the mail server responsible for obtaining emails.
• TXT record: A resource record known as a TXT record enables text to be connected to a zone. Any text content can be added to DNS entries using this record, according to the domain management.
• NS record: An NS record, also known as a name-server record, contains the name of the authorization server inside a domain or DNS zone.
• Start of authority (SOA) record: The domain name system defines an SOA record containing administrative data about a zone (DNS). SRV stands for service discovery records, which help with service discovery. An SRV record typically specifies a single meaning and the transport protocol as part of the domain name. The importance, size, port, and target of the service are all specified in the record content.
• PTR record: As opposed to an A record, which points to a domain, a pointer (PTR) record in a DNS record converts an IP address to a domain or hostname [29].

The evaluation of vulnerability detection was conducted using open-source frameworks. The second evaluation led to the identification of vulnerable subdomains. For this, four open-source programs were used. Some of them had a built-in CNAME verification process that determined whether the domain contained any dead DNS records or records that referred to a nonexistent CNAME. Another method of checking whether a website is providing content was to use certain inherent fingerprints in response to the website’s response. Its verification could include everything from the rest of the website’s contents to the examination of status codes and page names. None of the cloud servers seemed to provide enterprise knowledge support. The number of vulnerable subdomains detected was also less than what was found using that method. This is because, in the test scenarios, certain subdomains had already been deleted. It follows that this approach would be more effective at identifying such instances. Second-order subdomain detection is currently only possible for Java and stylesheet resources in the prototype [30].

Many DNS records have been retrieved and checked for potential abuse (e.g., TXT and CNAME records). For instance, cross-site scripting (XSS) attacks are carried out by hackers using JavaScript and published in TXT records (XSS). Attackers insert frame tags and scripts into TXT records, which domains load. Multiple instances of record misuse were identified by evaluating data illustrating cases of record misuse (XSS DNS record). Additionally, information gathering or penetration communication between compromised workstations and C&C domains was conducted using TXT records. For instance, TXT records were used by Morto botnets to transmit commands for downloading additional harmful software or for updating malware instances. The Morto TXT record was an example of a different kind of DNS record abuse that our system identified. Furthermore, information about the network traffic produced by the Morto virus was obtained by comparing the suspect domain e.ppift.in with our malware database. The suspicious domain e.ppift.in and its variants (such as e.ppift.com, accessed on 6 March 2023) appeared to have been queried repeatedly for TXT records. Hackers frequently utilize CNAME records to make aliases for unauthorized domains. We investigated a known phishing operation against a social networking site to demonstrate that case (vk.com, accessed on 6 March 2023). The perpetrators of this campaign used aliases to drive users to malicious domains while using a proxy service as their domain name (anonymizer.proxy.irl**k.ru). These domains were mostly used to gather personal information from users who had accounts on social networking sites such as vk.com, accessed on 6 March 2023. Furthermore, after examining the primary domain name, we noted that the second category, irl**k.ru, appeared to be a valid domain for the sale of goods. The investigation revealed that the domain was concealing phishing and spam activities, which may have been started by the domain owner(s) directly or indirectly through the use of compromised servers [31].

7. Attacks on DNS

As one of the most fundamental and established protocols on the Internet, the DNS provides a wide range of network services and applications. A well-known example of a significant assault on the DNS is the DNS cache poisoning attack and denial-of-service attacks. Unfortunately, the DNS was not designed with security in mind and is vulnerable to a number of serious attacks. Retrofitting robust security mechanisms into it has proven to be incredibly difficult over the course of its decades-long existence. Only less-effective variants of randomization-based defenses have been widely used up to this point [32].

7.1. DNS Poisoning Attack

DNS poisoning, which involves injecting malicious entries into the DNS resolution and forcing clients to be redirected from legitimate to malicious servers, is one of the most serious attack vectors. Typically, poisoning attacks target a DNS resolver, giving attackers the ability to taint all workstations using the hacked resolver by poisoning a DNS entry. However, recently developed defenses significantly reduce these attacks and shield resolvers [27]. To replace legitimate IP address records with bogus entries, an attacker must deceive a DNS server into thinking they have authentic information. To manipulate people or steal information, the attacker can, for instance, replace a specific IP address with the IP address of a forgery or phishing website. The attacker has two options for carrying out a DNS poisoning attack: either inside an intranet (LAN) or by replacing entries kept on a proxy server. The bypassing of phishing filters and security toolbars is made possible by DNS poisoning [33].

Figure 9 explains the attack mechanism. In the following, we discuss DNS spoofing, or what is called the abbreviation of the DNS. This actual system highlights some lessons from networks and show its importance in interpreting websites. We can request sites through it, because the Internet does not understand a site’s name; for example, when we type Facebook in Google, Google does not understand what Facebook means. It works behind the scenes through this system known as DNS, which matches a name to an IP address. We know that in networking, an IP address is the only way to request websites through the Internet. After understanding these matters, we talk about DNS again and explain, in detail, how it works. We consider a scenario in which we make a request and see how the browser deals with it. We explain how DNS deals with this request After that, we discuss the danger associated with the DNS, how governments take advantage of it by spying on people, and how they exploit hackers to infiltrate people. We carry out an attack using the DNS.

We require users to go to the requested sites, for example, a site about a second requested site, such as sites of a certain university, by performing something known as DNS security.

For example, we go into the browser, ask Facebook what normally happens behind the scenes, and enter the site as everyone else would. Now that we have reviewed all scenarios in the DNS request process, we show how to convert a domain into an IP address. The only scenario left is a scenario in which we are sure that we can actually go to a file named host. Anyone able to access this file can modify the IP address, and it is estimated by modifying the IP address. We use the IP address in the communication process, so we can go to any website we want, where we can find fake registration plates, malicious software, codes, etc. We note here that when someone opens three browsers and asks each one for a site, the first browser will ask Facebook to open normally, the second browser will ask for a security site that is normal but rigged, and the third browser will try and ask for high-security sites, which is impossible, because it will show a message that something has been forged, including alerts to users to avoid problems, intrusions, and malware.

Now, let us carry out the attack. Through this experiment, if we divide the work into files, there is a win file, and the hacker has a victim’s win file.

Now, the victim’s file for someone we want to hack is available. We cannot connect to it. We cannot modify it because our device cannot access it.

We write “How are you!”. Now, we can settle the file or settle the device after the victim goes to a fake DNS file. We want to do something known as transfer connections or IP transfer through the victim’s device, so we perform the order. When the victim asks, we transfer it to the site that we have settled perfectly, so that we can write the orders. Which domain will it ask for? We transfer it to the correct private IP address. We do not transfer it to the fake IP address that we put in a file. When modifying files and using eavesdropping programs and compressing them, the DNS spoofing attack begins. Suppose now you request a resources website; thus, the interface will change. It appears to us that the site has changed and is asking for a login that is on the air network. Before we prove that the website is a network, we click on “Network”, and we can see the IP that Anna has created. Now, we also try a second site. The DNS is picked up from the site, in addition to turning it into a login page for this site, and as mentioned previously, the site is targeted. Then, we use a medium protection level for the sites. The user enters the site, but we cannot convert it and it gives us an error message. Now, we choose the site, and it appears that the site does not exist, but in fact, it does exist and works, although we cannot turn it into fraud. Then, we try high-protection sites which give us a message and detect that an attack is occurring. In order to determine the role of programmers in the encryption certificate and protection of sites, text appears to indicate exposure to a DNS attack. In the second method, we use eavesdropping using a program after the special commands have been modified in it. After that, we choose the IP that we want to eavesdrop on, and the eavesdropping process starts from the time that the program runs, transferring the victim to the domain according to the hackers’ intent. In the end, we learn how to settle the spying process in two different ways. We are able to transfer requests for updates in browsers. The question is how the browser can protect the user from fraudulent requests by just knowing that the DNS of the browser that has taken information from us is fake or contains a fake DNS. We have to consider the browser as having sites with high protection and remember the importance of accessing highly protected content to protect individuals and society from hackers. As for the sites that do not have an encryption certificate, we decide how to manipulate their private users. We must always pay attention to HTTPS, which must be present for several reasons, and remember the importance of the recommendations we have mentioned.

7.2. DOS, DDoS Attacks by DNS Flooding

The number of devices connected to the Internet is increasing quickly, and there is a huge requirement for electronic services, which has resulted in a significant increase in cyberattacks targeting cyberspace and the development of related methods. Therefore, there need to be systems, laws, and guidelines that govern how these applications perform and protect them from electronic attacks. The most significant weakness in the Domain Name System (DNS) is that the answer size is always larger than the size of the request, which allows cybercriminals to launch their assaults. Attacks that generate a distributed denial of service (DDoS) are among the most serious risks on the Internet. Only some varieties of DDoS attacks are designed to be detected using the current approaches. They are therefore unable to identify other attack types, let alone the more difficult combined DDoS attacks [28].

In Figure 10, we explain the attack mechanism. We present our experiment with the attack’s technique (DOS, DDoS). Windows acts as the victim while Kali Linux acts as the attacker in our experiment. We start by listening in on the Windows victim using the Kali Linux command screen, and as soon as we begin browsing the Facebook website, the Kali Linux screen is displayed to stop the victim from accessing the browser and closing it. Additionally, given the complexity of the problem and the fact that more than one device is utilized to carry out a multiattack (DDoS), safeguards and recommendations must be made in order to prevent vulnerabilities, penetration, and the loss of service from the site.

8. Tools to Monitor DNS Attacks

Internet connections are becoming larger and more complex with a variety of connected assets that require different types of security. Since almost all connected assets use the Domain Name System (DNS) to resolve addresses, attackers can discreetly conduct command and control (C&C) communication, data theft, and service disruption on a variety of connected assets using the DNS. In order to access any online service, enterprise security appliances that monitor network traffic often permit all DNS traffic to pass through. These appliances are ineffective against zero-day attacks, since they can only, at best, match against a database of known dangerous patterns [33].

IoT remote control has scalability, secure communication, and privacy preservation challenges, while traditional methods (HTTPS) have been shown to have poor scalability issues and privacy issues. In this research, we propose a unique DNS-based IoT remote monitoring system that is lightweight, secure, and that protects privacy. In general, CoAP and MQTT are used for communication between IoT devices and gateways, and the DNS protocol is solely used for remote monitoring. That is, only the designated users are permitted to query and decrypt the encrypted IoT data due to TSIG authentication of the DNS protocol and asymmetric cryptography. Encrypted IoT data are stored as a DNS TXT record of the domain name of the IoT device after being encoded with base64. They use a prototype name-bound virtual network (NBVN) system that restricts network traffic within each NBVN and automatically registers all virtual nodes in the DNS. The efficiency of secure communication and privacy protection in IoT remote monitoring in the suggested mechanism was proven by preliminary assessments [34].

Malware assaults that pose a threat to cybersecurity have emerged as one of the biggest problems facing the Internet today. Most malware types attempt to connect to the corresponding command and control (C&C) servers using IP addresses or fully qualified domain names (FQDNs) after infiltrating a specific computer in order to receive additional instructions (such as attacking target IP addresses and FQDNs) and carry out subsequent cyberattacks. It has become clear in recent years that C&C servers and malware-infected PCs communicate with each other via DNS traffic. These idiosyncrasies have been a focus of research and a technique has been suggested for identifying malware-infected PCs that involves keeping an eye on unauthorized DNS activity on wireless networks in conjunction with DHCP (Dynamic Host Configuration Protocol) servers. When various types of malware infect computers within DHCP-configured environments and try to interact with the relevant C&C servers via the DNS (Domain Name System) protocol, they can be identified by installing the suggested system onto wireless networks. A high level of detail on the suggested method’s design is presented in [35].

Modern society is rapidly adopting smart gadgets, and Android OS is the most widely used operating system on smartphones and tablets currently. However, one of the biggest issues and fastest-growing security threats now affecting the Android platform’s Internet usage is rogue applications. Thus, in order to combat the widespread malware attacks, we need approaches and methods. A dynamic analysis is one of the most pertinent methods for exposing Android applications’ sensitive run-time behaviors. Previous research has suggested the use of a virus detection tool known as Network Sentinel for the network-based dynamic DNS request monitoring of applications. Its primary driving force was the widespread exploitation of the DNS by hostile groups seeking to connect botnets and dangerous networks to the Internet. The testing results, which enabled the capture of DNS queries made by smartphones to distant servers from the gathered network traces with incredibly low battery consumption, were also encouraging [36].

9. Recommendations

We talked about why domain name systems, often known as DNS, are one of the most rapidly expanding attack vectors and why they should be secured against various forms of cybercrime. The number of assaults employing DNS today is rising alarmingly. The combination of organizations failing to protect their domains is not surprising. If we think about it, every host and system in the network must convert domain names into IP addresses in order to connect to the internet. Because of this, the DNS is necessary for operation and cannot be stopped. The second DNS is a bidirectional protocol that is data-carrying, internet-facing, and all of these things together constitute it. The DNS is a robust and adaptable system. In this regard, the DNS is a very strong and highly adaptable protocol for attackers to employ. The DNS is extremely similar to emails and the Web, and almost everyone has a solution. DNS security cannot be compared to that of email security or web security. The DNS is frequently disregarded, so why can the current solutions not stay up to date and offer defense against these dangers? The majority of enterprises nowadays rely on some sort of static domain block list, but every single day, millions and millions of new names are being released. These static database signatures cannot keep up with new developing dangers and are not scalable. A powerful machine learning tool can analyze data quickly, in real time; moreover, machine learning is powerful for guarding against the unknown of today’s hostile DNS attacks. The use of monitoring tools means that if you choose a resolver-independent security solution, the resolver and whatever protection it provides can both be simply disregarded by altering the host’s DNS settings. Securing the DNS traffic throughout one’s entire infrastructure is important by integrating nature, firewalls, and network edges such as Prisma Access.

The number of devices connected to the Internet is growing quickly, and there is a rising demand for electronic services, which has resulted in a significant increase in cyberattacks targeting cyberspace and the development of their methods. Therefore, there have to be systems, laws, and guidelines governing how these applications operate and shielding them from electronic assaults. Numerous flaws in the Domain Name System (DNS) can be used by online attackers to start their attacks [37].

The DNS over HTTPS (DoH) resolution technology was recently approved by the Internet for privacy-conscious network applications. DoH has developed into a research area for network monitoring as it gets more widely used. Real-world datasets are required for a thorough evaluation and comparison of the produced classifiers, which is what motivated our contribution [38].

Firewalls are typically installed at the network’s edge. However, many security experts disagree that this is the ideal position for DNS firewalls. Finding on-premise resources makes up a large portion, if not the majority, of an organization’s DNS resolution traffic. For instance, when a user logs in, Windows utilizes the DNS to find a domain controller. In order to access additional targets, MA also exploits the DNS to travel laterally across infiltrated networks. To monitor both internal and external DNS traffic, organizations should think about using DNS firewalls [39].

DDoS assaults have increased in recent years to target the crucial DNS authoritative infrastructure. A study suggested a unique DDoS mitigation technique for DNS authoritative name servers. The approach made use of DNAME records to inform recursive resolvers of domain redirection directives; these resolvers subsequently diverted their following query traffic to the redirection domains as necessary. Multiple domains could be connected to elastically and adaptively provision and release authoritative resources to scale quickly as needed in response to DDoS attacks. The outcomes of the simulation confirmed the effectiveness of the solution [40].

10. Conclusions and Future Work

In this paper, we presented an empirical comparison of three web application penetration testing tools (OWASP ZAP, Burp Suite Professional, and Nikto), using them to scan 1000 defaced websites and extract vulnerabilities and their ratings from each scanned website. Moreover, each tool had strengths and weaknesses. For instance, Burp Suite Professional was the best in vulnerability detection, notwithstanding its delay in performing the task as it was very slow. On the other hand, the Nikto tool did not show the risk levels of vulnerabilities. In addition, the OWASP ZAP tool found medium- and low-level alerts but did not issue any high-level alerts.

In the second part of this paper, using a comparison with the DNS, we added the steps for collecting data, defining the tool, and coding in the Kali operating system, and in the end, we showed the transmission and how to take advantage of the records for finding weaknesses, performing penetration tests, and so on. We showed some of the attacks that DNS was exposed to, including poisoning, DOS, and DDOS attacks. Methods for monitoring DNS were also highlighted. In the end, we presented some recommendations that must be taken into consideration as a preventive measure against attacks.

Future work will include extending our analysis to more new tools and scanning a larger number of infected websites to detect vulnerabilities.