Vulnerability Analysis in Public Web Systems of Ecuador under OWASP API Security Top 10:2023: A Case Study
DOI:
https://doi.org/10.33936/isrtic.v10i1.8463Keywords:
OWASP, web security, public portals, passive analysis, web vulnerabilitiesAbstract
The growing digitalization of Ecuadorian state services exposes an attack surface whose security posture has barely been empirically evaluated in academic literature. This study analyzes identifiable vulnerabilities in nine Ecuadorian public sector websites, based on the OWASP API Security Top 10: 2023 framework. We implemented a Python 3.12 tool to perform a passive, non-intrusive analysis of HTTP headers, cookies, TLS configurations, publicly accessible HTML source code, standard files such as robots.txt and security.txt, and publicly accessible API endpoints. Because this methodology requires no active penetration testing, payload injection, or access to authenticated resources, it remains within the boundaries set by the applicable legal framework, specifically Article 232 of Ecuador's Comprehensive Organic Criminal Code (COIP). A total of 101 findings were identified and classified into five OWASP categories. Security Misconfiguration (API8:2023) accounted for 69.3% of the results, and high-severity findings represented 20.8% of the total. Nine portals lacked the necessary security headers, and eight presented cookies with incomplete security flags. The findings provide replicable empirical evidence of systemic hardening deficiencies in Ecuador's public sector, indicating that low-cost, high-impact interventions could be formalized as minimum requirements across all government portals.
Downloads
References
Awoleye, O. M., Ojuloge, B., & Ilori, M. O. (2014). Web application vulnerability assessment and policy direction towards a secure smart government. Government Information Quarterly, 31(S1), S118-S125. https://doi.org/10.1016/j.giq.2014.01.012
Buchanan, W. J., Helme, S., & Woodward, A. (2018). Analysis of the adoption of security headers in HTTP. IET Information Security, 12(2), 118-126. https://doi.org/10.1049/iet-ifs.2016.0621
Calzavara, S., Focardi, R., Squarcina, M., & Tempesta, M. (2017). Surviving the web: A journey into web session security. ACM Computing Surveys, 50(1), 13:1-13:34. https://doi.org/10.1145/3038923
Catota, F. E., Morgan, M. G., & Sicker, D. C. (2019). Cybersecurity education in a developing nation: The Ecuadorian environment. Journal of Cybersecurity, 5(1), tyz001. https://doi.org/10.1093/cybsec/tyz001
Compagna, L., Jonker, H., Krochewski, J., Krumnow, B., & Sahin, M. (2021). A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence. En 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 49-59). IEEE. https://doi.org/10.1109/EuroSPW54576.2021.00012
Cuzme, M., Pinargote, R., & Sabando, E. (2018). Plan de gestión de incidentes de seguridad informática mediante ITIL y MAGERIT. Informática y Sistemas: Revista de Tecnologías de la Informática y las Comunicaciones, 2(1), 24-30. https://doi.org/10.33936/isrtic.v2i1.1129
De los Santos, S., & Torres, J. (2018). Analysing HSTS and HPKP implementation in both browsers and servers. IET Information Security, 12(4), 275-284. https://doi.org/10.1049/iet-ifs.2017.0030
Doupé, A., Cova, M., & Vigna, G. (2010). Why Johnny can’t pentest: An analysis of black-box web vulnerability scanners. En C. Kreibich & M. Jahnke (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2010) (LNCS, Vol. 6201, pp. 111-131). Springer. https://doi.org/10.1007/978-3-642-14215-4_7
Flor-Unda, O., Simbaña, F., Larriva-Novo, X., Acuña, Á., Tipán, R., & Acosta-Vargas, P. (2023). A comprehensive analysis of the worst cybersecurity vulnerabilities in Latin America. Informatics, 10(3), 71. https://doi.org/10.3390/informatics10030071
Foudil, E., & Shafranovich, Y. (2022). A file format to aid in security vulnerability disclosure (RFC 9116). Internet Engineering Task Force. https://doi.org/10.17487/RFC9116
Hodges, J., Jackson, C., & Barth, A. (2012). HTTP Strict Transport Security (HSTS) (RFC 6797). Internet Engineering Task Force. https://doi.org/10.17487/RFC6797
Ministerio de Telecomunicaciones y de la Sociedad de la Información (MINTEL). (2022). Estrategia Nacional de Ciberseguridad del Ecuador 2022-2025. Gobierno del Ecuador. https://www.gobiernoelectronico.gob.ec/wp-content/uploads/2022/08/ESTRATEGIA-NACIONAL-DE-CIBERSEGURIDAD-2022.pdf
Navia, M., & Zambrano-Romero, W. (2021). Instrumento para la auditoría técnica de seguridad informática en pequeños proveedores de Internet. Informática y Sistemas: Revista de Tecnologías de la Informática y las Comunicaciones, 5(2), 119-128. https://doi.org/10.33936/isrtic.v5i2.3952
Pellegrino, G., Tschürtz, C., Bodden, E., & Rossow, C. (2015). jÄk: Using dynamic analysis to crawl and test modern web applications. En H. Bos, F. Monrose, & G. Blanc (Eds.), Research in Attacks, Intrusions, and Defenses (RAID 2015) (LNCS, Vol. 9404, pp. 295-316). Springer. https://doi.org/10.1007/978-3-319-26362-5_14
Weichselbaum, L., Spagnuolo, M., Lekies, S., & Janc, A. (2016). CSP is dead, long live CSP! On the insecurity of whitelists and the future of Content Security Policy. En Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1376-1387). Association for Computing Machinery. https://doi.org/10.1145/2976749.2978363
Weissbacher, M., Lauinger, T., & Robertson, W. (2014). Why is CSP failing? Trends and challenges in CSP adoption. En A. Stavrou, H. Bos, & G. Portokalidis (Eds.), Research in Attacks, Intrusions and Defenses (RAID 2014) (LNCS, Vol. 8688, pp. 212-233). Springer. https://doi.org/10.1007/978-3-319-11379-1_11
Downloads
Published
Issue
Section
License
Copyright (c) 2026 Jaime Rubén Borja Ulloa, Rodrigo Cadena Martínez

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Articles submitted to this journal for publication will be released for open access under a Creative Commons Attribution Non-Commercial No Derivative Works licence (http://creativecommons.org/licenses/by-nc-nd/4.0).
The authors retain copyright, and are therefore free to share, copy, distribute, perform and publicly communicate the work under the following conditions: Acknowledge credit for the work specified by the author and indicate if changes were made (you may do so in any reasonable way, but not in a way that suggests that the author endorses your use of his or her work. Do not use the work for commercial purposes. In case of remixing, transformation or development, the modified material may not be distributed.
https://orcid.org/0009-0004-2578-4275

