Vulnerability Analysis in Public Web Systems of Ecuador under OWASP API Security Top 10:2023: A Case Study

Authors

DOI:

https://doi.org/10.33936/isrtic.v10i1.8463

Keywords:

OWASP, web security, public portals, passive analysis, web vulnerabilities

Abstract

The growing digitalization of Ecuadorian state services exposes an attack surface whose security posture has barely been empirically evaluated in academic literature. This study analyzes identifiable vulnerabilities in nine Ecuadorian public sector websites, based on the OWASP API Security Top 10: 2023 framework. We implemented a Python 3.12 tool to perform a passive, non-intrusive analysis of HTTP headers, cookies, TLS configurations, publicly accessible HTML source code, standard files such as robots.txt and security.txt, and publicly accessible API endpoints. Because this methodology requires no active penetration testing, payload injection, or access to authenticated resources, it remains within the boundaries set by the applicable legal framework, specifically Article 232 of Ecuador's Comprehensive Organic Criminal Code (COIP). A total of 101 findings were identified and classified into five OWASP categories. Security Misconfiguration (API8:2023) accounted for 69.3% of the results, and high-severity findings represented 20.8% of the total. Nine portals lacked the necessary security headers, and eight presented cookies with incomplete security flags. The findings provide replicable empirical evidence of systemic hardening deficiencies in Ecuador's public sector, indicating that low-cost, high-impact interventions could be formalized as minimum requirements across all government portals.

Downloads

Download data is not yet available.

References

Awoleye, O. M., Ojuloge, B., & Ilori, M. O. (2014). Web application vulnerability assessment and policy direction towards a secure smart government. Government Information Quarterly, 31(S1), S118-S125. https://doi.org/10.1016/j.giq.2014.01.012

Buchanan, W. J., Helme, S., & Woodward, A. (2018). Analysis of the adoption of security headers in HTTP. IET Information Security, 12(2), 118-126. https://doi.org/10.1049/iet-ifs.2016.0621

Calzavara, S., Focardi, R., Squarcina, M., & Tempesta, M. (2017). Surviving the web: A journey into web session security. ACM Computing Surveys, 50(1), 13:1-13:34. https://doi.org/10.1145/3038923

Catota, F. E., Morgan, M. G., & Sicker, D. C. (2019). Cybersecurity education in a developing nation: The Ecuadorian environment. Journal of Cybersecurity, 5(1), tyz001. https://doi.org/10.1093/cybsec/tyz001

Compagna, L., Jonker, H., Krochewski, J., Krumnow, B., & Sahin, M. (2021). A preliminary study on the adoption and effectiveness of SameSite cookies as a CSRF defence. En 2021 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 49-59). IEEE. https://doi.org/10.1109/EuroSPW54576.2021.00012

Cuzme, M., Pinargote, R., & Sabando, E. (2018). Plan de gestión de incidentes de seguridad informática mediante ITIL y MAGERIT. Informática y Sistemas: Revista de Tecnologías de la Informática y las Comunicaciones, 2(1), 24-30. https://doi.org/10.33936/isrtic.v2i1.1129

De los Santos, S., & Torres, J. (2018). Analysing HSTS and HPKP implementation in both browsers and servers. IET Information Security, 12(4), 275-284. https://doi.org/10.1049/iet-ifs.2017.0030

Doupé, A., Cova, M., & Vigna, G. (2010). Why Johnny can’t pentest: An analysis of black-box web vulnerability scanners. En C. Kreibich & M. Jahnke (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2010) (LNCS, Vol. 6201, pp. 111-131). Springer. https://doi.org/10.1007/978-3-642-14215-4_7

Flor-Unda, O., Simbaña, F., Larriva-Novo, X., Acuña, Á., Tipán, R., & Acosta-Vargas, P. (2023). A comprehensive analysis of the worst cybersecurity vulnerabilities in Latin America. Informatics, 10(3), 71. https://doi.org/10.3390/informatics10030071

Foudil, E., & Shafranovich, Y. (2022). A file format to aid in security vulnerability disclosure (RFC 9116). Internet Engineering Task Force. https://doi.org/10.17487/RFC9116

Hodges, J., Jackson, C., & Barth, A. (2012). HTTP Strict Transport Security (HSTS) (RFC 6797). Internet Engineering Task Force. https://doi.org/10.17487/RFC6797

Ministerio de Telecomunicaciones y de la Sociedad de la Información (MINTEL). (2022). Estrategia Nacional de Ciberseguridad del Ecuador 2022-2025. Gobierno del Ecuador. https://www.gobiernoelectronico.gob.ec/wp-content/uploads/2022/08/ESTRATEGIA-NACIONAL-DE-CIBERSEGURIDAD-2022.pdf

Navia, M., & Zambrano-Romero, W. (2021). Instrumento para la auditoría técnica de seguridad informática en pequeños proveedores de Internet. Informática y Sistemas: Revista de Tecnologías de la Informática y las Comunicaciones, 5(2), 119-128. https://doi.org/10.33936/isrtic.v5i2.3952

Pellegrino, G., Tschürtz, C., Bodden, E., & Rossow, C. (2015). jÄk: Using dynamic analysis to crawl and test modern web applications. En H. Bos, F. Monrose, & G. Blanc (Eds.), Research in Attacks, Intrusions, and Defenses (RAID 2015) (LNCS, Vol. 9404, pp. 295-316). Springer. https://doi.org/10.1007/978-3-319-26362-5_14

Weichselbaum, L., Spagnuolo, M., Lekies, S., & Janc, A. (2016). CSP is dead, long live CSP! On the insecurity of whitelists and the future of Content Security Policy. En Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 1376-1387). Association for Computing Machinery. https://doi.org/10.1145/2976749.2978363

Weissbacher, M., Lauinger, T., & Robertson, W. (2014). Why is CSP failing? Trends and challenges in CSP adoption. En A. Stavrou, H. Bos, & G. Portokalidis (Eds.), Research in Attacks, Intrusions and Defenses (RAID 2014) (LNCS, Vol. 8688, pp. 212-233). Springer. https://doi.org/10.1007/978-3-319-11379-1_11

Published

2026-06-30

Issue

Section

Regular Papers