Penetration Testing. James Walden Northern Kentucky University

Topics
1. What is Penetration Testing?
2. Rules of Engagement
3. Penetration Testing Process
4. Map the Application
5. Analyze the Application
6. Exploit the Application

What is Pen Testing?
Security testing is the process of providing evidence of how well an application satisfies its security requirements. Penetration testing is a method of security testing in which testers simulate the efforts of attackers.

What is Pen Testing?
Penetration testing evaluates the security of software in its deployed environment:
- Effect of firewalls
- Deployed cryptographic libraries
- Effect of other security services and processes
[Figure: security activities mapped onto the software lifecycle. Phases: Requirements, Design, Coding, Testing, Maintenance. Activities: Abuse Cases, Risk Analysis, Code Reviews + Static Analysis, Security Testing, Penetration Testing, Security Operations.]

Purposes of Pen Tests
1. Identify vulnerabilities that may be difficult or impossible to detect in design or code reviews.
2. Determine the feasibility of certain attacks.
3. Assess the impact of potential attacks.
4. Test the ability of the system to detect attacks.
5. Provide evidence to support increased investments in security.

Black, White, Grey Box Testing

Rules of Engagement
- Which systems are being tested? Deployment or development? Web, DB, others?
- What tests will be performed? Read-only, read-write, DoS?
- When will the tests be performed?
- Who to contact if tests cause problems?

Penetration Testing Tools

Penetration Testing Process
1. Map the Application
2. Analyze the Application
3. Exploit the Application

Map the Application
1. Manual following of all links with a browser.
2. Automatic mapping with a spider.
3. User-driven spidering of the site with a proxy.
4. Brute forcing URLs to find hidden content.

Spidering an Application

Automatic Mapping Limitations
1. Difficult to parse complex JavaScript menus. Use the AJAX Spider in ZAP.
2. Difficult to find plug-in (Flash, Java) links.
3. Spider may not fill out every form field correctly to reach the next step in registration, billing, etc.
4. Form-based navigation may use the same URL for each step, causing the spider to ignore multiple requests to a URL it has already cached.
5. Spider may terminate its session by selecting the Logout link before the map is complete.

User-Directed Spidering
- Point the browser at the proxy tool.
- User browses through the site as normal.
- User handles authentication and filling out complex forms.
- Proxy builds a map of the site: it parses all links out of the HTML to add to the map, but does not follow them automatically.
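The following is an added example (not code from the lecture) of the user-directed spidering described above. Pages captured while the tester browses are handed to the map one at a time; links and forms are extracted and recorded but never fetched automatically. Two of the listed spider limitations are handled: entries are keyed by (method, path, parameter names) rather than bare URL, so multi-step form navigation that reuses one URL is not collapsed, and logout links are recorded separately instead of being queued. The sample pages and the host app.example are constructed.

```python
"""Site map built by user-directed spidering: each page the tester browses
through the proxy is fed to add_page(), links and forms are extracted and
recorded, nothing is followed automatically.  Added example for this lecture,
not the lecture's own code; the sample pages below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Links whose URL contains one of these words are recorded separately and never
# queued, so the mapping session is not ended by following "Logout".
LOGOUT_WORDS = ("logout", "signout", "log_out", "sign_out")


class LinkFormExtractor(HTMLParser):
    """Collects <a href> targets and <form> definitions from one page."""

    def __init__(self):
        super().__init__()
        self.links = []      # raw href values
        self.forms = []      # (METHOD, action, [field names])
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = ((a.get("method") or "get").upper(), a.get("action") or "", [])
        elif tag in ("input", "select", "textarea") and self._form and a.get("name"):
            self._form[2].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


class SiteMap:
    """Map keyed by (method, path, parameter names) rather than by bare URL, so
    form steps that share one URL but differ in fields stay separate entries."""

    def __init__(self, base_url):
        self.host = urlsplit(base_url).netloc
        self.entries = {}        # key -> {"url", "params", "seen_on"}
        self.logout_urls = set()

    @staticmethod
    def _key(method, url, params):
        return (method, urlsplit(url).path, tuple(sorted(params)))

    def _record(self, method, url, params, seen_on):
        self.entries.setdefault(self._key(method, url, params),
                                {"url": url, "params": sorted(params), "seen_on": seen_on})

    def add_page(self, page_url, html):
        ex = LinkFormExtractor()
        ex.feed(html)
        for href in ex.links:
            url = urljoin(page_url, href)
            if urlsplit(url).netloc != self.host:
                continue                      # other hosts are out of scope
            if any(w in url.lower() for w in LOGOUT_WORDS):
                self.logout_urls.add(url)     # noted, but never followed
                continue
            self._record("GET", url, parse_qs(urlsplit(url).query).keys(), page_url)
        for method, action, fields in ex.forms:
            self._record(method, urljoin(page_url, action or page_url), fields, page_url)


# Constructed sample: three pages a tester would browse through the proxy.
SAMPLE_PAGES = {
    "http://app.example/": (
        '<a href="/products?id=1">Widget</a> <a href="/products?id=2">Gadget</a> '
        '<a href="/logout">Log out</a> <a href="http://cdn.example/help">Help</a>'
    ),
    "http://app.example/checkout": (
        '<form method="post" action="/checkout">'
        '<input name="step" type="hidden" value="1"><input name="address"></form>'
    ),
    "http://app.example/checkout?step=2": (
        '<form method="post" action="/checkout">'
        '<input name="step" type="hidden" value="2"><input name="card"></form>'
    ),
}


def build_map(base_url, pages):
    """Feed every browsed page into the map and return it."""
    sitemap = SiteMap(base_url)
    for page_url, html in pages.items():
        sitemap.add_page(page_url, html)
    return sitemap


if __name__ == "__main__":
    m = build_map("http://app.example/", SAMPLE_PAGES)
    for key, entry in sorted(m.entries.items()):
        print(key[0], entry["url"], entry["params"])
    print("not followed:", sorted(m.logout_urls))
```

Running it yields three entries (one GET to /products and two distinct POST steps to /checkout) plus the logout URL held aside; the two product links collapse into one entry because they differ only in parameter values, not names.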

Finding Hidden Content
- Check HTML for comments and hidden fields.
- Try URLs that are not links to find:
  - Backup files, e.g. names ending in ~ or .bak: view the source code; possibly find DB login credentials.
  - Backup archives of the entire site.
  - Admin directories: access admin functionality without credentials.
  - Log files: may contain credentials or session IDs.
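As an added defender-side check (not part of the lecture), the script below audits a document root for the classes of hidden content listed above, backup files, site archives, admin directories and log files, and inspects served HTML for comments and hidden form fields. The suffix lists, the directory names and the sample webroot and page are constructed for the example.

```python
"""Defender-side check for hidden content left in a webroot (backup files,
site archives, admin directories, log files) and for HTML comments and hidden
form fields in served pages.  Added example, not the lecture's code; the
suffix lists and the sample webroot and page are constructed."""
import os
import tempfile
from html.parser import HTMLParser

BACKUP_SUFFIXES = ("~", ".bak", ".old", ".orig", ".swp")
ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz")
LOG_SUFFIXES = (".log",)
SENSITIVE_DIRS = {"admin", "backup", "backups", "logs"}


def classify(relpath):
    """Return a finding category for a path relative to the webroot, or None."""
    name = relpath.lower()
    if name.endswith(BACKUP_SUFFIXES):
        return "backup-file"
    if name.endswith(ARCHIVE_SUFFIXES):
        return "site-archive"
    if name.endswith(LOG_SUFFIXES):
        return "log-file"
    if SENSITIVE_DIRS.intersection(os.path.dirname(name).split(os.sep)):
        return "sensitive-directory"
    return None


def audit_webroot(root):
    """Walk the document root and return sorted (category, relative path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            cat = classify(rel)
            if cat:
                findings.append((cat, rel))
    return sorted(findings)


class HiddenMarkup(HTMLParser):
    """Collects HTML comments and hidden <input> fields from a served page."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.hidden_fields = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name"), a.get("value")))


def inspect_html(html):
    """Return (comments, hidden fields) found in one page."""
    p = HiddenMarkup()
    p.feed(html)
    return p.comments, p.hidden_fields


def build_sample_webroot():
    """Create a constructed webroot in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.php", "index.php~", "config.php.bak", "site.zip",
                os.path.join("admin", "index.php"), os.path.join("logs", "access.log"),
                os.path.join("css", "style.css")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write("sample\n")
    return root


# Constructed page: a leftover comment and a client-controlled hidden price.
SAMPLE_PAGE = ('<!-- TODO: remove debug=1 before release -->'
               '<form><input type="hidden" name="price" value="10.00">'
               '<input name="qty"></form>')

if __name__ == "__main__":
    for cat, rel in audit_webroot(build_sample_webroot()):
        print(f"{cat:20} {rel}")
    print(inspect_html(SAMPLE_PAGE))
```

On the sample tree the audit reports the two backup files, the archive, the admin directory and the log file while ignoring index.php and the stylesheet; the hidden price field is exactly the kind of value a tester will later try to tamper with, so it is worth flagging before deployment.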

Finding Hidden Content

Analyze the Application
1. Application core functionality.
2. Peripheral functionality, like administrative, logging, and redirection services.
3. Security mechanisms, including:
   1. Authentication and password management.
   2. Access control.
   3. Session management.
4. Client-side technologies (JS, cookies, etc.)
5. Server-side technologies (PHP/JSP, DB, etc.)
6. All entry points where the application accepts input.

Identifying Entry Points
- Every URL up to the query string marker
- Every parameter within the URL query string
- Every parameter submitted within the body of a POST request
- Every cookie
- Every HTTP header that the app may process, especially the User-Agent, Referer, Host, and Accept headers.
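An added example (not from the lecture) that enumerates every entry point in the list above from one captured request: the URL path, each query parameter, each form-encoded body parameter, each cookie and the headers the slide names. The captured request, the host app.example and the session value are constructed.

```python
"""Enumerate the entry points from one captured HTTP request: URL path,
query-string parameters, POST body parameters, cookies and the headers the
application may process.  Added example, not the lecture's code; the captured
request is constructed."""
from urllib.parse import urlsplit, parse_qsl

# Headers the slide singles out because applications commonly read them.
PROCESSED_HEADERS = ("host", "user-agent", "referer", "accept")


def parse_raw_request(raw):
    """Split a raw request into (method, target, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def entry_points(raw):
    """Return (kind, name, value) triples, one per input the app may read."""
    method, target, headers, body = parse_raw_request(raw)
    parts = urlsplit(target)
    points = [("url", parts.path, method)]            # the URL up to the '?'
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        points.append(("query", name, value))
    ctype = headers.get("content-type", "")
    if body.strip() and ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body.strip(), keep_blank_values=True):
            points.append(("body", name, value))
    for chunk in headers.get("cookie", "").split(";"):
        if "=" in chunk:
            name, _, value = chunk.strip().partition("=")
            points.append(("cookie", name, value))
    for h in PROCESSED_HEADERS:
        if h in headers:
            points.append(("header", h, headers[h]))
    return points


# Constructed request as a proxy would capture it (blank query value kept on purpose).
SAMPLE_REQUEST = """POST /account/update?ref=home&debug= HTTP/1.1
Host: app.example
User-Agent: Mozilla/5.0
Referer: http://app.example/account
Accept: text/html
Cookie: session=abc123; theme=dark
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

email=a%40b.example&name=Al
"""

if __name__ == "__main__":
    for kind, name, value in entry_points(SAMPLE_REQUEST):
        print(f"{kind:7} {name:16} {value}")
```

The sample request yields eleven entry points; note that the empty debug= parameter is kept, since a parameter the application reads is an input whether or not the browser normally sends a value for it.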

HTTP Fingerprinting

Exploiting the Application

Fuzz Testing
1. Data Set Template: create a template based on the protocol used by the application. Ex: GET /query?[ ]&[ ] HTTP/1.1
2. Value Manipulation: replace the template placeholders with random values from a data set (numeric, alphabetic, etc.)
3. Application Monitoring: send the data and monitor application behavior. Does the app crash, error, or send unusual responses?
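The three steps above, carried through as an added example (not the lecture's code): cases are generated from the slide's template by filling each [ ] placeholder with name=value pairs drawn from seeded data sets, then sent to a target and bucketed by behaviour. The target here is a constructed stand-in, mock_app, with two planted defects (an unvalidated integer conversion and an oversized-input error), so the monitoring step has something to find; the parameter names and data sets are assumptions.

```python
"""Fuzzing in three steps against a constructed stand-in for the application:
build cases from a template with [ ] placeholders, fill them from data sets,
and monitor how the target behaves.  Added example, not the lecture's code;
mock_app and its planted bugs are constructed."""
import random
import re
from urllib.parse import urlsplit, parse_qsl

PLACEHOLDER = re.compile(r"\[ \]")
TEMPLATE = "GET /query?[ ]&[ ] HTTP/1.1"     # step 1: the slide's template
PARAM_NAMES = ("id", "q")                     # assumed parameter names

# Step 2 data sets; values contain no spaces or '&' so each stays one parameter.
DATA_SETS = {
    "numeric": ["0", "1", "-1", "2147483648", "99999999999999999999"],
    "alphabetic": ["a", "abc", "ZZZZ", "A" * 1024],
    "symbols": ["", "'", "\"", "<", "%", "%00", "\u00e9\u00e9"],
}


def generate_cases(template, param_names, count, seed=0):
    """Replace every [ ] with name=value drawn from the data sets (seeded, reproducible)."""
    rng = random.Random(seed)

    def fill(_match):
        name = rng.choice(param_names)
        values = DATA_SETS[rng.choice(sorted(DATA_SETS))]
        return f"{name}={rng.choice(values)}"

    return [PLACEHOLDER.sub(fill, template) for _ in range(count)]


def mock_app(request_line):
    """Constructed target: returns an HTTP status, or raises on a planted bug."""
    _method, target, _version = request_line.split(" ", 2)
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if "id" in params:
        int(params["id"])               # planted bug: unvalidated conversion raises ValueError
    if any(len(v) > 512 for v in params.values()):
        return 500                      # planted bug: oversized input yields a server error
    return 200


def fuzz(app, template, param_names, count, seed=0):
    """Step 3: send each case and bucket the behaviour as ok / error / crash / unusual."""
    report = {"ok": 0, "error": 0, "crash": 0, "unusual": 0, "evidence": []}
    for case in generate_cases(template, param_names, count, seed):
        try:
            status = app(case)
        except Exception as exc:        # the app threw instead of answering
            report["crash"] += 1
            report["evidence"].append((case, f"crash:{type(exc).__name__}"))
            continue
        if status == 200:
            report["ok"] += 1
        elif status >= 500:
            report["error"] += 1
            report["evidence"].append((case, f"status:{status}"))
        else:
            report["unusual"] += 1
            report["evidence"].append((case, f"status:{status}"))
    return report


if __name__ == "__main__":
    r = fuzz(mock_app, TEMPLATE, PARAM_NAMES, 200)
    print({k: v for k, v in r.items() if k != "evidence"})
    for case, what in r["evidence"][:5]:
        print(what, case[:60])
```

The seed makes every run reproducible, which matters for the monitoring step: a case that crashed the target can be replayed exactly when the finding is written up. Against a real deployment the same loop would send each case over HTTP and classify the status line and response body instead of calling a function.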

Web App Pen Test Work Flow
