Penetration Test Debrief


Penetration Test Debrief
Ted Vera & Mark Trynor
September 2, 2010

Agenda
- Pen Test Review
- Recommendations
- Deliverables Overview
NOTE: All trademarks referenced in this presentation are property of their respective owners.

Pen Test Review: Day 1
- Badging / training
- Reviewed customer ROE (rules of engagement)
- Installed pen test tools on attack laptop
- Performed automated port and vulnerability scans against target systems
- Identified listeners on ports 80 & 443

Pen Test Review: Day 2
- Performed packet captures
- Performed automated scans and attacks using Metasploit
- Started comprehensive Nessus vulnerability scan
- Attempted manual XSS / SQL injection attacks

Pen Test Review: Day 3
- Validated false positives from automated scans (there were many)
- XSSer: automated scans/attacks
- Manual and custom automated XSS / SQL injection attacks
- Performed malformed packet / HTTP header attacks

Pen Test Review: Day 4
- Manually validated Nessus false positives
- Nikto web application vulnerability scanner
- Validated Nikto false positives
- BigIP & Oracle buffer overflow attempts
- Caused ESX Server to migrate .116; due to the configuration, the failover VM lacked network connectivity

Pen Test Review: Day 5
- Customer disabled one BIG-IP ASM
- Two successful proof-of-concept exploits against known Oracle vulnerabilities (patched in July)
- Validates effectiveness of the ASM positive security model

Recommendations: General
- Enforce strong user passwords. Ensure passwords are at least 8 characters in length and use a combination of uppercase and lowercase letters (Aa–Zz), numbers (0–9), and symbols (@ # $ % ^ & * ( ) _ + | ~ - = { } [ ] : ; < > ? , . /). To prevent injection attacks, do not allow passwords to use the symbols \ (backslash) or ' " (quotes).
- Patch management. Install operating system and application patches in a timely manner.

Recommendations: F5
- Create a well-defined list of white-listed characters for the positive security model. Disallow use of the symbols \ (backslash) or ' " (quotes) when possible.
- Utilize an automated web application test suite, such as Selenium (http://seleniumhq.org/), to produce consistent white-listing when training the system and to limit human input errors that could create XSS attack possibilities.
- Ensure F5 administrative panels are only accessible from the internal network, as they were susceptible to XSS attacks in previous patch levels.
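The two F5 points above (a per-parameter character allow-list, and training the allow-list from consistent scripted input rather than ad hoc human typing) can be illustrated with a small positive-model validator. This is an added example, not code from the presentation or from F5; the parameter names, character classes and training samples are constructed assumptions, and the learning step is a simplified model of what a WAF training phase does.

```python
from typing import Dict, List, NamedTuple


class FieldRule(NamedTuple):
    allowed: frozenset  # every character of the value must be a member
    max_len: int        # longest value the parameter may carry


ALNUM = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

# Constructed positive-model policy: parameter names and character classes
# are assumptions for illustration, not the engagement's real F5 policy.
POLICY: Dict[str, FieldRule] = {
    "username": FieldRule(frozenset(ALNUM + "._-"), 64),
    "order_id": FieldRule(frozenset("0123456789"), 12),
    "comment": FieldRule(frozenset(ALNUM + " .,!?()-"), 500),
}


def validate_request(params: Dict[str, str],
                     policy: Dict[str, FieldRule] = POLICY) -> List[str]:
    """Check every parameter against the allow-list; returns violations.

    An empty list means the request conforms to the positive model. Anything
    not explicitly permitted (unknown parameter, over-long value, character
    outside the field's set) is a violation, which is what distinguishes a
    positive model from a signature-based blacklist."""
    violations: List[str] = []
    for name, value in params.items():
        rule = policy.get(name)
        if rule is None:
            violations.append(f"{name}: parameter not in positive model")
            continue
        if len(value) > rule.max_len:
            violations.append(f"{name}: length {len(value)} exceeds {rule.max_len}")
        bad = "".join(sorted(set(value) - rule.allowed))
        if bad:
            violations.append(f"{name}: disallowed characters {bad!r}")
    return violations


def learn_policy(samples: Dict[str, List[str]]) -> Dict[str, FieldRule]:
    """Derive a policy from known-good traffic, as a WAF training phase does.

    The allow-list for each parameter is exactly the set of characters seen in
    the training samples, and max_len the longest sample. This is why the slide
    recommends scripted, repeatable training input: one stray character typed
    by a human tester becomes a permanently permitted character."""
    learned: Dict[str, FieldRule] = {}
    for name, values in samples.items():
        chars = frozenset("".join(values))
        learned[name] = FieldRule(chars, max(len(v) for v in values))
    return learned


if __name__ == "__main__":
    good = {"username": "alice", "order_id": "1042"}
    odd = {"username": "alice<b>", "order_id": "10x", "debug": "1"}
    print(validate_request(good))  # []
    print(validate_request(odd))   # three violations
```

The `learn_policy` function is the reason the slide asks for Selenium-driven training: a policy learned from clean, repeatable input stays tight, while a single mistyped `<` in a training run silently widens the allow-list for that field.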

Recommendations: Oracle
- Remove access to the Oracle Diagnostics pages.
- Remove the ability to input SQL syntax directly into forms; replace it with radio buttons / check boxes for "like", "and/or", "between", "%", etc. to limit the possibility of SQL injection.
- Verify, on every code change, that all SQL queries escape special SQL characters before execution, or use parameterized statements, to prevent injection.
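The second and third Oracle recommendations fit together: the form offers only fixed operator and column choices, and the values the user types are passed as bind variables rather than spliced into SQL text. The following is an added example, not code from the presentation or from the customer's application. It uses Python's sqlite3 as an offline stand-in for Oracle (Oracle uses the same `:name` bind syntax); the column names, operator set and table rows are constructed assumptions.

```python
import sqlite3
from typing import Dict, List, Sequence, Tuple

# Constructed allow-lists standing in for the form's radio buttons and check
# boxes. Column names and the operator set are assumptions for illustration.
COLUMNS = {"name": "name", "dept": "dept", "salary": "salary"}
OPERATORS = {
    "eq":      ("{col} = {v0}", 1),
    "like":    ("{col} LIKE {v0}", 1),
    "between": ("{col} BETWEEN {v0} AND {v1}", 2),
}
JOINERS = {"and": " AND ", "or": " OR "}

Filter = Tuple[str, str, Sequence[object]]   # (column_key, operator_key, values)


def build_query(filters: Sequence[Filter],
                joiner: str = "and") -> Tuple[str, Dict[str, object]]:
    """Translate form selections into SQL text plus a dictionary of bind values.

    Only keys chosen from fixed controls reach the SQL text, and only after
    lookup in the allow-lists above. Every user-typed value is bound to a
    :name placeholder, never spliced into the string, so SQL metacharacters
    in a value cannot change the statement's structure."""
    if joiner not in JOINERS:
        raise ValueError(f"unknown joiner {joiner!r}")
    clauses: List[str] = []
    binds: Dict[str, object] = {}
    for i, (col_key, op_key, values) in enumerate(filters):
        if col_key not in COLUMNS or op_key not in OPERATORS:
            raise ValueError(f"rejected selection {col_key!r}/{op_key!r}")
        template, arity = OPERATORS[op_key]
        if len(values) != arity:
            raise ValueError(f"{op_key} expects {arity} value(s), got {len(values)}")
        names = [f"p{i}_{j}" for j in range(arity)]
        clauses.append(template.format(col=COLUMNS[col_key],
                                       v0=f":{names[0]}", v1=f":{names[-1]}"))
        for name, value in zip(names, values):
            binds[name] = value
    where = JOINERS[joiner].join(clauses) if clauses else "1 = 1"
    return f"SELECT name, dept, salary FROM employees WHERE {where} ORDER BY name", binds


def run_search(filters: Sequence[Filter], joiner: str = "and") -> List[Tuple]:
    """Execute a search against an in-memory SQLite table (stand-in for Oracle)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", [   # constructed rows
        ("alice", "eng", 120000), ("bob", "eng", 90000), ("carol", "ops", 70000)])
    sql, binds = build_query(filters, joiner)
    try:
        return conn.execute(sql, binds).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    print(run_search([("dept", "eq", ["eng"])]))
    # A value carrying SQL syntax is just a string literal under binding:
    print(run_search([("dept", "eq", ["eng' OR '1'='1"])]))  # []
```

The check to carry into code review is the one the slide asks for: any string that reaches the SQL text must come from a lookup in a fixed table like `COLUMNS` or `OPERATORS`, and everything else must appear in `binds`.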

Deliverables Overview
Deliverable 1: Review with Suggested Improvements
    Review of vulnerabilities and suggested improvements (4 pgs)
Deliverable 2: Red Team Review
    Detailed description of penetration test activities, findings, and recommendations (15 pgs)
Deliverable 3: Final Report
    Executive overview of penetration test, findings, and recommendations (5 pgs)