Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing James Walden Northern Kentucky University.

Published byHarold Potter Modified over 9 years ago

Similar presentations

Presentation on theme: "Penetration Testing James Walden Northern Kentucky University."— Presentation transcript:

1 Penetration Testing James Walden Northern Kentucky University

2 Topics 1.What is Penetration Testing? 2.Rules of Engagement 3.Penetration Testing Process 4.Map the Application 5.Analyze the Application 6.Exploit the Application CSC 666: Secure Software Engineering

3 What is Pen Testing? Security testing is the process of providing evidence of how well an application satisfies its security requirements. Penetration testing is a method of security testing, in which testers simulate the efforts of attackers. CSC 666: Secure Software Engineering

4 What is Pen Testing? Penetration testing evaluates the security of software in its deployed environment.  Effect of firewalls  Deployed cryptographic libraries  Effect of other security services and processes CSC 666: Secure Software Engineering Security Operations RequirementsDesignCodingTestingMaintenance Risk Analysis Abuse Cases Code Reviews + Static Analysis Penetration Testing Security Testing

5 Purposes of Pen Tests 1.Identify vulnerabilities that may be difficult or impossible to detect in design or code reviews. 2.Determine the feasibility of certain attacks. 3.Assess the impact of potential attacks. 4.Test the ability of system to detect attacks. 5.Provide evidence to support increased investments in security. CSC 666: Secure Software Engineering

6 Black, White, Grey Box Testing CSC 666: Secure Software Engineering

7 Rules of Engagement Which systems are being tested?  Deployment or development?  Web, DB, others? What tests will be performed?  Read-only  Read-write  DoS When will the tests be performed? Who to contact if tests cause problems? CSC 666: Secure Software Engineering

8 Penetration Testing Tools CSC 666: Secure Software Engineering

9 Penetration Testing Process Map the Application Analyze the Application Exploit the Application CSC 666: Secure Software Engineering

10 Map the Application 1.Manual following of all links with browser. 2.Automatic mapping with a spider. 3.User-driven spidering of site with proxy. 4.Brute forcing URLs to find hidden content. CSC 666: Secure Software Engineering

11 Spidering an Application CSC 666: Secure Software Engineering

12 Automatic Mapping Limitations 1.Difficult to parse complex JavaScript menus. Use AJAX Spider in ZAP. 2.Difficult to find plug-in (Flash, Java) links. 3.Spider may not fill out every form field correctly to reach next step in registration, billing, etc. 4.Form-based navigation may use the same URL for each step, causing spider to ignore multiple requests to a URL already cached. 5.Spider may terminate its session by selecting Logout link before map is complete. CSC 666: Secure Software Engineering

13 User-Directed Spidering  Point browser at proxy tool.  User browses through site as normal.  User handles authentication and filling out complex forms.  Proxy builds map of site.  Parses out all links from HTML to add to map, but does not follow them automatically. CSC 666: Secure Software Engineering

14 Finding Hidden Content Check HTML for comments, hidden fields + Try URLs that are not links to find  Backup files, e.g. end in ~ or.bak -View source code -Possibility find db login credentials  Backup archives of entire site  Admin directories -Access admin functionality without credentials  Log files -May contain credentials or session IDs CSC 666: Secure Software Engineering

15 Finding Hidden Content CSC 666: Secure Software Engineering

16 Finding Hidden Content CSC 666: Secure Software Engineering

17 Analyze the Application 1.Application core functionality. 2.Peripheral functionality, like administrative, logging, and redirection services. 3.Security mechanisms, including 1.Authentication and password management. 2.Access control. 3.Session management. 4.Client-side technologies (JS, cookies, etc.) 5.Server-side technologies (PHP/JSP, DB, etc.) 6.All entry points where application accepts input. CSC 666: Secure Software Engineering

18 Identifying Entry Points  Every URL up to the query string marker  Every parameter within URL query string  Every parameter submitted within the body of a POST request  Every cookie  Every HTTP header that the app may process, especially User-Agent, Referer, Host, and Accept headers. CSC 666: Secure Software Engineering

19 HTTP Fingerprinting CSC 666: Secure Software Engineering

20 Exploiting the Application CSC 666: Secure Software Engineering

21 Fuzz Testing 1.Data Set Template  Create a template based on the protocol used by the application.  Ex: GET /query?[ ]&[ ] HTTP/1.1 2.Value Manipulation  Replace template placeholders with random values from data set (numeric, alphabetic, etc.) 3.Application Monitoring  Send data and monitor application behavior.  Does app crash, error, send unusual responses? CSC 666: Secure Software Engineering

22 Web App Pen Test Work Flow CSC 666: Secure Software Engineering

23 References 1.CERT, Black Box Security Testing Tools, https://buildsecurityin.us- cert.gov/bsi/articles/tools/black-box/261-BSI.html, 2009.https://buildsecurityin.us- cert.gov/bsi/articles/tools/black-box/261-BSI.html 2.Patrick Engebretson, The Basics of Hacking and Penetration Testing, Syngress, 2011. 3.NIST, Technical Guide to Information Security Testing and Assessment, NIST Special Publication 800-115, 2008. 4.PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, v1.2, 2008. 5.Dafydd Stuttart and Marcus Pinto, The Web Application Hacker’s Handbook 2 nd edition, Wiley, 2011. 6.Kenneth R. van Wyk, Adapting Penetration Testing for Software Development Purposes, https://buildsecurityin.us- cert.gov/bsi/articles/best-practices/penetration/655-BSI.html, 2008.https://buildsecurityin.us- cert.gov/bsi/articles/best-practices/penetration/655-BSI.html

Download ppt "Penetration Testing James Walden Northern Kentucky University."

Similar presentations

Module XII Web Application Vulnerabilities

Module XII Web Application Vulnerabilities
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 3 – Tools of the Trade & Crafting Malicious Input Justin C. Klein Keane
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Ahmad Radaideh.  Abstract  Introduction  Google Cached Content  GOOGLE HACKING Procedures  Google Advance Operators  Google hacking Result Categories.

Ahmad Radaideh.  Abstract  Introduction  Google Cached Content  GOOGLE HACKING Procedures  Google Advance Operators  Google hacking Result Categories.
Authentication James Walden Northern Kentucky University.

Authentication James Walden Northern Kentucky University.
Web Database Programming Input Validation. User Input on the Web Web browser built-in mechanisms –HTML Forms HTTP POST method –Hyperlinks HTTP GET method.

Web Database Programming Input Validation. User Input on the Web Web browser built-in mechanisms –HTML Forms HTTP POST method –Hyperlinks HTTP GET method.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Similar presentations

Ads by Google