The Best of PenTest

Page 1




EDITOR’S NOTE

THE BEST OF Dear Readers!

TEAM Managing Editor: Maciej Kozuszek maciej.kozuszek@software.com.pl Associate Editor: Aby Rao abyrao@gmail.com Betatesters / Proofreaders: Aby Rao, Rishi Narang, Jeff Weaver, Scott Christie, Dennis Distler, Massimo Buso, Ed Werzyn, Jonathan Ringler, Johan Snyman, Michael Munty, Alberto Alvarez, Juan Bidini, Eric Stalter Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Dudzic ewa.dudzic@software.com.pl Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl DTP: Ireneusz Pogroszewski Production Director: Andrzej Kuca andrzej.kuca@software.com.pl Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.pentestmag.com Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes.

All rights to trade marks presented in the magazine are reserved by the companies which own them. program To create graphs and diagrams we used by

Dear PenTest community members! It will soon be a year since the PenTest first issue was released. So here comes the time to summarize the first year of our work, but also to celebrate our first birthday. And, as most of us know, there is no birthday without a gift! And this gift from PenTest to you is The Best of PenTest – 200 pages of content, the best 32 articles chosen from 28 PenTest Magazine issues. As I’ve mentioned before, apart from celebrating, this special moment is also a time to look back behind us and see what we’ve managed to achieve for this time! Four issues in a month. Perhaps not everyone reading this is aware that at the beginning we’ve published only one issue in a month – PenTest Regular. After 5 issues were released, we’ve started releasing PenTest Extra on October 15th, which was recently transformed into PenTest Market. Soon after that, we’ve launched PenTest Starterkit, which first issue was released on November 7th. After releasing 3 issues, we’ve decided to change the profile of the issue, and therefore it’s name, into Auditing & Standards PenTest. The youngest, and seems that the most popular magazine, is Web App Pentesting. Firstly released on November 22nd , now it has the most downloads and views amongst all other issues. Heaps of books and trainings given to our community members, to help raise pentesting & ethical hacking skills. We’ve partnered with dozens of companies to help spread the word about our publication, and also spent countless hours to get all the books and trainings in return, in order make our offer even more attractive and give you what you really need – true value knowledge for a reasonable price. Sponsored numbers of different conferences all around the world to help the community – beginning from the biggest one, like Hacker Halted or Black Hat, ending with even the smallest like AthCon. Delivered a lot of reviews and other free content, all to help educate you! What we shouldn’t forget about, is also our editorial staff – all people who have helped us in a various ways to make existence of our magazine possible. Here, we believe that we owe a special thanks to the following people: Aby Rao, Rishi Narang, Jeff Weaver, Scott Christie, Dennis Distler, Massimo Buso, Ed Werzyn, Jonathan Ringler – thank you, we wouldn’t be where we are without your help & support! As always, we hope, you will find this issue of PenTest compelling and valuable. Enjoy reading! Maciej Kozuszek & PenTest Team

Mathematical formulas created by Design Science MathType™

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

THE BEST OF 01/2012

Page 4

http://pentestmag.com


CONTENTS

PENTEST REGULAR

08

Fixing the Industry

12

What Should You Look For?

16

Physical Goes First On The Importance of Physical Pentesting (With Some Practical Advice)

By Iftach Ian Amit and Chris Nickerson

Penetration testing has been a skill (some say an art) for as long as we can remember information security and the computer industry. Nevertheless, over the past decade or so, the term has been completely ambiguated.

38

By Bill Mathews

Why would you ever need a penetration test? The answer per usual, depends on your perspective and needs. Most companies that have sensitive data in their enterprises should look at getting some form of penetration testing Why do I say, some form? Simply put, there are as many definitions of penetration testing as there are fish in the ocean. Seriously, sometimes I think we make this stuff up as we go along.

By Emerson Lima

Physical pentesting is still dangerously neglected by enterprises. With a top-notch digital protection they seem to forget that it will all come to nothing if a physical security breach happens. Let’s try to look into this problem.

22

Great Pen Test Coverage Too Close for Missiles, Switching to Bullets! By Aaron Bryson

Tell me if this sounds familiar…you are asked to perform a penetration test on customer network to determine the security posture of their assets, and the first thing they do is give you a list of assets that you are NOT allowed to test, because they are critical systems to the business. Ironic isn’t it? This is exactly the difficulty you can expect when performing penetration testing in the cloud, but multiplied by ten.

26

Attacking the Mobile Infrastructure By Bill Mathews

We will explore a few philosophies for attacking a mobile management infrastructure. The article will cover the differences in testing mobile stuff vs “everything else” as well as reusing some of the things you know to demystify the mobile world.

30

Fuzzing in a Penetration Test By Joshua Wright

Protocol fuzzing has been a popular technique for bug discovery with a number of tools, books and papers

THE BEST OF 01/2012

describing the benefits and drawbacks. Although typically used for bug discovery in a lab environment, there are opportunities to use fuzzing in a penetration testing role too. Here, you will certainly get convinced by Josh, that fuzzing can be used in a wide range of ways.

SQL Injection: Inject Your Way to Success By Christopher Payne

Databases are the backbone of most commercial websites on the internet today. They store the data that is delivered to website visitors (including customers, suppliers, employees, and business partners). Backend databases contain lots of juicy information that an attacker may be interested in. Here the author makes a great introduction into the art of SQL Injection.

46

Hi! I Hacked Your Computer

52

Mastering the Behavioral Techniques for Quick Rapport and Elicitation

By Milind Bhargava

With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.

By Robin Dreeke

There are skilled conversationalists that can induce an individual tounwittingly divulge their deepest secrets, their closest held personal information, and even their banking information and passwords without being asked any direct or related questions.

60

Tool Jockeys in Disguise: Defeating the Push Button Penetration Testers By Wardell Motley

What drives your search for a penetration tester? Was a recent security breach, or a compliance requirement, or maybe just a conversation over a round of golf with someone that recently underwent an assessment?

62

On the Automated Black-Box Security Testing of Web Applications By Cristian Tancov and Cristian Opinacru

Fuzzing. Although this technique has been around since 1989, it had gained significant importance only with the rise of cloud computing era, which, ironically,means it is still in its early days (at least for the web applications fuzzing).

Page 5

http://pentestmag.com


CONTENTS

PENTEST EXTRA

70

Regardless of method, going after physical security in a PenTest often proves one of the easiest ways to gain access to a network.

From Footprinting to Exploitation By Piotr Chynał

Tenable Nessus is a very popular tool for scanning for vulenrabilities. Piotr Chynał will show you all task that you need to know to do penetration test using Nessus and Metasploit. He will answer to typical questions: Is it really good? Can we use it for penetration testing?

76

Web Application Security By Jakub Gałczyk

By using our web site, managers can send us their documents and resume. In our web page, we have installed and configured some kind of popular CMS (Content Management System). Jakub Gałczyk, in his short article, presents how to check whether the web application is vulnerable to Internet attacks.

82

The Benefits of Ethical Hacking

86

Is That A Phone In Your Pocket Or Are You Scanning My Network?

By Bryan Soliman

The wide growth of the Internet has brought good things to the modern societies such as easy access to online stores, electronic commerce, emails, and new avenues of information distribution and advertising. As with most technological advances, there is always a dark side: the criminal hackers where they represent a threat to these information avenues.

Penetration Testing For iPhone and iPad Applications

Dumpster diving, if you are up for it and have physical access to the target, means sifting through trash to get useful information, but in recent times social media can provide us with even more. Sites like LinkedIn, Facebook and Twitter can provide you with lists of employees, projects that the organization is involved with and perhaps even information about third party products and suppliers that are in use.

PENTEST MARKET

The aim of this article is to give the reader and idea of the criteria assessed by headhunters to identify trustworthy and technically capable pentesters. By shedding light on those aspects, this article will therefore give the readers an understanding of the usual education, competencies and soft skills a valuable pentester should demonstrate.

PENTEST STARTERKIT

PenTesting and risk management

124 By Alessandro Manotti

By Kunjan Shah

This article focuses specifically on helping security professionals understand the nuances of penetration testing iPhone/iPad applications. It attempts to cover the key steps the reader would need to understand such as setting up the test environment, installing the simulator, configuring the proxy tool and decompiling applications etc.

Guaranteed Access

Everyone has different ideas of what physical security is, what it encompasses, and how to exploit it. It can include a wide range of exploits, many being surprisingly simple.

THE BEST OF 01/2012

Finding your target

116 By Willem Mouton

The Hunt for Pentesters

By Ken Westin

102 By Jon Derrenbacker

By Marsel Nizamutdinov

The goal of this article is to demonstrate the real danger of post-authenticated vulnerabilities. We will not explain the basics of web application attacks in this article, as that has already been done many times before by others. We will focus on a practical way to exploit postauthentication XSS’s and CSRF, which remain a highly underestimated attack vector in the security scene.

120 By Fabiana Schütz

When most people think of penetration testing, they think of a simulated external attack where the tester tries to break into a network from a remotely. Companies focus most of the security spending and policies on keeping hackers from the outside in, from firewalls and other security hardening appliances, software and tools.

92

108

XSS & CSRF Practical exploitation of post-authentication vulnerabilities in web applications

As far as attack popularity goes, the analysts determined that DDoS was mentioned in 22 percent of internet forums discussions. SQL injection, a technique commonly used to compromise websites, is the second most frequently discussed attack method.

QRbot – iPhone QR botnet

128 By Nir Valtman

This article is related to both social engineering and cybercrime. Why social engineering? Since QR usage is based on interactive actions of mobile users, which might lead to threats on their devices, as will be explained in detail later.

Page 6

http://pentestmag.com


CONTENTS IT Security & Risk to data – the

Web Session Management – reality is a nightmare!

134 ever changing landscape

160

The world of corporate governance has brought added pressure and cost to organisations safeguarding themselves against external (and not forgetting the internal) threats. Sarbanes Oxley, PCI, Solvency, MiFID, (to name but a few) has forced organisations to take a closer look at how they apply control over their operations.

Session Management is fundamentally a process of keeping track of a user’s activity across multiple connections or interactions with the machine. Rishi Narang shows checklist of precautions for developers to follow as a benchmark option for web applications.

AUDITING & STANDARDS PENTEST

166

By Carl Nightingale

Operating System Security Re-

138 visited

By Ian Tibble

Information security, in terms of the risk management of electronic information, is a young and relatively new practice in the business world. Information security departments are less than a decade old in many businesses.

Separating Fact from Fiction – The

144 realities of Cyber War By Don Eijndhoven

Cyber War. Two words that you’ll have heard in the news a few times by now. You’ll have heard it more and more over the last year or so. Maybe two or three years if you’ve been halfway interested or happened to be browsing on IT websites that cover cyber warfare.

PENTEST STANDARD

148

Network Segmentation – The clues to switch a PCI DSS compliance’s nightmare into an easy path By Marc Segarra López

There is no better description of network segmentation in PCI DSS than the one Marc Segarra López presents in his in-depth article. Everything there is to know, from addressing PCI DSS compliance to special recommendations on any situation can be found in here.

WEB APP PENTESTING

The significance of HTTP and

154 the Web for Advanced Persistent

Modeling Security Penetration Tests with Stringent Time Constraints By Alan Cao

In this article author Alan Cao discusses the modeling aspect of XBOSoft Modeling, Planning, Execution, and Analysis (MPEA) approach and explains how to best model security projects with little time. Company’s overall goal of penetration testing is to reduce vulnerabilityassociated risks in a limited time.

Cloud Computing – Legal Issues

172 By Abhijeet Parandekar &Sagar Rahurkar

Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections.

Web Application Security and

180 Penetration Testing By Bryan Soliman

Author shows the importance of Penetration Testing in Web Application Security. Penetration testing includes all of the process in vulnerabilities assessment plus the exploitation of vulnerabilities found in the discovery phase.

Open Source Web Application

188 Security Testing Tools By Vinodh Velusamy

Author shows us the significance of Open Source Web Application Security Testing Tools. As he claims „When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish.

A chance to ease automated Web

Threats

By Matthieu Estrade The means used to achieve an APT are often substantial and proportional to the criticality of targeted data – note Matthieu Esterade. Author claims that APT are not just temporary attacks, but real and constant threats with latent effect that need to fought in the long run.

THE BEST OF 01/2012

By Rishi Narang

196 Site testing

By Marek Zachara

„Testing a web application is a tedious task. Also, the requirements for a perfect tester are almost impossible to meet. Such person should be thorough, resistant to boredom of numerous repetitions and yet creative to invent new testing scenarios” maintains author.

Page 7

http://pentestmag.com


PENTEST REGULAR

Fixing the Industry Penetration testing has been a skill (some say an art) for as long as we can remember information security and the computer industry. Nevertheless, over the past decade or so, the term has been completely ambiguated. It has been cannibalized, commercialized, and transformed into a market where charlatans and professionals are on the same playing field.

T

he commercial industry has embraced the Sexyness of penetration tests, built products around it uprooted its values with product marketing and sales speak, and conned organizations into buying deeper and deeper to the dreaded pentest unit (as in I need 2 units of pentest to complete this compliance effort). Backed by a thriving regulatory compliance rush to checkoff as many items as they can on audit lists, pentesting was given the final blow to its heritage of value. A once surgical skill that required innovation, critical thinking, technical savvy, business understanding, and good old hacker-sense was reduced to a check box on the back of a consulting companies marketing material. This type of market commoditization has led to the frustration of many businesses and consultants alike. With this in mind, a group of security veterans (each one

Commercializing security tools and Compliance are giving the industry a double-blow with at least a decade under their belts, and numerous successful penetration tests in various industries) have gotten together to discuss the state of the industry, and a common gripe was echoed. Many of the venting sessions from professionals around the world centered around the wide array of testing quality within penetration tests. This huge gap was often boiled down to the Scanner/ Tool Tests and the Real Testing arguments. Another common theme for these sessions was the decided THE BEST OF 01/2012

lack of value presented by the Scanner type of testing and some brainstorming of how that could be resolved worldwide. This issue was not localized or specific to any vertical but it was something that InfoSec professionals from all around the globe were experiencing. From these sessions happening at EVERY security conference thrown an idea was born. The idea – to finally standardize and define what a penetration test really is. This would help the testers increase the quality and repeatability of the testing while also giving the organizations doing the testing, a reference list of what is to be done during the test. This is where the Penetration Testing Execution Standard (PTES) started. After a couple of months of working behind the scenes, a group of about a dozen security practitioners from different parts of the industry put forth a basic mind map of how they did penetration tests. Later on, that blended map was released to a larger group of InfoSec professionals. This group tore apart the original map and streamlined it to fit a larger and wider audience. At that point a final rendition of the mindmap was constructed between 25+ International InfoSec Professionals. With over 1800 revisions to the Alpha mindmap, the team then opened up the stage for more massive collaboration and started building one of the more exciting concepts in the security industry. Currently the Penetration Testing Execution Standard is backed by dozens of volunteers from all around the world, working in teams on writing the finer details of what will be the golden

Page 8

http://pentestmag.com


���������� �����

��������������������������������������������������������������������� ������������������������������������������������������������������ ��������������������������������������������������������������������� ������������������������������������������������������������������ ��������������������������� � ������������������������������������������������������������������ ������������������������������������������������������������������ �������������������������������������������������������������� ������������������������������������������������������������������� �������������������������������������������������������������������� ������������������������������������������������������

���������������������� ������������������������� �������������������


PENTEST REGULAR

Great Pen Test Coverage Too Close For Missiles, Switching to Bullets

Tell me if this sounds familiar…you are asked to perform a penetration test on customer network to determine the security posture of their assets, and the first thing they do is give you a list of assets that you are NOT allowed to test, because they are critical systems to the business. Ironic isn’t it? This is exactly the difficulty you can expect when performing penetration testing in the cloud, but multiplied by ten.

T

here is a lot to think about and plan for when you want to perform a penetration test in a cloud service provider’s (CSP) network. Before we get into the technical details, we need to start with the basics. Questions to ask yourself: • •

What does my contract and SLA state about penetration testing? Does the CSP already have a team of penetration testers? And is this enough to meet your security requirements or compliance objectives?

THE BEST OF 01/2012

• •

Are we hiring a 3rd party company to perform the penetration tests for us? Do we have our own penetration testing team?

CSP in-house pen test team: If your cloud service provider has their own penetration testers that is great news! Not only does it show that they take security seriously, but it means that you can leverage their internal testing results for your own audits. If you do not have the money for your own penetration testing team (either in-house or 3rd party), you may be able to request detailed audit reports from the CSP relative to your

Page 22

http://pentestmag.com


Global I.T. Security Training & Consulting

������������������������������������������������������������ ���������������������������������������������������������������� ����������������������������������������������������������� ������������������������������������������������������

IS YOUR NETWORK SECURE?

www.mile2.com ��

mile2 Boot Camps

A Network breach... Could cost your Job! Available Training Formats � � � � �

������������������������� ����������������� ������������������������������������������� ���������������������������������� ����������������������������������������������

� � ����������������������������������������� �������� � ������������������������������������� ��������� � ��������������������������������������� � ��������

� ���������������������� � �������������������������������

� � �������������������������� ������� ����������������������������������� ��������� �������������������������������������������������� ��������������� ������� � ������������������������������������������������ ������������������������������ ����������������������������������������

���������

� ��������

� ����������������� � �����������������������������������

(ISC)2 & CISSP are service marks of the IISSCC. Inc. Security+ is a trade mark of CompTIA. ITIL is a trade mark of OGC.GSLC & GCIH are trademarks of GIAC.

������������������������ �������������� �������������������� ������������������ ����������������������������

Other New Courses!! ���� �������� ����

��������������������� ������������������� �����������

�������������������

� ������� �������� ������ ������

�� ���� ��� ���� ��� ���� ��������� ��� ����

���������� ��������������������������� ��������� ��������������������������� ���������� ��������������������������

INFORMATION ASSURANCE SERVICES

����������������� �������������

���������������������������������������� ��� ������������������� ��� ������������������������� ��� ������������������������������������� ��� �������������� ��������������������������������������������

�������������� ���������������

11928 Sheldon Rd Tampa, FL 33626


PENTEST REGULAR

SQL Injection: Inject Your Way to Success SELECT * FROM winners WHERE pentester = ‘YOU’ or 1=1--’ SQL Injection is one of the many web attack mechanisms used by hackers to steal data from organizations. SQL Injection is one of the most common vulnerabilities in web applications today. It is (as of the time of writing) ranked as the top web application security risk by OWASP[1].

D

atabases are the backbone of most commercial websites on the internet today. They store the data that is delivered to website visitors (including customers, suppliers, employees, and business partners). Backend databases contain lots of juicy information that an attacker may be interested in. Data such as: User credentials, PII, PII, confidential company information, and anything other data that a legitimate user may need access to through a web portal. At its most basic form, web applications allow legitimate website visitors to submit and retrieve data over the Internet using nothing more than a web browser which allow the internet to be the giant consumer market that it is. SQL Injection is the attack technique which attempts to pass SQL commands through a web application for execution by the backend database. If not sanitized properly, web applications may result in SQL Injection attacks that allow hackers to view or modify information from the database. The attack tries to convince the application to run SQL code that will result in access that was not intended by the application developers. The attacker uses SQL queries and creativity to bypass typical controls that have been put in place. Common web application features introduce the SQL injection attack vector. These features include login pages, search pages, e-commerce checkout systems, THE BEST OF 01/2012

a myriad of user submit able forms and the delivery of dynamic web content. Many of these features users take for granted and demand in modern websites to provide businesses with the ability to communicate customers. These website features are may be susceptible to SQL Injection attacks and are good place to start during a pentest engagement that includes a web application testing component.

A Simple SQL Injection Example

Take a simple login page where a legitimate user would enter his username and password combination to enter a secure area to view his personal details or upload his comments in a forum. When the legitimate user submits their information, a SQL query is generated from this information and submitted to the database for verification. The web application in question that controls authentication will communicate with the backend database through a series of commands to verify the username and password combination that was submitted. Once verified, the legitimate user should be granted the appropriate access for their account to the web application. Through SQL Injection, the attacker may input specifically crafted SQL commands with the intent of bypassing the login form authentication mechanism. This is only possible if the inputs are not properly

Page 38

http://pentestmag.com


������������������������������ ���������������������������������

��������

�������

�������������

�������������

������������������������������������� ��������������������������������� ����������������

�������������������������������������� ����������

��������������������������������� ������������������������������������� ������������

������������������������������������ ������

��������������������������

�������������������������������

��������������������������� �������������������������������������� ��� �������������������

���������������������������� ������������������������� ��� ���������������������������

������������������ ������������������������������������������������������������������������������������������������������������ ����������������������������������������������������������������������������������������������������������������� ������������������������������������������������������������������������������������������������� THE BEST OF 01/2012

Page

���� ���������� �����


PENTEST REGULAR

Hi! I hacked your computer

With every passing day, with each new software, hackers around the world start looking for vulnerabilities and write exploit codes for them. Patching those vulnerabilities takes a lot of time and by then the systems have been compromised. As an attacker, there are many ways to compromise the client side systems, my preferred method involves social engineering.

I

magine you receive a PDF attachment from a friend or a colleague, you open it and you get an Figure 2 PDF attachments because the file maybe damaged or not created properly. Your first thought is that the source may not be good, you run it through antivirus and it shows the file is clean; this gives you the feeling of safety. You now click ok to continue with your tasks to ask your IT for help for to try something else. You didn’t realize that you just got owned! In a traditional scenario, an attacker would do dumpster diving and get emails and other printouts to get some information about you. I feel there are better ways to get such information and that’s where the art of social engineering comes in. Many a times I have used social engineering techniques to prove that anything can be done if you know how to talk your way through it. In our scenario our attacker has been doing a lot of information gathering using tools such as the (MetaSploit Framework), (Maltego) and other tools to gather email addresses and information to launch a social engineering client side attack on the victim.

Vulnerability Description

A remote overflow exists in Adobe Reader and Adobe Acrobat. The document reader fails to properly bounds check input to the util.printf() javascript function resulting in a stack-based overflow. With a specially THE BEST OF 01/2012

crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

Classi�cation

Location: Remote / Network Access Attack Type: Input Manipulation Impact: Loss of Integrity Solution: Upgrade Exploit: Exploit Public, Exploit Commercial Disclosure: OSVDB Verified, Vendor Verified

Scenario

For our demonstration we will talk about how the said Social Engineering will be done to extract the required information. First we choose a victim, then we do go to their website and search the careers section for the available IT Jobs of the company to find out what jobs are vacant, their individual descriptions will give us the information about various software technologies in use. Getting a brief idea, we can then search major vendor’s websites for their testimonials or clients. Every vendor displays its client list on its website proudly to show credibility and to have major organizations vouch for their quality and work. A call to these vendors posing as a large organization, spoofing your caller id to reflect the same and talking to them, we can ask them to tell us about the victim company, saying we have worked with them before,

Page 46

http://pentestmag.com



PENTEST REGULAR

Mastering

the Behavioral Techniques for Quick Rapport and Elicitation There are skilled conversationalists that can induce an individual to unwittingly divulge their deepest secrets, their closest held personal information, and even their banking information and passwords without being asked any direct or related questions. In today’s high paced competitive environment individuals and companies that are unscrupulous and obsessed with winning will go to any extreme to achieve a competitive edge in the marketplace, including penetrating a competitor’s computer operating system.

T

he most successful will accomplish the unimaginable by employing age old spy-craft skills as well as technology. These master elicitors of information utilize directed, purposeful, and well planned out conversations in order to elicit and gain whatever information they deem of value. The first president of the United States, George Washington, was our countries first spy master. At the onset of the war for independence, the British were occupying the city of Boston. Washington was desperate for information in order to give him and the Americans a tactical edge. Washington employed a master observer and elicitor, a spy, in order to gather the necessary information on the opposing force. Instead of hacking a computer operating system, Washington hacked a human operating system and successfully penetrated the British information network in Boston for $333.00. The human hacking skills used throughout history are now being combined with the computer network penetration skills of today to form the most advanced information gathering system ever known, the Social Engineer. This article will highlight and demonstrate the advanced social psychological skills (soft skills) used by master Social Engineers. Developing these skills is not difficult, it requires a desire to build upon that which we all do every day, interact with people. The difference is that these interactions will be with a purpose and a plan. In order to build these skills to a mastery level, you THE BEST OF 01/2012

must practice at every opportunity. Most individuals fear rejection when attempting these skills, but you must have the courage to Enter the Arena (Figure 1). Today’s professionals entering the workforce bring with them a critical and highly sought after skill set in regards to technology that tends to exceed the generations prior to them. Likewise, the prior generations in the work force tend to have a skill set in regards to developing quick rapport and conversations with individuals oneon-one. As in many situations, when you combine skill sets, the end result is a much better capability than each alone. Breaking down the art form of interpersonal

Figure 1. The Man in the Arena

Page 52

http://pentestmag.com



PENTEST REGULAR

Tool Jockeys in Disguise

Defeating the Push Button Penetration Testers What drives your search for a penetration tester? Was it a recent security breach or a compliance requirement or maybe just a conversation over a round of golf with someone that recently underwent an assessment? No matter what is the reason you will need someone who is not only competent and familiar with the latest threats and technologies but also someone that can associate the vulnerability you have with the business risk to your organization.

T

his message is meant for you, all of you. The CISO and the IT Director the decision maker and the network administrator’s the people that man the front lines of the information security trenches. If there was ever a time for you to take stock in your information security capital it’s now! What’s your security strategy? When was the last time it was tested and by whom? Was the individual or entity qualified? How did the results of that engagement positively impact the security strategy within your organization? If you can’t honestly answer those questions then you may want to take a second look at the vendor and your choice of penetration tester. Do you know what to expect from your vendor and penetration tester? Unfortunately many companies do not know what to look for when engaging an information security vendor for a penetration test or vulnerability assessment and can only smile and thank the vendor when handed a report with lots of vulnerabilities marked with highs, mediums and lows. As the customer you need to understand how those vulnerabilities affect your bottom line and your business.

on the engagement and the client. There have been times where no tools were used at all during an engagement to exploit a site while other times a custom built script will be the most efficient way to go. You should pay less attention to tools and timing and more attention to what your end goal should be for the engagement. I know a lot of people have the check list mentality and want to see a set list of things to do or a certain toolset that should be used during an engagement but if your pen tester’s sticks to one particular method or toolset I guarantee you he will miss things. Penetrating testing tools are useful during an engagement and they can be used to perform trivial tasks but they should not be the crux of a penetration testers skill set.

The Right Questions?

Defining what you need to test is as important to your security strategy as having the proper policies and procedures in place to govern the security of your organization. If your development team just built a web facing application for your sales division and you want to

The Wrong Questions

During a recent engagement meeting we were asked by the client, what tools do you use and how long does it normally take you to break in during a penetration test? Well in answer to that I have to say that it really depends THE BEST OF 01/2012

Figure 1. Push button for PenTest

Page 60

http://pentestmag.com


Page


PENTEST EXTRA

Penetration Testing for iPhone and iPad Applications

Mobile application penetration testing is an up and coming security testing need that has recently obtained more attention, with the introduction of the Android, iPhone, and iPad platforms among others.

T

he mobile application market is expected to reach a size of $9 billion by the end of 2011 (http://www.mgovworld.org/topstory/mobile-ap plications-market-to-reach-9-billion-by-2011) with the growing consumer demand for smartphone applications,

including banking and trading. A plethora of companies are rushing to capture a piece of the pie by developing new applications, or porting old applications to work with the smartphones. These applications often deal with personally identifiable information (PII), credit card and other sensitive data. This article focuses specifically on helping security professionals understand the nuances of penetration testing iPhone/iPad applications. It attempts to cover the key steps the reader would need to understand such as setting up the test environment, installing the simulator, configuring the proxy tool and decompiling

Figure 1. iPhone SDK Installer

Figure 2. Location of all the iPhone tools installed with the SDK

THE BEST OF 01/2012

Page 92

http://pentestmag.com


101


PENTEST EXTRA

Guaranteed Access Everyone has different ideas of what physical security is, what it encompasses, and how to exploit it. It can include a wide range of exploits, many being surprisingly simple. Regardless of method, going after physical security in a PenTest often proves one of the easiest ways to gain access to a network. Sometimes physical exploits are almost looked on as cheating, simply because some of them are so simple, so obvious, and yet completely unprotected.

W

ith the advent of Svartkasts and PwnPlugs, physical security is no longer a boring subject for pentesters. To pentesters these devices are some of the most exciting exploits at any level. To businesses they’re a nightmare. The criticality of physical security can’t be overstated, with high value

targets such as the Nuclear Power plants in Iran, and the U.S. Governments Secret SIPR networks being victims to physical layer compromise. If there’s one guaranteed way to gain access to any network, it’s with a physical layer exploit. Everyone has different ideas of what physical security is, what it encompasses, and

Figure 1. Traffic Lights guarantee security on roads

THE BEST OF 01/2012

Page 102

http://pentestmag.com


107


PENTEST EXTRA

XSS & CSRF Practical exploitation of post-authentication vulnerabilities in web applications These days many people do not consider post-authentication vulnerabilities dangerous, such as Stored XSS in the administrator’s portion of a web application.

T

his situation is probably aggravated by some misinformation websites and some selfproclaimed security experts, which try to deny disclosed vulnerabilities by posing them as a feature implemented by design. The problem is that they simply do not understand the exploitation’s vectors of these vulnerabilities and they consider them as benign, as long as they impact webpages which do not remain available to unauthenticated users. In the past year, High-Tech Bridge SA Security Research Lab has been performing vendor awareness on a non-profit bases, explaining that post-authentication vulnerabilities are dangerous and they should be fixed. This case-by-case approach is paying off by vendor’s patch statistics for our Security Advisories:

Figure 1. Testing the Proof of Concept

THE BEST OF 01/2012

• •

Only 32% of post-authenticated vulnerabilities were fixed during the first and second quarter of 2011. However, 65% were fixed during the third and fourth quarter of 2011.

The goal of this article is to demonstrate the real danger of post-authenticated vulnerabilities. We will not explain the basics of web application attacks in this article, as that has already been done many times before by others. We will focus on a practical way to exploit post-authentication XSS’s and CSRF, which remain a highly underestimated attack vector in the security scene.

Post-authentication XSS

Let’s start with something very simple. One of the most popular post-authentication vulnerabilities is XSS (Cross Site Scripting). This type of vulnerability is a perfect attack against web-site administrators. Actually, despite the limited exploitation’s vector (against website administrators only), our Research Lab assigns a medium risk level (for a standard XSS) to these vulnerabilities for the simple reason that the most efficient exploitation vector of XSS is carried out against website administrators, not against common users. For our example, we will take an old version of Zikula, which is vulnerable to XSS against website

Page 108

http://pentestmag.com


������������������������ ���������������������� ��������������������� �������������������� ���������������������� ������������������� ��������������� ����������


PENTEST STARTERKIT

Pen Testing and Risk Management According to new research from security vendor Imperva, distributed denial of service and SQL injection are the main types of attack discussed on hacking forums. Underground discussion forums are an important piece in the cybercriminal ecosystem. They offer a place for hackers to sell and exchange information, software tools, exploits, services and other illegal goods.

F

orums are the cornerstone of hacking – they are used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction, Imperva stressed. In recent years, the movement in hacking forums has increased by 150%. We believe this increase reflects the higher number of failures, simply because there are more attackers chasing security breaches, the company said. Imperva’s researchers have recently analyzed discussions going back several years from HackForums.net, one of the largest hacker forums with over 220,000 registered members. Their effort was aimed at determining the most common attack targets, what business trends can be observed, and what directions hackers are leaning toward. As far as attack popularity goes, the analysts determined that DDoS was mentioned in 22 percent of discussions. SQL injection, a technique commonly used to compromise websites, is the second most frequently

discussed attack method, being at the center of 19 percent of conversations. Unsurprisingly, with a 16 percent discussion occurrence rate, spam is the third most favorite attack type according to Imperva’s content analysis. That’s probably because it is one of the primary methods of generating illegal income. Network and computer vulnerabilities caused by misconfiguration, unsafe coding and lack of proper security updates still are a nightmare for mission-critical applications in organizations worldwide, impacts the dayto-day organizations in such challenging security world. For instance a simple virus activity in IT environment causing a main server outage and huge financial losses as well as affect the image of the whole organization, whenever service outage cause any direct impact to customers. Security guidelines and awareness for infrastructure and development staff, as well as use of sophisticated Intrusion Prevention Systems, vulnerability scanners, antivirus,

������������������

��������

��������

�������������������������������������� ������������������ �����������������

��������������� �������������������������� ��������������������������������������� ������������������������������������������� ������������������������ ������������������������� ������������������

Figure 1. Pentest plan

THE BEST OF 01/2012

Page 124

http://pentestmag.com


������������������������ ���������������������������

������

��� ������ ���� ����������������������

� ����������������� �������������������������

������������������������������������������������ ������������������������������������������������� �����������������������������������������������

� ��������������������������� �������������������������� ���������������������

������������������������������������������

���������������������������������������������������� ��������������������������������������������������� ���������������� ����������������������������������������������������

��������

�������������� ���������

���������� ��������������

��������� ���������������������������������������� �������������������������������������������������������������������������������������������������������������������������

�������������������������������

���� ����� ������

��������������������������������


PENTEST STARTERKIT

IT Security & Risk to data – the ever changing landscape

“Data loss!”; “Industrial Espionage”; “Security Breach!” – Terms which we’ve heard of before, but unfortunately are becoming increasingly popular given the disturbing levels disclosed recently. The new world of ‘Cyber Security’ is facing an increasing rise in awareness across organisations as the risks associated to these threats are realised.

T

here are many forms of security breaches taking various guises, and its because of this diverse array of types of attack, that organisations are finding it challenging to protect themselves against. On the other hand, clever countermeasures are now available to help the fight against targeted or opportunistic forms of attack. So that’s OK you might say. However, these tools can be extremely costly to buy, implement and then maintain. It is having a blended mix of effective countermeasures and an effective risk management regime that organisations seem to struggle with, which I will now discuss. The world of corporate governance has brought added pressure and cost to organisations safeguarding themselves against external (and not forgetting the internal) threats. Sarbanes Oxley, PCI, Solvency, MiFID, (to name but a few) has forced organisations to take a closer look at how they apply control over their operations. Given the cost in the early days of organisations having to comply with the likes of Sarbanes Oxley (running into tens of millions for some larger FTSE based examples), organisations are turning to various frameworks (COBiT, COSO etc) and standards as a way of applying control over their IT landscape. The problem comes when there is a misunderstanding between what the world of compliance and governance state you must comply with, and interpreting this as an appropriate baseline set THE BEST OF 01/2012

of controls for your organisation. Organisations spend hundreds of thousands having consultancies tell them things that they probably already know all in the name of compliance. They hand over a report, the client pays the invoice and that’s it until the next quarter. There is no doubt that there is value in having elements of your operations assessed by a third-party set of eyes, but it is how you then use this information which is critical. I’ve been lucky to work in both the private and public sector in my career to date, and witnessed how organisations within these sectors have striking similarities surrounding issues addressing IT Risk across the organisation. Many organisations I’ve visited on my travels all understand risks to their dayto-day operations, but few understand how to integrate the management of risk into their organisation throughout. I have seen various approaches to managing risk, mainly dependant upon available budget and appetite. The private sector trend is to rely upon the results of a statutory audit to determine any exposure across their IT landscape and to drive remediation. The public sector has tighter controls surrounding their systems (mainly for accreditation purposes) which requires them to undertake health checks (vulnerability assessment) to again assess vulnerabilities which could compromise the security of their systems and data. Both though have a common thread being that they have an external

Page 134

http://pentestmag.com


Now Hiring Teamwork Innovation Quality Integrity

Passion

Sense of Security

Compliance, Protection and

Sense of Security is an Australian based information security and risk management consulting practice. From our offices in Sydney and Melbourne we deliver industry leading services and research to our clients locally, nationally and internationally. Since our inception in 2002, our company has performed tremendously well. We thrive on team work, service excellence and leadership through research and innovation. We are seeking talented people to join our team. If you are an experienced security consultant with a thorough understanding of Networking, Operation Systems and Application Security, please apply with a resume to careers@senseofsecurity.com.au and quote reference PTM-TS-12.

info@senseofsecurity.com.au www.senseofsecurity.com.au


AUDITING & STANDARDS PENTEST

Operating System Security Re-visited Information security, in terms of the risk management of electronic information, is a young and relatively new practice in the business world. Information security departments are less than a decade old in many businesses. The mid-to-early 90s saw the wider scale adoption of the public Internet, and along with it came technical gurus (some would say “hackers”) who professed to know how to keep bad guys out of good guys’ corporate networks.

T

he earliest face of information technology security expertise was one of hackers and small service providers. Businesses at this time did not have dedicated security departments. The information security practice was handled by IT operations typically. IT operations staff would install a firewall, configure it badly (in most cases) and they would roll out some sort of a token gesture in the way of malware protection (although it seems the effectiveness of malware protection controls are limited by the products available in this space – and so how advanced can it possibly be as of January 2012?). This was the earliest incarnation of information security where it concerned the preservation of the confidentiality, integrity, and availability of information assets and services (yes – I got my CISSP too, although it was 2005 – seemingly a lifetime ago). In the decade-plus since the world first realized that it might need to think about the protection of information assets held in electronic form, has there been much progress in the field? Major information security incidents regularly make the headlines even in business-related publications such as the UK’s Financial Times. In the early to mid-2000s, the frequency of reported security incidents was, to say the least – very low. So when I was proclaiming at the time that corporate networks were wide open, my comments were greeted with some skepticism, sideways glances, and other expressions of derision, disapproval or discomfort. THE BEST OF 01/2012

Many in the field of information security wouldn’t care to admit it, but whenever the bad guys target the good guys with (among others) intentions of corporate espionage, intellectual property theft, and / or theft of personal information, they are rarely met with any significant resistance. Way back in the early 2000s, with the outbreak of the famous worms known as Nimda and Code Red (ah those were the days!), dropped packet logs from our firewall revealed that worm propagation connections were attempted to our corporate network from some famous names, including IBM, Oracle, and many other Wall Street favorites. Corporate networks were being routinely infected across the globe. These days the malware is less noisy, but even more pervasive, and there is more of an economic element behind it. Botnets are common, consisting of many thousands or millions of nodes, and corporates are unknowingly assisting the efforts of the botnet architects. Without permanently online corporate desktop PCs and Microsoft Windows (predominantly) servers, the botnets would not be so effective and widespread. Botnets are rented out for any parties wishing to spam, loot, hoard, or whatever it is the bad guys do to make money. Sufficed to say, when the botnet propagates, it does not discriminate based on the ownership of the real estate within which it decides to squat.

Page 138

http://pentestmag.com


���������

��������������

������������������ �������������������� ������������� ������������

������������ �������

� � � � � � � � �

�� ����������������� ���� ������������������������������������ ������ ����������������� �������� ���������

���������������������� ���������������������

� ���������������� �� ��������������������� ����������������������������� ������������


AUDITING & STANDARDS PENTEST

Separating Fact from Fiction – The realities of Cyber War

Cyber War. Two words that you’ll have heard in the news a few times by now. You’ll have heard it more and more over the last year or so. Maybe two or three years if you’ve been halfway interested or happened to be browsing on IT websites that cover cyber warfare. Especially if you’re living in the US, you’ll have heard some pretty fear-inducing stories.

A

nd not by just anybody; Richard Clarke himself has said that a Cyber War is the next big threat to national security. He was, of course, referring to the national security of the US, but his critique certainly holds water for other modernized nations. What may be surprising is that he was absolutely right, even though he may be understood poorly. Let me first start out by trying to explain what Cyber Warfare actually is. I say try because it’s hard to capture exactly what the definition is. With having this seeming inability to describe it, I find myself in good company. At his confirmation hearing for the role of the first Cyber Warfare General in US history, four-star General Keith Alexander could not explain to the Senate Committee what the exact definition of Cyber Warfare is. This has everything to do with the fact that we, as a global civilization, are still trying to figure out what it means (culturally) to have all our collective knowledge at our fingertips, all the time. And make no mistake: this is exactly what we’ve created through the Internet and mobile devices capable of internet access. Add to that the fact that technology changes so rapidly that it’s hard to see where we’re going. The final element of uncertainty in this mix is that very few people (if any) know or understand where internet technology is used. It’s so pervasive that we may discover entirely new fields of vulnerabilities, even though they’ve been around for decades. SCADA systems are an excellent example of THE BEST OF 01/2012

this; up till STUXNET only the experts knew and realized that an attack on such systems could cripple us.

So what is Cyber Warfare?

For a very broad definition of Cyber Warfare, I will steal a bit from Wikipedia’s entry on Aerial Warfare: Cyber Warfare is the use of both military and other computer networks and systems to further the national interest on (and off) the Cyberspace battlefield. I realize that this is such a broad definition that it almost becomes worthless, but any further narrowing down may make it factually incorrect. Wikipedia’s entry on Cyber Warfare refers to politically motivated hacking, which I feel is wrong because while hacking is certainly a part of it, it is not the whole of it. Richard Clarke’s definition, as he wrote it in his book Cyber War, also seems too narrow because he limits it to an activity performed only by nation states. With this statement he discards non-state actors and I feel this is a mistake. Regardless of exact definitions, Cyber Warfare involves the use of computer systems and networks with the aim to corrupt, deny or destroy enemy information and information systems, while protecting one’s own. My friend and fellow publicist Peter Rietveld emailed me an excellent definition recently that I’d like to share with you:

In war, information about your own capabilities and your opponents capabilities is the ultimate

Page 144

http://pentestmag.com



WEB APP PENTESTING

Web Session Management – Reality is a nightmare! Session Management is fundamentally a process of keeping track of a user’s activity across multiple connections or interactions with the machine.

I

n web based applications, the primary protocol is HTTP which we all know is a stateless protocol. It means instead of relying on the established TCP connections for anything more than GET/POST request, we need a session management to make this stateless protocol support session states. On a broad spectrum following are the primary identifiers that support and/or manage the established session between the server and the client, • •

• • •

Cookie transfers and information disclosure Session Expiration timelines Session handling when a user logs out

Session ID Cookie Values/Parameters

A browser can maintain the state information in an HTTP session with Cookies, URL rewriting, Codes (Challenge/Response), Hidden form fields (SessionID) etc. (Figure 1). In scope of this article, and real world scenarios, I will target the SessionID and Cookie parameters of different requests. Here are some ideal conditions and requirements for the web session management, and should always be thought upon before deploying a web Figure 1. HTTP Sesion application on the production servers, THE BEST OF 01/2012

Page 160

http://pentestmag.com



WEB APP PENTESTING

Modeling Security Penetration Tests with Stringent Time Constraints

At XBOSoft, it often happens that our clients decide to do security testing late in their test cycle, after we have finished the regular functionality or performance tests. With time often the most important constraint, how to best execute these security tests depends on many factors.

I

n order to create a test strategy that allows us to execute security tests with enough coverage in the given time frame we created the Modeling, Planning, Execution, and Analysis (MPEA) approach. MPEA divides the penetration testing into four phases, allowing us to implement the tests more effectively and efficiently:

Determining Project Objectives

• • •

Modeling phase: Deliver a risk profile that can be used as input for the activities of the remainder of the project. The profile contains the scope of the tests and the stop criteria Planning: Deliver the test strategy and the test plan Execution: Execute the penetration and deliver the tests results according to the test plan Analysis: Analyze the test results and deliver a report

This article discusses the modeling aspect of our approach and will explain how to best model security projects with little time, including: • • • • • •

Determining Project Objectives Modeling goal Gathering System Information Developing a Risk Profile Testing tools or manual testing Vulnerability Investigation-Stop Criteria THE BEST OF 01/2012

We usually see two types of stakeholders: managers and developers, both expecting something different. Managers want to know whether the product is secure or how secure it is, whereas developers want to know exactly where the flaws are located in the system. To satisfy both, our test objectives should include:

A high level summary that explains the general state of the security of the system. Managers need this to answer the question: Am I looking at a fundamental flaw that stops going live or do we have a generally faulty build process that needs tidying up? Satisfying management’s objectives should be done through easy to read and understand graphs and charts. For developers we recommend a tabular list of issues including a title, a description, a list of hosts affected, an estimation of severity and a suggested fix or workaround.

The estimation of severity could be as simple as high/ medium/low, or include more detail such as: ease of exploit, complexity to fix and the extent of resulting compromise. Ease of exploit plays back into the model so that developers can see if they need to worry about the issue, complexity to fix plays into the risk management decision on going live and the extent of

Page 166

http://pentestmag.com



WEB APP PENTESTING

Cloud Computing – Legal Issues Cloud computing involves the sharing or storage by users of their own information on remote servers owned or operated by others and accessed through the Internet or other connections. Cloud computing services exist in many variations, including data storage sites, video sites, tax preparation sites, personal health record websites, photography websites, social networking sites, and many more.

C

loud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. While the storage of user data on remote servers is not new, current emphasis on and expansion of cloud computing warrants a more careful look at its actual and potential privacy and confidentiality consequences. For some information and for some business users, sharing may be illegal, may be limited in some ways, or may affect the status or protections of the information shared. Even when no laws or obligations block the ability of a user to disclose information to a cloud provider, disclosure may still not be free of consequences. When users store their data with programs hosted on someone else’s hardware, they lose a degree of control over their sensitive information. The responsibility for protecting that information from hackers and internal data breaches then falls into the hands of the hosting company rather than the individual user. Government investigators trying to subpoena information could approach that company without informing the data’s owners. Some companies could even willingly share sensitive data with marketing firms. So there is a privacy risk in putting your data in someone else’s hands. Obviously, the safest approach is to maintain your data under your own control. The concept of handing sensitive data to another company worries many people. Is data held somewhere THE BEST OF 01/2012

in the cloud as secure as data protected in usercontrolled computers and networks? Privacy and security can only be as good as its weakest link. Cloud computing increases the risk that a security breach may occur. One of the problems with cloud computing is that technology is frequently light years ahead of the law. There are many questions that need to be answered. Does the user or the hosting company own the data? Can the host deny a user access to their own data? If the host company goes out of business, what happens to the users’ data it holds? And, most importantly from a privacy standpoint, how does the host protect the user’s data? So we carefully analyze the various laws and policies that the host has to abide by and also carefully look to analyze certain aspects of the license and end user agreements that help share liability and empower government agencies to still access certain kind of information without breaking the privacy laws.

Introduction

Cloud computing can be called as a natural evolution of the widespread adoption of virtualization, serviceoriented architecture, autonomic and utility computing. Details are abstracted from end-users, who no longer have need for expertise in, or control over, the technology infrastructure in the cloud that supports them [Wikipedia].

Page 172

http://pentestmag.com



WEB APP PENTESTING

Web Application Security and Penetration Testing

In the recent years, web applications have grown dramatically within many organizations and businesses where such entities became very independent on such technology as part of their businesses’ lifecycle.

D

ynamic web applications usually use technologies such as ASP, ASP.Net, PHP, Ajax, JSP, Perl, Cold Fusion, Flash, and etc. These applications expose financial data, customer information, and other sensitive and confidential data that required authentication and authorization. Ensuring that the web applications are secure is a critical mission that businesses have to go through to achieve the desired security level of such applications. With the accessibility of such critical data to the public domain, web application security testing also becomes paramount process for all the web applications that are exposed to the outside world.

Introduction

Penetration testing (It is also called Pen Testing) is usually conducted by ethical hackers where the security team reviews application security vulnerabilities to discover potential security risks. Such process requires a deep knowledge, experience in a variety of different tools, and a range of exploits that can achieve the required tasks. During the pen testing different web applications’ vulnerabilities are tested (e.g. Input Validation, Buffer Overflow, Cross Site Scripting, URL Manipulation, SQL Injection, Cookie Modification, Bypassing Authentication, and Code Execution). A typical pen testing involves the following procedures: THE BEST OF 01/2012

• • •

Identification of Ports – In this process, ports are scanned, and the associated services running are identified. Software Services Analyzed – In this process, both automated, and manual testing is conducted to discover weaknesses. Verification of Vulnerabilities – This process helps verify that the vulnerabilities are real, where weakness might be exploited to help remediate the issues. Remediation of Vulnerabilities – In this process, the vulnerabilities will be resolved and such vulnerabilities will be re-tested to ensure they have been addressed.

Part of the initiative of securing the web applications is to include the security development lifecycle as part of the software development lifecycle where the number of security-related design and coding defects can be reduced, and also the severity of any defects that do remain undetected can be reduced or eliminated. Despite the fact that the above initiatives solve some of the security problems, some of undiscovered defects will remain even in the most scrutinized web applications. Until scanners can harness true artificial intelligence, and put the anomalies into context or make normative judgments about them, the struggle to find certain vulnerabilities will exist.

Page 180

http://pentestmag.com


ITOnlinelearning offers Network Security courses for the beginner through to the professional. From the CompTIA Security+ through to CISSP, Cer�fied Ethical Hacker (CEH), Cer�fied Hacking Forensic Inves�gator (CHFI) and Security Analyst/Licensed Penetra�on tester (ECSA/LPT).

Tailored Advice and Discounts 0800-160-1161 or Please Call one of our Course Advisors for help and Tailored Advice -during office hours (Mon-Fri 9am-5.30pm)

Telephone: 0800-160-1161 Interna�onal: +44 1795 436969 Email: sales@itonlinelearning.co.uk support@itonlinelearning.co.uk Registered Office: 16 Rose Walk, Si�ngbourne, Kent, ME10 4EW


WEB APP PENTESTING

Open Source Web Application Security Testing Tools

Needless to say that with cybercrime is on the rise and with the immense rise in online security threats no business owner should overlook their website’s security and this is exactly where the concept of web application security testing tools have gained immense significance.

I

n fact more than four out of every five businesses have experienced a data breach still not all business website owners are aware of website security threats or how vulnerable their website is without the necessary protection. And this is where free web application security testing tools comes in. It goes without saying, websites are vulnerable to online security threat and if a website’s server and applications are not protected from security vulnerabilities, identities, credit card information, all billions of dollars are at risk. Quite ideally therefore cost effective security measures needs to be taken, which might entail moving away from proprietary client/server applications to web applications which are not only cheap but at the same time provides an extensive delivery platform. In fact, impact of an attack on websites can actually cause costly and embarrassing disruptions in a company’s services. And without employing the web security testing tools business can incur loss. Attackers are lurking everywhere and they are well aware in fact aware of the Web application vulnerabilities. Also, their attempts to get at it are thoroughly assisted by several important factors. It is the right time to protect your website with website security audit and with thorough website security test. A web security testing service will in fact make sure that the company is fully compliant with rules and regulations, and is able to respond quickly to any attacks. THE BEST OF 01/2012

There are some powerful and free web application security testing tools which can help you to identify any possible holes. In this article we will explore the choice of tools available.

Introduction

One of the prominent Information Security consultant and researcher, Shay Chen has conducted some extensive testing using these tools and has published a benchmarking report in http://sectooladdict.blogspot.c om/2011/08/commercial-web-application-scanner.html using the project WAVSEP. Shay Chen’s Project WAVSEP consists of an evaluation platform which aids in the comparison of 60 Commercial & Open Source Black Box Web Application Vulnerability Scanners. This evaluation platform contains a collection of unique vulnerable web pages that can be used to test the various properties of web application scanners. This research is only valid for estimating the detection accuracy of SQLi & RXSS exposures, and for counting and comparing the various features of the tested tools. Shay Chen did not evaluate every possible feature of each product, only the categories tested within the research. The assessment criterion of detecting the accuracy of SQL Injection is one of the most famous exposures and the most commonly implemented attack vector in web application scanners. This because a scanner that

Page 188

http://pentestmag.com



BOSON INSTRUCTOR'S PERSPECTIVE BETWEEN CPTEngineer & CEH

���������������������� ����������������� ����������������������� ������������� �������������������������� ��������������������� ������������������������� ��������������

������������������������������������������������� ������������������������������������������������ �������������������������������������������������� ������������������������������������������������������� ����������������������������������������������������������� ������������������������������������������������ �������������������������������������������������������� ������������������������������������������������������ ��������������������������������������������������������� �������������������������������������������������������� �������������������������������������������������������� ����������������������������������������������������� ������������������������������������������������� ���������������������������������������������������� �������������������������������������������������� ����������������������������������������������������� �������������������������������������������������� ������������������������������������������������������� ������������������������������������������������������ ������������������������������������������������������ ���������������������������������������������������� �������������������������������������������������� ������������������������� ������������������������������������������������������ ������������������������������������������������������ ������������������������������������������������������ ���������������������������������������������������� ���������������������������������������������������� ������������������������������������������������ ������������������������������������������������������ ������������������������������������������������� ������������������������������� �������������������������������������������������� ���������������������������������������������� ��������������������������������������������������� ������������������������������������������������� ��������������������������������������������������� ������������������������������������������������������ ����������������������������������������������������������

������������ ������������ �������������� �������������

��������������������������������������������������������� ��������������������������������������������������������� ������������������������������������������������������ �������������������������������������������������� ��������������������������������������������������� ������������������������������������������������������ �������������������������������������������������������� ��������������������������������������������������������� ����������������������������������������������������� ���������������������������������������������������� ����������������������������������������������������� ����������������������������������������������������� ����������������������������������������������������� �������������������������������������������������� �������������������������� �������������������������������������������������� ������������������������������������������������� ������������������������������������������������������� ���������������������������������������������������� ������������������������������������������������������ ������������������������������������������������� ������������������������������������������������������� ����������������������������������������������������� ���������������������������������������������������� ������������������������������������������������� �������������������������������������������������� ���������������������������������������������������������� ���������������������������������������������������� ������� ������������������������������������������������������� ������������������������������������������������������ ������������������������������������������������������� ������������������������������������������������������ ���������������������������������������������������������� ����������������������������������������������������� ���������������������������������������������������� ����������������������������������������������������������� ��������������������������������������������������������

�������������������������������������������������������������������������������������������������������������������������


����������������������������������������������������� ������������������������������������������������������� ����������������������������������������������� ������������������������������������������������ ��������������������������� ������������������������� ����������������������� ����������������������� ��������������������� ����������������������� �������������������� ����������������������� �������������������� ���������������������� �������������������������� �������������������������� ���������������������� ������������������������ ����������������������� ��������������������� ������������������������� ��������������������������

������������������������������������������������������� ����������������������������������������������� ���������������������������������������������������� ����������������������������������������������������� ������������������������������������������������������ ��������������������������������������������������������� �������������������������������������������������� ����������������������������������������������������� ��������������������������������������������������� ��������������������������������������������� ��������������������������������������������������� ��������������������������������������������������������� ��������������������������������������������������������� ������������������������������������������������������ ������������������������������������������������������ ���������

ABOUT BOSON SOFTWARE, LLC

ABOUT MILE2

���������������������������������������������������� �������������������������������������������������� ������������������������������������������������������ ���������������������������������������������������� �������������������������������������������������������

�������������������������������������������������������� ������������������������������������������������ ���������������������������������������������������� ������������������������������������������������������� ������������������������������������������������������� ��������������������������������������������������� ��������������������������������������������������� ����������������������������������������������������� ���������������������������������������

��������������������������������������������������� ��������������������������������������������������������� ������������������������������������������������� ������������������������������������������������ ��������������������������������������������������������� ���������������������������������������������������� �������������������������������������������������� ����������������������������������������������� ������������������������������������������������������� ������������������������������������������������ ������������������������������������������������������

������������ ������������ �������������� �������������

��������������������������������������������������� ������������������������������������������������������ ���������������������������������������������������� ����������������������������������������������������� ���������������������������������������������������

���������������������������������������������������� ���������������������������������������������������� ����������������������������������������������� �������������������������������������������������������� ����������������������������������������������������� ����������������������������������������������������� �������������������������������������������������� �������������������������������������������������� ������������������������������������������������������ ��������������������������������������������������� ��������������������������������������������

�������������������������������������������������������������������������������������������������������������������������


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.