Dpc june-2014 pentesting-for-fun-and-profit
Posted on 25-May-2015
PenTesting (for fun & profit)
Clinton Ingrams
Dutch PHP Conference 2014
https://joind.in/10948
Working at: Cyber Security Centre, De Montfort University
Teaching: MSc Cyber Security, Forensic Practitioners (plus lots of Secure Web App Development, PHP, etc)
Web Application Pen Testing
(Ethical Hacking)
(HTTP > UFBP)
Questions to be answered:
Why?
What?
How?
When?
Who?
With?
How much?
(and don't forget rule 1)
Context
Application Security is:
Boring
Tedious
Unnecessary
Client-losing
Expensive
...
Need to know more vulnerabilities than the OWASP Top 10
UK MoD VAs
Vulnerability Assessment levels
Scanning
Automated probes
Penetration Test
Physical Test
Rule 1
Always make sure you have a signed scoping document.
What is a hacker?
Hacker ... is a term used in computing that can describe several types of persons
– Hacker (computer security) someone who seeks and exploits weaknesses in a computer system or computer network
– Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment
– Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities
(http://en.wikipedia.org/wiki/Hacker)
Why:-
From NIST SP800-53A:
– To “enhance the organisation’s understanding of the system”
– To “uncover weaknesses or deficiencies in the system”
– To “indicate the level of effort required on the part of adversaries to breach the system safeguards”
● Read ZF05
https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/
When:-
“Why is there never time to consider security before an app goes live, but plenty of time and money after the first hack?”
(Thought: when to pentest if following Agile techniques???)
How:- Methodologies
Frameworks:
– National Institute of Standards and Technology
● NIST Special Publication 800-115
– Open Web Application Security Project
● OWASP
– SANS
● Securing Web Application Technologies
– Open Source Security Testing Methodology Manual
● OSSTMM
– Ad hoc
NIST
OWASP
The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology:
4.1 Introduction and Objectives
4.2 Information Gathering
4.3 Configuration and Deployment Management Testing
4.4 Identity Management Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Error Handling
4.10 Cryptography
4.11 Business Logic Testing
4.12 Client Side Testing
Ad-hoc
Who:-
● Large organisations (UK) may be required to employ a cyber/digital security specialist
– cf. health & safety specialists
● However, every web development company should (probably) have such a cyber security “specialist”
– qualified
– experienced
How much:-
“All the market will bear ...”
(Poul Anderson)
With:-
● Samurai Web Testing Framework – http://samurai.inguardians.com/ (other tool kits are available …)
● Containing toolkits – e.g. BurpSuite, ZAP, w3af, etc
● Deliberately vulnerable web applications (victim machines) – Mutillidae, DVWA, Badstore, Flowershop, …
Planning:-
● Remember Rule 1?
● Safety Clause
● Profiling
● Risk Assessment
Profiling
● Google
● Whois
● DNS
● Social Engineering
● Dumpster diving
samurai
zenmap
dvwa
zap
Demo:-
● (Ze)nmap
● Wireshark
● ZAP
● Burpsuite
● w3af
Books
● The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy – Patrick Engebretson
● Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques – Thomas Wilhelm & Jason Andress
● Seven Deadliest Web Application Attacks (Seven Deadliest Attacks) – Mike Shema
References
● https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/
● https://cyberarms.wordpress.com/2010/06/12/tiger-team-penetration-testing-on-tv/
● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
● http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
● https://www.owasp.org/index.php/Web_Application_Penetration_Testing
● http://www.isecom.org/
● http://samurai.inguardians.com/
● https://www.youtube.com/watch?v=6gH4A49sPdc
● http://armoredcode.com/images/keep-calm-and-write-safe-code-small.png
Thanks for staying to the end...
@cfing99
cfi@dmu.ac.uk
a bar …
(https://joind.in/10948)
Any Questions?