Web application penetration testing
- 1. © Copyright 2011. Pramati Technologies Private Limited. All trade names and trade marks are owned by their respective owners.
Information Security Group (ISG)
Web Application Penetration Testing
reachus@imaginea.com
Web Application Penetration Testing
Overview
A Web Application Penetration Assessment looks at the application from the perspective of a malicious hacker and finds the holes before they can be exploited.
We rely on a detailed and well-established manual testing methodology for accuracy and effectiveness. Open source and commercial tools are used to automate many routine security testing tasks.
Penetration Testing Methodology
Step 1: Information Gathering
Step 2: Analysis and Planning
Step 3: Vulnerability Identification
Step 4: Exploitation
Step 5: Risk Analysis and Remediation Suggestion
Step 6: Reporting
Information Gathering Template
Information Required (the Data column is filled in for each item):
Application Name (Eg: LeanTaas)
What is the type of the application? (Static / Dynamic / Applets / Web Services)
Provide application URL
What are all the application user roles? (Eg: User, Administrator, Manager)
Is the application used by multiple clients? (Yes/No) If Yes, provide credentials for at least two clients
Provide at least two sets of credentials for each user role
Specify scope of the test (internal application functionality and URLs to be tested)
Provide application User Manual / Help documents
Analysis and Planning
Analysis
Verification of gathered template information
Client communication for clarifications
Understanding the application functionality
Identification of critical application components and the corresponding vulnerabilities to be tested
Planning
Test modularization based on functionality or vulnerability focus areas
Plan for automation testing phase
Plan for exploitation phase
Plan for risk analysis and reporting phases
Time estimates for each of the phases
Vulnerability Identification
Focus Areas
Authentication:
Authentication Bypass
Poor Password Strength
No Account Lockout
No Logout functionality

Authorization:
Privilege Escalation
Forceful Browsing

Session Management:
Session Fixation
Improper Session Expiration
Session time out too long

Input Validation:
Cross Site Scripting
Cross Site Request Forgery
SQL Injection
Buffer Overflow
File Upload
Code Injection

Cryptography:
Weak SSL
Weak Encryption Key
Unencrypted Sensitive Data (Eg: Passwords, Cookies)
Information Leakage:
Error Messages
HTML Comments
Source Code Disclosure
Cross Frame Spoofing
Server Platform Info Leak
Sensitive Data Revealed

System Configuration:
Default Passwords
Default Pages
Default Error Messages Enabled
Unpatched Software
HTTP Methods Enabled
Note: This is not an exhaustive list of vulnerabilities. More vulnerabilities will be added to the list based on the technology, the requirements and the latest threats.
Vulnerability Testing Phases
Exhaustive manual penetration testing on the application and the vulnerability focus areas
Automatic scanning of the application using tools, and analysis of the results for false positives
Identification of the list of application vulnerabilities from the manual and automated testing results
Tools
HTTP Proxy tool (Eg: Burp Suite tools, HTTPWatch, Tamper IE, Paros, WebScarab etc.)
Web Application Scanner (Eg: Burp Suite Scanner, AppScan, WebInspect etc.)
Web Service Testing tool (SoapUI etc.)
SSL version and SSL key strength enumeration tools (Cygwin OpenSSL, Foundstone SSLDigger etc.)
Frameworks for exploitation (Metasploit, Core Impact etc.)
Note: More tools will be added to the list based on the technology, the need, or the latest advancements.
Exploitation
Applicable attacks will be performed on the identified application vulnerabilities while avoiding damage to the application resources and infrastructure. This phase helps to assess the RISK of a vulnerability more accurately.
Resources for exploitation
Exploit frameworks (Metasploit, Core Impact etc)
Open source scripts and tools
Custom scripts (using Python, Perl etc)
Risk Analysis and Remediation Suggestion
Risk Analysis
Estimation of the Likelihood of attack
Estimation of the Impact of a successful attack
Evaluate overall RISK of the vulnerability
Risk = Likelihood * Impact
The OWASP Risk Rating Methodology is used as guidance.
Ref: https://www.owasp.org/index.php/OWASP_Risk_Rating_Methodology
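The OWASP methodology referenced above does not multiply two numbers: it averages eight likelihood factors and eight impact factors (each rated 0 to 9 by the tester), bands each average as LOW, MEDIUM or HIGH, and reads the overall risk from a severity matrix. The Python below is an added illustration of that calculation, not code from this deck or from Pramati/Imaginea; the factor names are OWASP's, and the sample ratings are constructed.

```python
from statistics import mean

# Factor names follow the OWASP Risk Rating Methodology the slide references:
# eight likelihood factors and eight impact factors, each rated 0-9 by the tester.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness",
                      "intrusion_detection")
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity",
                  "loss_of_availability", "loss_of_accountability",
                  "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")

# OWASP overall severity matrix: outer key is the impact band, inner key the likelihood band.
SEVERITY = {
    "HIGH":   {"LOW": "Medium", "MEDIUM": "High",   "HIGH": "Critical"},
    "MEDIUM": {"LOW": "Low",    "MEDIUM": "Medium", "HIGH": "High"},
    "LOW":    {"LOW": "Note",   "MEDIUM": "Low",    "HIGH": "Medium"},
}

def band(score: float) -> str:
    """Map an averaged 0-9 score onto the OWASP LOW / MEDIUM / HIGH bands."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"

def average(ratings: dict, required: tuple) -> float:
    """Average the factor ratings, refusing incomplete or out-of-range input."""
    missing = [f for f in required if f not in ratings]
    if missing:
        raise ValueError(f"unrated factors: {missing}")
    bad = [f for f in required if not 0 <= ratings[f] <= 9]
    if bad:
        raise ValueError(f"ratings must be 0-9: {bad}")
    return mean(ratings[f] for f in required)

def rate(likelihood: dict, impact: dict) -> dict:
    """Return the three values the report template lists: likelihood, impact, overall risk."""
    l_score = average(likelihood, LIKELIHOOD_FACTORS)
    i_score = average(impact, IMPACT_FACTORS)
    l_band, i_band = band(l_score), band(i_score)
    return {"likelihood": (round(l_score, 2), l_band), "impact": (round(i_score, 2), i_band),
            "overall": SEVERITY[i_band][l_band]}

# Constructed sample ratings for an unauthenticated SQL injection in a customer-facing
# form (illustrative values, not findings from any real assessment).
SQLI_LIKELIHOOD = dict(skill_level=6, motive=9, opportunity=9, size=9, ease_of_discovery=7,
                       ease_of_exploit=9, awareness=9, intrusion_detection=8)
SQLI_IMPACT = dict(loss_of_confidentiality=9, loss_of_integrity=7, loss_of_availability=5,
                   loss_of_accountability=7, financial_damage=7, reputation_damage=5,
                   non_compliance=7, privacy_violation=7)
```

Calling `rate(SQLI_LIKELIHOOD, SQLI_IMPACT)` yields the likelihood, impact and overall rating the report template asks for per finding, and a missing or out-of-range factor rating is rejected rather than silently skewing the average.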
Remediation Suggestion
Remediation measures will be suggested for each vulnerability identified. The priority for remediation will be suggested based on the risk rating of the vulnerability.
Report Template
Brief summary of the Network
Brief description of the application, including its name, version, platform details and functionality.
Network Security Summary report
Brief description of the overall security status and the list of major security vulnerabilities
identified.
Vulnerability details for each identified vulnerability:
Vulnerability Classification and Name
Description of the vulnerability
Vulnerability details
Remediation Suggestions
Vulnerability Risk Rating (Likelihood, Impact, Overall Risk)
Security as a Service
http://www.imaginea.com
reachus@imaginea.com