Analysis of Web Application Penetration Testing
Presented by: Md. Yusuf Miah
Project Supervisor: Jesmin Akhter, Associate Professor, IIT, Jahangirnagar University
Overview
The primary objective of a web application penetration test is to identify exploitable vulnerabilities in applications before attackers discover and exploit them. Web application penetration testing reveals the real-world opportunities an attacker has to compromise an application in a way that allows unauthorized access to sensitive data, or even a full take-over of the system for malicious or non-business purposes.
What is a penetration test?
A penetration test is an authorized attack on a computer system, network or web application carried out to find the vulnerabilities an attacker could exploit, with the intention of identifying security weaknesses and, potentially, gaining access to the system, its functionality and its data.
Why do we need penetration testing?
Website penetration testing describes the technical process of attempting to gain access to IT resources without knowing usernames, passwords or other access routes; it covers testing of all these gateways to your precious data!
Vulnerabilities By Type & Year
Source: Common Vulnerabilities and Exposures (1999-2017)
[Bar chart: number of CVEs per vulnerability type, y-axis 0 to 30000. Categories: Denial of Service, Execute Code, Overflow, XSS, Directory Traversal, Bypass Something, Gain Information, Gain Privilege, SQL Injection, File Inclusion, Memory Corruption, CSRF, HTTP Response Splitting.]
Testing Phases
Passive Phase: information gathering, understanding the logic, observing normal behavior
Active Phase: targeted testing, applying methodologies
Top Web Application Vulnerability Scanners
Metasploit, Wireshark, w3af, Nmap, Kali Linux, BackTrack, BeEF, CORE Impact, Netsparker, Nessus, Burp Suite, Cain & Abel, Zed Attack Proxy (ZAP), Acunetix, John the Ripper, Retina, sqlmap, Canvas, Social-Engineer Toolkit, sqlninja
Information Gathering
Google Hacking: site:juniv.edu login | logon
Google Hacking: filetype:csv password
Reference: https://www.ethicalhacker.net/features/book-reviews/google-hacking-ten-simple-security-searches-that-work
OWASP Top 10 Vulnerabilities 2013
SQL Injection
• Fuzzing aimed at the database layer of an application
• Improper user input filtering is the root cause
• '1 or 1=1 is the classic test string
• Many variations exist; automated fuzzing is helpful
• Practice target: http://sqlzoo.net/hack/
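As an added example (not part of the original slides), the root cause named above shown in code: a login query built by string concatenation beside the same query with bound parameters, both run against a constructed in-memory SQLite users table. The classic test string, written as ' or '1'='1 so the injected quote closes cleanly, matches every row in the concatenated version and nothing in the parameterized one.

```python
import sqlite3

# Constructed sample data (assumption: a minimal users table, not from the slides).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The classic test string from the slide, in a form whose quote closes cleanly.
CLASSIC_TEST = "' or '1'='1"


def build_db():
    """Create an in-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Root cause from the slide: unfiltered input is concatenated into the SQL text.

    With password = CLASSIC_TEST the WHERE clause becomes
        username = 'x' AND password = '' or '1'='1'
    and the OR makes it true for every row.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Fix: bound parameters keep the input as data; the quote and OR are never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def compare(conn, username, password):
    """Return (vulnerable_result, parameterized_result) for the same input, side by side."""
    return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)


if __name__ == "__main__":
    db = build_db()
    print("valid credentials:", compare(db, "alice", "s3cret"))
    print("classic test string:", compare(db, "x", CLASSIC_TEST))
```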
Broken Authentication and Session Management
Man in the Middle Attack
ADVANTAGES OF PENETRATION TESTING
• Protect your company image and maintain customer loyalty
• Avoid fines while meeting regulatory requirements
• Avoid costly network downtime
• Justify your security spend
WAS THIS PROJECT BENEFICIAL TO YOUR STUDY OF APPLICATION SOFTWARE SECURITY?
Yes. The OWASP project was very beneficial to my study of Application Software Security. In specific, this project provided the ability to modify requests on the fly in order to escalate privileges and leverage numerous attacks.
This project was very beneficial because it provided hands-on experience. It was much easier to understand the topical information.
Not only was this beneficial, but it was the most useful thing that we have done.
Conclusion
• Keep server and third-party applications and libraries up-to-date.
• Do not trust user input.
• Review code & design and identify possible weaknesses.
• Monitor run-time activity to detect ongoing attacks/probes.
THANKS