
Page 1: Analysis of web application penetration testing

Analysis of Web Application Penetration Testing

Presented by Md. Yusuf Miah

Project Supervisor: Jesmin Akhter, Associate Professor, IIT, Jahangirnagar University

Page 2: Analysis of web application penetration testing

Overview

The primary objective of an analysis of a web application penetration test is to identify exploitable vulnerabilities in applications before attackers are able to discover and exploit them. Web application penetration testing reveals the real-world opportunities an attacker would have to compromise an application in a way that allows unauthorized access to sensitive data, or even takeover of the underlying systems for malicious or non-business purposes.

Page 3: Analysis of web application penetration testing

What is a penetration test?

A penetration test is an attack on a computer system, network or web application carried out to find vulnerabilities that an attacker could exploit, with the intention of finding security weaknesses and potentially gaining access to the system, its functionality and its data.

Page 4: Analysis of web application penetration testing

Why do we need penetration testing?

Website penetration testing describes the technical process of attempting to gain access to IT resources without knowing usernames, passwords or other access routes; it covers testing of all these gateways to your precious data.

Page 5: Analysis of web application penetration testing

Vulnerabilities By Type & Year

Source: Common Vulnerabilities and Exposures (1999-2017)

[Bar chart; the bar values below were extracted from the chart and are paired with the vulnerability types in the order they appear]

Denial of Service: 18119
Execute Code: 24863
Overflow: 12313
XSS: 10307
Directory Traversal: 3070
Bypass Something: 4632
Gain Information: 7260
Gain Privilege: 4230
SQL Injection: 6457
File Inclusion: 2148
Memory Corruption: 4008
CSRF: 1367
HTTP Response Splitting: 141

Page 6: Analysis of web application penetration testing

Testing Phases

Passive Phase
• Information gathering
• Understanding the logic
• Observing normal behavior

Active Phase
• Targeted testing
• Applying methodologies

Page 7: Analysis of web application penetration testing

Top Web Application Vulnerability Scanners

• Metasploit
• Wireshark
• w3af
• Nmap
• Kali Linux
• BackTrack
• BeEF
• CORE Impact
• Netsparker
• Nessus
• Burp Suite
• Cain & Abel
• Zed Attack Proxy (ZAP)
• Acunetix
• John the Ripper
• Retina
• sqlmap
• Canvas
• Social-Engineer Toolkit
• sqlninja

Page 8: Analysis of web application penetration testing


Information Gathering


Page 9: Analysis of web application penetration testing

Google Hacking

site:juniv.edu login | logon

Page 10: Analysis of web application penetration testing

Google Hacking

filetype:csv password

Reference: https://www.ethicalhacker.net/features/book-reviews/google-hacking-ten-simple-security-searches-that-work

Page 11: Analysis of web application penetration testing


OWASP Top 10 Vulnerabilities 2013


Page 12: Analysis of web application penetration testing

SQL Injection

• Fuzzing aimed at the database layer of an application
• Improper user input filtering is the root cause
• '1 or 1=1 is the classic test string
• Many variations; automated fuzzing is helpful
• Practice site: http://sqlzoo.net/hack/

Page 13: Analysis of web application penetration testing


Broken Authentication and Session Management


Page 14: Analysis of web application penetration testing


Man in the Middle Attack


Page 15: Analysis of web application penetration testing


Advantages of Penetration Testing

• Protect your company image and maintain customer loyalty
• Avoid fines while meeting regulatory requirements
• Avoid costly network downtime
• Justify your security spend

Page 16: Analysis of web application penetration testing


Was this project beneficial to your study of Application Software Security?

Yes. The OWASP project was very beneficial to my study of Application Software Security. Specifically, this project provided the ability to modify requests on the fly in order to escalate privileges and leverage numerous attacks.

This project was very beneficial because it provided hands-on experience. It was much easier to understand the topical information.

Not only was this beneficial, but it was the most useful thing that we have done.

Page 17: Analysis of web application penetration testing

Conclusion

• Keep server and third-party applications and libraries up to date.
• Do not trust user input.
• Review code and design and identify possible weaknesses.
• Monitor run-time activity to detect ongoing attacks/probes.
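The last point, monitoring run-time activity for probes, can be put into practice with a small log-scanning check. The following Python is an added example and is not part of the original slides: it parses a few constructed Apache-style access-log lines, URL-decodes each request path and flags probe patterns for three of the vulnerability types from the CVE chart earlier in the deck (SQL injection, directory traversal and XSS). The log lines, client addresses and the pattern set are assumptions made up for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines in Apache combined format (not taken from the slides).
# Line 2 carries the "' or 1=1" test string URL-encoded, line 3 a traversal, line 4 a script tag.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2017:13:55:36 +0600] "GET /login.php?user=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2017:13:55:40 +0600] "GET /login.php?user=%27%20or%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0"
203.0.113.7 - - [10/Oct/2017:13:55:41 +0600] "GET /download.php?file=../../etc/passwd HTTP/1.1" 403 210 "-" "curl/7.55"
203.0.113.9 - - [10/Oct/2017:13:56:02 +0600] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2017:13:56:10 +0600] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the check needs: client IP, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Probe signatures, checked against the *decoded* path so %27 / %3C encodings are not missed.
# The categories mirror three of the CVE chart's vulnerability types.
PROBE_PATTERNS = {
    "sql_injection": re.compile(r"'\s*or\s+\S+\s*=\s*\S+|union\s+select", re.I),
    "directory_traversal": re.compile(r"\.\./|\.\.\\"),
    "xss": re.compile(r"<script|javascript:", re.I),
}


def classify_request(path):
    """Decode the request path and return the first probe category it matches, or None."""
    decoded = unquote_plus(path)
    for name, pattern in PROBE_PATTERNS.items():
        if pattern.search(decoded):
            return name
    return None


def detect_probes(log_text):
    """Return (client_ip, category, decoded_path) for every request that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these separately
        category = classify_request(match.group("path"))
        if category:
            hits.append((match.group("ip"), category, unquote_plus(match.group("path"))))
    return hits


if __name__ == "__main__":
    for ip, category, path in detect_probes(SAMPLE_LOG):
        print(f"{ip:<14} {category:<20} {path}")
```

Keyword matching like this is a cheap first filter, not a web application firewall: decode before matching (the encoded quote in the sample log would otherwise be missed), expect false positives on legitimate input that happens to contain "or", and treat a hit as a trigger to review that client's other requests rather than as a verdict on its own.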

Page 18: Analysis of web application penetration testing


THANKS