PenTesting (for fun & profit)

Dpc june-2014 pentesting-for-fun-and-profit


Page 1: Dpc june-2014 pentesting-for-fun-and-profit

PenTesting (for fun & profit)

Page 2

Clinton Ingrams

Dutch PHP Conference 2014

https://joind.in/10948

Page 3

Working at ...

Cyber Security Centre, De Montfort University

Teaching …

MSc Cyber Security, Forensic Practitioners (plus lots of Secure Web App Development, PHP, etc)

Page 4

Web Application Pen Testing

(Ethical Hacking)

(HTTP -> UFBP)

Page 5

Questions to be answered:

Why?
What?
How?
When?
Who?
With?
How much?

(and don't forget rule 1)

Page 6

Context

Page 7

Application Security is:

Boring
Tedious
Unnecessary
Client-losing
Expensive
...

Page 8

Need to know more vulnerabilities than the OWASP Top 10

Page 9

UK MoD VAs

Vulnerability Assessment levels:

Scanning
Automated probes
Penetration Test
Physical Test

Page 10

Rule 1

Always make sure you have a signed scoping document

Page 11

What is a hacker?

Hacker ... is a term used in computing that can describe several types of persons:

– Hacker (computer security), someone who seeks and exploits weaknesses in a computer system or computer network
– Hacker (hobbyist), who makes innovative customizations or combinations of retail electronic and computer equipment
– Hacker (programmer subculture), who combines excellence, playfulness, cleverness and exploration in performed activities

(http://en.wikipedia.org/wiki/Hacker)

Page 12

Why:-

From NIST SP800-53A:

– To “enhance the organisation’s understanding of the system”
– To “uncover weaknesses or deficiencies in the system”
– To “indicate the level of effort required on the part of adversaries to breach the system safeguards”

● Read ZF05
  https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/

Page 13

When:-

“Why is there never time to consider security before an app goes live, but plenty of time and money after the first hack”

(Thought: when to pentest if following Agile techniques???)

Page 14

How:- Methodologies

Frameworks:

– National Institute of Standards and Technology
  ● NIST SPECIAL REPORT 800-115
– Open Web Application Security Project
  ● OWASP
– SANS
  ● Securing Web Applications Technologies
– Open Source Security Testing Methodology Manual
  ● OSSTMM
– Ad hoc

Page 15

NIST

Page 16

OWASP

The following sections describe the 12 subcategories of the Web Application Penetration Testing Methodology:

4.1 Introduction and Objectives
4.2 Information Gathering
4.3 Configuration and Deployment Management Testing
4.4 Identity Management Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Error Handling
4.10 Cryptography
4.11 Business Logic Testing
4.12 Client Side Testing

Page 17

Ad-hoc

Page 18

Who:-

● Large organisations (UK) may be required to employ a cyber/digital security specialist
  – cf health & safety specialists
● However, every web development company should (probably) have such a cyber security “specialist”
  – qualified
  – experienced

Page 19

How much:-

“All the market will bear ...”

(Poul Anderson)

Page 20

With:-

● Samurai Web Testing Framework
  – http://samurai.inguardians.com/
  (other tool kits are available …)
● Containing toolkits
  – Eg BurpSuite, ZAP, w3af, etc
● Deliberately vulnerable web applications
  – Mutillidae, DVWA, Badstore, Flowershop, …
  (victim machines)

Page 21

Planning:-

● Remember Rule 1?
● Safety Clause
● Profiling
● Risk Assessment

Page 22

Profiling

● Google
● Whois
● DNS
● Social Engineering
● Dumpster diving

Page 23

samurai

Page 24

zenmap

Page 25

dvwa

Page 26

Page 27

zap

Page 28

Demo:-

● (Ze)nmap
● Wireshark
● ZAP
● Burpsuite
● w3af

Page 29

Books

● The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy
  – Patrick Engebretson
● Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques
  – Thomas Wilhelm & Jason Andress
● Seven Deadliest Web Application Attacks (Seven Deadliest Attacks)
  – Mike Shema

Page 30

References

● https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/

● https://cyberarms.wordpress.com/2010/06/12/tiger-team-penetration-testing-on-tv/

● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

● http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

● https://www.owasp.org/index.php/Web_Application_Penetration_Testing

● http://www.isecom.org/

● http://samurai.inguardians.com/

● https://www.youtube.com/watch?v=6gH4A49sPdc

● http://armoredcode.com/images/keep-calm-and-write-safe-code-small.png

Page 31

Thanks for staying to the end...

@cfing99

[email protected]

a bar …

(https://joind.in/10948)

Page 32

Any Questions?