23 penetration testing.pptx
DESCRIPTION
Part of the Web Application Security Course
TRANSCRIPT
![Page 1: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/1.jpg)
Vulnerability Scanning and Penetration Testing
Automated security testing
![Page 2: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/2.jpg)
Security Testing can be static or dynamic
Static tools
o Scan source code
o Before deployment
o Find potential holes from a list of known vectors
o Called static code analysis
o Negative testing
Dynamic tools
o Scan site
o After deployment
o Find actual holes from previously unknown vectors
o Called security scanning
o Positive testing
![Page 3: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/3.jpg)
There are many penetration testers
o Burp Suite
o Metasploit
o OWASP ZAP
o WebScarab
o Paros
o W3af
o Peach Fuzzer
o Nikto
o Wapiti
o CANVAS
o CORE Impact
o White Phosphorus
o Agora
o VulnDisco
o Nessus
![Page 4: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/4.jpg)
How we protect ourselves
o Choose good scanning tools
o Run a vulnerability scan
o Run a penetration test
o Fix the holes found
![Page 5: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/5.jpg)
Let’s look at what they do and how they work.
![Page 6: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/6.jpg)
Nikto is a good vulnerability scanner
![Page 7: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/7.jpg)
Many of these tools run as a proxy.
1. Run the pen tester
2. Open your browser
3. Set the browser's proxy to point at the tool
4. Browse to a site you want to test.
![Page 8: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/8.jpg)
You can spider a site
o Allows the tool to auto-discover all pages so it can run scans on any or all.
![Page 9: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/9.jpg)
You can examine and edit requests
![Page 10: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/10.jpg)
You can examine responses
![Page 11: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/11.jpg)
You can intercept requests
![Page 12: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/12.jpg)
You can crawl an entire site.
![Page 13: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/13.jpg)
You can run an automated scan.
o Tell it which pages and it surfs to those pages.
![Page 14: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/14.jpg)
You can fuzz a site
Fuzzing means running the site and submitting all kinds of nonsense into its input fields to see how it reacts.
![Page 15: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/15.jpg)
You can record and re-play sessions
![Page 16: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/16.jpg)
Intercepting Proxy
![Page 17: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/17.jpg)
ZAP has an active and a passive scanner
o Passive mode only inspects the traffic you generate and sends no attack requests of its own, so it can be used against any site.
o Active mode sends attack requests and should only be used against sites you own (or have permission to test).
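As an added example (not from the slides or from ZAP itself), here is a miniature passive scanner in the spirit of ZAP's passive mode: it only looks at responses already captured through the proxy and never sends a request, so the checks are safe to run on any traffic. The sample captures and the rule set are constructed for illustration.

```python
# Added example: a tiny "passive scan" over responses captured by a proxy.
# Nothing here sends traffic; it only inspects what the browser already fetched.
from dataclasses import dataclass, field

@dataclass
class CapturedResponse:
    url: str
    status: int
    headers: dict              # lower-cased header name -> value
    set_cookies: list = field(default_factory=list)  # raw Set-Cookie values

# Constructed rule set modelled on common passive-scan checks (not ZAP's own).
REQUIRED_HEADERS = {
    "content-security-policy": "Missing Content-Security-Policy header",
    "x-content-type-options": "Missing X-Content-Type-Options header",
    "strict-transport-security": "Missing Strict-Transport-Security header",
}

def check_cookie(set_cookie: str) -> list:
    """Flag session-style cookies that lack the Secure or HttpOnly attribute."""
    parts = [p.strip().lower() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = set(parts[1:])
    findings = []
    if "secure" not in attrs:
        findings.append(f"Cookie {name} set without Secure flag")
    if "httponly" not in attrs:
        findings.append(f"Cookie {name} set without HttpOnly flag")
    return findings

def passive_scan(resp: CapturedResponse) -> list:
    """Return a list of finding strings for one captured response."""
    findings = []
    for header, message in REQUIRED_HEADERS.items():
        # HSTS is only meaningful on HTTPS responses, so skip it for plain HTTP.
        if header == "strict-transport-security" and not resp.url.startswith("https://"):
            continue
        if header not in resp.headers:
            findings.append(message)
    server = resp.headers.get("server", "")
    if any(ch.isdigit() for ch in server):   # e.g. "Apache/2.4.41" leaks a version
        findings.append(f"Server header leaks version: {server}")
    for cookie in resp.set_cookies:
        findings.extend(check_cookie(cookie))
    return findings

# Constructed sample captures: one weak response and one well-configured one.
SAMPLE_CAPTURES = [
    CapturedResponse("https://example.test/login", 200,
                     {"server": "Apache/2.4.41", "content-type": "text/html"},
                     ["sessionid=abc123; Path=/"]),
    CapturedResponse("https://example.test/api/ok", 200,
                     {"server": "nginx", "content-security-policy": "default-src 'self'",
                      "x-content-type-options": "nosniff",
                      "strict-transport-security": "max-age=31536000"},
                     ["csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict"]),
]

def scan_all(captures=SAMPLE_CAPTURES) -> dict:
    """Map each captured URL to its passive findings (empty list means clean)."""
    return {c.url: passive_scan(c) for c in captures}
```

Active scanning would go further by sending crafted requests of its own, which is exactly why the slides restrict it to sites you have permission to test.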
![Page 18: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/18.jpg)
Spider
![Page 19: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/19.jpg)
Brute
o Based on OWASP
![Page 20: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/20.jpg)
Fuzz testing
o Uses fuzzdb and JBroFuzz
![Page 21: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/21.jpg)
Session comparison
o Allows you to
![Page 22: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/22.jpg)
Synchronizer tokens
![Page 23: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/23.jpg)
How to run a test
o Point your browser's proxy at ZAP
o Surf the application manually
o Let ZAP crawl the site with its spider
o Examine the problems found in passive mode
o Turn on active scanning
![Page 24: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/24.jpg)
Summary
o Protecting sites shouldn’t be left to common sense alone.
o Static tools scan the source code.
o Dynamic tools scan the deployed site.
o Penetration tests allow you to …
• Run as a proxy
• Spider a site
• Run automated scans
• Fuzz test
• Get reports of the vulnerabilities
![Page 25: 23 penetration testing.pptx](https://reader034.vdocument.in/reader034/viewer/2022042713/547b62cc5906b56d798b45f0/html5/thumbnails/25.jpg)
Further study
o Fuzz testing tools:
• http://bit.ly/FuzzTestingTools
o Pen testing vs. vulnerability scanning:
• http://www.tns.com/PenTestvsVScan.asp
o Burp Suite Repeater and Intruder tutorial:
• http://bit.ly/BurpRepeaterTutorial