
应用安全渗透测试指南

Cnlouds
Published 2014/05/04 19:31

Introduction

This document will guide you through penetrating web applications step by step. We have followed OWASP (Open Web Application Security Project) and OSSTM (Open Source Security Testing Methodologies) to construct this article.

Objective

The objective of this article is to help security analysts, penetration testers, developers and ethical hackers follow a step-by-step penetration testing process: discover a vulnerability, exploit it, and mitigate it.

Web Application Penetration Testing

A penetration test emulates the harm a malicious attacker could do while penetrating the application. It is a test of the people, systems and processes that are in place to detect, prevent and respond to these kinds of attacks.

A Web Application Penetration Test includes the vulnerabilities that are discovered using the information gathering process, with the exploitation (if applicable), and the level of access and success the penetration tester was able to achieve.

Below are the steps of the penetration testing process:

  • Discover vulnerable systems using automated and manual vulnerability discovery.

  • Conduct real world attack simulation.

  • Mitigate threats and secure the platform.

Web Application Vulnerability Assessment

The Web Application Vulnerability Assessment does not include the exploitation phase. It contains the list of vulnerabilities, including the severity and the impact of the vulnerability on the application, along with the recommendations to resolve the same.

Web Application Audit

A Web Application Audit is a more in-depth view at the environment and processes, such as the backend server, database, secure code review, session management, authorization, and DMZ configuration.

It contains all the aspects of web application penetration testing and vulnerability assessment, including the four phases below.

  • Source Audit

  • Data Audit

  • Architecture Audit

  • Performance Audit

Please refer to the diagram above for the classification of the four phases.

Steps to start with the Test

To start with the Web Application Audit, we need to follow the steps below:

  • Scoping of the Application

  • Checking for static and dynamic pages

  • Documenting the number of logins and the roles of the users

  • Information Gathering

  • Threat Profiling

      • Make a list of all possible threats.

  • Comprehensive tests according to the created threat profile

  • Report

      • Report Creation

      • Internal Verification

      • Report Submission

The testing will be conducted in two phases.

  • Automated Test

      • Using commercial tools available on the internet, e.g. Acunetix WVS, Netsparker.

  • Manual Test

      • Using manual testing tools like Burp Suite and OWASP ZAP Proxy

      • Burp Suite: Intruder, Repeater, Sequencer and Spider are used in the manual test.

Approach to the Web Application Penetration Test

  • Passive Approach

      • Understand the logic of the application

      • Information Gathering

      • Understand all the access points of the application

  • Active Approach

      • Configuration Management Testing

          • SSL/TLS Testing

          • Testing for file extensions

          • Old, backup and unreferenced files

          • Testing for HTTP methods

      • Business Logic Testing

          • Testing for the business logic of the application

          • Testing for XSS

          • Testing for SQLi

      • Authentication Testing

          • Credentials transported over an encrypted channel: check for SSL (https)

          • Testing for guessable user accounts

          • Brute force testing

          • Testing for bypassing the authentication schema

          • Testing for vulnerable remember-password and password-reset functions

          • Testing for logout and browser cache management

          • Testing for CAPTCHA

          • Testing multiple-factor authentication

      • Authorization Testing

          • Testing for bypassing the authorization schema

          • Testing for privilege escalation

      • Session Management Testing

          • Testing for the session management schema

          • Testing for cookie attributes: HttpOnly, Secure and time validity

          • Testing for session fixation

          • Testing for CSRF
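The session-management and configuration checks above (cookie attributes, HTTPS enforcement, HTTP methods, server fingerprint) can be run mechanically over every response captured in the proxy. The script below is an added example, not code from the original article or from any tool it names: it parses one raw HTTP response and reports the weak settings a tester would write up. The response text is constructed for the example, and the 24-hour cookie lifetime threshold is an assumption, not a standard.

```python
"""Audit a captured HTTP response for the session-management and transport
checks listed above: cookie attributes (HttpOnly, Secure, SameSite, lifetime),
HTTPS enforcement via HSTS, risky HTTP methods advertised in Allow, and
version disclosure in the Server header.
Added example, not code from the original article; SAMPLE_RESPONSE is constructed."""

RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT"}
MAX_COOKIE_AGE = 24 * 3600  # assumption: a cookie living longer than a day is reported

# Constructed sample: the session cookie lacks every protective attribute,
# TRACE/PUT/DELETE are advertised, the Server banner carries a version and
# there is no Strict-Transport-Security header.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600\r\n"
    "Allow: GET, POST, PUT, DELETE, TRACE, OPTIONS\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into its status line and a list of
    (lowercased-name, value) header pairs; the body is ignored."""
    head, _sep, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def cookie_findings(set_cookie):
    """Return the findings for one Set-Cookie header value."""
    name_value, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    attrs = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly (readable by script, so XSS can steal it)")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure (may be sent over plain HTTP)")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: missing SameSite (no cookie-level CSRF protection)")
    if attrs.get("max-age", "").isdigit():
        if int(attrs["max-age"]) > MAX_COOKIE_AGE:
            findings.append(f"cookie {name}: Max-Age {attrs['max-age']}s exceeds {MAX_COOKIE_AGE}s")
    elif "expires" not in attrs:
        findings.append(f"cookie {name}: no expiry set; verify a server-side session timeout exists")
    return findings


def audit_response(raw):
    """Run all checks over one response and return the list of findings."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(cookie_findings(value))
        elif name == "allow":
            advertised = {m.strip().upper() for m in value.split(",")}
            risky = sorted(RISKY_METHODS & advertised)
            if risky:
                findings.append("risky HTTP methods advertised: " + ", ".join(risky))
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append(f"Server header discloses a version: {value}")
    if "strict-transport-security" not in present:
        findings.append("no Strict-Transport-Security header; HTTPS is not enforced by HSTS")
    return findings


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("-", finding)
```

Each finding maps directly onto a report line: the JSESSIONID cookie produces four (no HttpOnly, no Secure, no SameSite, no expiry), the Allow header one, the Server banner one and the missing HSTS header one. A cookie that carries every attribute, like the `pref` cookie in the sample, produces none, which is the state the remediation should reach.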

The Scoping of the Application

Once the penetration tester has the URL/IP address of the application, he will start working on the scoping of the application. It generally includes the following things.

  • Gathering client requirements

  • Preparing a test plan

  • Profiling test boundaries

  • Defining business objectives

  • Nature and behavior of the application

  • Describe each factor that builds a practical roadmap towards test execution

  • Test constraints

  • Types of testing

      • White Box

          • Provided with complete knowledge of the application/server and database, along with the business logic of the application

      • Gray Box

          • Provided with partial knowledge of the application/server

          • Privilege escalation may come under this

      • Black Box

          • Zero-knowledge approach

          • The only thing provided to the penetration tester is the IP address/URL of the application

          • Needs extraordinary skills to exploit

  • Project management and scheduling

  • Limitations

  • Need of additional information

Check for the static and dynamic pages

  • Static page: a page created with HTML that remains the same all the time.

  • Dynamic page: a functional page that is generally connected to a database; for example, a login page.

Documenting number of logins and role of the users

Once the penetration tester has an idea about the scope and the static and dynamic pages, he moves on to analyze the number of logins and the types of users that can log in to the particular application. If he is already provided with the list of usernames and passwords, it is a case of white box testing; if not, it comes under black box testing.

Information Gathering

In this phase, a penetration tester collects as much information as he can about the target.

Below is the checklist for information gathering.

  • Spider, Robots and Crawlers

  • Search Engine Discovery

  • Testing Web Application Fingerprint

  • Application Discovery

  • Analysis of Error Codes

Real-time example:

Let us assume I am working on a penetration testing project. My boss came to me and handed me a piece of paper, saying: "I have spoken to the CIO of the client and we have to start the penetration testing for the company Nous Infosystems. The legal department will be sending you all the documents and the confirmation of the authorization." It's a company you've never heard of before.

What now?

The information gathering starts from right here.

Threat Profiling

To ensure comprehensive testing, it is a very good idea to start with a Threat Profile. A threat is simply the goal of your target. A Threat Profile is a comprehensive list of the threats that are relevant to that application.

These are expressed in terms of security threats.

List out all the possible threats that may harm the web application according to the business logic of the application.

A module-based threat profile should be created for the comprehensive penetration test.

For example:

  • Threat profile for public module

  • Threat profile for login module

  • Threat profile for password change module

  • Threat profile for logout module

  • Threat profile for business rule escalation module

Tests according to the threat profile

The threat profile is the key weapon of any attacker. Following the threat profile step by step can lead to the discovery of very high and critical vulnerabilities.

Exploitation

Exploitation is the process of gaining control over a system.

End Goal: administrative-level access to the target.

During the penetration testing process, if a pen tester discovers a critical vulnerability that has a public exploit or that can be exploited using his own scripts/code, he can use the Metasploit Framework to exploit the target or to develop his own exploit.

Prerequisite:

  • Scanning of the target.

  • Vulnerabilities found in the scanning phase.

Steps involved:

  • Check for the service/version running on the particular port.

  • Search the vulnerability in the service/version.

  • Exploit the target using tools like Metasploit.

Covering tracks and maintaining access:

Once exploitation has been done successfully, there are two ways to maintain the access.

  • Using Backdoors

  • Using Rootkits

  • For example: Netcat, NetBus

Covering the Tracks

  • Destroying the evidence of presence and activities.

  • Log files contain information about every activity that has been done on a computer, so it is very important to remove these log files. There are different ways to remove log files on Windows, Linux and Mac.

Reporting

A penetration testing report should contain:

  • An executive summary.

  • Detailed description of the vulnerabilities.

  • Raw output.

Below is the elaborated structure of a penetration testing report.

  • Executive Summary

  • Scope

  • Overall Assessment

  • Key Vulnerabilities Discovered

  • Graphical representation of OWASP Top 10

  • Key Findings and Action Items

  • Observations

  • Recommended Action Plan

  • Interpretation of Ratings

  • Threat Profile

  • Tools used (Optional)

  • Result of test cases

  • Guidelines for Developers
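The module-based threat profile described earlier and the report sections listed above fit together: every finding is the result of a test case that belonged to one module of the profile, and the report's Overall Assessment, Key Vulnerabilities, Interpretation of Ratings and OWASP Top 10 chart are all derived from the same list of findings. The script below is an added example, not code or a template from the original article: it models findings with a constructed threat profile, CVSS-style rating bands that are an assumption of the example, and OWASP Top 10 category names from the 2013 edition that was current when the article was written.

```python
"""Turn raw test results into the report sections listed above: the
interpretation of ratings, the key vulnerabilities, the OWASP Top 10
distribution and the per-module view that ties each finding back to the
threat profile. Added example, not from the original article; the findings,
threat profile and rating bands are constructed."""
from collections import Counter
from dataclasses import dataclass


def rate(score):
    """Interpretation of ratings: map a CVSS-style 0-10 score to a label.
    The bands are an assumption for this example, not the article's scale."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


@dataclass
class Finding:
    module: str   # threat-profile module the test case belonged to
    title: str
    owasp: str    # OWASP Top 10 (2013) category
    score: float

    def rating(self):
        return rate(self.score)


# Constructed module-based threat profile, in the shape the article describes.
THREAT_PROFILE = {
    "public": ["Cross-site scripting", "Information disclosure"],
    "login": ["SQL injection", "Brute force", "Credentials sent over HTTP"],
    "password change": ["CSRF", "Old password not required"],
    "logout": ["Session not invalidated on logout"],
    "business rule escalation": ["Privilege escalation between roles"],
}

# Constructed findings, as a tester might record them after running the test cases.
FINDINGS = [
    Finding("login", "SQL injection in the username field", "A1 Injection", 9.8),
    Finding("login", "No lockout after repeated failed logins",
            "A2 Broken Authentication and Session Management", 7.5),
    Finding("public", "Reflected XSS in the search parameter", "A3 Cross-Site Scripting (XSS)", 6.1),
    Finding("password change", "Password change form has no CSRF token",
            "A8 Cross-Site Request Forgery (CSRF)", 6.5),
    Finding("public", "Server version disclosed in response headers", "A5 Security Misconfiguration", 2.0),
]

ORDER = ["Critical", "High", "Medium", "Low", "Info"]  # most to least severe


def key_vulnerabilities(findings, minimum="High"):
    """Findings at or above the given rating, most severe first."""
    cutoff = ORDER.index(minimum)
    selected = [f for f in findings if ORDER.index(f.rating()) <= cutoff]
    return sorted(selected, key=lambda f: f.score, reverse=True)


def owasp_distribution(findings):
    """Counts per OWASP category: the data behind the report's chart."""
    return dict(Counter(f.owasp for f in findings))


def module_summary(findings, profile):
    """Highest rating per threat-profile module; modules with no findings are
    reported as 'None' so the result of every tested module is recorded."""
    summary = {module: "None" for module in profile}
    for f in findings:
        current = summary.get(f.module, "None")
        if current == "None" or ORDER.index(f.rating()) < ORDER.index(current):
            summary[f.module] = f.rating()
    return summary


def build_report(findings, profile):
    """Assemble the machine-readable core of the report sections."""
    ratings = [f.rating() for f in findings]
    overall = min(ratings, key=ORDER.index) if ratings else "None"
    return {
        "overall_assessment": overall,
        "key_vulnerabilities": [(f.title, f.rating()) for f in key_vulnerabilities(findings)],
        "owasp_distribution": owasp_distribution(findings),
        "module_summary": module_summary(findings, profile),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(FINDINGS, THREAT_PROFILE), indent=2))
```

Keeping the threat profile as the index of the report is what makes the "Result of test cases" section honest: a module such as `logout` that produced no findings still appears, with an explicit "None", so the reader can distinguish "tested and clean" from "never tested".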

Conclusion

A successful web application penetration test can be executed by following OWASP and OSSTM. Both are open source security testing methodologies. By reading this article you should have a good idea of how a web application penetration test actually works. This article does not cover the entire WAPT process; rather, it can be used as a reference document. For the most common and top vulnerabilities, refer to:

  • OWASP TOP 10

  • SANS TOP 25

  • OSSTM (Open Source Security Testing Methodology)

References

By Abhishek Dashora | April 24th, 2014

This article is reposted from: http://resources.infosecinstitute.com/step-step-guide-application-security-penetration-testing/
