Penetration TestingRoman Denisenko,20 February 2013
Agenda• Theoretical part:   –   What is Security Testing? Classification.   –   When? Who? For what purposes?   –   Workfl...
Security testing(by final goal): •   Vulnerability Assessment. •   Penetration testing. •   Code Review. •   Vulnerability...
Security testing(by impact level): • Application level. • Network level. • Physical level.
When should we perform ST?1. Within development cycle.2. As additional service after deployment.
Who should perform?1. Ordinary testers.2. Specialist of Security expertise.3. Developers.
Algorithm of penetration testing:• Information gathering.• Mapping.• Vulnerability Assessment.  • Automation testing.  • M...
Information gathering.www.target.es
Mapping.
Run automation vulnerability scanners.
Manual testing.
Creation of report.
Common vulnerabilities.
SQL injection
SQL injection
Stored XSS
Stored XSS
Privilege escalation.
Insecure Direct Object References.
CSRF.
CSRF.
Necessary toolkit.• Gathering tools.    – nmap.    – nikto• Automation vulnerabilities scanners.    –   Acunetix    –   Ne...
Penetration testing of the test site...
Contacts:: Roman.Denisenko@dataart.com: roman__denisenko
Security testing. VRN. 20.02.2013
Security testing. VRN. 20.02.2013
Upcoming SlideShare
Loading in …5
×

Security testing. VRN. 20.02.2013

365 views
225 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
365
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
8
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Security testing. VRN. 20.02.2013

  1. 1. Penetration TestingRoman Denisenko,20 February 2013
  2. 2. Agenda• Theoretical part: – What is Security Testing? Classification. – When? Who? For what purposes? – Workflow of penetration testing of web application. – Common vulnerabilities.• Toolkit of penetration testers: – Review and classification of necessary tools.• Practical part.
  3. 3. Security testing(by final goal): • Vulnerability Assessment. • Penetration testing. • Code Review. • Vulnerability Scan. • Security review.
  4. 4. Security testing(by impact level): • Application level. • Network level. • Physical level.
  5. 5. When should we perform ST?1. Within development cycle.2. As additional service after deployment.
  6. 6. Who should perform?1. Ordinary testers.2. Specialist of Security expertise.3. Developers.
  7. 7. Algorithm of penetration testing:• Information gathering.• Mapping.• Vulnerability Assessment. • Automation testing. • Manual testing.• Creation of report.
  8. 8. Information gathering.www.target.es
  9. 9. Mapping.
  10. 10. Run automation vulnerability scanners.
  11. 11. Manual testing.
  12. 12. Creation of report.
  13. 13. Common vulnerabilities.
  14. 14. SQL injection
  15. 15. SQL injection
  16. 16. Stored XSS
  17. 17. Stored XSS
  18. 18. Privilege escalation.
  19. 19. Insecure Direct Object References.
  20. 20. CSRF.
  21. 21. CSRF.
  22. 22. Necessary toolkit.• Gathering tools. – nmap. – nikto• Automation vulnerabilities scanners. – Acunetix – Nexuss – WebInspect – w3af• Sniffing tools. – Wireshark – Fiddler.• Manual testing tools. – BurpSuite – Sqlmap
  23. 23. Penetration testing of the test site...
  24. 24. Contacts:: Roman.Denisenko@dataart.com: roman__denisenko

×