
Experience Sharing on School Pentest Project

By Mr. Eric Fan & Mr. Chris Chan
UDomain

Published in: Education

  1. Experience Sharing on School Pentest Project. Eric Fan & Chris Chan, UDomain
  2. Agenda
     • Our objective & how we did it
     • Our findings & suggestions
     • Demonstration
     • About UDomain
     • Q & A
  3. Our Objective: as an independent consultant, provide a series of vulnerability scans, penetration tests and reviews of the website security of ten K12 schools, identifying potential areas for further improvement to protect the schools' sensitive data and goodwill.
  4. What we do
     • Step 1, Automated Scan: configure and execute the automated scan, followed by test plan development. Risk assessment takes place during the test plan development.
     • Step 2, Manual Review: verify the scan result, eliminate false positives and then execute manual business logic tests. An application walkthrough and threat analysis are also conducted during this stage.
     • Step 3, Debriefing Meeting: report and analysis of the automated scan and manual review results, with recommendations.
  5. Penetration Test Methodologies: seven phases to perform testing
     • Information Gathering
     • Threat Modeling
     • Vulnerability Analysis
     • Exploitation
     • Post Exploitation
     • Reporting
     • Rescan Support
     References: OWASP Top 10, The Penetration Testing Execution Standard, Common Vulnerability Scoring System (CVSS)
  6. Main Testing Tools: OWASP ZAP, Nikto, Dirsearch (*more testing tools may be used depending on the scope of work)
  7. Tester Qualification: Certified Ethical Hacker, Offensive Security Certified Expert, GIAC Web Application Penetration Tester, Certified Information Systems Security Professional, Offensive Security Certified Professional
  9. 9. Critical 8% High 16% Medium 35% Low 41% 1,700+ Vulnerabilities Vulnerability
  10. 10. Overall Findings 0 100 200 300 400 500 600 700 A B C D E F G H J K No.ofVulnerability School Low Medium High Critical
  11. 11. Critical Vulnerabilities 16 Password in plaintext 65 XSS 105 SQL Injection 13 sslv2 &v3
  12. 12. Top Security Impact Vulnerabilities We found plain text database login credential in the back up file that may lead to unauthorize login. Back Up File Impact Allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. SQL Injection These outdated software or operation systems cannot no longer update to the latest patch that is vulnerable to exploit Unsupported Software / OS Version Allows anyone who can read the file access to the password- protected resource. Password In Plaintext
  13. 13. SQL Injection 9* Vendor Solutions 12 School’s Own Applications 7 Unsupported Operation Systems * Same SQL Injection vulnerability appears in all 8 school from one vendor solution. * 5 Schools using on premises/3 Schools on Cloud
  14. 14. SSL Cert Website with SSL Cert 21% Website without SSL Cert 79%
  15. 15. Our Suggestions Reliable Vendor Solutions Software and application vendors should offer OS or patch update for use to fix their software and application vulnerabilities. Regular Scanning Yearly or half-year vulnerability scanning and penetration test is recommended Regular Patch Operation Systems Regular review and update the hardware and application operation systems to the latest patch, in order to avoid vulnerable malware and exploits. More info: Information Security in Schools - Recommended Practice (Jan 2019) https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
  16. Demonstrations
  17. Live Demo: SQL Injection
  18. Types of SQL Injection
     • UNION (e.g. join another result set into the current result)
     • Time-based (e.g. wait 5 seconds if the condition is true)
     • Error-based (e.g. display an error page when the condition is false)
     • Boolean-based (e.g. print 1 if the condition is true)
  19. What is CloudFlare
     • A commercial content delivery network with integrated distributed denial of service (DDoS) defence
     • Web Application Firewall with signature-based rules, e.g. "Union ALL select …" and "DATABASE()"
  20. Is it Enough?
     • AND 3732=IF(ORD(MID(IFNULL(CAST(DATABASE () AS CHAR),0x20)),1,1))<60 : shows the result if the ASCII code of the 1st character of the current database name is smaller than 11
     • If false: AND 3732=IF(ORD(MID(IFNULL(CAST(DATABASE () AS CHAR),0x20)),1,1))>60 : shows the result if the ASCII code of the 1st character of the current database name is greater than 60
     • 3732=IF(ORD(MID(IFNULL(CAST(DATABASE () AS CHAR),0x20)),1,1))>90 : shows the result if the ASCII code of the 1st character of the current database name is greater than 90
  21. Example
     • Database name: udcms
     • The 1st character of udcms is u; ord() result: 75
     • If 75<60? No
     • If 75>60? Yes
     • If 75<90? Yes
     • If 75<75? No
     • If 75>75? No
     • If 75=75? Yes
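As an added illustration of slides 18 to 20 (not code from the presentation or from UDomain), the following Python/sqlite3 snippet puts a vulnerable string-concatenated lookup beside a parameterized one and an input-validated one, together with a naive signature filter built from the two rule strings quoted on slide 19. The news table, the ids, the two probes and the signature list are all constructed for the demo. Neither probe contains a signature, so the filter passes both; only the concatenated query answers a true and a false condition differently, which is the boolean oracle the slide 20 payloads rely on. Parameter binding removes that oracle regardless of what the firewall does.

```python
import sqlite3

# Constructed sample data for an offline demo: a tiny "school news" table
# standing in for a school CMS. Not the schools' or UDomain's code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "Sports day"), (2, "Open day")])
    return conn

# Naive signature filter built from the two rule strings quoted on slide 19.
# Constructed for the demo; it is not CloudFlare's real rule set.
SIGNATURES = ("union all select", "database()")

def waf_blocks(news_id):
    """True if the request value matches one of the WAF signatures."""
    lowered = news_id.lower()
    return any(sig in lowered for sig in SIGNATURES)

def get_news_vulnerable(conn, news_id):
    """Vulnerable pattern: the request value is pasted into the SQL text,
    so an appended condition such as 'AND 1=2' becomes part of the query."""
    sql = "SELECT title FROM news WHERE id = " + news_id
    return [row[0] for row in conn.execute(sql)]

def get_news_safe(conn, news_id):
    """Hardened: parameter binding. The request value is compared against
    id as a value; it can never extend the SQL syntax."""
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (news_id,))
    return [row[0] for row in rows]

def get_news_validated(conn, news_id):
    """Defence in depth: reject anything that is not a plain integer before
    it reaches the database at all."""
    if not news_id.isdigit():
        raise ValueError("news id must be a positive integer")
    return get_news_safe(conn, int(news_id))

def boolean_oracle_visible(fetch, conn):
    """True if the endpoint answers a true and a false condition differently,
    i.e. it behaves as the boolean oracle that slide 20's payloads rely on.
    Neither probe contains a WAF signature, so the filter passes both."""
    probes = ("1 AND 1=1", "1 AND 1=2")
    responses = []
    for probe in probes:
        if waf_blocks(probe):
            responses.append("blocked")
            continue
        try:
            responses.append(fetch(conn, probe))
        except ValueError:
            responses.append("rejected")
    return responses[0] != responses[1]

if __name__ == "__main__":
    conn = make_db()
    for name, fetch in (("concatenated", get_news_vulnerable),
                        ("parameterized", get_news_safe),
                        ("validated", get_news_validated)):
        print(f"{name:>13}: oracle visible = {boolean_oracle_visible(fetch, conn)}")
```

Running the script reports the oracle as visible only for the concatenated lookup; the parameterized lookup returns no rows for either probe, and the validated lookup rejects both before any query runs. The signature check is kept deliberately small to make the point of slide 20: a filter that matches only known strings says nothing about whether the query underneath is built safely.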
  22. Live Demo
  23. About UDomain
  24. UDomain Group
     • UDomain, founded in 1998 (UDomain.hk)
     • Web Host, founded in 1998 (Webhost.hk)
     • New Sky, founded in 1997 (Newsky.net)
  25. Our Services: Cybersecurity, Internet Service, Hosting, Domain. Including DDoS protection, penetration test, firewall, SSL certificate, CDN, VPN, live-streaming, email marketing, web, email and app hosting, cloud server, dedicated server, colocation, hosting 40,000 webs, .hk registrar, domain advisor, brand alert, 1000+ domain types, DNS panel
  26. Our Qualification
     • Registrar of .hk Domain: one of the first HKIRC-recognized registrars
     • HK Government Public Cloud Services Provider: first HK web hosting company recognized by the Office of the Government Chief Information Officer (OGCIO)
     • OFCA Services-based Operator Licensee: permitted to provide Authorized International Value-Added Network Services (IVANS)
  27. Awards
  28. Events: Corporate Cyber Security Conference, HK Cyber Security Drill
  29. Summary (People, Process, Technology)
     • Multiple machine scanning tools
     • Over 20 years of domain and web knowledge
     • Project experience in different sectors
     • Training and certification
     • OWASP Top 10
     • The Penetration Testing Execution Standard
     • AgilePM
  30. Your Managed Security Service Partner: penetration test, firewall & DDoS protection, 7x24 technical support, dedicated security specialists, high availability ring network
  32. 32. Appendix
  33. 33. Proposed Assessment Plan
  34. 34. Proposed Project Plan Week 1 Automated Scan • We will configure and execute automated scan, followed by test plan development. Risk assessment will take place during the test plan development. Week 2-3 Manual Review • We will verify the can result, eliminate false-positives and then execute manual business logic test. Application walkthrough and threat analysis will also be conducted during this stage. • Search for potential sensitive information related to you through various search engines
  35. 35. Machine Scanning Manual Penetration Test Review and Recommendat ion Hybrid Testing (Machine & Manual)
  36. 36. Security Assessment Lifecycle Automated Scan
  37. 37. Automated Scan • Tools scanning for potential security issue • Combine multiple tools to gather more information • Include fuzzing in scanning
  38. 38. Security Assessment Lifecycle Automated Scan Manual Review
  39. 39. Manual Review (Penetration Test) • Enrich the information in machine scanning • Verify the findings in machine scanning • Look through each page to find security issue • Look for logical flaws
  40. 40. Security Assessment Lifecycle Automated Scan Manual Review Report and Recommendations
  41. 41. Report & Recommendations Executive Summary Testing Methodologies Proof of Concept Impact and Severity Findings Details Recommendations Debriefing meeting
  42. 42. Sample Report
  43. 43. Retest Compiling a Retest checklist Scanning for previously found vulnerabilities after fixing Producing final retest report
  44. 44. Case References
  45. 45. Case Reference I • An NGO partnering with the Hong Kong Government, provides quality social welfare service through their 3,000 operating units in Hong Kong. • Engagement in Penetration Test:  a Website before launch in Hong Kong  Re-tested several times
  46. 46. Case Reference II • A 20-year-old Secondary School in Hong Kong • Engagement in Penetration Test:  an Internal CMS system with email function  a public-facing website
