PenTesting (for fun & profit)
Clinton Ingrams
Dutch PHP Conference
2014
https://joind.in/10948
Working at ...
Cyber Security Centre
De Montfort University
Teaching …
MSc Cyber Security, Forensic Practitioners
(plus lots of Secure Web App Development,
PHP, etc)
Web Application Pen Testing
(Ethical Hacking)
(HTTP -> UFBP)
Questions to be answered:
Why?
What?
How?
When?
Who?
With?
How much?
(and don't forget rule 1)
Context
Application Security is:
Boring
Tedious
Unnecessary
Client-losing
Expensive
…
Need to know more vulnerabilities than the OWASP Top 10
UK MoD VAs
Vulnerability Assessment levels
● Scanning
● Automated probes
● Penetration Test
● Physical Test
Rule 1
Always make sure you have a
signed scoping document
What is a hacker?
Hacker ... is a term used in computing that can
describe several types of persons
– Hacker (computer security) someone who seeks
and exploits weaknesses in a computer system or
computer network
– Hacker (hobbyist), who makes innovative
customizations or combinations of retail electronic
and computer equipment
– Hacker (programmer subculture), who combines
excellence, playfulness, cleverness and exploration
in performed activities
(http://en.wikipedia.org/wiki/Hacker)
Why:-
From NIST SP800-53A
– To “enhance the organisation’s understanding
of the system”
– To “uncover weaknesses or deficiencies in the
system”
– To “indicate the level of effort required on the
part of adversaries to breach the system
safeguards”
● Read ZF05
https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/
When:-
“Why is there never time to consider
security before an app goes live,
but plenty of time and money
after the first hack”
(Thought: when to pentest if following Agile techniques???)
How:- Methodologies
Frameworks:
– National Institute of Standards and Technology
● NIST Special Publication 800-115
– Open Web Application Security Project
● OWASP (Testing Guide)
– SANS
● Securing Web Application Technologies (SWAT)
– Open Source Security Testing Methodology
Manual
● OSSTMM
– Ad hoc
(screenshot: NIST)
OWASP
The following sections describe the 12 subcategories
of the Web Application Penetration Testing
Methodology:
4.1 Introduction and Objectives
4.2 Information Gathering
4.3 Configuration and Deployment Management Testing
4.4 Identity Management Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Error Handling
4.10 Cryptography
4.11 Business Logic Testing
4.12 Client Side Testing
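Three of the categories above (4.3 configuration and deployment, 4.7 session management, 4.9 error handling) can be partly covered by passive inspection of a single HTTP response, which is how most of the proxy tools mentioned later flag their "low-hanging fruit". The script below is an added example written for this page, not code from the slides or from OWASP; the HTTP response it inspects is a constructed sample chosen to trip several checks at once, and the header names, cookie names and error-text patterns it looks for are the author's own choices, not an OWASP-defined list.

```python
"""Passive checks for OWASP Testing Guide sections 4.3, 4.7 and 4.9 run over
one captured HTTP response.  Added example; the sample response is constructed."""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Finding:
    section: str   # OWASP Testing Guide v4 section the check belongs to
    detail: str

# Constructed sample (not a real capture): PHP app leaking version banners,
# an unprotected session cookie, and an unhandled exception page.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.3.10\r\n"
    b"Set-Cookie: PHPSESSID=4f9a1c; path=/\r\n"
    b"Set-Cookie: lang=en; path=/; HttpOnly; Secure\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<b>Fatal error</b>: Uncaught exception in /var/www/app/index.php on line 42\n"
    b"Stack trace:\n#0 {main}\n"
)

# Heuristic list of cookie names that usually carry the session identifier.
SESSION_COOKIE_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "sid"}

# Body patterns that indicate verbose error handling (section 4.9).
ERROR_PATTERNS = [
    (r"stack trace", "stack trace in body"),
    (r"fatal error|uncaught exception", "unhandled exception text in body"),
    (r"(/[\w.-]+){2,}\.php\b", "server-side file path in body"),
    (r"\bon line \d+", "source line number in body"),
]

def parse_response(raw: bytes) -> Tuple[int, List[Tuple[str, str]], str]:
    """Split a raw response into status code, [(header, value)...], body.
    Headers are kept as a list so repeated Set-Cookie lines survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body.decode("latin-1", "replace")

def check_config(headers) -> List[Finding]:
    """4.3: version banners and missing hardening headers."""
    out = []
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            out.append(Finding("4.3", f"version disclosed in {name}: {value}"))
    present = {name for name, _ in headers}
    for wanted in ("x-frame-options", "x-content-type-options"):
        if wanted not in present:
            out.append(Finding("4.3", f"missing {wanted} header"))
    return out

def check_session(headers, over_tls: bool) -> List[Finding]:
    """4.7: session cookies must carry HttpOnly, and Secure when served over TLS."""
    out = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if cookie_name.lower() not in SESSION_COOKIE_NAMES:
            continue  # non-session cookies are out of scope for this check
        if "httponly" not in attrs:
            out.append(Finding("4.7", f"session cookie {cookie_name} lacks HttpOnly"))
        if over_tls and "secure" not in attrs:
            out.append(Finding("4.7", f"session cookie {cookie_name} lacks Secure"))
    return out

def check_errors(status: int, body: str) -> List[Finding]:
    """4.9: 5xx responses and debug output leaking into the page."""
    out = []
    if status >= 500:
        out.append(Finding("4.9", f"server error status {status}"))
    for pattern, what in ERROR_PATTERNS:
        if re.search(pattern, body, re.IGNORECASE):
            out.append(Finding("4.9", what))
    return out

def analyse(raw: bytes, over_tls: bool = True) -> List[Finding]:
    status, headers, body = parse_response(raw)
    return check_config(headers) + check_session(headers, over_tls) + check_errors(status, body)

if __name__ == "__main__":
    for f in analyse(SAMPLE_RESPONSE):
        print(f.section, f.detail)
```

Each finding is tagged with the guide section it supports, so the output drops straight into a report organised the way the OWASP methodology is. The checks are deliberately passive: they only read what the server already sent, which keeps them inside any scoping document that permits browsing the application.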
Ad-hoc
Who:-
● Large organisations (UK) may be required
to employ a cyber/digital security specialist
– cf health & safety specialists
● However, every web development
company should (probably) have such a
cyber security “specialist”
– qualified
– experienced
How much:-
“All the market will bear ...”
(Poul Anderson)
With:-
● Samurai Web Testing Framework
– http://samurai.inguardians.com/
(other tool kits are available …)
● Containing toolkits
– Eg BurpSuite, ZAP, w3af, etc
● Deliberately vulnerable web applications
– Mutillidae, DVWA, Badstore, Flowershop, …
(victim machines)
Planning:-
● Remember Rule 1?
● Safety Clause
● Profiling
● Risk Assessment
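Rule 1 only protects you if the tools respect it, so a practical planning step is to encode the signed scope (and its safety-clause exclusions) in machine-readable form and gate every scanner target list through it before anything is launched. The following is an added example for this page, not code from the slides: the client name, hostnames and address ranges are invented, and the scope format (a dictionary of allowed and excluded hosts and networks) is this example's own convention rather than any standard.

```python
"""Gate scanner targets against the signed scoping document.
Added example; the scope below is a constructed, hypothetical client."""
import ipaddress
from fnmatch import fnmatch
from typing import Dict, Iterable, List, Tuple

# Hypothetical scope transcribed from a signed scoping document.
# Exclusions model a safety clause (e.g. "do not touch the payment gateway").
SCOPE: Dict[str, List[str]] = {
    "hosts": ["www.example-client.test", "*.staging.example-client.test"],
    "networks": ["203.0.113.0/24"],
    "excluded_networks": ["203.0.113.250/31"],
    "excluded_hosts": ["db.staging.example-client.test"],
}

def _host_matches(host: str, patterns: Iterable[str]) -> bool:
    # fnmatch's '*' also matches dots, so '*.staging.x' covers deeper
    # subdomains as well; tighten the pattern if the scope says otherwise.
    return any(fnmatch(host, p.lower()) for p in patterns)

def in_scope(target: str, scope: Dict[str, List[str]] = SCOPE) -> bool:
    """True only if the target is explicitly allowed and not explicitly excluded.
    Exclusions win, so a safety clause can never be overridden by a broad range."""
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None

    if addr is not None:
        if any(addr in ipaddress.ip_network(n) for n in scope["excluded_networks"]):
            return False
        return any(addr in ipaddress.ip_network(n) for n in scope["networks"])

    host = target.lower().rstrip(".")   # tolerate a trailing FQDN dot
    if _host_matches(host, scope["excluded_hosts"]):
        return False
    return _host_matches(host, scope["hosts"])

def filter_targets(targets: Iterable[str],
                   scope: Dict[str, List[str]] = SCOPE) -> Tuple[List[str], List[str]]:
    """Split a candidate target list into (allowed, refused)."""
    allowed, refused = [], []
    for t in targets:
        (allowed if in_scope(t, scope) else refused).append(t)
    return allowed, refused

if __name__ == "__main__":
    candidates = ["203.0.113.10", "203.0.113.251", "198.51.100.1",
                  "www.example-client.test", "api.staging.example-client.test",
                  "db.staging.example-client.test"]
    ok, refused = filter_targets(candidates)
    print("scan:", ok)
    print("refused (out of scope):", refused)
```

Feed the `allowed` list to nmap, ZAP or Burp and keep the `refused` list in the engagement notes: a refused entry that the client expected to be tested is a sign the scoping document needs amending and re-signing before work continues.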
Profiling
● Google
● Whois
● DNS
● Social Engineering
● Dumpster diving
(screenshot: samurai)
(screenshot: zenmap)
(screenshot: dvwa)
(screenshot: zap)
Demo:-
● (Ze)nmap
● Wireshark
● ZAP
● Burpsuite
● w3af
Books
● The Basics of Hacking and Penetration Testing: Ethical
Hacking and Penetration Testing Made Easy
– Patrick Engebretson
● Ninja Hacking: Unconventional Penetration Testing
Tactics and Techniques
– Thomas Wilhelm & Jason Andress
● Seven Deadliest Web Application Attacks (Seven
Deadliest Attacks)
– Mike Shema
References
● https://securitythoughts.wordpress.com/2009/08/11/zero-for-0wned-zine-zf05/
● https://cyberarms.wordpress.com/2010/06/12/tiger-team-penetration-testing-on-tv/
● https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
● http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
● https://www.owasp.org/index.php/Web_Application_Penetration_Testing
● http://www.isecom.org/
● http://samurai.inguardians.com/
● https://www.youtube.com/watch?v=6gH4A49sPdc
● http://armoredcode.com/images/keep-calm-and-write-safe-code-small.png
Thanks for staying to the end...
@cfing99
cfi@dmu.ac.uk
a bar …
(https://joind.in/10948)
Any Questions?