Experience Sharing on
School Pentest Project
Eric Fan & Chris Chan
UDomain
Agenda
• Our objective & how we did
• Our findings & suggestions
• Demonstration
• About UDomain
• Q & A
Our Objective
As an independent consultant, provide a series of vulnerability scans, penetration tests and reviews of the website security of ten K12 schools, identifying potential areas for further improvement to protect the schools' sensitive data and goodwill.
What we do?
Step 1: Automated Scan
Configure and execute the automated scan, followed by test plan development. Risk assessment takes place during the test plan development.
Step 2: Manual Review
Verify the scan results, eliminate false positives and then execute manual business logic tests. Application walkthrough and threat analysis are also conducted during this stage.
Step 3: Debriefing Meeting
Report and analysis of the automated scan and manual testing results, with recommendations.
Penetration Test Methodologies
Seven phases to perform testing:
• Information Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
• Rescan
Support Reference:
OWASP TOP 10
The Penetration Testing Execution Standard
Common Vulnerability Scoring System (CVSS)
Main Testing Tools
• OWASP-ZAP
• Nikto
• Dirsearch
*More testing tools may be used depending on the scope of work
Tester Qualification
• Certified Ethical Hacker
• Offensive Security Certified Expert
• GIAC Web Application Penetration Tester
• Certified Information Systems Security Professional
• Offensive Security Certified Professional
Our Findings
• 29 websites: public, intranet and internal applications of ten schools
• 99 hours of scanning, using more than one scanning tool plus manual penetration testing
• 170+ critical vulnerabilities
• 20,000+ personal data records, including email, name, HKID etc.
[Pie chart: severity breakdown of the 1,700+ vulnerabilities found: Critical 8%, High 16%, Medium 35%, Low 41%]
Overall Findings
[Bar chart: number of vulnerabilities per school (A, B, C, D, E, F, G, H, J, K), y-axis 0 to 700, stacked by severity: Low, Medium, High, Critical]
Critical Vulnerabilities
• 16 Password in plaintext
• 65 XSS
• 105 SQL Injection
• 13 SSLv2 & v3
Top Security Impact Vulnerabilities
Back Up File
We found plaintext database login credentials in a backup file, which may lead to unauthorized login.
SQL Injection
Allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Unsupported Software / OS Version
Outdated software or operating systems can no longer be updated to the latest patch and so remain vulnerable to exploits.
Password In Plaintext
Allows anyone who can read the file access to the password-protected resource.
SQL Injection
• 9* in vendor solutions
• 12 in schools' own applications
• 7 on unsupported operating systems
* The same SQL injection vulnerability appears in all 8 schools using one vendor solution.
* 5 schools using on-premises / 3 schools on cloud
SSL Cert
• Websites with an SSL certificate: 21%
• Websites without an SSL certificate: 79%
Our Suggestions
Reliable Vendor Solutions
Software and application vendors should offer OS or patch updates so that users can fix their software and application vulnerabilities.
Regular Scanning
Yearly or half-yearly vulnerability scanning and penetration testing is recommended.
Regular Patching of Operating Systems
Regularly review and update the hardware and application operating systems to the latest patch, in order to avoid exposure to malware and exploits targeting known vulnerabilities.
More info: Information Security in Schools - Recommended Practice (Jan 2019)
https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
Demonstrations
Live Demo – SQL Injection
Types of SQL Injection
• UNION-based (e.g. join another result set into the current result)
• Time-based (e.g. wait 5 seconds if the condition is true)
• Error-based (e.g. display an error page when the condition is not true)
• Boolean-based (e.g. print 1 if the condition is true)
What is CloudFlare
• A commercial content delivery network with integrated distributed denial of service (DDoS) defence
• Web Application Firewall with signature-based rules, e.g.
– “Union ALL select …”
– “DATABASE()”
Is it Enough?
AND 3732=IF(ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))<60
Show result if the ASCII code of the 1st character of the current database name is smaller than 11
If false:
AND 3732=IF(ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>60
Show result if the ASCII code of the 1st character of the current database name is greater than 60
3732=IF(ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>90
Show result if the ASCII code of the 1st character of the current database name is greater than 90
Example
• Database name: udcms
• The 1st character of udcms is u; ord() result: 75
• Is 75 < 60? No
• Is 75 > 60? Yes
• Is 75 < 90? Yes
• Is 75 < 75? No
• Is 75 > 75? No
• Is 75 = 75? Yes
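The boolean-based probe in this demo and the SQL injection finding earlier share one root cause: user input is spliced into the SQL text, so a WAF signature list such as CloudFlare's is not the fix. The following is an added example (not from the slides or from UDomain): the same record lookup built both ways against an in-memory SQLite database with constructed data. The probe is an assumed SQLite rewrite of the slide's payload (unicode()/substr()/sqlite_master and CASE in place of MySQL's ORD()/MID()/DATABASE() and IF()); only the concatenated version answers the two probes differently.

```python
import sqlite3

# Constructed sample schema standing in for a school application's database.
SETUP = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO students VALUES (1, 'Alice'), (2, 'Bob');
"""


def blind_probe(comparison):
    """Boolean-based probe in the slides' '3732=IF(...)' style, rewritten for
    SQLite (assumption): unicode()/substr()/sqlite_master replace MySQL's
    ORD()/MID()/DATABASE() and CASE replaces IF(). Note that it contains no
    'UNION ALL SELECT' and no 'DATABASE()' for a signature rule to match."""
    return ("1 AND 3732=(CASE WHEN unicode(substr((SELECT name FROM "
            f"sqlite_master LIMIT 1),1,1)){comparison} THEN 3732 ELSE 0 END)")


def lookup_vulnerable(conn, student_id):
    # Input is spliced into the statement text, so the probe becomes SQL and
    # the response depends on whether its condition holds.
    sql = f"SELECT name FROM students WHERE id = {student_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, student_id):
    # Bound parameter: the driver passes the value as data, never as SQL, so
    # the probe text is compared with the id column and matches nothing.
    sql = "SELECT name FROM students WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (student_id,))]


def leaks_one_bit(lookup):
    """True if the endpoint answers the '>60' and '<60' probes differently,
    i.e. a client can learn one bit about the schema per request."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    # First table name is 'students'; unicode('s') is 115, so '>60' holds.
    return lookup(conn, blind_probe(">60")) != lookup(conn, blind_probe("<60"))


def run_demo():
    """Returns (legitimate lookup, vulnerable leaks?, parameterized leaks?)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP)
    return (lookup_parameterized(conn, 1),
            leaks_one_bit(lookup_vulnerable),
            leaks_one_bit(lookup_parameterized))
```

`run_demo()` returns `(['Alice'], True, False)`: the parameterized lookup still serves legitimate ids, but gives the same empty answer to both probes.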
Live Demo
About UDomain
UDomain Group
• UDomain: founded in 1998, UDomain.hk
• Web Host: founded in 1998, Webhost.hk
• New Sky: founded in 1997, Newsky.net
Our Services
Cybersecurity: DDoS protection, Penetration test, Firewall, SSL-Certificate
Internet Service: CDN, VPN, Live-streaming, Email marketing
Hosting: Web, email and app, Cloud server, Dedicated server, Colocation, Hosting 40,000 webs
Domain: .hk registrar, Domain advisor, Brand alert, 1000+ domain types, DNS Panel
Our Qualification
• Registrar of .hk Domain: one of the first HKIRC-recognized registrars
• HK Government Public Cloud Services Provider: first HK web hosting company recognized by the Office of the Government Chief Information Officer (OGCIO)
• OFCA Services-based Operator Licensee: permitted to provide Authorized International Value-Added Network Services (IVANS)
Awards
Events
• Corporate Cyber Security Conference
• HK Cyber Security Drill
Summary
People
• Over 20 years Domain and Web Knowledge
• Project Experience in Different Sectors
• Training and Certification
Process
• OWASP TOP 10
• The Penetration Testing Execution Standard
• AgilePM
Technology
• Multiple machine scanning tools
Your Managed Security Service Partner
• Penetration Test
• Firewall & DDoS Protection
• 7x24 Technical Support
• Dedicated Security Specialists
• High Availability Ring Network
Thank you!
Appendix
Proposed Assessment Plan
Proposed Project Plan
Week 1: Automated Scan
• We will configure and execute the automated scan, followed by test plan development. Risk assessment will take place during the test plan development.
Week 2-3: Manual Review
• We will verify the scan results, eliminate false positives and then execute manual business logic tests. Application walkthrough and threat analysis will also be conducted during this stage.
• Search for potential sensitive information related to you through various search engines
Hybrid Testing (Machine & Manual)
Machine Scanning, then Manual Penetration Test, then Review and Recommendation
Security Assessment Lifecycle
Automated Scan, then Manual Review, then Report and Recommendations
Automated Scan
• Tools scanning for potential security issues
• Combine multiple tools to gather more information
• Include fuzzing in scanning
Manual Review (Penetration Test)
• Enrich the information from machine scanning
• Verify the findings from machine scanning
• Look through each page to find security issues
• Look for logical flaws
Report & Recommendations
Executive Summary
Testing Methodologies
Proof of Concept
Impact and Severity
Findings Details
Recommendations
Debriefing meeting
Sample Report
Retest
• Compiling a retest checklist
• Scanning for previously found vulnerabilities after fixing
• Producing the final retest report
Case References
Case Reference I
• An NGO partnering with the Hong Kong Government, providing quality social welfare services through its 3,000 operating units in Hong Kong.
• Engagement in Penetration Test:
– a website before launch in Hong Kong
– re-tested several times
Case Reference II
• A 20-year-old secondary school in Hong Kong
• Engagement in Penetration Test:
– an internal CMS system with email function
– a public-facing website
