The Shop
PenTest Analysis and Discussion
Structure of a Static Website
The user The Shop server
Request
Response
Gavin Wiener @ 2016
Structure of a Dynamic Website
Database
The user The Shop server
Request
Response
Database
1. Pros
a. User account
b. Products
c. Suppliers
2. Cons
a. Centralized location of private information
Vulnerabilities
A vulnerability is a weakness in a system which reduces the intended
access to or modification of information.
Requirements:
1. Vulnerability must exist
2. Access to the vulnerability
3. Knowledge to exploit the vulnerability
Vulnerabilities
1. High Risk
a. An attacker can control and modify company assets
2. Medium Risk
a. An attacker can control and modify company assets but relies on another
or future vulnerability
3. Low Risk
a. No control but information is unnecessarily leaked which helps the
attacker
High Risk - Control and Modification
1. SQL Injection
2. Execute System Commands
3. Concurrent Sessions
SQL Injection
SELECT * FROM UserAccounts WHERE username='<input>';
SQL injection leverages user input used in a SQL query to manipulate the
structure of the query and construct queries which were not intended.
SQL Injection
Inputs
● Login
● Registration
● Product search
● Comments
SQL Injection
Vulnerable
SQL Injection
Gain Information
SQL Injection
Acquire usernames and passwords
SQL Injection
Solution
● Do not trust user input
● User input must always be sanitized
● Parameterized queries
SELECT * FROM UserAccounts WHERE username=? and password=?;
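As an added example that is not part of the deck, the vulnerable pattern from the SQL Injection slide beside the parameterized fix, run with Python's sqlite3 module against a constructed in-memory UserAccounts table. The rows, the tautology input and the plaintext password column are made up for the demonstration; a real shop stores password hashes.

```python
import sqlite3


def make_db():
    # Constructed stand-in for The Shop's UserAccounts table (table name from
    # the slide, rows invented). Plaintext passwords are for the demo only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserAccounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO UserAccounts VALUES (?, ?)",
                     [("david", "s3cret"), ("admin", "hunter2")])
    return conn


def login_vulnerable(conn, username, password):
    # The slide's pattern: user input is spliced into the query text, so the
    # input can change the structure of the statement, not just its values.
    sql = ("SELECT username FROM UserAccounts WHERE username='%s' "
           "AND password='%s';" % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # The slide's fix: placeholders bind the input as data; the driver never
    # treats it as SQL, so the same tautology input matches nothing.
    sql = "SELECT username FROM UserAccounts WHERE username=? AND password=?;"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print("vulnerable    :", login_vulnerable(db, tautology, tautology))
    print("parameterized :", login_parameterized(db, tautology, tautology))
```

The vulnerable query becomes `... WHERE username='x' OR '1'='1' AND password='x' OR '1'='1'`, which is true for every row, so the login returns every account; the parameterized version returns nothing for the same input. The placeholder syntax (`?` here) is driver-specific, but the principle on the slide is the same for every database.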
Execute System Commands
Executing instructions directly on the server. An attacker can modify
system information, affect the operation of system services, add a user.
Vulnerabilities:
1. XP_CMDSHELL
2. Command Line Injection
Execute System Commands
XP_CMDSHELL
Feature included in Microsoft Server 2008
Executes Windows command line instructions
Execute System Commands
XP_CMDSHELL
Leverages SQL injection
Execute System Commands
Command Line Injection
Requires acquiring admin account information - SQL injection
or session hijacking
Execute System Commands
Command Line Injection
Execute System Commands
Command Line Injection
Concurrent Sessions
A user can have multiple active sessions. This is a vulnerability because
the legitimate user does not know about the other sessions.
Requires access to user’s account:
● Session hijacking
● Acquired account information using SQL injection
Concurrent Sessions
David is logged in twice
The items do not show
Solution
Do not allow concurrent sessions
Solve session hijacking vulnerabilities
Medium Risk
● Local file access
● Password, login, and registration policy
● Stored cross-site scripting (XSS)
● Logic flaws
● Session management
Local File Access
Vulnerabilities
1. Local file inclusion
2. Local file retrieval
Local File Access
Local File Inclusion
The Careers page includes a CV upload. Attacker can upload
any file
Validation is only done client-side using JavaScript
Local File Access
Local File Inclusion
Do not trust user input, always validate server-side
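Added example, not from the deck: a server-side check for the Careers page CV upload. The slides only say validation must happen on the server; the extension allowlist, the size cap, the magic-byte check and the server-generated storage name are this example's own choices, and the sample file contents are constructed.

```python
import os
import secrets

# Assumed policy for CV uploads: extension -> expected leading bytes.
ALLOWED = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}
MAX_BYTES = 5 * 1024 * 1024  # assumed 5 MiB cap


def validate_cv_upload(filename, data):
    """Return (ok, reason). Nothing the client sent is trusted: not the name,
    not the declared type, not the size."""
    base = os.path.basename(filename)          # drop any directory components
    if not base or base.startswith(".") or "\x00" in base:
        return False, "bad filename"
    ext = os.path.splitext(base)[1].lower()    # last extension only: cv.pdf.php -> .php
    if ext not in ALLOWED:
        return False, "extension not allowed"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    if not data.startswith(ALLOWED[ext]):
        return False, "content does not match extension"
    return True, "ok"


def stored_name(filename):
    # Store under a random server-generated name so the client's filename
    # never reaches the filesystem; only the validated extension is kept.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads.
    print(validate_cv_upload("cv.pdf", b"%PDF-1.4 constructed sample"))
    print(validate_cv_upload("cv.pdf.php", b"<?php echo 1; ?>"))
    print(validate_cv_upload("cv.pdf", b"<?php echo 1; ?>"))
```

The magic-byte check catches the case the slide describes (any file uploaded under an accepted name); the stored files should also live outside the web root so that nothing uploaded can be requested as a page.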
Local File Access
Local File Retrieval
Product pages provide download links for manuals
Manuals are stored locally
Local File Access
Local File Retrieval
Local File Access
Local File Retrieval
Local File Access
Local File Retrieval
An uploaded manuals index could be maintained
Amazon S3 - dedicated storage
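Added example, not from the deck: the manuals index the slide proposes, implemented so that a product page only ever passes an opaque manual id to the server and the server maps it to a file under a fixed directory. The directory path, the ids and the file names are assumed for the example.

```python
import os

MANUAL_ROOT = "/var/shop/manuals"   # assumed storage directory, not from the slides

# Constructed index: opaque manual id -> file name inside MANUAL_ROOT.
MANUAL_INDEX = {
    "m-1001": "kettle-kx200.pdf",
    "m-1002": "toaster-t4.pdf",
}


def resolve_manual(manual_id, index=MANUAL_INDEX, root=MANUAL_ROOT):
    """Map a manual id from the download link to a path under root.
    Unknown ids raise KeyError; an index entry that would leave root raises
    ValueError (defence in depth against a bad index row)."""
    name = index.get(manual_id)
    if name is None:
        raise KeyError("unknown manual id")
    path = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, path]) != root:
        raise ValueError("index entry escapes the manual root")
    return path


if __name__ == "__main__":
    print(resolve_manual("m-1001"))
    for bad in ("../../../etc/passwd", "m-9999"):
        try:
            resolve_manual(bad)
        except KeyError as exc:
            print(bad, "->", exc)
```

Because the request carries an id rather than a path, user input never forms part of a filesystem path; the `commonpath` check only guards against mistakes in the index itself. The same id-to-object mapping applies unchanged if the manuals move to dedicated storage such as Amazon S3, as the slide suggests.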
Password, Login, and Registration Policy
1. Account lockout
2. No minimum requirements
3. Username enumeration
Password and Login Policy
Account Lockout
Most websites will lock a user's account after a predetermined number of
failed logins
Prevent brute-force attacks
Password and Login Policy
Account Lockout
Brute-force attack could lock all user accounts
Password and Login Policy
No Minimum Requirements
There is no password policy
● Minimum length
● Do not use personal details
● Do not lowercase passwords
Password and Login Policy
Username Enumeration
Building a list of usernames
Registration indicates if a username exists without completing
the form
Password and Login Policy
Username Enumeration
Password recovery displays a user’s email if the username
exists
Password and Login Policy
Username Enumeration
Enables phishing attacks - attacker knows the username
Attacker can attack other websites with the same username
and password
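Added example, not from the deck: the leaky password-recovery response the slide describes beside a uniform response. The slides do not state a fix for enumeration; the uniform-message approach here is a common mitigation added as an assumption, and the user record is constructed.

```python
import secrets

# Constructed user table: username -> email address.
_USERS = {"david": "david@example.com"}

UNIFORM_MESSAGE = "If an account exists for that username, a recovery email has been sent."


def recover_password_leaky(username):
    # The flaw on the slide: the response differs for known and unknown
    # usernames, and echoes the account's email address.
    email = _USERS.get(username)
    if email is None:
        return "no such user"
    return "reset link sent to %s" % email


def recover_password_uniform(username, send_mail):
    # Same response whether or not the account exists; the email is only ever
    # used as a delivery address, never shown. send_mail(to, body) is an
    # assumed hook for the site's mailer.
    email = _USERS.get(username)
    if email is not None:
        send_mail(email, "Password reset token: " + secrets.token_urlsafe(16))
    return UNIFORM_MESSAGE


if __name__ == "__main__":
    outbox = []
    print(recover_password_leaky("david"))
    print(recover_password_uniform("david", lambda to, body: outbox.append(to)))
    print(recover_password_uniform("nobody", lambda to, body: outbox.append(to)))
    print("mails sent:", outbox)
```

The same idea applies to the registration form on the previous slide: whether a name is taken should only be reported when the whole form is submitted, and with rate limiting, rather than through a live check that can be driven by a script. Response time should also be similar for both branches, otherwise the timing difference leaks the same information.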
Cross-Site Scripting
Reflective
User input is 'reflected' back in the response and displayed; the input
could be JavaScript
Cookie stealing - requires phishing attack
Cross-Site Scripting
Stored
Requires SQL injection. JavaScript is inserted into the
database
Multiple users will view the content
Cross-Site Scripting
Stored
Leveraging SQL injection - Product details can be updated
with JavaScript
Cross-Site Scripting
Stored
Cross-Site Scripting
Stored
Flaw that failed logins are logged in admin panel, and
displayed without modification
Cross-Site Scripting
Stored
Cross-Site Scripting
Solution
Do not display user input in the browser if it is not necessary
HTML-encode all user input so that special characters are not
interpreted and no working script syntax can form
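Added example, not from the deck: the admin-panel flaw from the Stored slide (failed-login usernames written into the page unmodified) beside the HTML-encoding fix the Solution slide calls for, using Python's html.escape. The log entries are constructed, and the script in the second one is a harmless marker.

```python
from html import escape

# Constructed failed-login records as the admin panel would read them from
# the database: (timestamp, username as typed by the client).
FAILED_LOGINS = [
    ("2016-01-01 10:00:00", "david"),
    ("2016-01-01 10:00:05", "<script>alert('xss')</script>"),
]


def render_row_unsafe(ts, username):
    # The flaw on the slide: stored user input goes into the HTML as-is, so a
    # browser viewing the panel parses the username as markup.
    return "<tr><td>%s</td><td>%s</td></tr>" % (ts, username)


def render_row_safe(ts, username):
    # The fix: encode <, >, &, " and ' at output time, so the characters are
    # displayed as text and cannot form a tag or attribute.
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        escape(ts, quote=True), escape(username, quote=True))


def render_admin_panel(rows, safe=True):
    render = render_row_safe if safe else render_row_unsafe
    return "<table>" + "".join(render(ts, u) for ts, u in rows) + "</table>"


if __name__ == "__main__":
    print(render_admin_panel(FAILED_LOGINS, safe=False))
    print(render_admin_panel(FAILED_LOGINS))
```

Encoding belongs at the point of output, not at storage: the same username may later be placed in a JavaScript string or a URL, each of which needs its own encoding. Storing it raw and encoding for the context it is rendered in keeps the data intact and the page inert.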
Logic Flaw in Purchasing
Processes have an expected progression.
A logic flaw lets this progression be bypassed without the application recognizing it
Logic Flaw in Purchasing
Purchase a product progression:
1. Choose product
2. Checkout
3. Confirm delivery address
4. Confirm payment
5. Complete
Logic Flaw in Purchasing
Flawed purchase progression:
1. Choose product
2. Checkout
3. Confirm delivery address
5. Complete
Logic Flaw in Purchasing
Admin and User acknowledge the purchase
Logic Flaw in Purchasing
Solution
Track the progression of each order process server-side
If a step is skipped, the user is redirected, or sent to the home page.
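Added example, not from the deck: the server-side progression tracking the Solution slide describes, using the five purchase steps from the slides. Skipping a step (the flawed sequence that goes from address straight to complete) is refused and the client is redirected to the step it should be on; an unknown order is sent to the home page. The step names and the redirect convention are this example's own.

```python
# The purchase progression from the slides, in order.
ORDER_STEPS = ["choose_product", "checkout", "confirm_address",
               "confirm_payment", "complete"]


class OrderFlow:
    """Server-side record of how far each order has progressed. The client
    never carries the state; it can only ask to advance to the next step."""

    def __init__(self):
        self.progress = {}   # order_id -> index of the last completed step

    def start(self, order_id):
        self.progress[order_id] = 0          # choose_product done

    def advance(self, order_id, step):
        """Return the step reached, 'redirect:<step>' when a step was skipped,
        or 'redirect:home' when the order is unknown or already complete."""
        done = self.progress.get(order_id)
        if done is None or done + 1 >= len(ORDER_STEPS):
            return "redirect:home"
        expected = ORDER_STEPS[done + 1]
        if step != expected:
            return "redirect:" + expected      # send the user back to the step they skipped
        self.progress[order_id] = done + 1
        return step

    def is_complete(self, order_id):
        return self.progress.get(order_id) == len(ORDER_STEPS) - 1


if __name__ == "__main__":
    flow = OrderFlow()
    flow.start("order-1")   # constructed order id
    for requested in ["checkout", "confirm_address", "complete", "confirm_payment", "complete"]:
        print(requested, "->", flow.advance("order-1", requested))
```

The check that matters is that "complete" only succeeds when the server has itself recorded that payment was confirmed, so the acknowledgement the admin and the user receive can never precede payment regardless of which URLs the client requests.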
Session Management
Sessions and cookies enable smoother user experience
Poor management of sessions and cookies enables:
● Session hijacking
● Accessing a user’s account
● Session fixation
Session Management
Vulnerability
Session IDs are not discarded and replaced with new ones after
login and logout
Session IDs have a long expiration time
Session Management
Session Hijacking
Acquiring a session ID via cross-site scripting, network
monitoring, or another means enables the attacker to set their
session ID and access whatever the user was doing
Session Management
Session Fixation
Induce a user to use an attacker's session ID, and the attacker
can access the user's account.
Requires cross-site scripting as the session ID is not passed as a
parameter in the URL.
Session Management
Solution
Must prevent cross-site scripting - encoding any user input
which is displayed on the page
Acquiring SSL certificates will prevent network monitoring
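Added example, not from the deck, covering both the Session Management vulnerability slide (IDs kept across login and logout, long expiry) and the Concurrent Sessions solution (do not allow concurrent sessions). The store below issues a fresh random ID at login, drops the pre-login ID, evicts any other session of the same user, deletes the ID at logout and expires idle sessions. The 30-minute timeout and the in-memory store are assumptions for the example.

```python
import secrets
import time

SESSION_TTL = 30 * 60   # assumed: 30 minutes of inactivity, not from the slides


class SessionStore:
    """Server-side session table. clock is injectable so expiry can be tested."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}   # sid -> {"user": str | None, "last": float}
        self.by_user = {}    # user -> sid: at most one active session per user

    def _new(self, user=None):
        sid = secrets.token_urlsafe(32)          # unguessable, server-generated
        self.sessions[sid] = {"user": user, "last": self.clock()}
        return sid

    def anonymous(self):
        return self._new()

    def login(self, old_sid, user):
        # Discard the pre-login ID so an ID an attacker planted (fixation)
        # never becomes an authenticated session ...
        self.sessions.pop(old_sid, None)
        # ... and evict any existing session of this user (no concurrent sessions).
        prev = self.by_user.pop(user, None)
        if prev is not None:
            self.sessions.pop(prev, None)
        sid = self._new(user)
        self.by_user[user] = sid
        return sid

    def logout(self, sid):
        # Delete server-side; clearing the cookie alone leaves the ID usable.
        s = self.sessions.pop(sid, None)
        if s and s["user"]:
            self.by_user.pop(s["user"], None)

    def user_for(self, sid):
        """Resolve a presented ID to a user, or None if unknown or expired."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last"] > SESSION_TTL:
            self.logout(sid)
            return None
        s["last"] = self.clock()
        return s["user"]


if __name__ == "__main__":
    store = SessionStore()
    pre = store.anonymous()
    sid = store.login(pre, "david")        # constructed user
    print("pre-login id still valid?", store.user_for(pre) is not None)
    second = store.login(store.anonymous(), "david")
    print("first session still valid?", store.user_for(sid) is not None)
    print("current user:", store.user_for(second))
```

The cookie that carries the ID should be marked HttpOnly and Secure so that script cannot read it and it is only sent over the SSL/TLS connection the Solution slide calls for; the ID itself should never appear in a URL.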
Conclusion
Goal
Protect user information and access
Conclusion
Concepts
● Never trust user input - this can prevent many SQL injections and
cross-site scripting attacks which enable the other vulnerabilities
● Do not include unnecessary services which escalate privileges
● Services to directly execute Operating System commands are often
not needed.

Penetration Testing Analysis of The Shop (Test Environment)