Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Test Debrief

Published byMerry Barton Modified over 5 years ago

Similar presentations

Presentation on theme: "Penetration Test Debrief"— Presentation transcript:

1 Penetration Test Debrief
Ted Vera & Mark Trynor September 2, 2010

2 Agenda Pen Test Review Recommendations Deliverables Overview
NOTE: All trademarks referenced in this presentation are property of their respective owners.

3 Pen Test Review: Day 1 Badging / Training Reviewed customer ROE
Installed pen test tools on attack laptop Performed automated port and vulnerability scans against target systems Identified listeners on ports 80 & 443 NOTE: All trademarks referenced in this presentation are property of their respective owners.

4 Pen Test Review: Day 2 Performed packet captures
Performed automated scans and attacks using Metasploit Started comprehensive Nessus vulnerability scan Attempted manual XSS / SQL injection attacks NOTE: All trademarks referenced in this presentation are property of their respective owners.

5 Pen Test Review: Day 3 Validated false positives from automated scans (there were many) XSSer – automated scans/attacks Manual and custom automated XSS/SQL injection attacks Performed malformed packet / HTTP header attacks NOTE: All trademarks referenced in this presentation are property of their respective owners.

6 Pen Test Review: Day 4 Manually validated Nessus false positives
Nikto web application vulnerability scanner Nikto false positives BigIP & Oracle buffer overflow attempts Caused ESX Server to migrate .116, and due to the config, the failover VM lacked network connectivity NOTE: All trademarks referenced in this presentation are property of their respective owners.

7 Pen Test Review: Day 5 Customer disabled one BIGIP ASM
Two successful proof-of-concept exploits against known Oracle vulnerabilities (patched in July) Validates effectiveness of ASM positive security model NOTE: All trademarks referenced in this presentation are property of their respective owners.

8 Recommendations: General
Enforce strong user passwords Ensure passwords at least 8 characters in length, use a combination of uppercase and lowercase letters (Aa–Zz), numbers (0–9), and symbols # $ % ^ & * ( ) _ + | ~ - = { } [ ] : ; < > ? , . /). To prevent injection attacks, do not allow passwords to use symbols \ (back slash) or ' ” (quotes). Patch Management  Install operating system and application patches in a timely manner. NOTE: All trademarks referenced in this presentation are property of their respective owners.

9 Recommendations: F5 Create a well defined list of white-listed characters for positive security model. Disallow use of symbols \ (backslash) or ‘ “ (quotes) when possible. Utilize an automated web application test suite, such as Selenium ( to produce consistent white-listing when training the system and limit human input errors that could create XSS attack possibilities. Ensure F5 administrative panels are only accessible from the internal network as they were susceptible to XSS attacks in previous patch levels. NOTE: All trademarks referenced in this presentation are property of their respective owners.

10 Recommendations: Oracle
Remove access to the Oracle Diagnostics pages. Remove the ability to input SQL syntax directly into forms and replace with radio buttons / check boxes for “like”, “and/or”, “between”, “%”, etc. to limit the possibility of SQL injection. Verify all SQL queries, on code changes, have escape characters for all special SQL characters before executing queries to prevent injections or use parameterized statements
 NOTE: All trademarks referenced in this presentation are property of their respective owners.

11 Deliverables Overview
Deliverable # / Title Description Deliverable 1: Review with Suggested Improvements Review of vulnerabilities and suggested improvements (4pgs). Deliverable 2: Red Team Review Detailed description of Penetration Test activities, findings, and recommendations (15 pgs) Deliverable 3: Final Report Executive overview of Penetration Test, findings, and recommendations (5 pgs) NOTE: All trademarks referenced in this presentation are property of their respective owners.

Download ppt "Penetration Test Debrief"

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Understand Database Security Concepts

Understand Database Security Concepts
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Case Studies for Projects. Network Audit A brief description of the systems (via fingerprinting, if black box is used) Network perimeter should be described.

Case Studies for Projects. Network Audit A brief description of the systems (via fingerprinting, if black box is used) Network perimeter should be described.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Assessment and Vulnerability Assessment.
Sam Cook April 18, 2013. Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.

Sam Cook April 18, Overview What is penetration testing? Performing a penetration test Styles of penetration testing Tools of the trade.
Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.

Vulnerabilities. flaws in systems that allow them to be exploited provide means for attackers to compromise hosts, servers and networks.
Approaches to Application Security – DSM

Approaches to Application Security – DSM
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
A Security Review Process for Existing Software Applications

A Security Review Process for Existing Software Applications
Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007.

Web Application Security Implementation - © 2007 GIAC Web Application Security Implementation SANS MSISE GDWP Kevin Bong John Brozycki July 26, 2007.
Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Exploitation: Buffer Overflow, SQL injection, Adobe files Source:

Similar presentations

Ads by Google