Академический Документы
Профессиональный Документы
Культура Документы
Pentests:
Exposing real world attacks
Renaud Dubourguais <Renaud.Dubourguais@hsc.fr>
Jean-Baptiste Aviat <Jean-Baptiste.Aviat@hsc.f>
Consultants certifications :
2/28
CISSP, ISO 20000-1 Lead Auditor, ISO 27001 Lead Auditor, ISO 27001 Lead
Implementor, ISO 27005 Risk Manager, ITIL, ProCSSI, GIAC GCFA
Copyright Herv Schauer Consultants 2000-2010 - Reproduction Interdite
What is a pentest?
Simulation of a real attack on:
Infrastructure by exploiting badly designed firewall rules, exposed
services, ...
Exposed Web applications by testing user inputs, application bugs,
Various purposes:
Security assessment
Decision makers awareness
Technical staff awareness
3/28
4/28
6/28
7/28
8/28
Case study
9/28
At first sight
>
10/28
11/28
12/28
13/28
Demonstration
14/28
15/28
Demonstration
16/28
17/28
18/28
Demonstration
19/28
20/28
21/28
Demonstration
22/28
23/28
24/28
IN
192.168.111.110
Demonstration
25/28
26/28
27/28
Conclusion
Increasing number of attacks against web applications
A vulnerability can be created by mistake very quickly :
Unfiltered user inputs, weak passwords, unpatched software
Exploitation techniques are now mature
Impact can be disastrous :
Leak of confidential data
Servers and applications compromised or vandalized
28/28