Abstract
This white paper draws on input from Cigniti's Security Testing team and is
designed to help you understand the types of security testing, why each is
needed, and the tools that support it. It also explains scenarios that affect
the security of an IT system, and aims to predict, prevent and address
security issues through testing approaches that improve overall resilience.
www.cigniti.com | Unsolicited Distribution is Restricted. Copyright © 2016 - 17, Cigniti Technologies Ltd
The Need for Security Testing
55% of IT practitioners lack a formal strategy to govern moving data.
61% of organizations say data theft and cybercrime are the greatest threats to their reputation.
Configuration Management Security Testing
Analysis of the network infrastructure and web application architecture can
often reveal a good amount of information, such as source code, permitted HTTP
methods, administrative functionality, authentication methods and infrastructure
configuration. Today's complex, interconnected and heterogeneous web server
infrastructure, which can run to hundreds of servers, makes configuration
management review and validation a fundamental step in testing. An application
penetration test should include checking how the infrastructure was deployed and
secured: while the application itself may be secure, a small aspect of the
configuration could still be at a default-install state and vulnerable to
exploitation.
Authentication Security Testing
Authentication is the process of attempting to verify the digital identity of the
sender of a communication. The sender could be a user, a process or a device. A
common example is the logon process, but authentication happens every time we use
our computers; much of it is transparent to the user and handled by the computer
itself. Testing the authentication schema means understanding how the
authentication process works and using that information to circumvent the
authentication mechanism. As a penetration tester, it is valuable to be able to
gain the trust of a system and bypass security as an authorized entity. The most
common method by which people confirm their identity is something they know, such
as a password.
[Sidebar statistic: 10.9% ... into 2014 as companies continue to expand the technologies they use to improve their overall security.]
Trying the default username and password of the deployed application/server
Retrieving a valid user account and password
Bypassing the authentication schema by tampering with requests and tricking the application
Testing the "Remember Password" and "Password Reset" functions
Testing the logout and caching functions
CAPTCHA validation
Evaluating the strength of a "Multiple Factors Authentication System" like OTP (One Time Password)
Testing for race condition, a situation difficult to test for
Sample Scanning Tools
A list of scanning tools that can identify vulnerabilities related to authentication are
as follows:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
Bypassing Authentication Schema | Nessus, WebScarab, WebGoat | IBM AppScan, WebInspect, Cenzic Hailstorm, NTOSpider, Grendel Scan
Session Management Security Testing
Authentication and session management cover all aspects of handling user
authentication and managing active sessions. HTTP is a stateless protocol, so
even simple logic requires a user's multiple requests to be associated with each
other across a 'session'. For web applications, a session is the length of time
a user spends on a website, and the duration of authorized sessions should always
be managed prudently. The goal of a penetration tester is to identify accounts
that are permitted access to sessions with high-level privileges and unlimited
time to access the web application.
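As an added example (not code from the white paper), a minimal server-side session store shows the controls a tester looks for in the section above: an unguessable token, idle and absolute timeouts that are shorter for privileged roles, a fresh token on privilege change, and a logout that really invalidates the session. The timeout values and the SessionStore/Session names are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass

# Policy (constructed for this example): privileged sessions get a much
# shorter idle and absolute lifetime than ordinary user sessions.
IDLE_TIMEOUT = {"user": 30 * 60, "admin": 10 * 60}        # seconds
ABSOLUTE_TIMEOUT = {"user": 8 * 3600, "admin": 1 * 3600}  # seconds


@dataclass
class Session:
    user: str
    role: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side store keyed by a random token; the clock is injectable so
    timeout behaviour can be tested without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user, role="user"):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        now = self._clock()
        self._sessions[token] = Session(user, role, now, now)
        return token

    def lookup(self, token):
        """Return the live session for a token, or None if unknown/expired."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if (now - s.created > ABSOLUTE_TIMEOUT[s.role]
                or now - s.last_seen > IDLE_TIMEOUT[s.role]):
            del self._sessions[token]  # expired: drop it server-side
            return None
        s.last_seen = now
        return s

    def elevate(self, token, new_role):
        """Privilege change: retire the old token and issue a fresh one, so a
        token known before elevation never carries the higher role."""
        s = self.lookup(token)
        if s is None:
            return None
        del self._sessions[token]
        return self.create(s.user, new_role)

    def logout(self, token):
        return self._sessions.pop(token, None) is not None
```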
Testing for Authorization usually includes
Executing a path traversal attack and accessing reserved information
Bypassing the authorization schema
Escalation of privileges within the application by users
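Added example, not part of the white paper, for the path traversal item above: a guard that maps a client-supplied relative path onto a document root and rejects ".." escapes, absolute paths and symlinks that resolve outside the root. resolve_under_root and build_demo_root are hypothetical names, and the document root with its files is a constructed fixture.

```python
import os
import tempfile


class PathTraversalError(ValueError):
    pass


def resolve_under_root(root, requested):
    """Return the real path of ``requested`` inside ``root``, or raise.
    Resolving symlinks first and then comparing with commonpath catches both
    '../' sequences and links that point out of the root."""
    root_real = os.path.realpath(root)
    if os.path.isabs(requested) or "\x00" in requested:
        raise PathTraversalError(requested)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath, not a string prefix test: a prefix test would accept
    # /srv/docs_secret when the root is /srv/docs.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathTraversalError(requested)
    return candidate


def is_safe(root, requested):
    try:
        resolve_under_root(root, requested)
        return True
    except PathTraversalError:
        return False


def build_demo_root():
    """Constructed fixture: a document root holding one public file and a
    symlink that points outside the root (the case string checks miss)."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "docs")
    os.makedirs(root)
    with open(os.path.join(root, "public.txt"), "w") as fh:
        fh.write("ok")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("secret")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(root, "link"))
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    for p in ["public.txt", "sub/../public.txt", "../secret.txt", "link", "/etc/hosts"]:
        print(p, "->", "allowed" if is_safe(demo, p) else "blocked")
```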
Sample Scanning Tools
A list of scanning tools that can identify vulnerabilities related to authorization are
as follows:
Manipulating input parameters and passing them to internal search, add and modify functions (LDAP Injection)
Injecting a particular XML document into the application (XML Injection)
Injecting code into HTML pages (SSI Injection)
Injecting data into the application so that it executes user-controlled XPath queries (XPath Injection)
Injecting arbitrary IMAP/SMTP commands into the mail servers (IMAP/SMTP Injection)
Injecting data into the application that will later be executed by the web server (Code Injection)
Injecting an OS command through an HTTP request (OS Commanding)
Understanding different types of buffer overflow vulnerabilities (HTTP splitting and HTTP smuggling)
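Added example (not from the white paper) for the LDAP Injection item above: the vulnerable pattern that concatenates user input into a search filter, beside a form that escapes the value as RFC 4515 requires, plus a structural check a tester can apply: a fixed filter template must contain the same number of assertions no matter what the user typed. The filter template and function names are assumptions.

```python
# RFC 4515 escaping for values embedded in an LDAP search filter.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value):
    """Escape every filter metacharacter so the value is matched literally."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username):
    """Vulnerable pattern: raw input becomes part of the filter grammar, so a
    '*' or ')(' in the username changes which entries the search returns."""
    return "(&(objectClass=person)(uid=%s))" % username


def build_login_filter_safe(username):
    """Hardened form: the same template, but the value is escaped first."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(username)


def count_assertions(flt):
    """Count filter components by unescaped '('. For a fixed template this is
    an invariant; if it moves with user input, the input reached the grammar."""
    count, i = 0, 0
    while i < len(flt):
        if flt[i] == "\\":
            i += 3          # skip a \xx escape sequence
            continue
        if flt[i] == "(":
            count += 1
        i += 1
    return count
```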
Sample Scanning Tools
A list of scanning tools that can identify vulnerabilities related to data input from
external entities are as follows:
Vulnerability Type | Open Source / Free Tools | Commercial Tools
IMAP/SMTP Injection | W3AF, Sandcat CS | IBM AppScan, Acunetix, Sandcat
OS Commanding | W3AF, Nessus, Sandcat, arachni, Wapiti, PowerFuzzer, Oedipus | IBM AppScan, WebInspect, Cenzic Hailstorm, Acunetix, NTO Spider, Sandcat, SkipFish, Jsky, Netsparker, Burpsuite, Vega
Reflected Cross Site Scripting | W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, Acunetix WVS, WebScarab, N-Stalker, XSSer, Gamja, Secubat | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser
SQL Injection | W3AF, IronWASP, ZAP, arachni, Syhunt Mini (Sandcat Mini), SkipFish, Wapiti, Sandcat, Vega, Grendel Scan, WATOBO, Andiparos, PowerFuzzer, Paros Proxy, Oedipus, Uber Web Security Scanner, Jsky, safe3wvs, WebSecurify, Grabber, Netsparker, WebCruiser, Proxy Strike, SQLiX, sqlmap, Gamja, Mini Mysqlator, Secubat, WSTool, DSSS, aidSQL, Scrawlr, LoverBoy, SQLID, VulnDetector, openAcunetix, Priamos, XCobra, iScan | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, Syhunt Dynamic, QualysGuard WAS, Netsparker, ScantoSecure, Jsky, N-Stalker, Ammonite, ParosPro, WebCruiser
Unvalidated Redirects and Forwards | W3AF, IronWASP, ZAP, arachni, SkipFish | IBM AppScan, WebInspect, Acunetix, Burp Suite Professional, NTO Spider, QualysGuard WAS, Netsparker, ScantoSecure, NStalker
According to Gartner, one laptop is stolen every 53 seconds.
AJAX applications share the vulnerabilities of traditional web applications,
such as SQL injection and data validation flaws. In addition, an AJAX
application can be vulnerable to newer classes of attack such as Cross Site
Request Forgery (XSRF). Testing AJAX applications can be challenging because the
encoding or serialization schemes developers use when submitting POST data make
it difficult for testing tools to reliably create automated test requests; a web
proxy tool is extremely helpful for analyzing the traffic.
Sample Scanning Tools
A list of scanning tools that can identify vulnerabilities related to AJAX are as follows:
Disclaimer
This white paper is issued for information only. Cigniti declines all responsibility for
any errors and any loss or damage resulting from use of the contents of this White
Paper. Cigniti also declines responsibility for any infringement of any third party’s
Intellectual Property Rights but will be pleased to acknowledge any IPR and correct
any infringement of which it is advised.
US
Cigniti Technologies Inc.
433 E Las Colinas Blvd, Suite 1300, Irving, TX 75039

India (Hyderabad)
Cigniti Technologies Ltd.
6th Floor, ORION Block, "The V" (Ascendas), Plot #17 Software Units Layout, Madhapur, Hyderabad-500081

Australia (Sydney)
Cigniti Technologies Australia Pty Ltd
Level 13, 135 King Street, Sydney, NSW 2000

UK
Cigniti Technologies (UK) Limited
1 Fore Street, London EC2Y 9DT

Canada
Cigniti Technologies Canada Inc
2425 Matheson Blvd E., Suite 731, Mississauga, Ontario, L4W 5K4

New Zealand
Cigniti Technologies (NZ) Ltd
24b, Moorefield Road, Johnsonville, Wellington 6037

South Africa
Cigniti Technologies Ltd.
Ballyclare Place, 14 Ballyclare Drive, Bryanston 2021
About Cigniti
Cigniti Technologies Limited (BSE: 534758, www.cigniti.com), Global Leaders in Independent Software Testing
(IST) Services, is headquartered at Hyderabad, India. Cigniti’s 2000+ career testers are spread across US, UK, India,
Australia, and Canada. Cigniti is the world’s first IST Services Company to be appraised at CMMI-SVC v1.3, Maturity
Level 5, and is also ISO 9001:2008 & ISO 27001:2013 certified. Cigniti’s test offerings include Quality Engineering,
Advisory & Transformation, Next Generation Testing, and Core Testing. Over the last decade, Cigniti has helped
Enterprises and ISVs build quality software while improving time-to-market and reducing cost of quality. Cigniti
has translated its R&D into BlueSwan, a proprietary test platform comprising 5 elements (Verita, Velocita, Cesta,
Praxia, and Prudentia) which complement the existing QA and QE tools of enterprises. BlueSwan will help clients
Align their Business Goals, Assure market leadership, and Accelerate their digital transformation journey. Cigniti has
India’s first of its kind Robotics Test Lab, a Mobile Cloud Test Lab with HP & Experitest, a Cloud-enabled Performance
Test Lab, and an IoT & Smart Meter Lab. Gartner has positioned Cigniti as a "Niche Player" in 2016 and has been in
the Magic Quadrant for 2 years in a row. Forrester cites Cigniti among the 9 services firms and systems integrators
working to enable Quality at Speed. NelsonHall recognizes us as a ‘Leader’ in Overall, Pure-Play, Consulting & Digital
market segments in NEAT 2016 and 2nd largest by headcount. Everest Group recognizes Cigniti as a Major Contender
with a “Best in Class” rating for Buyer satisfaction in the PEAK Matrix™ for Independent Testing Services, while Forbes
recognizes Cigniti as Asia’s 200 best under-billion companies. Cigniti has been awarded a place on the Crown
Commercial Service latest G-Cloud 6 framework for providing Lot 4: Specialist Cloud Services that will provide public
sector enterprises better access to Cigniti’s expertise. Cigniti is also a recipient of the prestigious Frost and Sullivan
Customer Value Leadership Award for Global Automated Software Testing Services category consecutively in 2014
and 2015. Cigniti’s CSR initiative, Project Cignificance, aims to impact 1 million+ lives through education as an enabler.