Penetration testing (also called a pentest) is a popular service worldwide in the field of information
security. The essence of this work is an authorised attempt to circumvent the existing set of controls
protecting an information system. During the test, the auditor plays the role of an attacker motivated to
breach the customer's network security.
As a rule, the technical defences of the corporate network are subjected to intensive verification, but
depending on the agreed conditions other aspects of security can be evaluated as well, for example the level
of user awareness.
The penetration testing process involves modelling the real actions of an attacker: finding vulnerabilities
and subsequently exploiting them. A penetration test gives you an independent assessment and an expert
opinion on the state of protection of confidential information.
Based on the results of the work we prepare a detailed report, which allows you not only to learn the level
of protection of confidential data but also to receive specific recommendations for addressing the identified
threats to information security.
During a penetration test, attempts are made to exploit vulnerabilities of the information system (in other
words, attempts to penetrate it). Successful attempts effectively demonstrate the possibility of penetration
and identify weaknesses in information security. This in turn allows us to separate the critical security
problems that require immediate attention from those that pose less of a threat.
Our working process:
Types of vulnerabilities:
SQL Injection
SQL injection is one of the most common ways of attacking websites and programs that work with
databases; it is based on the injection of arbitrary SQL code.
Depending on the type of database and the conditions of exploitation, SQL injection may allow an attacker
to execute arbitrary queries against the database (for example, to read the contents of any table, or to
delete, edit or add data), to read and/or write local files, and to execute arbitrary commands on the target
server.
An SQL injection attack becomes possible because of the incorrect processing of incoming data that is used
in SQL queries.
PHP Injection
PHP injection is one of the ways of attacking websites running on PHP; it consists in executing foreign
code on the server side. Potentially dangerous functions are:
* eval(),
* preg_replace() (with the «e» modifier),
* require_once(),
* include_once(),
* include(),
* require(),
* create_function().
PHP injection becomes possible if input parameters are accepted and used without verification.
Remote File Inclusion
Remote File Inclusion (RFI) is a type of vulnerability that allows an attacker to include a remote file on the
server side through a script on the web server. The vulnerability is caused by the use of input data without
proper verification.
Local File Inclusion
Local File Inclusion (LFI) is a type of vulnerability that allows an attacker to include a local file on the
server side through a script on the web server. The vulnerability is caused by the use of input data without
proper verification.
Cross Site Scripting (XSS)
XSS (Cross-Site Scripting) is a type of vulnerability in interactive web information systems. XSS occurs
when pages generated by the server, for whatever reason, come to contain user-supplied scripts. The
specific feature of these attacks is that instead of attacking the server directly, they use the vulnerable
server as a means of attacking the client.
XSS now accounts for about 15% of all vulnerabilities. For a long time programmers did not pay enough
attention to it, considering it harmless. However, this view is mistaken: a page or an HTTP cookie can
contain very sensitive data (e.g. an administrator's session identifier).
By their mechanism of execution, XSS attacks can be divided into active and passive.
Passive XSS means that the script is not stored on the server of the affected site, or that it cannot be
executed automatically in the victim's browser. Triggering a passive XSS requires some additional action
by the victim's browser (for example, following a specially crafted link).
With active XSS, the malicious script is stored on the server and runs in the victim's browser whenever
any page of the infected site is opened.
Cross Site Request Forgery (CSRF)
CSRF (Cross-Site Request Forgery, also known as XSRF) is a kind of attack on the visitors of a web site
that exploits shortcomings of the HTTP protocol. If the victim visits a site created by an attacker, a request
is secretly sent on the victim's behalf to another server (for example, the server of a payment system) that
performs some malicious operation (for example, a transfer of money to the attacker's account). To carry
out this attack, the victim must be logged in to the server to which the request is sent, and the request must
not require any confirmation from the user that the attacking script cannot skip or forge.
One use of CSRF is the exploitation of a passive XSS found on another server. It is also possible to send
e-mail (spam) on behalf of the victim and to change any settings of the user's accounts on other sites (such
as the security question for password recovery).
XML External Entity
XML is a markup language widely used in distributed applications, including web applications. To write
special characters in XML documents, so-called entities are used. A named entity refers to data, usually
text (including special characters). Entities can be divided into the following categories:
- predefined
- internal
- external
Example of a predefined entity: &quot; (the double-quote character). Example of an internal entity:
<!ENTITY pentest "hek"> ... <bla>&pentest;</bla>
External entities refer to third-party files. The XML External Entity attack consists in using external
entities:
<!ENTITY epicwin SYSTEM "file:///etc/passwd">
Fix: prohibit the use of external entities. Note that DOMDocument::loadXML($xml, LIBXML_NOENT)
does not do this: LIBXML_NOENT enables entity substitution, which is exactly what lets the external entity
be resolved. Load the document without that flag, and disable external entity loading with
libxml_disable_entity_loader(true) before calling loadXML($xml) (PHP 8 disables it by default).
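The same two entity declarations from the slide, fed to a parser that expands internal entities but refuses external ones before they can be resolved. This is an added Python example using the standard library's expat bindings, not the vendor's code; the two documents are constructed from the slide's declarations:

```python
import xml.parsers.expat as expat


class ExternalEntityError(ValueError):
    """Raised when a document declares or references an external entity."""


def parse_without_external_entities(document: str) -> dict:
    """Parse XML, expanding predefined and internal entities as usual but
    refusing any external (SYSTEM/PUBLIC) entity before it can be resolved.
    Returns {element name: concatenated text content}."""
    parser = expat.ParserCreate()
    # Never read external parameter entities or an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry replacement text in `value`; external ones
        # carry a SYSTEM or PUBLIC identifier instead. Refuse the latter.
        if system_id is not None or public_id is not None:
            raise ExternalEntityError(f"external entity {name!r} refused")

    def external_ref(context, base, system_id, public_id):
        # Second line of defence: abort if a reference to an external
        # entity is ever reached.
        raise ExternalEntityError("external entity reference refused")

    content = {}
    open_elements = []

    def start(name, attrs):
        open_elements.append(name)
        content.setdefault(name, "")

    def end(name):
        open_elements.pop()

    def chars(data):
        if open_elements:
            content[open_elements[-1]] += data

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(document, True)
    return content


def is_safe_document(document: str) -> bool:
    """True if the document parses without any external entity."""
    try:
        parse_without_external_entities(document)
    except ExternalEntityError:
        return False
    return True


# Constructed documents mirroring the slide's two declarations.
INTERNAL_ENTITY_DOC = '<!DOCTYPE bla [<!ENTITY pentest "hek">]><bla>&pentest;</bla>'
EXTERNAL_ENTITY_DOC = (
    '<!DOCTYPE bla [<!ENTITY epicwin SYSTEM "file:///etc/passwd">]>'
    "<bla>&epicwin;</bla>"
)

if __name__ == "__main__":
    print(parse_without_external_entities(INTERNAL_ENTITY_DOC))  # {'bla': 'hek'}
    print(is_safe_document(EXTERNAL_ENTITY_DOC))                  # False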
Clickjacking
The clickjacking technique consists in creating a special iframe, using CSS and JavaScript, that presents a
fake button. When the user clicks (or automatically, without any user action) the button in the invisible
iframe, a special page with malicious code is loaded. The hidden page can imitate the current one and force
the user to do something he did not intend, for example to re-authenticate, in order to read his login data.
Path Traversal
This attack technique aims to gain access to files, directories and commands that lie outside the web
server's root directory. An attacker can manipulate URL parameters in order to access files or execute
commands located on the web server's file system.
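One resolver that addresses the PHP injection, RFI, LFI and path traversal sections together: it maps a user-supplied page name to a file and refuses anything that carries a URL scheme or NUL byte, is not on the allowlist, or resolves outside the page directory. This is an added Python example, not the vendor's code; the directory layout and the request strings are constructed:

```python
import os
import tempfile
from urllib.parse import unquote


class IncludeRefused(ValueError):
    """The requested page name does not name an allowed local file."""


def resolve_include(base_dir: str, requested: str, allowed=None) -> str:
    """Map a user-supplied page name to a file under base_dir, or refuse it.

    Each check defeats a different trick, so all are applied:
      1. URL-decode once, then reject NUL bytes and URL schemes
         (remote inclusion, null-byte truncation);
      2. optional allowlist of page names (keeps attacker-chosen names
         away from include()-style loaders entirely);
      3. confine the resolved real path to base_dir (../ traversal, symlinks).
    """
    name = unquote(requested)
    if "\x00" in name or "://" in name:
        raise IncludeRefused(f"rejected characters in {requested!r}")
    if allowed is not None and name not in allowed:
        raise IncludeRefused(f"{name!r} is not an allowed page")
    real_base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(real_base, name + ".html"))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise IncludeRefused(f"{name!r} resolves outside the page directory")
    return candidate


def is_allowed_include(base_dir: str, requested: str, allowed=None) -> bool:
    try:
        resolve_include(base_dir, requested, allowed)
    except IncludeRefused:
        return False
    return True


def make_site() -> str:
    """Constructed layout: <tmp>/pages/{about,contact}.html plus a file one
    level up that must never be reachable. Returns the pages directory."""
    root = tempfile.mkdtemp(prefix="site-")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    for page in ("about", "contact"):
        with open(os.path.join(pages, page + ".html"), "w") as fh:
            fh.write(f"<h1>{page}</h1>")
    with open(os.path.join(root, "secret.html"), "w") as fh:
        fh.write("not for inclusion")
    return pages


if __name__ == "__main__":
    pages = make_site()
    for req in ("about", "../secret", "..%2Fsecret", "http://203.0.113.5/x.txt", "about%00"):
        print(f"{req!r:32} -> {is_allowed_include(pages, req)}")
```

The allowlist alone would be enough for a fixed set of pages; the path confinement is kept as well so that a later change to the allowlist (or a symlink dropped into the page directory) cannot silently reopen traversal.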
AXFR
AXFR - disclosure through zone transfer.
The Domain Name System, described in RFC 1034/1035, includes a full zone transfer (AXFR). Typically this
mechanism is used to replicate zone information between servers, but it can also be used to obtain a variety
of information for mass mailings, distributed DoS attacks and other malicious purposes.
The vulnerability stems from the fact that many DNS servers do not restrict AXFR requests.
AXFR data can be used to find mail relays, proxy servers, and hosts with particular operating systems or
applications installed.
When a DNS server receives an AXFR request, it returns all the data it holds for the requested domain. The
assumption is that such a request comes from a DNS server trying to transfer the zone (to replicate the
domain to itself). But if the DNS server is configured incorrectly, any user can gain access to this data.
Very often sites have "secret" subdomains (dev.*, test.*, and the like) for internal use. Typically these
domains have an unsafe configuration (for example, stack traces enabled on the dev domain) or features still
under development.
Information Leakage
These vulnerabilities arise in situations where the server publishes sensitive information, such as developer
comments or error messages, which can be used to compromise the system.
Information Disclosure
Attacks of this class are intended to obtain additional information about the web application. Using these
vulnerabilities, an attacker can determine the distribution and version numbers of the software used by the
client and the server, and the installed updates. In other cases, the leaked information may be the location
of temporary files or backup copies.
HTTP Response Splitting
When exploiting an HTTP Response Splitting vulnerability, an attacker sends the server a specially crafted
request, the response to which is interpreted by the attack target as two different responses. The second
response is completely controlled by the attacker, giving him the opportunity to forge a response from the
server.
If the attack succeeds, an attacker can do the following:
- Cross-Site Scripting.
- Modification of data in a proxy server's cache.
- Inter-user attacks (single user, single page, temporary substitution of the page).
- Interception of pages that contain user data.
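This covers the Clickjacking section above as well as HTTP Response Splitting: a small header builder that sets anti-framing headers unconditionally and refuses any header value containing CR, LF or NUL, checked after URL-decoding, since a `%0d%0a` in a query string is what reaches the header otherwise. This is an added Python example, not the vendor's code; the redirect targets and the cookie value are constructed placeholders:

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

Header = Tuple[str, str]

# CR, LF and NUL are the characters that let a value end one header (or one
# whole response) and start another.
_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """A header name or value contained a control character."""


def add_header(headers: List[Header], name: str, value: str) -> List[Header]:
    """Append one header, refusing anything that could split the response."""
    if _CTL.search(name) or _CTL.search(value):
        raise HeaderInjection(f"control character in header {name!r}")
    headers.append((name, value))
    return headers


def is_splitting_attempt(raw_value: str) -> bool:
    """Detection helper: True if a (URL-encoded) request value decodes to CR/LF/NUL."""
    return _CTL.search(unquote(raw_value)) is not None


def build_response_headers(redirect_to: Optional[str] = None) -> List[Header]:
    """Headers for an application page.

    Anti-framing and cookie flags are set unconditionally; the only value that
    can come from the request (the redirect target) is decoded once and then
    passes through add_header like everything else.
    """
    headers: List[Header] = []
    add_header(headers, "X-Frame-Options", "DENY")
    add_header(headers, "Content-Security-Policy", "frame-ancestors 'none'")
    # SESSION_ID_PLACEHOLDER stands in for a real session identifier.
    add_header(headers, "Set-Cookie",
               "session=SESSION_ID_PLACEHOLDER; HttpOnly; Secure; SameSite=Lax")
    if redirect_to is not None:
        add_header(headers, "Location", unquote(redirect_to))
    return headers


def redirect_accepted(redirect_to: str) -> bool:
    try:
        build_response_headers(redirect_to)
    except HeaderInjection:
        return False
    return True


if __name__ == "__main__":
    print(build_response_headers("/account"))
    print(redirect_accepted("/account%0d%0aSet-Cookie:%20admin=1"))  # False
```

X-Frame-Options covers older browsers and frame-ancestors is the current mechanism; setting both is the usual practice. The HttpOnly flag on the session cookie is what keeps a script injected via XSS from reading the identifier mentioned in the XSS section.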
Credential/Session Prediction
A predictable session ID value allows the capture of other users' sessions. These attacks are carried out by
predicting or guessing the unique identifier of a user's session.
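A session store that serves both the CSRF section above and this one: session identifiers and CSRF tokens are drawn from the operating system's CSPRNG, and state-changing requests are verified with a constant-time comparison. This is an added Python example, not the vendor's code; the in-memory dict stands in for a real session backend and the scenario in simulate() is constructed:

```python
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    """Server-side sessions with unpredictable IDs and per-session CSRF tokens.

    Constructed example: an in-memory dict stands in for a real session backend.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG (about 256 bits): the ID cannot be
        # derived from the user name, the clock, or previously issued IDs,
        # which is what defeats prediction and guessing.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def user(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return None if session is None else session["user"]

    def csrf_token(self, sid: str) -> str:
        """Embedded in forms served to this session; a page on another origin
        cannot read it, so a cross-site form cannot supply it."""
        return self._sessions[sid]["csrf"]

    def verify_state_change(self, sid: str, submitted: Optional[str]) -> bool:
        """Gate for any request that changes state (transfer, settings change).
        The session cookie alone is not enough: the browser attaches it to
        cross-site requests too. The token must match, compared in constant time."""
        session = self._sessions.get(sid)
        if session is None or not submitted:
            return False
        return hmac.compare_digest(session["csrf"].encode(), submitted.encode())

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def simulate(store: SessionStore) -> dict:
    """Constructed scenario: a legitimate form submission versus a forged
    cross-site request that carries the cookie but not the token."""
    sid = store.create("alice")
    legitimate = store.verify_state_change(sid, store.csrf_token(sid))
    forged = store.verify_state_change(sid, None)       # attacker's form: no token
    guessed = store.verify_state_change(sid, "0" * 43)  # attacker's guess
    return {"legitimate": legitimate, "forged": forged, "guessed": guessed}


if __name__ == "__main__":
    print(simulate(SessionStore()))  # {'legitimate': True, 'forged': False, 'guessed': False}
```

The token is stored server-side and bound to the session rather than derived from it, so even a leaked token from one session says nothing about another; destroy() should be called on logout so that neither the ID nor the token survives the session.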
XPath Injection
Injection of XPath operators (XPath injection)
These attacks are directed at web servers that build XPath query language expressions from user input.
XPath 1.0 is designed to give access to parts of an XML document. It can be used directly, or as part of an
XSLT transformation or an XQuery query.
SSI Injection
Attacks of this class allow an attacker to pass executable code which will later be executed on the web
server. The vulnerabilities that make these attacks possible usually result from the absence of validation of
user-supplied data before it is stored in a file interpreted by the server.
Before generating HTML pages, the server can execute scripts, for example Server-Side Includes (SSI). In
certain situations the source code of pages is generated from data supplied by the user. If an attacker sends
SSI directives to the server, he may be able to execute operating system commands or include restricted
content the next time the page is displayed.
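Output encoding neutralises both the XSS case above and the SSI injection case here, because a script tag and an SSI directive are both just markup once escaped. This is an added Python example, not the vendor's code; the comment text is constructed, and the SSI detection pattern (Apache mod_include directive names) is assumed here for illustration:

```python
import html
import re


def render_comment(author: str, body: str) -> str:
    """Render user-supplied text into HTML with context-appropriate encoding:
    html.escape(quote=True) inside an attribute value, html.escape() in a text node."""
    return (
        f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
        f"<p>{html.escape(body)}</p></div>"
    )


# Assumed pattern (Apache mod_include directive names) for detection; adjust
# to the SSI implementation actually deployed.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod)\b", re.I
)


def contains_ssi_directive(text: str) -> bool:
    """Detection helper for submitted content or request logs."""
    return SSI_DIRECTIVE.search(text) is not None


def contains_active_markup(rendered: str) -> bool:
    """True if rendered HTML still carries a raw script tag or SSI directive."""
    return "<script" in rendered.lower() or contains_ssi_directive(rendered)


# Constructed inputs: a stored-XSS style payload, an SSI directive, and an
# attribute break-out in the author field.
XSS_BODY = "<script>alert(document.cookie)</script>"
SSI_BODY = '<!--#exec cmd="id" -->'
ATTR_AUTHOR = '" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment(ATTR_AUTHOR, XSS_BODY))
    print(contains_ssi_directive(SSI_BODY), contains_active_markup(render_comment("eve", SSI_BODY)))
```

Escaping at output time is the mitigation; contains_ssi_directive() is the detection side, useful for flagging submissions before they are written into a file that the server will parse.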
Denial of Service (DoS)
This class of attacks (DoS, Denial of Service) aims to breach the availability of the web server. Usually
denial-of-service attacks are implemented at the network level; however, they can also be directed at the
application layer. Using the functions of the web application, an attacker can deplete critical system
resources, or exploit a vulnerability that causes the system to stop operating.
Typically, DoS attacks aim to exhaust critical system resources such as processing power, memory, disk
space or communication channel bandwidth. If any of these resources reaches its maximum load, the entire
application becomes unavailable.
Attacks may be directed at any of the components of a web application, such as the database server, the
authentication server, etc.
If the attack is carried out simultaneously from a large number of computers, it is called a DDoS attack
(Distributed Denial of Service). In some cases a DDoS-like effect is caused by legitimate activity, for
example the publication of a link to a site (hosted on a not very powerful server) on a popular Internet site
(the Slashdot effect). The large influx of users exceeds the server's capacity, and some of them are denied
service.
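A per-client sliding-window limiter, replayed over a constructed request log, as one application-layer control against the resource exhaustion described above. This is an added Python example, not the vendor's code; the client addresses are taken from the documentation ranges and the timestamps are constructed:

```python
from collections import deque
from typing import Callable, Deque, Dict, Iterable, Tuple


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` requests in any `window` time units.
    The clock is injectable so behaviour can be replayed deterministically;
    in production pass e.g. lambda: int(time.monotonic() * 1000)."""

    def __init__(self, limit: int, window: int, clock: Callable[[], int]) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock
        self._hits: Dict[str, Deque[int]] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        hits = self._hits.setdefault(client, deque())
        # Drop timestamps that have left the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False  # over budget: reject cheaply before doing real work
        hits.append(now)
        return True


def replay(events: Iterable[Tuple[int, str]], limit: int, window: int) -> Dict[str, Tuple[int, int]]:
    """Replay (timestamp_ms, client) events; returns {client: (allowed, rejected)}."""
    now = {"t": 0}
    limiter = SlidingWindowLimiter(limit, window, clock=lambda: now["t"])
    outcome: Dict[str, Tuple[int, int]] = {}
    for t, client in events:
        now["t"] = t
        allowed, rejected = outcome.get(client, (0, 0))
        if limiter.allow(client):
            allowed += 1
        else:
            rejected += 1
        outcome[client] = (allowed, rejected)
    return outcome


# Constructed request log (milliseconds): one client hits an expensive
# endpoint ten times within a second, another sends a single request, then
# the first client returns after part of its window has expired.
SAMPLE_EVENTS = (
    [(100 * i, "198.51.100.7") for i in range(10)]
    + [(500, "203.0.113.9"), (1200, "198.51.100.7")]
)

if __name__ == "__main__":
    # {'198.51.100.7': (6, 5), '203.0.113.9': (1, 0)}
    print(replay(SAMPLE_EVENTS, limit=5, window=1000))
```

With a limit of 5 per 1000 ms the heavy client gets its first five requests through, the next five are rejected, and the request at 1200 ms is admitted again because three of the earlier timestamps have aged out; the single request from the other client is unaffected, which is the point of keying the budget per client.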
The level of compliance:
- professional specialist
- critical data, high traffic, payment systems
- from 30 days
- instrumental analysis
- manual analysis
- social engineering
- we study the web environment
- we study the web server
- we investigate all related infrastructure
- surface vulnerabilities
- typical vulnerabilities
- architectural vulnerabilities
- conceptual vulnerabilities
- 2-4 employees
- detailed report
- recommendations
- compliance management
- removing vulnerabilities