Penetration testing (pentest) is one of the most widely requested services in information security. The essence of the work is an authorized attempt to circumvent the existing set of protections of an information system. During testing, the auditor plays the role of an attacker motivated to breach the customer's network security. As a rule, the protections of the corporate network are subjected to intensive technical verification, but depending on the agreed conditions other security aspects can be assessed as well, for example the level of user awareness. The penetration testing process models the real actions of an attacker: finding vulnerabilities and then exploiting them. A penetration test gives you an independent assessment and an expert opinion on the state of protection of confidential information. Based on the results we prepare a detailed report, which lets you not only learn the level of protection of confidential data but also receive specific recommendations for addressing the identified threats to information security. During a penetration test, attempts are made to exploit vulnerabilities of the information system (in other words, to penetrate it). When such attempts succeed, they demonstrate convincingly that penetration is possible and identify weaknesses in information security. This in turn lets us separate the critical security problems that require immediate attention from those that pose less of a threat.

Our working process:

Types of vulnerabilities:

SQL Injection
SQL injection is one of the most common ways of attacking websites and programs that work with databases; it is based on injecting arbitrary SQL code into a query. Depending on the type of database and the conditions of the injection, it may allow an attacker to execute arbitrary queries against the database (for example, read the contents of any table, or delete, edit or add data), read and/or write local files, and execute arbitrary commands on the target server. SQL injection attacks become possible because of incorrect processing of incoming data that is used in SQL queries.

PHP Injection
PHP injection is a way of attacking websites running on PHP that consists in executing foreign code on the server side. Potentially dangerous functions are:
* eval()
* preg_replace() (with the "e" modifier)
* require_once()
* include_once()
* include()
* require()
* create_function()
PHP injection becomes possible if input parameters are accepted and used without validation.

Remote File Inclusion
Remote File Inclusion (RFI) is a type of vulnerability that allows an attacker to include a remote file on the server side through a script on the web server. The vulnerability is caused by using input data without proper validation.

Local File Inclusion
Local File Inclusion (LFI) is a type of vulnerability that allows an attacker to include a local file on the server side through a script on the web server. The vulnerability is caused by using input data without proper validation.

Cross Site Scripting (XSS)
XSS (Cross-Site Scripting) is a type of vulnerability of interactive information systems on the web. XSS occurs when user-supplied scripts, for whatever reason, end up in the pages generated by the server. The specific feature of these attacks is that instead of attacking the server directly, they use the vulnerable server as a means of attacking the client. XSS currently accounts for about 15% of all vulnerabilities. For a long time programmers did not pay enough attention to them, considering them harmless.
However, this view is mistaken: a page or an HTTP cookie can contain very sensitive data (for example, an administrator's session identifier). By the mechanism of execution, XSS attacks can be divided into active and passive. Passive XSS means that the script is not stored on the server of the affected site, or cannot be executed automatically in the victim's browser. Triggering a passive XSS requires some additional action by the victim's browser (for example, following a specially crafted link). With active XSS, the malicious script is stored on the server and runs in the victim's browser whenever any page of the infected site is opened.

Cross Site Request Forgery (CSRF)
CSRF (Cross-Site Request Forgery, also known as XSRF) is a kind of attack on website visitors that exploits shortcomings of the HTTP protocol. If the victim visits a site created by the attacker, a request is secretly sent on the victim's behalf to another server (for example, the server of a payment system), carrying out some malicious operation (for example, transferring money to the attacker's account). To carry out this attack, the victim must be authenticated on the server to which the request is sent, and the request must not require any confirmation from the user that the attacking script could not ignore or forge. One use of CSRF is to exploit a passive XSS found on another server. It can also be used to send e-mail (spam) on the victim's behalf and to change any settings of the user's accounts on other sites (such as the security question for password recovery).

XML External Entity
XML is a markup language widely used in distributed applications, including web applications. To write special characters in XML documents, so-called entities are used. Named entities usually denote text data (including special characters). Entities can be divided into the following categories:
- predefined
- internal
- external

XML eXternal Entity attack. Example of a predefined entity: &quot; (the double quote character). Example of an internal entity:
<!ENTITY pentest "hek"> ... <bla>&pentest;</bla>
External entities refer to third-party files. The XML eXternal Entity attack consists in using external entities:
<!ENTITY epicwin SYSTEM "file:///etc/passwd">
Fix: prohibit the use of external entities. Note that DOMDocument::loadXML($xml, LIBXML_NOENT) does not do this: LIBXML_NOENT turns entity substitution on, which is precisely the setting the attack needs. Parse untrusted XML without that flag (DOMDocument::loadXML($xml)) and, on PHP versions before 8.0, call libxml_disable_entity_loader(true) first; PHP 8.0 and later do not load external entities by default.

Clickjacking
The clickjacking technique consists in creating a special iFrame with CSS and JavaScript that produces a fake button. When the button is pressed (or automatically, without user action), a special page with malicious code is loaded in the invisible iframe. The hidden page may imitate the current one and force the user to do something he did not intend, for example to re-authenticate, in order to capture his credentials.

Path Traversal
This attack technique is aimed at gaining access to files, directories and commands located outside the web server's root directory. An attacker can manipulate URL parameters in order to access files or execute commands located in the web server's file system.

AXFR
AXFR: zone transfer disclosure. The Domain Name System is described in RFC 1034/1035; the specification includes a full zone transfer (AXFR). Normally this mechanism is used to replicate zone information between servers, but it can also be used to collect information for mass mailings, distributed DoS attacks and other malicious purposes. The vulnerability stems from the fact that many DNS servers do not restrict AXFR requests. Zone transfer data can be used to find mail relays, proxy servers, and hosts with particular operating systems or applications installed. When a DNS server receives an AXFR request, it returns all the data it knows for the requested domain.
It is assumed that such a request comes from a DNS server that is trying to replicate the zone (transfer the domain to itself). But if the DNS server is configured incorrectly, any user can gain access to this data. Very often sites have "secret" subdomains (dev.*, test.* and the like) for internal use. Typically these domains have an unsafe configuration (a stack trace enabled on a dev domain, for example) or features still under development.

Information Leakage
These vulnerabilities arise when the server publishes important information, such as developer comments or error messages, that can be used to compromise the system.

Information Disclosure
Attacks of this class are intended to obtain additional information about the web application. Using these vulnerabilities, an attacker can determine the distribution in use, the version numbers of client and server software, and the installed updates. In other cases the leaked information may be the location of temporary files or backup copies.

HTTP Response Splitting
When exploiting an HTTP Response Splitting vulnerability, an attacker sends the server a specially crafted request, whose response is interpreted by the target of the attack as two different responses. The second response is completely controlled by the attacker, giving him the opportunity to forge a response from the server. As a result of a successful attack, an attacker can do the following:
- Cross-Site Scripting.
- Modification of data in a proxy server's cache.
- Cross-user attacks (single user, single page, temporary substitution of the page).
- Interception of pages that contain user data.

Credential/Session Prediction
A predictable session ID value allows an attacker to hijack other users' sessions. These attacks are carried out by predicting or guessing the unique identifier of a user's session.

XPath Injection
XPath injection attacks are directed at web servers that build XPath queries from user input. XPath 1.0 is designed to provide access to parts of an XML document. It can be used directly or as part of an XSLT transformation or an XQuery query.

SSI Injection
Attacks of this class allow an attacker to pass executable code that will later be executed on the web server. The vulnerabilities that make these attacks possible usually result from a lack of validation of user-supplied data before it is stored in a file interpreted by the server. Before generating an HTML page, the server may execute scripts, for example Server-Side Includes (SSI). In certain situations the source code of pages is generated from data provided by the user. If an attacker sends SSI directives to the server, he may be able to execute operating system commands or include restricted content the next time the page is displayed.

Denial of Service (DoS)
This class of attacks aims at breaching the availability of the web server. Usually denial of service attacks are carried out at the network level, but they can also be directed at the application layer. Using the functions of a web application, an attacker can exhaust critical system resources, or exploit a vulnerability that leads to the system ceasing to operate. Typically DoS attacks are aimed at exhausting critical system resources such as processing power, memory, disk space or communication channel bandwidth. If any of these resources reaches its maximum load, the whole application becomes unavailable. Attacks may be directed at any component of a web application, such as the database server, the authentication server, etc. If the attack is carried out simultaneously from a large number of computers, it is called a DDoS attack (Distributed Denial of Service).
In some cases a DDoS-like effect is caused by legitimate activity, for example when a link to a site hosted on a not very powerful server is published on a popular Internet site (the Slashdot effect). The large influx of users overloads the server and some of them are denied service.

Level: professional specialist
- Suitable for: critical data, high traffic, payment systems
- Duration: from 30 days
- Methods: instrumental analysis, manual analysis, social engineering
- Scope: the web environment, the web server, all related infrastructure
- Vulnerabilities covered: surface vulnerabilities, typical vulnerabilities, architectural vulnerabilities, conceptual vulnerabilities
- Team: 2-4 specialists
- Deliverables: detailed report, recommendations, compliance management, removal of vulnerabilities
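The XXE hardening described in the XML External Entity section above, as an added PHP example (not the page's own code): it parses untrusted XML with DOMDocument without LIBXML_NOENT, disables the external entity loader on PHP versions before 8.0, and rejects any DOCTYPE outright; the sample payload is constructed for illustration.

```php
<?php
declare(strict_types=1);
// Parse untrusted XML so that entity declarations such as
// <!ENTITY epicwin SYSTEM "file:///etc/passwd"> are never resolved.
// Throws on malformed input or when the document carries a DOCTYPE.
function parseUntrustedXml(string $xml): DOMDocument
{
    // Both internal and external entity declarations live in the DTD, so
    // untrusted input has no legitimate reason to carry a DOCTYPE at all.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE is not allowed in untrusted XML');
    }

    // PHP < 8.0 loads external entities unless told otherwise; PHP 8.0+
    // already has the loader off by default and deprecates this call.
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // Do NOT pass LIBXML_NOENT: that flag turns entity substitution ON, which is
    // the setting an XXE payload needs. LIBXML_NONET forbids network access
    // during parsing as an additional safeguard.
    $ok = $doc->loadXML($xml, LIBXML_NONET);

    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($ok === false) {
        $message = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException('Malformed XML: ' . $message);
    }
    return $doc;
}

// Constructed sample input: a payload of the shape shown in the XXE section.
// It is rejected before the parser ever sees the entity declaration.
$payload = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY epicwin SYSTEM "file:///etc/passwd">]>'
         . '<bla>&epicwin;</bla>';
try {
    parseUntrustedXml($payload);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
// Benign input parses as usual.
$doc = parseUntrustedXml('<bla>hek</bla>');
echo $doc->documentElement->textContent, PHP_EOL;
```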