Penetration Testing Scope Factors




NZ PAPER: LINUX AND WEB APPLICATION SECURITY
Penetration Testing Scope Factors
April 20, 2013
Zeeshan Khan
NZPAPER.BLOGSPOT.COM

Abstract: This paper contains the key points of penetration testing. All the points defined here must be treated properly. Maximizing security in the areas defined here can minimize the overall security risk.

Keywords: Penetration Testing, Security

Introduction

This article discusses the factors that are investigated during the pen-testing process. We will try to point out how to make each of these points as secure as possible, so that an attacker gets the minimum possible information about our system. We will mostly discuss them from a website perspective.

Web Application Discovery

This is when an attacker finds useful information about our website. For example, we don't want others to know about our subdomain mail.example.com, as it gives the attacker a separate scope for testing. Or, if we keep the same content at example.com/mail, we should make an entry in the robots.txt file as soon as we create a sensitive directory like this one. More precisely, prevent access to all areas of your website that you don't want others to reach. The most applicable way is to configure the server for URL redirection, which hides the actual URL locations of sensitive directories. This way, we can keep black-hat hackers from seeing the sensitive areas of the website.

Open Ports with Default Services

Generally speaking, a service running on a port is accessible in IP:Port format. We can check this by entering it in a browser. The more open ports you have on your system, the more opportunities attackers have to penetrate it. As each port has a service running on it, it is better to change or spoof the service identification banner to avoid exposing the exact type and version of the service software currently in use. No port should be left with unattended installations, unattended services, or services you don't use and update regularly.

Search Engines

Pen-testers reveal a lot of information about your website by using search engines. They do it with special advanced search operators, such as Google commands. Attackers can reveal information about your sensitive files, directories, server misconfiguration, URL structure, cached pages and so on. You have to understand each of these areas and make sure to protect against search engine discovery of the items listed above.

Known Web Apps on the Server

Attackers investigate all the known web apps (CMS) on a server, so that they can easily attack any discovered CMS with known flaws. They can exploit anything from low-level vulnerabilities to high-level risks. By hiding the banners of these CMSs, we can keep each of them from being discovered by attackers.
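The checks below are an added example, not code from the original paper: a small Python audit of your own site for the disclosures discussed in the Web Application Discovery, Open Ports and Known Web Apps sections. Because robots.txt is publicly readable, it lists sensitive Disallow paths so that each can be backed by real access control or redirection; the sample banners, headers, HTML and the SENSITIVE_WORDS keyword list are constructed assumptions.

```python
import re

# Product name followed by a dotted version, e.g. "Apache/2.4.7", "OpenSSH_7.4".
VERSION_RE = re.compile(r"[A-Za-z][\w.+-]*[/_ ]v?\d+(?:\.\d+)+\w*")
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)["\']', re.I)
# Assumed keyword list for sensitive paths; adjust it to your own site.
SENSITIVE_WORDS = ("admin", "mail", "backup", "private", "config")

def audit_banners(banners):
    """Return sorted ports whose service banner names a product and version."""
    return sorted(p for p, b in banners.items() if VERSION_RE.search(b))

def audit_headers(headers):
    """Return HTTP response headers that disclose a server or framework version."""
    watched = ("server", "x-powered-by")
    return {k: v for k, v in headers.items()
            if k.lower() in watched and VERSION_RE.search(v)}

def audit_generator(html):
    """Return the CMS string advertised in a meta generator tag, or None."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None

def audit_robots(robots_txt):
    """Return Disallow paths that name sensitive areas (robots.txt is public)."""
    hits = []
    for line in robots_txt.splitlines():
        field, _, value = line.partition(":")
        path = value.split("#")[0].strip()
        if field.strip().lower() == "disallow" and any(
                w in path.lower() for w in SENSITIVE_WORDS):
            hits.append(path)
    return hits

# Constructed sample data standing in for what your own server returns.
SAMPLE_BANNERS = {21: "220 FTP server ready", 22: "SSH-2.0-OpenSSH_7.4",
                  25: "220 mail.example.com ESMTP Postfix 2.11.0"}
SAMPLE_HEADERS = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.5.9",
                  "Content-Type": "text/html"}
SAMPLE_HTML = '<head><meta name="generator" content="WordPress 4.9.8"></head>'
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /mail/\nDisallow: /images/\n"

if __name__ == "__main__":
    print("ports with versioned banners:", audit_banners(SAMPLE_BANNERS))
    print("versioned headers:", audit_headers(SAMPLE_HEADERS))
    print("CMS generator tag:", audit_generator(SAMPLE_HTML))
    print("sensitive robots.txt entries:", audit_robots(SAMPLE_ROBOTS))
```

A banner that carries only the protocol version, such as "SSH-2.0-Server", is not flagged, which is the state the banner-hiding advice above aims for.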

The above is a list of possible but important factors that are heavily pen-tested by attackers. These are the factors investigated by real pen-testers to break into target systems. With a little effort, it is possible to avoid most information disclosure in each of the above areas of the system.

Conclusion

Identifying the scope of pen-testing enables you to know the key areas of the pen-testing process. Carefully point out the components being treated and take appropriate actions to ensure maximum security. The better you assess the scope of pen-testing, the more potential vulnerabilities you are able to eliminate.
