Application Penetration Test – Student Loan Genius


Application Penetration Test – ExampleCo – Important Web App

December 12, 2018

Page 2 of 28

Contents

1. Executive Summary
   Company Background
   Assumptions and Constraints
   Objectives and Scope
   Findings Rating Methodology
   Application Rating Methodology
   Findings Summary
   Conclusion
   Project Team
2. Detailed Analysis and Breakdown
   Detailed Conclusion
   Detailed Findings Table
   Reconnaissance
   Finding Details
      Critical Risk Findings
      High Risk Findings
      Medium Risk Findings
      Low Risk Findings
      Informational Risk Findings
3. Methodology
   Tools and Technology
   Goals and Objectives


1. Executive Summary

Founded in 2018 and headquartered in Austin, TX, ExampleCo provides business critical network and web application assets to commercial and government clients. ExampleCo contracted with VantagePoint to perform a web application-oriented penetration test against a defined environment to assist in discovering flaws and weaknesses. Testing was performed per industry best practices and focused upon the Open Web Application Security Project’s (OWASP) top vulnerabilities which represent industry consensus on the most critical security risks to web applications along with general security best practices testing. The test against the client provided environment occurred between December 4th and December 12th, 2018.

The purpose of this test was to perform an application level, authenticated assessment of an environment emulating the internet-facing equivalent hosts provided as part of the scope of this engagement, with the goal to evaluate existing security controls and measures, and to provide recommendations for improvement. Based on this objective, VantagePoint has concluded that some gaps in security coverage do exist, and the Important Web App application received an overall grade of B. Areas of improvement have been identified, and ExampleCo should formulate a remediation plan to mitigate findings uncovered during the assessment.

Company Background

VantagePoint Consulting provides the experts you need to enhance your security posture, reduce your risk, and facilitate compliance efforts. Our team of consultants are seasoned, highly certified security and compliance veterans that are committed to customer success and ensuring that our customers’ security and compliance goals are met or exceeded. Our services span the spectrum of Information Security and Compliance from security strategy and governance, to technical testing, and compliance readiness. Our many years of experience and sole focus on customer success make us a valuable partner for any company.

Assumptions and Constraints

The project scope, as defined in the Statement of Work, outlines the depth of these evaluation activities. The security assessment was conducted in a manner designed to be as thorough as possible. All scans were performed with “safe checks enabled”. Potentially destructive tests, such as Denial of Service (DoS) attacks, were not performed. However, given the nature of the security tests, system availability can be, and sometimes is, affected.

Manual testing was performed to provide a deep-dive analysis and validate automated scan results. Nevertheless, some documented vulnerabilities may be false positives. Likewise, existing vulnerabilities may not have been reported due to limitations in testing tools, time boundaries, deltas between the tested systems and the production environment, and/or limitation in scope.


VantagePoint believes the statements made in this document provide an accurate assessment of ExampleCo’s current security as it relates to the scope of the assessment. As environments change and new vulnerabilities are made public, an organization’s overall security posture will change, and such changes may affect the validity of this assessment. The findings described in this report therefore represent a “snapshot” in time.

Objectives and Scope

Prior to testing, ExampleCo provided VantagePoint with an application URL and corresponding user credentials. The scope of the penetration test was limited to this URL, and other services running on this host. The penetration test was conducted from two views. First, as an unauthenticated attacker and second, as an authenticated user. The URL is listed below:

• https://www.examplecoapp.com/

Account        Permissions
Exampleadmin1  Administrator
Exampleadmin2  Administrator
Exampleuser1   User
Exampleuser2   User

Using a mixture of techniques and scanning tools, this URL was assessed for occurrences of the published top vulnerabilities:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfigurations
7. Cross Site Scripting (XSS)
8. Missing Function Level Access Control
9. Insecure Deserialization
10. Insufficient Logging and Monitoring
11. Insecure Direct Object References
12. Cross-Site Request Forgery (CSRF)
13. Unvalidated Redirects and Forwards
14. Components with Known Vulnerabilities

Findings Rating Methodology

VantagePoint determines the risk posed by vulnerabilities based on three main criteria: risk to users, risk to infrastructure, and attack complexity.


Risk to users is how a vulnerability may impact users of the application and their data. Low risk issues may only affect single users or non-critical data, while high risk vulnerabilities may be able to easily compromise data on large numbers of users, or highly sensitive data such as payment card information.

Risk to infrastructure measures the impact of a vulnerability to the hardware and network the application runs on. Low risk findings could involve possible service impacts given a large-scale denial of service attack, which VantagePoint would not simulate. High risk vulnerabilities would include flaws that would allow an attacker to execute code on the server, or an easily triggered denial of service condition.

Attack Complexity gauges how difficult it would be for an attacker to execute an attack against users or infrastructure. Some attacks require specific conditions to be met, such as a particular network posture (for example, the ability to man-in-the-middle a victim) or access to a prohibitively large amount of computing resources. A higher attack complexity will lower the risk of a finding.

The overall risk rating for the finding is a sum of the above criteria to give an overall risk posed by the vulnerability. This gives an at-a-glance indication of the risk posed to your organization to help easily understand the issue and prioritize remediation efforts.

Application Rating Methodology

Current Application Risk: B

Severity Risk

D The application contains security flaws that require immediate remediation and pose a severe risk to users or infrastructure. Vulnerabilities are easy to exploit over the network and lead to significant compromise of user data or the ability to gain access to underlying infrastructure, likely without any form of authentication. Multiple vulnerabilities in the same functionality of the application, or attacks that can be chained together may increase the overall risk posed by the application.

C High risk applications contain security flaws which should receive priority attention. These flaws can be directly exploited to attack users or infrastructure; however, some constraints may impact the ease of attack. Authentication or a specific network posture may be necessary to exploit the vulnerabilities. Multiple vulnerabilities in the same functionality of the application, or attacks that can be chained together may increase the overall risk posed by the application.


B Medium risk applications do not contain major security flaws but may contain issues which should be considered for remediation in the near future. Vulnerabilities may present limited vectors for attack or may pose significant difficulty for an attacker to successfully exploit. Multiple vulnerabilities in the same functionality of the application, or attacks that can be chained together may increase the overall risk posed by the application.

A Low risk applications present a limited attack surface and contain no significantly exploitable flaws; however, some security best practices may not be followed.

A+ The application was found to contain no major security flaws, and adheres strongly to industry best practices for security.

Findings Summary

Severity       Identified  Remediated  Remaining
Critical       0           0           0
High           0           0           0
Medium         2           0           2
Low            7           0           7
Informational  3           0           3
Totals         12          0           12

Conclusion

VantagePoint has successfully completed the application assessment of the URL defined in the scope. Overall, VantagePoint has found the security controls in place within scope of the assessment to be lacking in some areas, and a few gaps exist.

We recommend that the issues contained in this report be evaluated and a remediation plan formed. We would like to thank ExampleCo for their assistance in making the assessment go smoothly and for the opportunity to help the organization assess and improve their security posture.


Project Team

The following team members were involved in this assessment:

Team Member   Role                                Contact Information
Rohan Kotian  Project Manager                     [email protected]
Colin Szost   Penetration Tester / Report Writer  [email protected]

2. Detailed Analysis and Breakdown

Detailed Conclusion

VantagePoint has successfully completed the application assessment of the URL defined in the scope. Overall, VantagePoint has found the security controls in place within scope of the assessment to be lacking in some areas, and some gaps exist.

Most notably, the application does not enforce a password history, which can allow users to reset their password to the same they previously used, even if regular password changes are enforced, making it easier for attackers to compromise accounts.

The application also did not scan uploaded files for viruses. This can allow attackers to store malicious files and try to trick users into downloading them. Additionally, since the application can process files, vulnerabilities in the way the application parses and handles files can give attackers an avenue to attack the underlying server itself.

Beyond these medium risk vulnerabilities, VantagePoint noted a number of other minor flaws and configurations that deviate from security best practices. Most notably, the REST API appears to use separate session management functionality, leaving it vulnerable to some issues the web interface handles properly. Having separate session management functionality increases complexity and leaves room for mistakes. Fixing these issues will help reduce the application’s attack surface and will make it harder for attackers to exploit existing or unfixed vulnerabilities. There is room to take a more layered approach to security and shore up weaknesses by adhering more strongly to application hardening best practices and keeping software up to date.

We recommend that the issues contained in this report be evaluated and a remediation plan formed. We would like to thank ExampleCo for their assistance in making the assessment go smoothly and for the opportunity to help the organization assess and improve their security posture.


Detailed Findings Table

Severity: MEDIUM

ID# Description
1. No Password History Enforced
2. Uploaded Files Are Not Virus Scanned

Severity: LOW

ID# Description
3. Application Does Not Define A Content Security Policy
4. Sensitive Data Returned by The Server
5. ViewState Unencrypted
6. DOM-Based Cross-Site Scripting
7. Excessive Session Timeout
8. Ineffective Logout Functionality
9. Weak Password Policy

Severity: Informational

ID# Description
10. Wildcard Certificate Exposes Potential Certificate Forgery
11. Outdated JavaScript Resources
12. Concurrent Logins Allowed

Reconnaissance

Host: www.examplecoapp.com
IP Address: 1.2.3.4
Ports: 80/tcp, 443/tcp, 8080/tcp
Server: Microsoft-IIS
Session Cookie: ExampleAuth

Finding Details

Critical Risk Findings

None

High Risk Findings

None


Medium Risk Findings

Issue ID #1 No Password History Enforced

Attributes
Overall Risk: Medium
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Low

Description VantagePoint discovered that during a password reset, it is possible to change an account’s password to a recently used value. This goes against best practices for password changes. For example:

• If periodic password changes are required, users can simply change their passwords back to the previously used password. This not only artificially extends the lifetime of user passwords but also increases the likelihood that users will reuse passwords from other, less secure applications.

As a result, this increases the likelihood of an attacker guessing or otherwise discovering a user’s password.

Affected Location

https://www.examplecoapp.com/passwordReset

Test Method Log in and navigate to the link listed under Affected Location. Change the password to a new value, then log out and back in to demonstrate it has successfully been changed. Next, change the password back to the previous value. Log in again to verify that no password history is enforced.

Remediation Maintain a previously used password history of at least the six most recent passwords. The history should contain hashes of previously used passwords and not the passwords themselves. Leverage this to prevent users from using a previously set password. Also, limit the number of allowed password changes to one or two per day.

References
1. Authentication Cheat Sheet
   • https://www.owasp.org/index.php/Authentication_Cheat_Sheet
2. Testing for Weak password policy
   • https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)


Issue ID #2 Uploaded Files Are Not Virus Scanned

Attributes
Overall Risk: Medium
User Risk: Low
Infrastructure Risk: Low
Attack Complexity: Low

Description The application provides the capability for users to upload files. However, uploaded files are not scanned for viruses or malicious content, potentially allowing users to store malware or other malicious files in the application. During the engagement, VantagePoint was able to upload the EICAR virus test file, which is an innocuous file that will be flagged by virus scanners. It was possible to then download the uploaded test file, indicating that no virus scanning is being performed by the server. As the application also has the ability to process various file types, an attacker may also be able to target the application itself through malicious files if vulnerabilities exist within file parsers.

Affected Location

https://www.examplecoapp.com/fileUpload

Evidence

Figure 1 – The EICAR test file is uploaded to the server.


Figure 2 – The EICAR test file is returned by the server.

Remediation Enable virus scanning of all user uploaded files to reduce the risk of malicious files being stored by the application.

References • https://www.owasp.org/index.php/Unrestricted_File_Upload
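The remediation above asks for every upload to be scanned before it is stored. The following Python is an added example, not code from the report or from the application, showing one way to wire that in: the upload is staged in a quarantine directory, handed to a scanner, and only promoted to the file store on a clean verdict. The scanner speaks clamd's INSTREAM protocol (assumed to be listening on 127.0.0.1:3310 in production); FakeClamdSocket is a constructed offline stand-in that answers like clamd does for the EICAR test string the testers used, so the block runs without a daemon.

```python
import hashlib
import os
import shutil
import socket
import struct
import tempfile
from typing import Callable, Tuple

# The public EICAR test string, which any AV engine flags; used here as sample input only.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
STREAM_END = struct.pack("!I", 0)   # a zero-length chunk ends an INSTREAM upload


def clamd_instream_scan(sock, data: bytes, chunk_size: int = 8192) -> Tuple[bool, str]:
    """Send bytes to clamd's INSTREAM command over a connected socket and parse the verdict.
    Returns (clean, verdict_text). Assumes a clamd listener; FakeClamdSocket stands in offline."""
    sock.sendall(b"zINSTREAM\0")
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)   # 4-byte big-endian length prefix
    sock.sendall(STREAM_END)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:
            break
        reply += part
    verdict = reply.rstrip(b"\0").decode("utf-8", errors="replace")
    return verdict.endswith("OK"), verdict


def scan_with_clamd(data: bytes, host: str = "127.0.0.1", port: int = 3310) -> Tuple[bool, str]:
    """Production scanner: connect to a real clamd (assumed to be listening on host:port)."""
    with socket.create_connection((host, port), timeout=30) as sock:
        return clamd_instream_scan(sock, data)


class FakeClamdSocket:
    """Constructed offline stand-in that answers like clamd: FOUND for EICAR, OK otherwise."""

    def __init__(self):
        self.received = b""
        self.reply = b""

    def sendall(self, payload: bytes) -> None:
        self.received += payload
        if payload == STREAM_END:              # only the terminator is exactly four zero bytes
            body = self.received[len(b"zINSTREAM\0"):]
            self.reply = (b"stream: Eicar-Test-Signature FOUND\0" if EICAR in body
                          else b"stream: OK\0")

    def recv(self, size: int) -> bytes:
        chunk, self.reply = self.reply[:size], self.reply[size:]
        return chunk


def handle_upload(filename: str, data: bytes, scan: Callable[[bytes], Tuple[bool, str]],
                  store_dir: str) -> Tuple[bool, str]:
    """Stage the upload in quarantine, scan it, and move it into the store only on a clean verdict."""
    digest = hashlib.sha256(data).hexdigest()
    quarantine = tempfile.mkdtemp(prefix="upload-quarantine-")
    staged = os.path.join(quarantine, digest)
    try:
        with open(staged, "wb") as fh:
            fh.write(data)
        clean, verdict = scan(data)
        if not clean:
            return False, f"rejected {filename}: {verdict}"   # the file never reaches the store
        os.makedirs(store_dir, exist_ok=True)
        shutil.move(staged, os.path.join(store_dir, digest))
        return True, f"stored {filename} as {digest}"
    finally:
        shutil.rmtree(quarantine, ignore_errors=True)      # the staged copy is gone either way


def demo() -> Tuple[bool, str, bool, bool]:
    """Run both cases against the offline fake; returns (eicar_ok, eicar_msg, clean_ok, clean_stored)."""
    store = tempfile.mkdtemp(prefix="upload-store-")
    scan = lambda payload: clamd_instream_scan(FakeClamdSocket(), payload)
    eicar_ok, eicar_msg = handle_upload("eicar.com", EICAR, scan, store)
    clean_ok, _ = handle_upload("notes.txt", b"quarterly figures", scan, store)
    stored = os.path.exists(os.path.join(store, hashlib.sha256(b"quarterly figures").hexdigest()))
    shutil.rmtree(store, ignore_errors=True)
    return eicar_ok, eicar_msg, clean_ok, stored


if __name__ == "__main__":
    print(demo())
```

Swapping the lambda in demo() for scan_with_clamd is the only change needed to use a real daemon; the quarantine-then-promote ordering is what prevents a malicious file from ever being downloadable, even briefly, while the scan is still running.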


Low Risk Findings

Issue ID #3 Application Does Not Define A Content Security Policy

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description The application does not include a "Content-Security-Policy" (CSP) header in responses. The inclusion of this HTTP header lets the application define a whitelist of trusted sources and or source types from which the browser can include as content. A CSP header can reduce the impact of attacks such as Cross-Site Scripting by preventing an attacker from utilizing malicious JavaScript code hosted on another domain.

Affected Locations

https://www.examplecoapp.com/

Evidence

Figure 3 – The server does not include a CSP header in responses.

Remediation Configure the server to include a “Content-Security-Policy” HTTP header in responses, for example:

Content-Security-Policy: default-src 'self';

The above example CSP header will provide basic protections (note that the self keyword must be quoted; unquoted, self is read as a host name), but the header can restrict or allow several different sources and source types. Further documentation can be found in the references section below.

References
1. https://www.owasp.org/index.php/Content_Security_Policy
2. https://www.w3.org/TR/CSP/
3. https://www.html5rocks.com/en/tutorials/security/content-security-policy/
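A CSP header only helps when it is present and well-formed, and the most common mistakes (a missing default-src, an unquoted keyword such as self, 'unsafe-inline' in script-src, or a bare wildcard) are easy to check for. The following Python is an added example, not code from the report or from the application: a small parser and checker for the Content-Security-Policy value that can be run over a response's headers. The function names and the set of checks are the editor's assumptions, not a complete CSP validator.

```python
from typing import Dict, List

# Keywords that CSP requires in single quotes; unquoted, "self" is read as a host name.
QUOTED_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic", "report-sample"}
FETCH_DIRECTIVES = {"default-src", "script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "frame-src", "media-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Check a CSP value for the gaps a reviewer would flag; an empty list means no issue found."""
    if not header or not header.strip():
        return ["no Content-Security-Policy header present"]
    policy = parse_csp(header)
    problems: List[str] = []
    if "default-src" not in policy:
        problems.append("default-src missing: any fetch directive not listed falls back to allowing everything")
    for name, sources in policy.items():
        if name in FETCH_DIRECTIVES and not sources:
            problems.append(f"{name}: empty source list")
        for src in sources:
            quoted = len(src) > 1 and src.startswith("'") and src.endswith("'")
            bare = src.strip("'").lower()
            if bare in QUOTED_KEYWORDS and not quoted:
                problems.append(f"{name}: {src} must be written '{bare}'; unquoted it matches a host named {src}")
            if bare in {"unsafe-inline", "unsafe-eval"} and name in {"default-src", "script-src"}:
                problems.append(f"{name}: '{bare}' allows injected script to run")
            if src == "*" or src in {"http:", "https:"}:
                problems.append(f"{name}: {src} allows any origin")
    return problems


def check_response_headers(headers: Dict[str, str]) -> List[str]:
    """Apply csp_findings to a response's header map; header names are matched case-insensitively."""
    value = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), "")
    return csp_findings(value)


if __name__ == "__main__":
    # Constructed sample: the header as the report's remediation shows it, with self unquoted.
    for problem in check_response_headers({"Content-Security-Policy": "default-src self;"}):
        print(problem)
```

Running the checker against the application's responses during retesting confirms both that the header was added and that it says what the remediation intended.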


Issue ID #4 Sensitive Data Returned by The Server

Attributes
Overall Risk: Low
User Risk: Low
Infrastructure Risk: None
Attack Complexity: Low

Description The application includes functionality to store passwords under the “Sensitive Information” section. This information is stored in plain text and returned by the application.

This functionality is protected through user permissions, but further precautions should be considered to protect sensitive information.

Affected Locations

https://www.examplecoapp.com/sensitiveInfo

Evidence

Figure 4 – The application returns sensitive data unmasked.

Remediation Consider how necessary it is to return sensitive information to users and consider only allowing users to overwrite data instead of being able to view them directly.

References • https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet


Issue ID #5 ViewState Unencrypted

Attributes
Overall Risk: Low
User Risk: Low
Infrastructure Risk: None
Attack Complexity: Low

Description The ASP.NET ViewState can provide helpful functionality to a web application, including transmitting form data, CSRF protection and other features. Including data in the ViewState can introduce additional locations for sensitive data to get stored and transmitted.

When using a ViewState to store or transmit data, the provided encryption mechanisms should be used to more securely protect any sensitive information.

Affected Locations

https://www.examplecoapp.com/

Evidence

Figure 5 – The application ViewState is not encrypted.

Remediation Enable encryption for the application ViewState.

References • https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet • https://www.owasp.org/index.php/Data_Validation#ASP.NET_Viewstate


Issue ID #6 DOM-Based Cross-Site Scripting

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description DOM-Based Cross-Site Scripting arises when user input is used by a JavaScript function to modify the DOM and the input is not sanitized. As this happens completely client-side, input validation and sanitization can be bypassed. Testing of XSS attacks was completed with SanitizeHTMLoutput = true.

The application is susceptible wherever the rich text editor is used. The text editor includes an “Insert Link” feature. The “URL” field is vulnerable to DOM-based XSS.

The following string was used in the proof of concept: <svg onload=alert(1)>

While this vulnerability usually carries a Medium risk, VantagePoint did not find any way for an attacker to exploit this in a realistic scenario. A user would have to enter the JavaScript themselves. Therefore, this vulnerability has been lowered to a Low risk.

Affected Location

https://www.examplecoapp.com/textEditor

Evidence

Figure 6 – JavaScript can be entered into the “URL” field and will execute when the user

clicks “Apply”.


Figure 7 – The JavaScript is executed.

Remediation The use of secure cookie flags “Secure” and “HttpOnly” limit the impact of cross-site scripting attacks, but input sanitization should be used even if the input isn’t returned to the server.
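This finding is client-side, so the fix belongs in the rich text editor's own JavaScript, but the validation logic is the same wherever it runs: allow-list the URL scheme rather than block-listing javascript:, reject anything containing markup or control characters, and escape the value before it is placed in an href attribute. The following Python is an added example of that logic, not code from the report or from the application; the function names and the allowed-scheme set are the editor's assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}


def safe_link_url(user_input: str) -> Optional[str]:
    """Return a URL that is safe to place in an href, or None when the value must be rejected.
    Allow-listing schemes (instead of block-listing javascript:) also stops case and encoding tricks."""
    candidate = user_input.strip()
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate) or "<" in candidate or ">" in candidate:
        return None                      # control characters or markup: this is not a URL
    parts = urlsplit(candidate)          # urlsplit lower-cases the scheme for us
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return None                      # covers javascript:, data:, vbscript: and scheme-less input
    if scheme != "mailto" and not parts.netloc:
        return None
    return urlunsplit(parts)


def render_link(user_url: str, text: str) -> str:
    """Build the anchor an 'Insert Link' feature would emit; a rejected URL degrades to escaped text."""
    url = safe_link_url(user_url)
    if url is None:
        return html.escape(text)
    # quote=True escapes " and ' so the URL cannot break out of the attribute value
    return f'<a href="{html.escape(url, quote=True)}" rel="noopener noreferrer">{html.escape(text)}</a>'


if __name__ == "__main__":
    # Constructed inputs: the report's proof-of-concept string and a benign link
    print(render_link("<svg onload=alert(1)>", "click here"))
    print(render_link("https://www.examplecoapp.com/", "home"))
```

Because the allow-list is on the parsed scheme, variations in case, leading whitespace or embedded tab characters all fail the same check, which is what a block-list on the literal string "javascript:" misses.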

References
1. OWASP XSS
   a. http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
2. OWASP XSS Prevention Cheat Sheet
   a. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet


Issue ID #7 Excessive Session Timeout

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description Authenticated sessions remain active for over twenty minutes without user activity. This gives an attacker more time to carry out attacks: with physical access to the user’s computer, an attacker can wait until the user leaves it unattended. A longer session timeout also gives more leeway to a brute-force attack against session IDs.

While the application does have proper session timeout, background requests will keep the session alive if the application is left open in the browser. If the browser is closed, the user’s session will timeout.

Additionally, the REST API does not enforce a session timeout, and requests can be made even after the user’s browser session has timed out.

Affected Locations

https://www.examplecoapp.com/passwordReset

Evidence

Figure 8 – If the page remains open, background requests will keep the session alive despite no user activity.


Remediation VantagePoint recommends invalidating sessions that have shown no activity in over twenty minutes. For applications that contain sensitive data or functionality, a stricter timeout of ten or even five minutes may be preferred.

References • https://www.owasp.org/index.php/Session_Timeout • https://www.owasp.org/index.php/Session_Management_Cheat_Sheet


Issue ID #8 Ineffective Logout Functionality

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description When properly implemented, an application’s logout function should invalidate the user’s current authenticated session. This should happen on both the user’s side, where the cookie is cleared from the browser, as well as on the server side, where the session information is destroyed.

VantagePoint discovered that while the user’s browser accepts the logout, the session ID can still be used to access the application’s REST API. If an attacker had some way to retrieve this session ID, they could hijack the user’s session.

Note that only the REST API is still accessible. The user will not be able to access the application through their browser.

Affected Location

https://www.examplecoapp.com/REST/

Test Method Log in and take note of the “Important Web AppAuth” value. Using an HTTP proxy, make a request that uses the REST API, such as https://www.examplecoapp.com/REST/search. Log out of the application using the browser. The session should no longer be valid through the browser, but it remains valid for REST API queries.

Remediation Ensure session information is destroyed on the server side for the REST API as well as the main application and consider consolidating the session management functionality so that weaknesses are not introduced and made harder to fix by a modular design.

References
• https://www.owasp.org/index.php/Logout
• https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
• https://www.owasp.org/index.php/Session_Management_Cheat_Sheet


Issue ID #9 Weak Password Policy

Attributes
Overall Risk: Low
User Risk: Medium
Infrastructure Risk: None
Attack Complexity: Medium

Description The application allows the use of weak passwords. The application allowed the use of a password containing only eight characters. Weak passwords are more susceptible to brute-force, which can facilitate unauthorized access of the application. This could result in disclosure of private information, compromise of customer accounts, or access to application functions.

The application enforces the following password requirements:

• Minimum of 8 characters
• At least one upper and lowercase character
• At least one numerical character
• At least one non-alphanumeric character

Affected Location

https://www.examplecoapp.com/login

Evidence

Figure 9 – A weak password is used to log in.

Test Method Log in and navigate to the link listed under Affected Location. Change the password to ‘Passwo1!’. Log out and back in with the new password and observe that it is accepted.


Remediation Develop, or review, organization-wide password policies. For web applications, ensure that passwords are validated server-side: non-compliant passwords should be rejected. Strong passwords meet the following requirements:

• do not consist of dictionary words or phrases based on the username,
• are at least 10 characters long (consider 14 characters for applications that contain sensitive data),
• contain uppercase and lowercase letters, numbers, and non-alphanumeric “special” characters.

Additionally, passwords must be changed periodically, which should be enforced by the system. This period should be adjusted to the sensitivity of the data being protected. Ensure that passwords cannot be reused within a reasonable timeframe.
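The remediations for Issue #1 (password history of the six most recent hashes, one or two changes per day) and Issue #9 (length, character classes, no username or dictionary words, all checked server-side) describe one password-change routine. The following Python is an added example of that routine and is not code from the report or from the application: it keeps salted PBKDF2 hashes rather than passwords in the history, compares in constant time, and rejects a change before committing anything. The function names, the tiny constructed word list, the float-seconds clock and the numeric limits (taken from the report's recommendations) are the editor's assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed, tiny word list; a deployment would load a full dictionary and a breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "winter"}
MIN_LENGTH = 10            # 14 for applications that hold sensitive data (Issue #9 remediation)
HISTORY_DEPTH = 6          # remember the six most recent passwords (Issue #1 remediation)
MAX_CHANGES_PER_DAY = 2    # allow one or two changes per day (Issue #1 remediation)
DAY = 86400.0              # seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-entry salt: the history stores hashes, never plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class Account:
    username: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest first
    change_times: List[float] = field(default_factory=list)            # epoch seconds of past changes


def policy_violations(username: str, password: str) -> List[str]:
    """Complexity rules from the Issue #9 remediation; returns reasons, empty when compliant."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both uppercase and lowercase letters")
    if not re.search(r"[0-9]", password):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a non-alphanumeric character")
    lowered = password.lower()
    if username.lower() in lowered:
        problems.append("contains the username")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("based on a dictionary word")
    return problems


def change_password(account: Account, new_password: str, now: float) -> List[str]:
    """Server-side check on every change: complexity, history and rate limit must all pass."""
    problems = policy_violations(account.username, new_password)
    if any(matches(new_password, salt, digest) for salt, digest in account.history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    recent = [t for t in account.change_times if now - t < DAY]
    if len(recent) >= MAX_CHANGES_PER_DAY:
        problems.append("too many password changes in the last 24 hours")
    if problems:
        return problems                      # nothing is committed on a rejected change
    account.history.insert(0, hash_password(new_password))
    del account.history[HISTORY_DEPTH:]      # keep only the six most recent hashes
    account.change_times = recent + [now]
    return []


if __name__ == "__main__":
    acct = Account("exampleuser1")
    print(change_password(acct, "Passwo1!", 0.0))          # the report's weak test password
    print(change_password(acct, "Correct-Horse-7", 0.0))   # accepted
    print(change_password(acct, "Correct-Horse-7", 3600.0))  # rejected by history
```

Because the history holds only salted hashes, a database leak of the history table does not expose former passwords, while the history check still catches a user cycling back to an old value.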

References
1. Authentication Cheat Sheet
   a. https://www.owasp.org/index.php/Authentication_Cheat_Sheet
2. Testing for Weak password policy
   a. https://www.owasp.org/index.php/Testing_for_Weak_password_policy_(OTG-AUTHN-007)


Informational Risk Findings

Issue ID #10 Wildcard Certificate Exposes Potential Certificate Forgery

Attributes
Overall Risk: Informational
User Risk: Low
Infrastructure Risk: None
Attack Complexity: High

Description It is considered a general best practice to avoid using wildcard certificates. Wildcard certificates are often used to secure many hosts with the same certificate. However, as a guiding principle, a certificate should authenticate just one entity, which aligns with the principle of least privilege. Although this is a staging environment, where there is little to no impact, it is worth ensuring this is resolved before deployment: installing the certificate’s private key on several hosts expands the attack surface and increases the chances of exposing that secret. Should an attacker come into possession of the wildcard certificate’s private key, they will be able to forge certificates for any of the hosts that use it. Note that the TLS certificate is issued for *.examplecoapp.com rather than for specific subdomains.

Affected Hosts

https://www.examplecoapp.com

Test Method Run the following command and observe the wildcard certificate in use:

openssl s_client -connect www.examplecoapp.com:443

Evidence

Figure 10 – The SSL certificate is signed for all subdomains of examplecoapp.com.

Remediation Avoid the use of wildcard certificates. Issue a separate certificate for each specific domain, or switch to multi-domain certificates, which can stand in for a wildcard certificate while offering more control: their “Subject Alternative Name” extension lists the additional host names (IP addresses, common names or sites) to be protected under a single SSL certificate.

References 1. https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet


Issue ID #11 Outdated JavaScript Resources

Attributes
Overall Risk: Informational
User Risk: Low
Infrastructure Risk: None
Attack Complexity: High

Description The application includes outdated versions of the jQuery and AngularJS libraries. These libraries have known vulnerabilities in them and it is recommended to update to the latest versions. While VantagePoint was not able to exploit these libraries, changes to the application or a more dedicated attacker could discover a way to exploit vulnerable functions. The application was found to use jQuery-ui-dialogue v1.11.4, jQuery v1.7.1, and AngularJS v1.3.12.

Location: https://www.examplecoapp.com/jQuery.js

Description: In jQuery versions before 1.9.0b1, strings passed to jQuery( strInput ) may be interpreted as HTML and executed if containing JavaScript. parseHTML will execute inline scripts. Additionally, versions of jQuery before 1.12.0 will execute third-party $.get() if the content type is: “text/javascript”

Location: https://www.examplecoapp.com/angularJS.js

Description: All 1.x versions of AngularJS do not contain relevant countermeasures against Cross-Site Scripting attacks, and developers must rely on properly sanitizing user input to protect the application against XSS attacks.

Location: https://www.examplecoapp.com/jqueryUI.js

Description: Strings passed to jQuery UI’s “closeText” option (versions before 1.12.0) are vulnerable to injecting HTML which may lead to cross-site scripting vulnerabilities.

Affected Hosts

https://www.examplecoapp.com/

Remediation Upgrade the aforementioned JavaScript libraries to the latest versions. The latest version of jQuery is 3.3.1, the latest version of AngularJS is 1.7, and the latest version of jQuery-ui-dialogue is 1.12.1.

References
1. https://bugs.jquery.com/ticket/11290
2. https://github.com/jquery/jquery/issues/2432
3. https://bugs.jquery.com/ticket/11974
4. https://github.com/twbs/bootstrap/issues/20184


Issue ID #12 Concurrent Logins Allowed

Attributes
Overall Risk: Low
User Risk: Indirect
Infrastructure Risk: None
Attack Complexity: Low

Description The application permits multiple login sessions: users can log in more than once concurrently. Maintaining multiple valid sessions for a user may result in concurrency faults, which could arise when records within the application are updated simultaneously by different active sessions. This could result in inconsistent data and exceptions, and illegitimate activity on a compromised account may be lost among logged legitimate activity taking place at the same time.

As a consequence, users are less likely to notice that their accounts have been compromised. They may also be more likely to share accounts that permit concurrent login sessions. Additionally, there may be data integrity problems due to multiple simultaneous logins.

Note that this only affects the REST API portion of the application. The rest of the application handles multiple logins correctly and only one connection is allowed at a time. However, due to the Ineffective Logout issue within the REST API, previous API connections will still be allowed, potentially allowing multiple active API connections.

Affected Host

https://www.examplecoapp.com/REST/

Remediation Invalidate old, still existing, sessions when the user logs in. The user should be notified upon login that their previous session existed, and users of the old sessions should be notified that the sessions have been invalidated due to another login. Users should have security-relevant actions available to them (change password, report account compromise) if they do not recognize the other logins.
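Issues #7, #8 and #12 all stem from the REST API keeping its own session handling, and their remediations describe one design: a single server-side store consulted by the web interface and the REST API alike, with an idle timeout that background polling does not refresh, a logout that destroys the session for every caller, and a login that displaces any earlier session of the same user and tells both sides. The following Python is an added example of that design and is not code from the report or from the application; the class and method names, the float-seconds clock, the notice strings and the twenty-minute limit (from the Issue #7 remediation) are the editor's assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT = 20 * 60   # seconds; Issue #7 remediation: invalidate after twenty idle minutes


@dataclass
class Session:
    username: str
    last_activity: float                   # epoch seconds of the last user-initiated request
    notices: List[str] = field(default_factory=list)


class SessionStore:
    """One server-side store for both the web UI and the REST API, so a logout, an idle
    timeout or a newer login takes effect everywhere at once."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Session] = {}
        self.revoked: Dict[str, str] = {}   # session id -> why it stopped being valid

    def login(self, username: str, now: float) -> Tuple[str, List[str]]:
        """Issue a fresh id and revoke any earlier session of the same user (Issue #12)."""
        notices: List[str] = []
        for sid, session in list(self.sessions.items()):
            if session.username == username:
                self._revoke(sid, "signed out by a newer login")
                notices.append("another session was active and has been signed out")
        sid = secrets.token_urlsafe(32)    # 256 bits of randomness; brute force is impractical
        self.sessions[sid] = Session(username, now, notices)
        return sid, notices

    def validate(self, sid: str, now: float, user_initiated: bool) -> Optional[Session]:
        """Called for every UI and REST request. Only user-initiated requests refresh the idle
        timer; background polling must not keep a session alive (Issue #7)."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if now - session.last_activity > self.idle_timeout:
            self._revoke(sid, "idle timeout")
            return None
        if user_initiated:
            session.last_activity = now
        return session

    def logout(self, sid: str) -> bool:
        """Destroy the session server-side so neither the UI nor the REST API accepts it (Issue #8)."""
        if sid not in self.sessions:
            return False
        self._revoke(sid, "logged out")
        return True

    def rejection_reason(self, sid: str) -> Optional[str]:
        """Lets the UI or API tell the holder of a dead session why it was ended."""
        return self.revoked.get(sid)

    def _revoke(self, sid: str, reason: str) -> None:
        self.sessions.pop(sid, None)
        self.revoked[sid] = reason


if __name__ == "__main__":
    store = SessionStore()
    first, _ = store.login("exampleuser1", 0.0)
    second, notes = store.login("exampleuser1", 60.0)
    print(notes, store.validate(first, 61.0, user_initiated=True), store.rejection_reason(first))
```

Every request path, including the REST endpoints, must go through validate(); the bug described in Issues #7 and #8 is precisely a second code path that skipped this shared check.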

References
1. OWASP Session Management
   a. https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Simultaneous_Session_Logons


3. Methodology

VantagePoint uses a combination of automated and manual analysis to perform a rigorous assessment of the environment under the scope of this report. In addition to the tests and supporting evidence presented in prior sections, we leverage published OWASP testing protocols such as those listed below:

• Information Gathering
• Configuration and Deployment Management Testing
• Identity Management Testing
• Authentication Testing
• Authorization Testing
• Session Management Testing
• Input Validation Testing
• Error Handling
• Cryptography
• Business Logic Testing
• Client-Side Testing

Tools and Technology

VantagePoint uses a variety of testing tools and technologies to perform automated analysis of client environments. Below is a list of the major tools used for testing:

• Burp Proxy Pro (https://portswigger.net/burp)
• Nikto (https://cirt.net/Nikto2)
• Nmap (https://nmap.org/)
• Testssl.sh (https://testssl.sh/)
• sqlmap (http://sqlmap.org/)
• curl (https://curl.haxx.se/)
• openssl s_client (https://www.openssl.org/docs/manmaster/man1/s_client.html)

Goals and Objectives

The goals and objectives of the assessment are as follows:

• Identify “alive” hosts on the network using scanning automation
• Identify open ports on hosts serving content to the Internet
• Discover applicable servers via banners
• Perform research on servers, host operating systems, and other applicable attack vectors to perform additional analysis
• Identify vulnerabilities in system services or operating systems in a manual and automated fashion while operating in “passive” mode
• Validate vulnerabilities to provide evidence and remove false positives
• Inventory and prioritize vulnerabilities based on real-world security risk
• Identify remediation steps for vulnerabilities
• Report on all of the above steps