Penetration Testing Overview

Penetration testing is used to detect vulnerabilities present in the system in order to protect the sensitive data from the attackers who try to exploit the vulnerabilities present in the system.

It basically determines the weak areas for any intruder to attack. This is required majorly when updating the system or adding new network infrastructure. But penetration testing differs from a vulnerability assessment in some ways. Penetration testing finds the scope of an attack and exploits the vulnerabilities whereas vulnerability assessment determines the threats to any particular resource or identify and quantify vulnerabilities.

There are two types of injection attacks:

  1. Client-side 
  2. Back end

Shodan.io is one of the dangerous search engines. It is used to find the devices which are connected to the internet over the public IPs. With this one can find devices like webcams etc.

HTTRACK copier is a website copier which is to copy the contents of the website like HTML pages, CSS and javascript files.

NMAP is a software for scanning the network in order to determine open ports, running services on a corresponding port and also finds the operating system.

HTTP is a protocol which requests resources from the server and receives the response to the client from it. The difference between HTTP 1.0 and 1.1 is that connection remains intact even after fetching the resources from the server in case of HTTP 1.1 and multiple requests can be made using the previous connection. There are various methods like GET, POST, PUT and DELETE. There are various status codes like 404, 200, 301 etc. in which each of them represent a different meaning.

Burp Suite is also one of the tools specially used for security testing. It can work as proxy, intruder etc.

The HTTP protocol is a stateless protocol because each time users open any website they will be treated as a new user and in order to get rid of this Cookies are used. Cookies are just a small file in the order of KBs and stored on a client-side, It contains information of the user and their login. Information is preserved inside the files in the form of name-value pair. Similarly, session ids are used on server-side and sessions are more secure than cookies since values are not visible in this.

Injection attacks are done both on client and server-side. These involve both input and output.  Ex: Cross-site scripting, HTML injection, Command injection, SQL injection etc.

Cross-site scripting: It is also known as XSS and one of the types of injection attacks on client-side. It’s mostly found in areas where the input is obtained like search box, feedback forms etc. The attacker injects javascript code into those instead of legitimate text and if that code is executed then the website is XSS vulnerable. With this, the intruder can steal cookies, session ids etc. Usually, there are two types of XSS. They are non-persistent and persistent XSS. The difference between these two is that in the case of Non-persistent XSS, input will not be stored in the database and the user/intruder can only see the information. This usually occurs in case of search bar whereas, in case of persistent XSS, it’s the vice versa that is input will be stored in the database and every user/intruder can see the information which is very dangerous and should be avoided.

HTML injection: It is similar to XSS, but in this instead of javascript code intruder injects HTML code and if that gets executed by the webpage then the web page is HTML injection vulnerable. This is also of two types. They are non-persistent and persistent.

Command injection: These are server-side attacks where an intruder tries to execute more than one command on a remote server. So the penetration tester can inject something malicious so that two commands can be executed in parallel on a remote server. If the tester is able to do so then he can try with local file inclusion, remote file inclusion etc. So to avoid this user input should be sanitized properly.

XXE injection: If web application parses the XML data provided by the user the attacker can exploit this poor configuration of XML parser and read all the internal files. In order to access a particular resource on a remote server, a keyword named system can be used.

XPATH injection: It is equivalent to SQL injection. The queries are XPath queries here.  If the user can supply any malformed input that will fetch him the restricted data.

SQL injection: Attacker tries to inject the SQL queries as input and if the web application is not able to sanitize the input well, then that query will be executed on the database and will fetch all the data available in that database. The attacker can perform operations like insertion, updation and deletion of data using the SQL queries.

Login page SQL injection: Similar to SQL injection the attacker can provide some crafted input into the login pages and bypass the login pages authentication. 

MongoDB injection: MongoDB is a non-relational database. It can be exploited in a similar manner as SQL injection. Providing a little modification in simple characters will be enough to do this injection.

CSS injection: These are injections which are done on client-side. If a user tries to inject a malicious script that gets executed and even adds some CSS property to the web application, then that website is CSS injection vulnerable. Malicious input becomes a part of the value of CSS property.

Unvalidated redirects: One of the most common vulnerabilities. Usually, there are instances such as the payment process where the user is redirected from one website to another. If these redirects are unvalidated this will bring the user to a different website.

File inclusion vulnerability: If in a web application one file tries to include another file in its current context and the web application include those files then that web application is file inclusion vulnerable. This will lead to the disclosure of sensitive information. This is of two types. They are:

1.Local file inclusion

2.Remote file inclusion

Local file inclusion: The attacker can include local server files like security files, user files, password files and if the web application is including those files and showing the content of those files, then that web application is local file inclusion vulnerable.

Remote file inclusion: This is similar to the previous one. The attacker tries to include remote files which are hosted on the different web server. These files are called web shells. A web shell is a small piece of code which is written in different programming languages based on the web application. Through web shell, one can access the remote server. If the web shell is included then the attacker can access that web application’s remote server.

File upload vulnerability: Attacker can upload some malicious scripts such as web shells on a remote server then that server can be accessed remotely and the application is file upload vulnerable.

Security misconfiguration: If the developer implements wrong application logic then it results in security misconfiguration. The developer tries to hide some pages through URLs and if the attacker can brute force the web application URLs and if they can find those hidden URLs that result in security misconfiguration issues.

Path traversal attack: If the server is misconfigured, directory browsing is allowed on a server, then the attacker tries to access the files which are present outside the home directory of those web servers. These files are server-internal files which are not accessible by users but by using this attack the attacker can access them.

Cross-site request forgery(CSRF): If there is a user who’s logged in on a particular website, the attacker sends a malicious link to the user and if the user clicks that link and opens malicious website then that malicious website makes a request to the legitimate website the user is logged in. The request is triggered as soon as clicking the link. Session ids will be sent by the user’s browser to that legitimate website if the malicious website maker requests. 

Server-side request forgery(SSRF): This works on the server-side. In this server gets affected. If the web application downloads a particular file from the URL provided by the attacker and also if that web application is displaying the response of that server from whom it is downloading the file if it’s not sanitizing the response that may lead to port scanning etc.

Buffer overflow: If user-supplied input is more than the allocated memory then that extra input will do the overwriting of memory fragments which leads to unexpected errors. 

Captcha testing: This is usually done to differentiate whether the user is a man or a bot. But captcha will easily get bypassed no matter how tricky it is being designed. It is done to get rid of CSRF attacks, bot etc.

HTTP authentication: It’s a way of protecting the resources in a server. 

HTTP basic authentication: If the client sends the request for a particular resource which is protected, then that server requests client the user name and passwords which on receiving the server provides the resource requested.

In order to deal with all the above attacks, a penetration tester can set up the testing environment. For this tester needs virtual box set up, Kali Linux set up and Metasploitable Linux set up.

 

Leave a Reply