Dr.G.

NIRMALA

UNIT-3

Penetration testing

Exploring various servers and clients:

In general, all of the machines on the Internet can be categorized as two types: servers and
clients. Those machines that provide services (like Web servers or FTP servers) to other
machines are ​servers​. And the machines that are used to connect to those services are ​clients​.
When you connect to Yahoo! at www.yahoo.com to read a page, Yahoo! is providing a machine
(probably a cluster of very large machines), for use on the Internet, to service your request.
Yahoo! is providing a server. Your machine, on the other hand, is probably providing no services
to anyone else on the Internet. Therefore, it is a user machine, also known as a client. It is
possible and common for a machine to be both a server and a client, but for our purposes here
you can think of most machines as one or the other.

A server machine may provide one or more services on the Internet. For example, a server
machine might have software running on it that allows it to act as a Web server, an ​e-mail​ server
and an ​FTP​ server. Clients that come to a server machine do so with a specific intent, so clients
direct their requests to a specific software server running on the overall server machine. For
example, if you are running a Web browser on your machine, it will most likely want to talk to
the Web server on the server machine. Your ​Telnet​ application will want to talk to the Telnet
server, your e-mail application will talk to the e-mail server, and so on...

Discussion of various web architectures:

● The web is a two-tired architecture.

● The web browser displays or sends the clients requests by means of either HTML file or
java script or XML file.
● In a web server process the request issued by the client and then transfer information to
the client.
Dr.G.NIRMALA

WEB BROWSER:
● A web browser is a software application for retrieving, presenting and transferring,
information resources on www.
● The primary purpose of a web browser is to bring information resources to the user.
● The major web browser is windows, internet explorer, googlechrome, Mozilla.

WEB SERVER :

● A computer program that accepts Http requests and return HTTP response.
● The major components of web architecture are:
1. World wide web
2. Html
3. url
4. HTTP
5. CGI
6. Javascript
7. Cookies
8. Sevions

Discussion of the different types of vulnerabilities?

1.Injection vulnerabilities

Injection vulnerabilities occur every time an application sends untrusted data to an interpreter.
Injection flaws are very common and affect a wide range of solutions. The most popular
injection vulnerabilities affect SQL, LDAP, XPath, XML parsers and program arguments.

The possible consequences of a cyber-attack that exploits an Injection flaw are data loss and
consequent exposure of sensitive data, lack of accountability, or denial of access.

An attacker could run an Injection attack to completely compromise the target system and gain
control on it.

2. Buffer Overflows

A buffer overflow vulnerability condition exists when an application attempts to put more data in
a buffer than it can hold. Writing outside the space assigned to buffer allows an attacker to
overwrite the content of adjacent memory blocks causing data corruption, crash the program, or
the execution of an arbitrary malicious code.

Buffer overflow attacks against are quite common and very hard to discover, but respect the
injection attacks they are more difficult to exploit. The attacker needs to know the memory
Dr.G.NIRMALA

management of the targeted application, the buffers it uses, and the way to alter their content to
run the attack.

3. Sensitive Data Exposure

Sensitive data exposure occurs every time a threat actor gains access to the user sensitive data.

Data could be stored (at rest) in the system or transmitted between two entities (i.e. servers, web
browsers), in every case a sensitive data exposure flaw occurs when sensitive data lack of
sufficient protection.

Sensitive data exposure refers the access to data at rest, in transit, included in backups and user
browsing data.

The attacker has several options such as the hack of data storage, for example by using a
malware-based attack, intercept data between a server and the browser with a
Man-In-The-Middle attack, or by tricking a web application to do several things like changing
the content of a cart in an e-commerce application, or elevating privileges.

4. Broken Authentication and Session Management

This attack takes advantages of some weak spot in session management as as well as connection
authentication between two system failure to employ sufficiency encryption techniques can help
hackers do all kinds of cyber information using this vulnerability.

The exploitation of a broken Authentication and Session Management flaw occurs when an
attacker uses leaks or flaws in the authentication or session management procedures (e.g.
Exposed accounts, passwords, session IDs) to impersonate other users.

This kind of attack is very common; many groups of hackers have exploited these flaws to access
victim’s accounts for cyber espionage or to steal information that could advantage their criminal
activities.

5. Security misconfiguration:

It is quite easy to discover web servers and applications that have been misconfigured resulting
in opening to cyber-attacks. Below some typical example of security misconfiguration flaws:

● Running outdated software.

● Applications and products running in production in debug mode or that still include
debugging modules.
● Running unnecessary services on the system.
● Not configuring problems the access to the server resources and services that can result in
the disclosure of sensitive information or that can allow an attacker to compromise it.
● Not changing factory settings (i.e. default keys and passwords).
● Incorrect exception management that could disclose system information to the attackers,
including stack traces.
Dr.G.NIRMALA

● Use of default accounts.

Types of penetration testing:

The type of penetration testing normally depends on the scope and the organizational wants and
requirements. This chapter discusses about different types of Penetration testing. It is also
known as ​Pen Testing​.
Following are the important types of pen testing −

● Black Box Penetration Testing

● White Box Penetration Testing
● Grey Box Penetration Testing

For better understanding, let us discuss each of them in detail −

Black Box Penetration Testing

In black box penetration testing, tester has no idea about the systems that he is going to test. He
is interested to gather information about the target network or system. For example, in this
testing, a tester only knows what should be the expected outcome and he does not know how the
outcomes arrive. He does not examine any programming codes.
Advantages of Black Box Penetration Testing
It has the following advantages −
Dr.G.NIRMALA

● Tester need not necessarily be an expert, as it does not demand specific language
knowledge
● Tester verifies contradictions in the actual system and the specifications
● Test is generally conducted with the perspective of a user, not the designer
Disadvantages of Black Box Penetration Testing
Its disadvantages are −
● Particularly, these kinds of test cases are difficult to design.
● Possibly, it is not worth, incase designer has already conducted a test case.
● It does not conduct everything.
White Box Penetration Testing
This is a comprehensive testing, as tester has been provided with whole range of information
about the systems and/or network such as Schema, Source code, OS details, IP address, etc. It is
normally considered as a simulation of an attack by an internal source. It is also known as
structural, glass box, clear box, and open box testing.
White box penetration testing examines the code coverage and does data flow testing, path
testing, loop testing, etc.
Advantages of White Box Penetration Testing
It carries the following advantages −
● It ensures that all independent paths of a module have been exercised.
● It ensures that all logical decisions have been verified along with their true and false
value.
● It discovers the typographical errors and does syntax checking.
● It finds the design errors that may have occurred because of the difference between
logical flow of the program and the actual execution.
Grey Box Penetration Testing
In this type of testing, a tester usually provides partial or limited information about the internal
details of the program of a system. It can be considered as an attack by an external hacker who
had gained illegitimate access to an organization's network infrastructure documents.
Advantages of Grey Box Penetration Testing
It has the following advantages −
● As the tester does not require the access of source code, it is non-intrusive and unbiased
● As there is clear difference between a developer and a tester, so there is least risk of
personal conflict
● You don’t need to provide the internal information about the program functions and
other operations
Dr.G.NIRMALA

Areas of Penetration Testing

Penetration testing is normally done in the following three areas −
● Network Penetration Testing​ − In this testing, the physical structure of a system needs
to be tested to identify the vulnerability and risk which ensures the security in a network.
In the networking environment, a tester identities security flaws in design,
implementation, or operation of the respective company/organization’s network. The
devices, which are tested by a tester can be computers, modems, or even remote access
devices, etc
● Application Penetration Testing​ − In this testing, the logical structure of the system
needs to be tested. It is an attack simulation designed to expose the efficiency of an
application’s security controls by identifying vulnerability and risk. The firewall and
other monitoring systems are used to protect the security system, but sometime, it needs
focused testing especially when traffic is allowed to pass through the firewall.
● The response or workflow of the system​ − This is the third area that needs to be tested.
Social engineering gathers information on human interaction to obtain information about
an organization and its computers. It is beneficial to test the ability of the respective
organization to prevent unauthorized access to its information systems. Likewise, this
test is exclusively designed for the workflow of the organization/company.

WEB APLLIACTION TEST PROCESS​ :

What is Web Application Testing?

Web application testing, a software testing technique exclusively adopted to test the
applications that are hosted on web in which the application interfaces and other functionalities
are tested.

Web Application Testing - Techniques:

1. ​Functionality Testing​ - The below are some of the checks that are performed but not limited
to the below list:
● Verify there is no dead page or invalid redirects.
● First check all the validations on each field.
● Wrong inputs to perform negative testing.
● Verify the workflow of the system.
● Verify the data integrity.
Dr.G.NIRMALA

2. ​Usability testing - ​To verify how the application is easy to use with.
● Test the navigation and controls.
● Content checking.
● Check for user intuition.
3. ​Interface testing - ​Performed to verify the interface and the dataflow from one system to
other.
4. ​Compatibility testing- ​Compatibility testing is performed based on the context of the
application.
● Browser compatibility
● Operating system compatibility
● Compatible to various devices like notebook, mobile, etc.
5. ​Performance testing - ​Performed to verify the server response time and throughput under
various load conditions.
● Load testing - ​It is the simplest form of testing conducted to understand the behavior of
the system under a specific load. Load testing will result in measuring important
business critical transactions and load on the database, application server, etc. are also
monitored.
● Stress testing - ​It is performed to find the upper limit capacity of the system and also to
determine how the system performs if the current load goes well above the expected
maximum.
● Soak testing - ​Soak Testing also known as endurance testing, is performed to determine
the system parameters under continuous expected load. During soak tests the parameters
such as memory utilization is monitored to detect memory leaks or other performance
issues. The main aim is to discover the system's performance under sustained use.
● Spike testing - ​Spike testing is performed by increasing the number of users suddenly
by a very large amount and measuring the performance of the system. The main aim is
to determine whether the system will be able to sustain the work load.
6. ​Security testing - ​Performed to verify if the application is secured on web as data theft and
unauthorized access are more common issues and below are some of the techniques to verify
the security level of the system.
● Injection
● Broken Authentication and Session Management
● Cross-Site Scripting (XSS)
Dr.G.NIRMALA

● Insecure Direct Object References

● Security Misconfiguration
● Sensitive Data Exposure
● Missing Function Level Access Control
● Cross-Site Request Forgery (CSRF)
● Using Components with Known Vulnerabilities
● Unvalidated Redirects and Forwards