Professional Documents
Culture Documents
Vulnerability Assessment and Penetration Testing PDF
Vulnerability Assessment and Penetration Testing PDF
Vulnerability Assessment and Penetration Testing PDF
AbstractVulnerability assessment and Penetration Testing and respond to security incidents done by Pen testers aka Red
(VAPT) is the most comprehensive service for auditing, Team.
penetration testing, reporting and patching f or your
c o m p a n y s web based applications. With port 80 always II. METHODOLOGY OVERVIEW
open for web access there is always a possibility that a 1) Discovery: The penetrator performs information
hacker can beat your security systems and have discovery via a wide range of techniques such as,
unauthorized access to your systems. Vulnerability
scan utilities, Google dorks, and more in order to
assessment and penetration testing are two different and
complimentary proactive approaches to assess the security
gain as much information about the target system as
posture of an information systems network. The possible. These discoveries often reveal sensitive
Vulnerability Assessment is done to test the security posture information that can be used to perform specific
of the information system both internally and externally. attacks on a given machine.
Penetration tests provide evidence that vulnerabilities 2) Enumeration: Once the specific networks and
do exist as a result network penetrations are possible. systems are identified through discovery, it is
They provide a blueprint for remediation. Methodology important to gain as much information possible about
include: discovery, enumeration, vulnerability identification, each system. The difference between enumeration
vulnerability assessment, exploitation and launching of and discovery depends on the state of intrusion.
attack, reporting, external penetration testing, internal
penetration testing, legal issues before you start.
Enumeration is all about actively trying to obtain
usernames as well as software and hardware device
Keywords- Vulnerability Assessment, Penetration Testing, version information.
Acunetix 3) Vulnerability Identification: The vulnerability
identification step is a very important phase in
I. INTRODUCTION penetration testing. This allows the user to determine
Vulnerability Assessment and Penetration Testing (VAPT) is the weaknesses of the target system and where to
a Systematic analysis of security status of Information systems. launch the attacks.
Vulnerability assessment is an on-demand solution which 4) Exploitation and launching of attacks: After the
makes it convenient to run tests over the Internet anywhere, vulnerabilities are identified on the target system, it
anytime. It is a hybrid solution which blends automated is then possible to launch the right exploits. The goal
testing with security expert analysis. The unique technology of launching exploits is to gain full access of the
identifies all possible attack vectors. Vulnerability assessment target system. Denial of Service: A DoS (Denial of
offers partial evaluation of vulnerabilities, actually testing for Service) test can be performed to test the stability of
vulnerabilities done by penetrating barriers is useful adjunct. production systems in order to show if they can be
As it identifies potential access paths missed by VAS. crashed or not. When performing a penetration test of
Penetration testing aka pen testing is the practice of testing a a production system, it is important to test its stability
computer system, network or Web application to find and how easily can it be crashed. By doing this, its
vulnerabilities that an attacker could exploit [1]. stability can be ensured once it is deployed into a real
environment. It is important to perform DoS attack
Pen tests can be automated with software applications or they to ensure the safeness of certain systems. If an
can be performed manually. Either way, the process includes attacker takes down your system during busy or peak
gathering information about the target before the test hours, this could lead to significant financial losses.
(reconnaissance), identifying possible entry points, attempting III. VULNERABILITY ASSESSMENT
to break in (either virtually or for real) and reporting back the
findings. [2] Vulnerability assessment is to find vulnerabilities and to
take more holistic look at security. Penetration testing is a
focused attack of a single or a few vulnerabilities that
The main objective of penetration testing is to determine
are generally already known to exist or are suspected of
security weaknesses. A pen test can also be used to test an
existing. Vulnerabilities now scale beyond technology the
organization's security policy compliance, its employees'
operational processes like patch management and incident
security awareness and the organization's ability to identify
management have a significant impact on the lifecycle of
vulnerability. Vulnerability analysis can forecast the
techniques are used for remote database exploitation. [3] credentials and sessions tokens are often not
properly protected, third party can access to
V. BENEFITS OF VAPT ones account. Method of attack use weakness
Avoid network downtime due to breach. in authentication mechanism:
Discover methods that hackers use to 4.
compromise the network. Logout
Enhancive effectiveness of an overall Password Management Timeout
security life cycle. Remember me
Provide a strong basis for helping to
determine appropriate security budgets. 5. Insecure Direct Object References: Occurs when
developer uses HTTP parameter to refer to
VI. WEB APPLICATION VULNERABILITIES internal object. A direct object reference occurs
Web applications are those applications that can be when a developer exposes a reference to an internal
availed from anywhere in the world, attackers may be implementation object, such as a file, directory,
sitting worldwide to make these applications vulnerable, database record, or key, as a URL or form
on the basis of specific protocols such as HTTP and parameter. An attacker can manipulate direct
HTTPS (and also streaming) object references to access other objects without
authorization, unless an access control check is in
A. Types of Web Application Vulnerabilities place. For example, in Internet Banking
applications, it is common to use the account
1. SQL- Injection: SQL Injection is the hacking number as the primary ke y. Therefore, it is
technique which attempts to pass SQL commands tempting to use the account number directly in
(statements) through a web application for the web interface. Even if the developers have
execution by the backend database. If not sanitized used parameterized SQL queries to prevent SQL
properly, web applications may result in SQL injection, if there is no extra check that the user is
Injection attack that allow hackers to view the account holder and authorized to see the
information from the database and/or even wipe account, an attacker tampering w i t h the account
it out. In SQL Injection, the hacker uses SQL number parameter can see or change all accounts
queries and creativity to get to the database of
sensitive corporate data through the web 6. Failure to Restrict URL: Many web applications
application.[6] check URL access rights before rendering protected
links and button. However, applications need to
2. Cross-Site Scripting: If the web site allows perform similar access control checks each time
uncontrolled content to be supplied by users. User when pages are accessed, or attackers will be able to
can introduce malicious code in the content for forge URLs to access these hidden pages anyway.
example: Modification of the Document Object Some site just prevent the display links or URLs to
Model-DOM (change some links, add some unauthorized users, attackers can access directly
buttons), Send personal information to third party the URLs by gaining access to protected areas.
(JavaScript can send cookies to other sites)[1][2]. Code that evaluates privileges on the client rather
XSS attacks involve three parties: than on the server. Privileges tested in JavaScript and
The attacker access to a hidden address. But attacker can see the
The victim code the address. [4]
The vulnerable web site that the attacker
exploits to take action on the victim. 7. Remote Code Execution: This vulnerability allows an
attacker to run arbitrary, system level code on the
XSS vulnerabilities exist when a web application vulnerable server and retrieve any desired
accepts user input t h r ough HTTP requests such information contained therein. Improper coding errors
as a GET or a POST and then redisplays the input lead to this vulnerability. It is difficult to discover this
somewhere in the output HTML code. vulnerability during penetration testing assignments
but such problems are often revealed while doing a
3. Broken Authentication and Session source code review. However, when testing web
Management: Application functions related to applications is important to remember that
authentication and session management are exploitation of this vulnerability can lead to total
often not implemented correctly, allowing system compromise with the same rights as the web
attackers to compromise passwords, keys, server itself [8].
session tokens, or exploit other implementation
flaws to assume other users identities. Account
VII. VULNERABILITY ASSESSMENT USING utility when performed on its own, as all the injected exploits
ACUNETIX would be blind, i.e., they would be launched at the target
Acunetix S i t e Audit provides you with an immediate and without knowing its specific details or susceptibility 6
comprehensive securit y audit of all off-the-shelf and Vulnerability Assessment IA Tools Report Sixth Edition to
bespoke web applications. Performed by web security the exploits. For this reason, the majority of vulnerability
experts using Acunetix Web Vulnerability Scanner, assessment tools combine both passive and active scanning,
Acunetix Site Audit: the passive scanning is used to discover the vulnerabilities
that the target is most likely to contain, and the active
scanning is used to verify that those vulnerabilities are, in
Provides you with an immediate and fact, both present and exposed as well as exploitable.
comprehensive website security audit. Determining that vulnerabilities are exploitable increases the
Ensures your website is secure against accuracy of the assessment tool by eliminating the false
we b attacks. positives, i.e. , the instances in which the scanner detects a
Checks for SQL injection, Cross site pattern or attribute indicative of a likely vulnerability that
scripting an d other vulnerabilities. which, upon analysis, proves to be either
Audits shopping carts, forms, and 1. Not present,
dynamic content. Scans all your website and web
2. Not exposed, and
applications including JavaScript / AJAX
applications for security vulnerabilities. 3. Not exploitable.
It is the combination of passive and active scanning,
VIII. WORKING OF VULNERABILITY ASSESSMENT together with increased automation, that has rendered
TOOL auto- mated penetration testing suites more widely useful
Vulnerability assessment tools generally work by attempting in vulnerability assessment. Most vulnerability
to automate the steps often employed to exploit vulnerabilities: assessment tools are capable of scanning a number of
they begin by performing a footprint analysis to determine network nodes, including networking and networked devices
what network services and/or software programs (including (switches, routers, firewalls, printers, e t c .) , as well as
versions and patch levels) run on the target. The tools then server, desktop, and portable computers. The
attempt to find indicators (pat- terns, attributes) of, or to vulnerabilities that are identified by these tools may be
exploit vulnerabilities known to exist, in the detected the result often programming fl a ws (e.g. Vulnerabilities
services/software versions, and to re- port the findings that to buffer overflows, SQL-Injections, cross site scripting
result. Caution must be taken when running exploit code [XSS], etc.) ,or implementation flaws and
against live (operational) targets, because damaging results misconfigurations. A smaller subset of tools also provide
may occur. For example, targeting a live Web application enough information to enable the user to discover
with a drop tables Standard Query Language (SQL) design and even architecture flaws.
injection probe could result in actual data loss. For this The reason for specialization of vulnerability
reason, some vulnerability as- assessment tools are (or are assessment tools, e.g., network scanners, host scanners,
claimed to be) entirely passive. Passive scans, in which no
database scanners, web application scanners, is that to
data is injected by the tool into the target, do nothing but
be effective, the tool needs to have a detailed knowledge
read and collect data. In some cases, such tools use
of the targets it will scan. A network scanner needs to
vulnerability signatures, i.e., patterns or attributes associated
know how to perform and interpret a network footprint
with the likely presence of a known vulnerability, such as lack
of a certain patch for mitigating that vulnerability in a given analysis that involves first discovering all active nodes on
target. All passive tools are limited in usefulness (compared the network, then scanning them to enumerate all of the
with tools that are not completely passive) because they can available net- work services (e.g., File Transfer Protocol
only shows the presence of vulnerabilities based on [FTP], Hyper Text Transfer Protocol [HTTP]) on each
circumstantial evidence, rather than testing directly for host. As part of this service enumeration process, the
those vulnerabilities.[9] scanner attempts to identify vulnerabilities through
Most vulnerability assessment tools implement at least some grabbing and analysing banners, and checking open port
intrusive scanning techniques that involve locating a status, n protocol compliance, and service behaviour,
likely vulnerability (often through passive scanning) , then and through direct injection of exploits targeting known
injecting either random data or simulated attack data into the vulnerabilities (listed in the tools built-in vulnerability
interface created or exposed by that vulnerability, as database) into any open port it has found.
described above, then observing what results. Active
scanning is a technique traditionally associated with A host-based vulnerability assessment tool needs full
penetration testing, and like passive scanning, is of limited knowledge of the software and software patches installed
on the target host, down to specific version/ release they can also retrieve or generate and apply those
and patch levels. Thus, requires full access to that remediation /patches in real time, and follow up with
host in order to scan the host and discover all of its ongoing periodic automated and/or event driven(ad-hoc)
software programs/patches, and to perform various reassessments to ensure that no new vulnerabilities have
configuration checks. Most often, this requires the emerged, or old ones resurfaced, during the evolution of
installation (on the target hosts) of software agents that the target or its threat environment. The ability of a
collect the information for that host, and report it tool to not only assess but also remediate and
back to a central scan server, which aggregates all of continuously monitor the system for vulnerabilities
the data received from all of the agents, analyzes it, promotes it from a vulnerability assessment tool to a
then determines what exploits from its vulnerability vulnerability management system.
database should be attempted on each target host to
discover and validate the existence of known/ suspected IX. VAPT OF PEC WEBSITE
vulnerabilities on that target. Un- like remote network
scanning, agent-based host scanners can test for both In this we have analysed website of
client-side and perform common attacks against it, such PEC (www.pec.edu.in) using acunetix vulnerability
as SQL injections, XSS, least privilege violations, etc. assessment tool. Using this tool we have identified
The growing power and size of computing platforms able some major vulnerability as shown below: Major flaw in PEC
to host more complex scanning applications and their website/server that password transmitted over HTTP . If an
larger databases (used for storing vulnerability databases attacker can intercept network traffic he/she can steal users
and collected findings) , along with simultaneous increases credentials. All sensitive data should be transferred over
in network throughput and available bandwidth, allowing HTTPS rather than HTTP. Forms should be served over
for more scan-related traffic, have been enablers in the HTTPS. All aspects of the application that accept user
growing category of multilevel vulnerability assessment input starting from the login process should only be served
tools. Multilevel scanners seek and assess vulnerabilities over HTTPS.
at multiple layers of the ICT infrastructure, in essence Another major flaw discovered during vulnerability
combining the capabilities of two or more of the other assessment that the target web server is disclosing ASP.NET
scanner types (network and host, host and database, version in the HTTP response. This in- formation can
host and application, etc.) . This consolidation of help an attacker to develop further attacks and also the
scanners into a single tool parallels the trend towards system can become an easier target for automated attacks.
It was leaked from X-AspNet-version banner of HTTP
consolidating multiple security-relevant analysis,
response or de- fault ASP.NET error page. An attacker can
assessment, and remediation functions into a single
use dis- closed information to harvest specific security
vulnerability management system that, in turn, may be
vulnerabilities for the version identified. The attacker can
part of an even larger enterprise security management also use this information in conjunction with the other
system. The type and level of detail of a vulnerability vulnerabilities in the application or web server. Solve this
assessment tools findings varies from tool to tool. Some issues server administrator should do error handling in
tools attempt to detect only a narrow set of widely- ASP.NET pages and applications , also remove X-AspNet-
known vulnerabilities and provide little information about Version header from configuration files.
those it discovers. Others attempt to detect a much larger
number of vulnerabilities and weaknesses (i.e., anomalies
that are only suspected to be exploitable as
vulnerabilities) , and provides a great deal of
information about its findings, including potential
impacts of level of risk posed by the discovered
vulnerabilities, suggested remediations for them (e.g.,
necessary reconfigurations or patches) , and
prioritization of those remediations based on their
perceived or assessed impact and/or risk.
Vulnerability assessment tools are most useful when
applied during two phases in a targets lifecycle:
1. Just before deployment of system.
2. Re-Iteratively after its deployment.
The most sophisticated vulnerability assessment tools
not only identify vulnerabilities, analyze their likely X. LIMITATIONS OF PENETRATION TESTING
impact, and determine and prioritize mitigations,