In part 1, I gave an overview of Penetration Testing, the causes of vulnerabilities, why Penetration Testing is performed, testing scope and strategy, steps to be performed during Penetration Testing, testing techniques, roles involved in the penetration testing and its limitation. In the second part, sample test scenarios, suggestions, automated tools and some reference websites will be covered.
Penetration Testing sample test scenarios
The following are some of the test scenarios that can be considered during Penetration Testing:
- Verify if spam attacks are possible on the contact forms used on the website.
- Exploit all servers, desktop systems, laptops, printers and network devices.
- Verify that all usernames and passwords are encrypted and transferred through a secured connection like https.
- Verify that URL cannot be tampered with. For example, if a user creates a login and accesses his inbox or dashboard then he should not be able to access any other user’s inbox or dashboard by changing the URL from the address bar. This happens especially if you use a query string in your application.
- Verify information is stored in cookies. It should not be in a readable format.
- The password should be at least 8 characters long. The password should contain at least one number and one special character. So, the password should be strong.
- Verify that Usernames like “admin” or “administrator” are not used for authorized or restricted areas.
- Application login should be locked after a few unsuccessful login attempts.
- Error messages should be generic and should not mention specific error details such as, “Invalid username” or “Invalid password”.
- Verify if special characters, HTML tags and scripts are handled properly as an input value.
- Internal system details should not be revealed in any of the error or alert messages.
- Custom error messages should be displayed to end user if a web page crashes.
- Verify use of registry entries. Sensitive information should not be kept in the registry.
- All files must be scanned before uploading to the server.
- Sensitive data should not be passed in an URL while communicating with different internal modules of the web application.
- There should not be any hard-coded usernames or passwords in the system.
- Verify all input fields with long input string with and without spaces to make sure there is no issue.
- Verify if reset password functionality is secure.
- Critical resources in the system should be available to authorized persons only.
- All access logs should be maintained with proper access permissions.
- Verify user session ends upon log off.
- Verify that directory browsing is disabled on the server.
- Verify that all applications and database versions are up to date.
- Verify URL manipulation is not allowed.
- Verify if the system is safe from Brute Force Attacks to make sure that sensitive information is protected.
- Verify if system or network is secured from DoS (denial-of-service) attacks. Hacker can target the network or a single computer with continuous requests. Due to this target system resources are overloaded and that results in denial of service for legit requests.
- Verify that SQL Injection does not work.
- Verify application for Cross Site Scripting.
- Verify all HTTP methods. PUT and Delete methods should not be enabled on web server.
- Verify that all previous vulnerabilities found during testing have been fixed.
- Verify if there is no open port in the network.
- Verify all telephone devices.
- Verify WIFI network security.
- Verify memory leak and buffer overflow.
- Verify if network has virus software installed that controls the Trojan attacks.
- Financial data must be secured while transferring between different systems
- Verify that sensitive data is secure.
HIPAA specific Test Scenarios
- Personal and confidential data should be saved in the database in an encrypted format.
- Data or information should float on the network in the encrypted format. For instance, if a person retrieves a patient’s data then the request and response should be sent and receive in an encrypted format.
- Data should not be accessed, changed or updated in an unauthorized manner.
- Patient personal and medical history should not be accessible publicly. It should only be accessed by authorized persons or authorities.
- Patient billing information is protected.
- Data should not be lost or unsaved during the add or update process.
- Recover password process of an existing user should not be so easy. It should follow a process that prevents hackers or unauthorized users to access the application by cracking the password.
- Proxy server – Verify that network traffic is monitored by proxy applications. Hackers find difficulties to get the network details due to proxy servers.
- Spam email filters – Verify that incoming and outgoing email traffic is filtered and unsolicited. Email clients, such as Outlook’s spam filters can be configured as per your needs. The configuration rules can be applied to email headers, subject or body.
- Firewall – Verify that the entire network or computers are protected with Firewall. Firewall blocks unauthorized access to the system and prevents sending data outside the network without your permission.
Penetration Testing Tools
|Tool||Short Description||Usage in Pen Test||Reference Website|
|NMAP||NMAP (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.||To find the open ports on the network.||http://nmap.org/|
|Fiddler – Watcher||Watcher is a runtime passive-analysis tool for Web applications. It detects Web-application security issues as well as operational configuration issues.||Verification of the code including sessions and SSL configurations – XSS (Cross-side scripting)||http://fiddler2.com/add-ons
|Firefox Add-ons||Extensions for Turning Firefox Into a Penetration Testing Tool||Firefox Add-ons for Security Researchers and Penetration Testers||http://resources.infosecinstitute.com/use-firefox-browser-as-a-penetration-testing-tool-with-these-add-ons/
|IBM Security AppScan Family||Comprehensive application vulnerability management across the application lifecycle||Application security solutions from IBM provide pre-emptive protection to keep applications secure, protected from malicious use, and hardened against future failure.||http://www-03.ibm.com/software/products/us/en/category/SWI10|
Reference Websites – Worth Reading
PCI Compliance (Payment Card Industry Compliance)
HIPAA (Health Insurance Portability and Accountability Act)
Cross site scripting (XSS)