Web-Penetration

Have you heard the term "Web Penetration" before and want to know what it is and how it relates to you? Then here you go...
Web penetration is an authorised (legal), simulated (more or less like real) attack on a system to check its vulnerability to cyber attacks. It is a component of a security audit. It comprises two parts: "Discover the vulnerabilities" (legal) and "Exploit the vulnerabilities" (illegal). It determines whether unauthorised access or other malicious activity is actually possible.
Sounds interesting, doesn't it?

Vulnerability assessment is an essential part of web penetration. Many testing techniques exist. For example, fuzzing (cool name, huh!! Well, it's a part of vulnerability assessment) is a software testing technique in which random or invalid data is fed to a program to provoke invalid behaviour, checking the program for failures of built-in code assertions and for potential memory leaks.
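
The fuzzing loop described above, as an added example that is not part of the original post: a small mutation fuzzer feeds random and invalid variants of one valid input to a parser and records every failure that is not a clean rejection. The parser `parse_record`, its record format and the seed input are constructed for illustration, and the harness covers assertion failures and unhandled exceptions only, not memory leaks.

```python
import random

# Constructed valid record: [length=3][payload "abc"][checksum 0x26]
SEED = b"\x03abc\x26"

def parse_record(data: bytes) -> bytes:
    """Toy parser under test (hypothetical format: length, payload, checksum)."""
    if not data:
        raise ValueError("empty input")            # clean, expected rejection
    length = data[0]
    payload = data[1:1 + length]
    # Built-in assertion: the declared length must match what was read.
    assert len(payload) == length, "declared length exceeds available data"
    checksum = data[1 + length]                    # defect: no bounds check
    if checksum != sum(payload) % 256:
        raise ValueError("bad checksum")
    return payload

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Produce one invalid-looking variant of the seed input."""
    data = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:                                # overwrite one byte
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 1:                              # truncate at a random offset
        del data[rng.randrange(len(data) + 1):]
    else:                                          # append random trailing bytes
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return {exception type name: first input that triggered it}."""
    rng = random.Random(rng_seed)                  # fixed seed: reproducible run
    failures = {}
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            target(sample)
        except ValueError:
            continue                               # input was rejected cleanly
        except Exception as exc:                   # anything else is a finding
            failures.setdefault(type(exc).__name__, sample)
    return failures

if __name__ == "__main__":
    for name, sample in fuzz(parse_record, SEED).items():
        print(f"{name}: reproduce with {sample!r}")
```

Each reported input is a reproducer: the fix is to reject it with the same clean error path used for other malformed records, then rerun the fuzzer to confirm the finding is gone.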

Because important work needs effective equipment, various security assessment tools are available for penetration tests. They automate tasks, improve testing efficiency and discover issues that might be difficult to find with manual pen-testing. Some operating systems are geared for pen-testing. Popular among them are:
• Kali Linux (replaced BackTrack in December 2012), based on Debian
• Parrot Security OS, based on Debian
• BlackArch, based on Arch Linux
• BackBox, based on Ubuntu
• Pentoo, based on Gentoo
• WHAX, based on Slackware


The tools required for penetration testing are of two types: static analysis tools and dynamic analysis tools. Dynamic analysis tools check the program for vulnerabilities while it is running. Their characteristic uses are as follows:
• To detect memory leaks;
• To identify pointer arithmetic errors such as null pointers;
• To identify time dependencies.

Well, you don't need to trouble yourself with designing everything on your own; there are tools on the market. Some of the popular testing tools are:
• Metasploit: Commercial product; can be used on web applications, networks, servers etc.; has a GUI and a command line interface; runs on Linux, Apple Mac OS X and Microsoft Windows.
• Wireshark: A network protocol analyser; works on Windows, Linux, OS X, Solaris, FreeBSD etc.
• W3AF: A web-application attack and audit framework; has a command line interface and works on Windows, Mac OS X and Linux.
• Netsparker: A web-application scanner; helps to exploit SQL and LFI (Local File Inclusion). Works only on Microsoft Windows.
• Nessus: A robust web-application scanner; specializes in compliance checks, sensitive data searches and IPS scanning; aids in finding the weak spots. Works in most environments.
• Burp Suite: Works well for proxy interception, crawling content and functionality, and web application scanning. Can be used on Linux, Microsoft Windows, Mac OS X etc.
• Cain & Abel: Uses network sniffing, dictionary, brute-force and cryptanalysis attacks, cache uncovering and routing protocol analysis methods to crack encrypted passwords and network keys. Works only on Microsoft Windows.
• Zed Attack Proxy: Includes proxy intercepting aspects, a variety of scanners, spiders etc.
• John the Ripper: Password hash code and strength-checking code are made available to be integrated into your own software/code; it is primarily for Unix systems.
Though these are my favourites, there are many others as well:
• Acunetix
• Retina
• Sqlmap
• Canvas
• Social Engineer Toolkit
• Sqlninja
• Nmap
• BeEF
• Dradis
• Ettercap
• Hydra
• Veracode
• SATAN
• Shodan
• Aircrack-ng
• Arachni
• Maltego
• IronWASP
• Nikto
• PunkSpider
• Nagios
• IBM AppScan
• WebScarabNG
• HconSTF
• OpenVAS
• Secunia PSI
• Pass-the-Hash

Manual penetration testing
Manual penetration testing layers human expertise on top of professional penetration testing software and tools, such as automated binary static and automated dynamic analysis, when assessing high-assurance applications. A manual penetration test (pen test) provides complete coverage for standard vulnerability classes, as well as other design, business logic and compound flaw risks that can only be detected through manual testing.

Thus, if the topic interests you and you want to learn web pentesting, check out these links (all of them are free!!!):

Sources: www.wikipedia.com, www.veracode.com, www.isqtbexamcertification.com, www.softwaretestinghelp.com

Feel free to leave suggestions for improvement and feedback in the comment section.

