COS30015 Practical Assignment

Uploaded by

crazyspartan1999

COS30015 PRACTICAL PROJECT

PENETRATION TESTING
Due Date: 26 MAY 2023

MAY 22, 2023


MAX CHRISTEAN ONG
101210046
Introduction
Information systems security is a significant concern due to the increased interconnectivity,
system extensibility, and complexity. Organisations must secure their data resources by
implementing a comprehensive and systematic risk management strategy. To overcome
these security difficulties and ensure compliance with legislation, security specialists have
devised a variety of methodologies, such as proof of correctness, layered design, software
engineering environments, and penetration testing.
Penetration testing is a thorough approach that assesses the overall integrity, functionality,
and trustworthiness of the entire computing system, encompassing hardware, software, and
human factors. This process actively analyses the system to identify vulnerabilities such as
system misconfigurations, software and hardware flaws, and operational weaknesses.
It is important to differentiate penetration testing from security functional testing. While
security functional testing demonstrates the correct operation of security controls,
penetration testing focuses on assessing the difficulty of unauthorized access and simulating
real-world attacks. This involves utilizing automated tools, manual methods, or a
combination of these to simulate the actions of an unauthorized user attempting to breach an
organization's security controls.
This assignment presents an overview of penetration testing, emphasising its benefits,
tactics, and different types. The methodology for conducting penetration testing is also
discussed.
Justification
The primary objective of this assignment is to detect and address security flaws in a
controlled environment before unauthorised individuals may exploit them. To tackle the
challenges associated with vulnerability assessment, professionals in the field of computing
systems utilize penetration testing.

Benefits of Penetration Testing


From a business standpoint, penetration testing provides several advantages that help
protect the organization and justify investments in information security. Firstly, it helps
prevent financial losses by identifying and addressing risks before security breaches occur.
Furthermore, compliance with industry regulations is essential for organizations to avoid
heavy fines, legal repercussions, or even failure. Penetration testing is a proactive measure
providing undeniable information to meet auditing and compliance requirements.
The impact of compromised client data can be devastating, damaging consumer confidence
and the organization's reputation. Penetration testing helps to prevent security incidents that
can harm the corporate image.
From an operational standpoint, penetration testing plays a vital role in shaping an
organization's information security strategy. It facilitates the quick and accurate identification
of vulnerabilities, allowing for proactive risk mitigation and the implementation of corrective
measures.
By incorporating penetration testing into security practices, organizations gain detailed
insights into actual and exploitable security threats. This enables them to identify real and
potential vulnerabilities swiftly and accurately. Penetration testing assists in isolating and
prioritizing vulnerabilities, enabling organizations to fine-tune modifications or apply updates
to proactively reduce identified hazards.
Lastly, the process of conducting a penetration test requires significant time, effort, and
expertise to navigate the complexities of the test environment. Consequently, penetration
testing enhances the knowledge and skill levels of those involved in the process.

Planning
Penetration testing goes beyond the perception of being a routine process involving
automated tools and technical reports. Its true value lies in providing clear and concise
guidance on securing an organization's information and information systems against real-
world attacks. The methodology employed in penetration testing plays a crucial role in its
success. It should adhere to a systematic and scientific approach, ensuring that tests are
thoroughly documented, and reports are tailored for different management levels within the
organization. It should not be overly restrictive, allowing us to fully explore our insights.
As shown in the diagram below, penetration testing consists of three stages: preparation,
execution, and analysis.

Most of the penetration testing methodology occurs during the test phase, which involves
utilizing a range of software applications. The table below provides a compilation of these
tools. This phase includes various essential activities, such as data collection, vulnerability
analysis, and vulnerability exploitation.

The initial stage of information gathering in penetration testing involves us scanning both the
logical and physical aspects of the targeted website to determine relevant data necessary for
the subsequent vulnerability analysis stage. Based on the available data collected, we
proceed to analyse the vulnerabilities present in the network, host, and application of the
target. While the analysis can be conducted manually, there are also automated tools
available to assist us in this step.

The final step entails locating exploits for the vulnerabilities discovered in prior steps. If the
exploits fail to achieve the desired outcome, such as gaining root access, further analysis is
required. This is represented by the iterative loop between the vulnerability analysis and
vulnerability exploit phases.
During the test analysis phase, the results of the penetration test are thoroughly examined. It
is crucial for us to be comprehensive and systematically organized. Additionally, it is
important to prepare a mitigation plan as part of the penetration testing process. Thus,
including a dedicated section on the mitigation plan within the analysis report is mandatory.

Web Application Penetration Testing


Penetration testing involves systematically probing systems, which can encompass
networks, apps, or hosts. Penetration testing methodology in general serves as a valuable
process for identifying and resolving security vulnerabilities, particularly in websites. This
part demonstrates the penetration testing procedure using a website called bWAPP.
Assuming the test preparation stage is finished before the test stage, the test stage consists
of three steps: information gathering, vulnerability analysis, and vulnerability exploit. These
steps are also known as the reconnaissance stage, vulnerability stage, and hacking simulation
stage. The test analysis step comes after the testing stage.

Intel Gathering
During this stage, we should gather all available information, even if it initially appears
irrelevant or insignificant, as the importance of specific details may become apparent later.
This stage can be completed in a variety of ways, including using freely accessible tools like
scanners, search engines, sending HTTP queries or personally exploring the website. We
could browse through the application to identify its purpose, fingerprint the web server,
identify client and server-side applications, and assess the material and features. The table
below provides a list of common tools utilized in web application penetration testing.

Brief description of bWAPP
bWAPP (bWASP-Beef) stands for "Buggy Web Application" and is a deliberately vulnerable
web application developed for educational and training purposes. It is designed to help
individuals, particularly web developers and security professionals, understand common web
application vulnerabilities and practice their skills in a safe environment.

bWAPP provides a wide range of security flaws and vulnerabilities, allowing users to
simulate various attack scenarios and learn how to mitigate or exploit them. It covers
vulnerabilities such as cross-site scripting (XSS), SQL injection, remote code execution, file
inclusion, and many others commonly found in web applications.
The application offers a user-friendly interface and provides detailed explanations of each
vulnerability, along with hints and solutions to help users understand and fix the issues. It
allows users to select different security levels, ranging from low to high, to gradually increase
the complexity of the challenges.
By using bWAPP, individuals can gain hands-on experience in identifying and securing web
application vulnerabilities, enhancing their understanding of web security best practices. It
serves as an effective tool for training, testing security tools, and deepening knowledge in
the field of web application security.

Web Server Fingerprinting


Identifying the web server is crucial for vulnerability analysis. It allows us to determine the
specific vulnerabilities we should focus on and the corresponding exploits to employ. Using
Fiddler, we obtained the following figure that displays the HTTP headers of bWAPP. The
response headers' miscellaneous section demonstrates the server is running Apache-Coyote 1.1.

Fingerprinting of Application
Application fingerprinting aims to identify what types of files are processed by the system
being targeted and determine its available assets. These kinds of files often reveal the
syntax of the programming language and programme utilized for implementing functions,
which can be valuable in identifying vulnerabilities.
This information can be obtained from the HTTP headers and error messages. An example
of an HTTP header from bWAPP, captured using the Fiddler tool, is presented in the
previous figure. The JSESSIONID field value contained in the cookies branch of the request
header shows that Java is being used.
The figures below display an error message generated by the web application, revealing the
usage of Microsoft Active Server Pages for its implementation. An additional warning
notification from the website reveals that MySQL is being used as the backend database.

Analysing Vulnerability
During the vulnerability analysis stage, we utilize the intel gathered in the previous step to
examine the vulnerabilities present in the web application. Various aspects of the application
such as configuration management, business logic, authentication, session management,
authorization, data validation, denial of service, and web services can be subjected to
testing. This step involves the examination of vulnerabilities related to the web server,
authentication mechanisms, input handling, and specific functions of the application.
Vulnerabilities of Web Server

In the context of web server vulnerabilities, it is important for us to assess factors such as
default credentials, default content, risky HTTP methods, proxy functionality, and potential
misconfigurations related to virtual hosting. It should be noted the web application utilizes the
Apache web server. However, the specific details regarding vulnerability scanning within the
Apache web server are not addressed in this discussion.

Vulnerabilities in the Authentication Mechanism


It is essential to evaluate the structure and execution of a website's methods of
authentication to identify any potential flaws. This includes testing aspects such as
username enumeration, password guessing, password quality, etc.
During the testing of bWAPP, to evaluate password quality, numerous situations were tested,
including typing names in the username and password fields or extremely long, short, blank,
and common dictionary words. It permitted any user to simply access their accounts, even
with a blank username and password, which posed a security concern. Throughout the
testing process, verbose error messages were not displayed by the web application for
authentication mechanism vulnerabilities. Additionally, no sensitive information was revealed
through the Uniform Resource Locator (URL) bar while credentials were being transmitted.
Notably, the web application did not have "remember me" or account recovery functions that
could potentially expose further vulnerabilities.
Web applications that rely on data inputs are susceptible to input-based risks, which can be
identified through testing for Cross-Site Scripting (XSS) vulnerabilities and SQL injection.

SQL Injection Vulnerabilities Testing:

SQL injection allows intruders to inject SQL statements into an application to change or
retrieve data from a database server. In the case of the web application, manual testing was
conducted to identify SQL injection vulnerabilities. For the password and username fields,
various SQL injection query strings were tested. However, the website reacted similarly
when blank username and password values were provided. Notably, one specific string,
"' OR ''='", triggered abnormal messages when applied to the "Blogger login" and "Visitor
registration" functions (refer to figures below). These messages suggest that "password" and
"username" were perhaps used as field names in the database table. This data
becomes crucial for the subsequent vulnerability exploitation phase.

Cross-Site Scripting (XSS) Vulnerabilities Testing:

XSS (Cross-Site Scripting) is a prevalent vulnerability found in web applications, enabling


attackers to inject malicious client-side scripts into web pages viewed by other users. This
type of vulnerability is frequently seen in web apps that allow for user-submitted comments.
To assess XSS vulnerabilities, the web application's "new post" and "read comment"
features were used. When writing a post, the following string was inserted into the text box:
"<script>alert("This application is vulnerable to XSS")</script>". When the programme
accepted the post, an alert window opened, showing the presence of XSS vulnerabilities as
shown below.
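To show the defensive side of the finding above, here is an added example in Python that is not bWAPP's code and not part of the original report: the report's test post rendered by a vulnerable template beside one that HTML-escapes user text at output time, plus a small check a tester can run over the rendered page. The post data and function names are constructed for this illustration.

```python
import html
import re

# Constructed sample posts; the second carries the report's XSS test string.
POSTS = [
    {"author": "bee", "text": "Welcome to the blog."},
    {"author": "tester",
     "text": '<script>alert("This application is vulnerable to XSS")</script>'},
]

def render_post_vulnerable(post):
    """'Before': user-supplied text is interpolated straight into the HTML.
    The browser of every visitor who reads the blog parses the <script>
    element in the post body and runs it (stored XSS)."""
    return f"<div class='post'><b>{post['author']}</b>: {post['text']}</div>"

def render_post_fixed(post):
    """'After': every user-controlled value is HTML-escaped at output time,
    so '<' becomes '&lt;' and a double quote becomes '&quot;'; the browser
    displays the text instead of executing it. html.escape is correct for the
    HTML body context used here; attribute, URL and JavaScript contexts need
    their own encoders."""
    return (f"<div class='post'><b>{html.escape(post['author'])}</b>: "
            f"{html.escape(post['text'])}</div>")

def render_page(posts, renderer):
    """Assemble the blog page from the posts using the given renderer."""
    return "<html><body>" + "".join(renderer(p) for p in posts) + "</body></html>"

def contains_script_element(markup):
    """Regression check for the test report: does the rendered page contain a
    real <script> start tag (as opposed to the escaped text '&lt;script')?"""
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None

if __name__ == "__main__":
    print("vulnerable page carries a script element:",
          contains_script_element(render_page(POSTS, render_post_vulnerable)))
    print("fixed page carries a script element:     ",
          contains_script_element(render_page(POSTS, render_post_fixed)))
```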

Vulnerability Exploitation
Once we finish the vulnerability analysis phase, we should have a clear understanding of
which zones will be targeted for exploitation. Both applications were subsequently
exploited using the compiled list of vulnerabilities.
Its authentication procedures have flaws, rendering it vulnerable to SQL injection and XSS
attacks. Because there are no effective validation methods in place, any user could
acquire unauthorized access to the system. One potential attack was to flood the website
with content that jeopardized the system's security, including posting forum content that
defamed individuals, linking to scammers' websites, or introducing links to potentially hazardous sites.
Additionally, armed with the knowledge that the website was vulnerable to SQL injection, we
delved deeper into the various functions of the application. The objective was to gather more
information and ideas on how to take advantage of the system. This case study exemplifies the
iterative process between vulnerability exploitation and analysis stages.
An image presented below displays the site's content accessed through the URL
http://localhost:8080/bWAPP/individual.jsp?id=69. Through persistent manipulation of the
URL using the UNION operation, several pages were discovered containing crucial
information. The data appears to represent authorised users' account details. Unauthorised
access to the system can be acquired by using these accounts.

While conducting the XSS vulnerability testing, the application was successfully attacked via
an illicit message uploaded on the site before the blog was displayed. An alternative
approach for exploiting this vulnerability involved utilizing a hyperlink instead of a warning
message.
Another technique of exploiting this issue was to steal crucial information. The following was
accomplished by constructing a bogus website with enticing materials that persuaded people
to enter confidential data. The figures below depict this scenario.

Analysis of Test Results
During this phase, the test results are examined. It is crucial for us to have knowledge about
common attacker methods, techniques, and tools, as well as any potential data exposure
issues. The actions required to react to and rectify the identified problems should be
outlined in this phase. In the case of bWAPP, one possible remediation strategy could
involve sanitizing user input data before incorporating it into a SQL query. The systems could
be protected against SQL injection attacks by ensuring that the login and password provided
to the database do not contain any malicious characters.
Discussion
Penetration testing can be an effective and cost-effective method of protecting an
organization's systems from attacks. It aids in detecting internal practices that lead to
vulnerabilities and discovering potential sources of vulnerabilities when carried out correctly.
By addressing such factors, the corporation can eliminate vulnerabilities, appropriately focus
its security efforts, encourage vendors to enhance their products, upgrade internal
security procedures, and demonstrate to clients and stakeholders.
The selection of a capable penetration testing team is a crucial factor in the success of the
process. Evaluating the team should involve considering their qualifications, experience,
knowledge, reputation within the e-business community, and access to advanced tools. It is
generally advisable to avoid engaging a team that provides the systems to be tested,
ensuring an unbiased assessment. It is important to note that penetration testing cannot
uncover all potential security vulnerabilities as it is just one aspect of comprehensive testing.
Furthermore, penetration testing should not be viewed as a one-time service. Because the
security landscape continues to evolve, fixing or patching the vulnerabilities identified is not the
end of security concerns but rather the beginning of an ongoing and continuous cycle. It is crucial
to recognize that a penetration test does not guarantee absolute security; rather, it provides
a measurement of the security posture at a given time.

Conclusion

Penetration testing is an extensive approach used to identify vulnerabilities within a system.
It offers several advantages, including the prevention of financial loss, compliance with
industry regulations, assurance for customers and shareholders, and safeguarding the
corporate image. Additionally, external or internal testing may be chosen based on the
precise objectives to be met.
This assignment outlines an approach for conducting penetration testing, which includes test
preparation, test execution, and test analysis. Three main phases are carried out throughout
the testing phase: vulnerability analysis, intel gathering and vulnerability exploitation. To
illustrate the penetration testing process, a web application, bWAPP, was utilized.
When presenting the test results, it is crucial to follow a comprehensive format. A major
component of the test analysis process is the creation of a remediation plan that defines the
necessary corrective actions for detected vulnerabilities. The final report should
have sufficient evidence for those responsible to duplicate and address the identified
vulnerable patterns and discoveries.
