542.1 Introduction and Information Gathering Flashcards

1
Q

Why are web applications important?

A
  • Are ubiquitous across all sizes and types of businesses
  • Enable business-critical functionality
  • Provide access to sensitive and/or critical data
2
Q

Web application Pen Test provides one method of assessing an application’s security posture.

A

Understanding how web app pen testing fits into the overall spectrum proves important:

  • Might not be the right or best tool for a given application
  • Might need to be complemented by other approaches

Varied approaches to web app pen testing itself also exist and could be relevant.

3
Q

What are the different security testing methods?

A

Security testing methods:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Interactive Application Security Testing (IAST)
  • Out-of-Band Application Security Testing (OAST)
4
Q

What is threat modelling?

A

Brainstorm potential vulnerabilities and realistic threats to the web application, then think of mitigation strategies for each weakness:

  • Consider using NIST SP 800-30, Appendix D, as a resource to assist with threat modeling
  • Can help to prioritize limited resources to address the most likely attack vectors and weaknesses in the application
5
Q

What are the Advantages of Threat Modeling?

A
  1. Practical attacker’s view of the system
  2. Flexible
  3. Early in the SDLC

6
Q

What are the Disadvantages of Threat Modeling?

A

  1. Relatively new technique
  2. Good threat models don’t automatically mean good software

7
Q

What is Source Code Review?

A
  • Certain vulnerabilities cannot be found without reading the source code
  • The time necessary to develop a suitable exploit can be dramatically reduced
  • Usually only performed under a full knowledge pen test, or if a vulnerability permits access to source code within the web root.
8
Q

What are some advantages of a Source Code Review?

A
  1. Completeness and effectiveness
  2. Accuracy
  3. Fast (for competent reviewers)
9
Q

What are some disadvantages of a Source Code Review?

A
  1. Requires highly skilled security developers
  2. Can miss issues in compiled libraries
  3. Cannot detect run-time errors easily
  4. The source code actually deployed might differ from the one being analyzed
10
Q

What is Static Application Security Testing (SAST) ?

A

SAST involves scrutinizing application source code looking for security deficiencies.

Employs tools rather than relying simply on manual code review:

  • However, SAST can be seen simply as a more automated or efficient type of code review
  • Characterized as a full knowledge testing technique, because source code access is required for this type of testing
11
Q

What are some strengths and weakness of SAST ?

A

Strengths: Identifies security deficiencies not readily apparent in deployed application

Weaknesses: Requires access to source code; might overlook APIs or libraries leveraged by the application; overlooks ops side of apps.

12
Q

What is Dynamic Application Security Testing (DAST)?

A
  • Commonly used as the sole way to find vulnerabilities in applications
  • Pen tests are not always the most efficient method of finding security weaknesses
    o Certain classes of vulnerabilities (e.g., logic flaws) are much easier to detect in a DAST test

13
Q

What are some advantages and Disadvantage of DAST ?

A

Advantages:

  • Can be automated and fast (and therefore cheap)
  • Requires a relatively lower skill set than source code review
  • Tests the code that is actually being exposed

Disadvantages:

  • Too late in the SDLC
  • Front impact testing only

14
Q

Wielding DAST tools effectively proves much more challenging than merely pushing a button; at a minimum it requires ?

A
  • Properly configuring scans for the target application
  • Guiding scans to ensure comprehensive review
  • Following up on results to reduce false positives
  • Assessing true positives to understand potential impact
  • Understanding and shoring up deficiencies in capabilities
15
Q

What are Manual Inspections and Reviews ?

A

Manual inspections are human reviews that typically test the security implications of people, policies, and processes — WSTG v4.2, p. 18

  • Involves reviewing documentation, as well as interviewing designers and system owners
  • To ensure accuracy, be sure to verify that the documentation and the information related in interviews are correct
16
Q

What are some advantages of Manual Inspection and Reviews?

A

  • Requires no supporting technology
  • Can be applied to a variety of situations
  • Flexible
  • Promotes teamwork
  • Early in the SDLC

17
Q

What are some disadvantages of Manual Inspection and Reviews?

A

  • Can be time consuming
  • Supporting material not always available
  • Requires significant human thought and skill to be effective

18
Q

What is the best method of Pentesting?

A

Balancing both automated and manual testing = best!

19
Q

Zero knowledge vs Full knowledge.

A
  • Zero-knowledge represents an assessment in which the pen tester has very few details, perhaps only a URL, about the target application
    o Difficult and time consuming (i.e., expensive) to perform
    o Many people mistakenly think this form of test represents a “real-world” scenario
  • Full-knowledge testing involves the pen tester having access to all details about the application, such as architecture drawings, source code, developers, etc.
    o Common with in-house security teams
    o Try to shift assessments as close to a full knowledge assessment as possible

20
Q

What are 2 frameworks that exist for pen testing?

A
  • OWASP Web Security Testing Guide (WSTG)
  • Penetration Testing Execution Standard (PTES)
21
Q

What does a pen test methodology help ensure an assessment is?

A
  • Consistent
  • Reproducible
  • Rigorous
  • Under quality control
22
Q

What is OWASP ?

A

“The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.

Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions.

OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide.

Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.”

23
Q

What are interception proxies?

A

On one end of the spectrum we have automated scanners, and on the other we have browsers

Interception proxies are a major piece of our toolkit, providing a middle ground between the fully automated and the overtly manual

The interception proxy occupies a primary role in the web penetration tester’s arsenal

ZAP and Burp will be the proxies of choice for the class, and we will spend much time with each.

24
Q

The most essential piece of Burp Suite to understand is the Scope tab.

A

Properly defining the scope of your application assessment:

  • Makes the difference between tools running forever and completing
  • Keeps you from accidentally overlooking relevant resources
  • Allows you to avoid paths/systems explicitly excluded
  • Ensures you generally don’t run afoul of your authority and scan the universe
25
Q

Sometimes the things you want to see in Burp are filtered because of the Site Map Filter function.

A

New Burp users very often overlook the Site Map: Filter

  • Once it’s discovered, simple filtering makes finding desired data much easier
  • Also makes finding inadvertently hidden data easier
26
Q

SEC 542 OSINT information means the following.

A
  • Could be free/open information about target in the public domain
  • Data provided by users/employees of the target organization
  • Information provided (un)intentionally by the target organization
  • Information from social media sites
27
Q

Domain Name System - global hierarchical database of domain names.

A

  • Uses UDP port 53 for payloads <= 512 bytes
  • Uses TCP port 53 for payloads > 512 bytes, notably zone transfers

28
Q

what is the command line to do a zone transfer using dig?

A

$ dig sec542.org -t axfr

29
Q

What is a Reverse DNS Scan?

A

Many DNS administrators (and DNS tools) reliably create reverse (PTR) records for every forward (A) record:

  • A: www.sec542.org -> 192.168.1.8
  • PTR: 192.168.1.8 -> sec542.sans.org

or they never configure a reverse lookup zone.

30
Q

Tools for DNS Reconnaissance

A
  • nslookup
  • dig
  • Nmap
  • DNSRecon
31
Q

Dig Syntaxes

A

The basic usage is:
$ dig [@<nameserver>] example.com [options]
  • Uses the default DNS name server if @<nameserver> is omitted

Look up all sec542.org records (SOA, A, NS, MX, and more):
$ dig @192.168.1.8 sec542.org

Look up sec542.org MX records only:
$ dig @192.168.1.8 sec542.org -t mx

Attempt a zone transfer of sec542.org:
$ dig @192.168.1.8 sec542.org -t axfr

Simplified PTR (reverse) lookup:
$ dig -x 192.168.1.23

Query the nameserver’s version of BIND:
$ dig @192.168.1.8 version.bind chaos txt
