Scribd Logo
Upload

Welcome to Scribd!

  • USSA Web Hacking Report

    Uploaded by

    Mara
    24 views10 pages
    Along with other security measures, corporations websites must all have protection in place. This analysis of a website used different security testing tools to determine the security of the site.

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Along with other security measures, corporations websites must all have protection in place. This analysis of a website used different security testing tools to determine the security of the site.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    24 views10 pages

    USSA Web Hacking Report

    Uploaded by

    Mara
    Along with other security measures, corporations websites must all have protection in place. This analysis of a website used different security testing tools to determine the security of the site.

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 10

    Net Ninjas LLC, 1

    United Services
    Automobile
    Association
    Web Hacking Report
    December 6, 2015

    This Report Was Prepared By:


    Net Ninjas LLC
    Darren Blakely Security Analyst
    Marie Whiting Security Analyst
    David Savlowitz Security Analyst

    Net Ninjas LLC, 2

    Table of Contents
    Executive Summary:
    Document Properties:
    Version Control:
    Burp Suite:
    Summary
    Detailed Steps
    Recommendations
    Firebug
    Summary
    Detailed Steps
    Recommendations
    WebGoat
    Summary
    Detailed Steps
    Recommendations
    References:

    Net Ninjas LLC, 3

    Executive Summary:
    Net Ninjas LLC was asked to demonstrate several methods of website hacking. Using
    several well-known website security testing tools Net Ninjas LLC was successful in
    demonstrating two of the most popular website security testing tools.

    Document Properties:
    Name

    USAA Recon Documentation

    Classification

    Confidential

    Version

    Authors

    Darren Blakely, Marie Whiting,


    and David Savlowitz

    Reviewed By
    Approved By
    Date Approved

    Version Control:
    Version

    Date

    Authors

    Description

    1.0

    December 6, 2015

    Darren Blakely, Marie


    Whiting, and David
    Savlowitz

    First Draft

    2.0

    December 6, 2015

    Darren Blakely, Marie


    Whiting, and David
    Savlowitz

    Second
    Draft

    Net Ninjas LLC, 4

    Burp Suite:
    Summary
    Burp Suite is one of the most used tools for testing the security of websites and is recognized by most
    security firms as one of the most reliable tools for thoroughly testing the security of websites. Net Ninjas
    LLC was successful in demonstrating the basic functionality of Burp Suite.

    Detailed Steps
    Net Ninjas LLC configured the selected website browser to proxy through 127.0.0.1:8080 to allow Burp
    Suite to properly function.

    Net Ninjas LLC configured Burp Suite to not capture Googles safe browsing updates to provide cleaner
    results during the demonstration.

    Net Ninjas LLC, 5

    Net Ninjas LLC navigated to Google.com, analyzed the captured cookies, and was able to determine the
    expiration dates of the cookies.

    Net Ninjas LLC examined the Im feeling lucky button on Google.com and determined that at the time
    it was called Im Feeling Artistic.

    Net Ninjas LLC, 6

    Recommendations
    To mitigate the risks associated with insecure websites it is important that all corporate websites be fully
    updated with the latest security patches and be hosted on a supported operating system. If updating to a
    supported operated system is not a viable option it is recommended that the insecure website be placed on
    an isolated portion of the corporate network without public access.

    Firebug
    Summary
    Firebug is one of the most well-known browser add-ons for testing website security. Net Ninjas LLC was
    successful in demonstrating the basic functionality of the Firebug browser add-on.

    Detailed Steps
    Net Ninjas LLC was able to change the word Blog to Blaargh on the target website

    Request is sent for the Blog update as shown below.

    Name of page sending request is update.php.

    Net Ninjas LLC, 7

    Recommendations
    To prevent unauthorized individuals from making changes to corporate websites it is important to ensure
    that all website servers are properly hardened and constantly remain up to date with the latest security
    patches.

    Net Ninjas LLC, 8

    WebGoat
    Summary
    WebGoat is one of the most well known platforms for practicing website security testing. It contains
    several tutorials for various website security testing methods. Net Ninjas LLC was successful in
    demonstrating the basic functionality of the WebGoat platform.

    Detailed Steps
    1. As mentioned under the previous section, perform the different labs in WebGoat. Get a feeling for web
    app vulnerabilities. Start with the Introduction and then General sections. After that, work in any order
    you choose. Do as many as you can.

    1.
    2. Under "Authentication Flaws" There is a lab called Multi Level Login 2. For this lab, you are an attacker
    and you have a username and password. What is the username and password for this attacker?
    1. Joe
    2. Banana

    3. What is the name of the session id that WebGoat is using?


    1. 39877

    2.
    4. How many operations are defined in the WebGoat WSDL file? It is under the Web Services section.

    Net Ninjas LLC, 9

    1. 4

    Recommendations
    To mitigate the risks associated with website attacks it is important to ensure that all corporate webservers
    are properly hardened. All corporate websites should be hosted on a currently supported operating system,
    if updating to a currently supported operating system is not a viable option it is highly recommended that
    all vulnerable corporate web servers be placed in an isolated section of the network without public
    network access.

    Net Ninjas LLC, 10

    References:
    Alharbi, M. A. (2010, April 6). Writing a Penetration Test Report. Retrieved from SANS
    Institute InfoSec Reading Room: http://www.sans.org/readingroom/whitepapers/testing/writing-penetration-testing-report-33343

    You might also like