Professional Documents
Culture Documents
United Services
Automobile
Association
Web Hacking Report
December 6, 2015
Table of Contents
Executive Summary:
Document Properties:
Version Control:
Burp Suite:
Summary
Detailed Steps
Recommendations
Firebug
Summary
Detailed Steps
Recommendations
WebGoat
Summary
Detailed Steps
Recommendations
References:
Executive Summary:
Net Ninjas LLC was asked to demonstrate several methods of website hacking. Using
several well-known website security testing tools Net Ninjas LLC was successful in
demonstrating two of the most popular website security testing tools.
Document Properties:
Name
Classification
Confidential
Version
Authors
Reviewed By
Approved By
Date Approved
Version Control:
Version
Date
Authors
Description
1.0
December 6, 2015
First Draft
2.0
December 6, 2015
Second
Draft
Burp Suite:
Summary
Burp Suite is one of the most used tools for testing the security of websites and is recognized by most
security firms as one of the most reliable tools for thoroughly testing the security of websites. Net Ninjas
LLC was successful in demonstrating the basic functionality of Burp Suite.
Detailed Steps
Net Ninjas LLC configured the selected website browser to proxy through 127.0.0.1:8080 to allow Burp
Suite to properly function.
Net Ninjas LLC configured Burp Suite to not capture Googles safe browsing updates to provide cleaner
results during the demonstration.
Net Ninjas LLC navigated to Google.com, analyzed the captured cookies, and was able to determine the
expiration dates of the cookies.
Net Ninjas LLC examined the Im feeling lucky button on Google.com and determined that at the time
it was called Im Feeling Artistic.
Recommendations
To mitigate the risks associated with insecure websites it is important that all corporate websites be fully
updated with the latest security patches and be hosted on a supported operating system. If updating to a
supported operated system is not a viable option it is recommended that the insecure website be placed on
an isolated portion of the corporate network without public access.
Firebug
Summary
Firebug is one of the most well-known browser add-ons for testing website security. Net Ninjas LLC was
successful in demonstrating the basic functionality of the Firebug browser add-on.
Detailed Steps
Net Ninjas LLC was able to change the word Blog to Blaargh on the target website
Recommendations
To prevent unauthorized individuals from making changes to corporate websites it is important to ensure
that all website servers are properly hardened and constantly remain up to date with the latest security
patches.
WebGoat
Summary
WebGoat is one of the most well known platforms for practicing website security testing. It contains
several tutorials for various website security testing methods. Net Ninjas LLC was successful in
demonstrating the basic functionality of the WebGoat platform.
Detailed Steps
1. As mentioned under the previous section, perform the different labs in WebGoat. Get a feeling for web
app vulnerabilities. Start with the Introduction and then General sections. After that, work in any order
you choose. Do as many as you can.
1.
2. Under "Authentication Flaws" There is a lab called Multi Level Login 2. For this lab, you are an attacker
and you have a username and password. What is the username and password for this attacker?
1. Joe
2. Banana
2.
4. How many operations are defined in the WebGoat WSDL file? It is under the Web Services section.
1. 4
Recommendations
To mitigate the risks associated with website attacks it is important to ensure that all corporate webservers
are properly hardened. All corporate websites should be hosted on a currently supported operating system,
if updating to a currently supported operating system is not a viable option it is highly recommended that
all vulnerable corporate web servers be placed in an isolated section of the network without public
network access.
References:
Alharbi, M. A. (2010, April 6). Writing a Penetration Test Report. Retrieved from SANS
Institute InfoSec Reading Room: http://www.sans.org/readingroom/whitepapers/testing/writing-penetration-testing-report-33343