Beruflich Dokumente
Kultur Dokumente
Overview of the web Web proxy tool Reporting Gaps in the process
app penetration
testing process
§ Penetration testing vs vulnerability
assessment
What is it? § Finding security issues, exploiting them,
and reporting on it
FINDING UNDERSTANDING LEGAL
VULNERABILITIES THE APPLICATION REQUIREMENTS (E.G
BEFORE THE BAD SECURITY POSTURE PCI COMPLIANCE)
GUYS DO
Why is it needed?
§ Requirements for testing
§ Effort days
§ Software/hardware requirements
Our Methodology
Developing
Reporting
test cases
Vulnerability
Risk analysis discovery &
exploitation
Methodology 2 – Information Gathering
• Your browser and dev tools are your best friend
• Unauthenticated vulnerabilities and exposures are the most critical
• Depending on the timeline, proceed in order of attacks that are most likely to succeed
• Try non-intrusive methods such as searching DNS records, as well as traceroute and other
enumeration
Breaking components
of the application by
issues: Developing Business
• Authentication and
logic test cases:
authorization issues • Jumping user flows
• Session management • Testing authorization
• Data validation controls
• Misconfigurations
• Network Level issues
Carrying out the test cases
Google everything
uhttps://www.kisspng.com/png-owasp-top-10-web-application-
security-computer-sec-4965837/
Risk Analysis
Likelihood of a successful
Impact of a successful attack
attack
Reporting
Impact/Likelihood
Recommendations
of an attack
Presentation Support
§ Burp Suite Pro:
Gaps in the
ABILITIES
process