Weekly Report - W6

Uploaded by hzhu13

Weekly Report – Week 6

Penetration testing for a web application

Team members: Baichuan Zhao / Hong Zhu / Tianrui Huang
Instructor: Sara Khanchi
Tasks for Last Week
(Stage 2: Vulnerability identification and information gathering)
• Biweekly meeting with the company.
--Share checklist and project plan with the company
--Wait for the feedback from the company
• Review source code to check the vulnerability of the application ---Ongoing
• Explore the tool usage ---Ongoing
• Continue collecting the information about the application (version of software components, i.e., web framework) ---Ongoing
• Penetration testing ---Ongoing
Testing for Weak Cryptography
(Stage 2: Vulnerability identification and information gathering)
• Testing for Weak Transport Layer Security
--Server Configuration (TLS 1.2/1.3 / Pass)
--Digital Certificates (google-ca / Pass)
The key strength should be at least 2048 bits (RSA 2048 / Pass)
The signature algorithm should be at least SHA-256. Legacy algorithms such as MD5 and SHA-1 should not be used (this is used for a legacy page)
--Implementation Vulnerabilities (Ongoing)
--Application Vulnerabilities (Ongoing, such as Mixed Active Content, Redirecting from HTTP to HTTPS)
• Testing for Padding Oracle (TBD)
• Testing for Sensitive Information Sent via Unencrypted Channels (TBD)
• Testing for Weak Encryption (TBD)
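The three certificate and server-configuration checks above (TLS 1.2/1.3, RSA key of at least 2048 bits, signature digest at least SHA-256 with no MD5/SHA-1) can be applied mechanically to the text that openssl prints. The script below is an added example, not part of the report; the sample output it parses is constructed to look like `openssl s_client` piped into `openssl x509 -noout -text`, and the field names it matches are openssl's own.

```python
import re

# Constructed sample, shaped like the output of
# `openssl s_client -connect host:443 < /dev/null | openssl x509 -noout -text`
# (not captured from the report's target application).
SAMPLE_OUTPUT = """\
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES128-GCM-SHA256
Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
"""

PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(TLSv[\d.]+)", re.M)
SIGALG_RE = re.compile(r"^\s*Signature Algorithm:\s*(\S+)", re.M)
KEYALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
KEYBITS_RE = re.compile(r"Public-Key:\s*\((\d+) bit\)")

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}   # server configuration check
MIN_RSA_BITS = 2048                            # key strength check
LEGACY_HASHES = ("md5", "sha1")                # must not appear in the signature algorithm

def parse_openssl(text):
    """Extract the four fields the checklist needs from openssl's text output."""
    def first(rx):
        m = rx.search(text)
        return m.group(1) if m else None
    bits = first(KEYBITS_RE)
    return {"protocol": first(PROTO_RE), "sig_alg": first(SIGALG_RE),
            "key_alg": first(KEYALG_RE), "key_bits": int(bits) if bits else None}

def check_tls(text):
    """Apply the slide's three checks; returns {check: (passed, detail)}."""
    f = parse_openssl(text)
    sig = (f["sig_alg"] or "").lower()
    # "at least SHA-256": need a SHA-2 digest and no MD5/SHA-1 anywhere in the name.
    sig_ok = bool(re.search(r"sha(256|384|512)", sig)) and not any(h in sig for h in LEGACY_HASHES)
    # The 2048-bit floor is the RSA rule from the slide; EC keys need their own threshold,
    # so a non-RSA key is reported as failing this check and left for manual review.
    key_ok = f["key_alg"] == "rsaEncryption" and (f["key_bits"] or 0) >= MIN_RSA_BITS
    return {
        "server_configuration": (f["protocol"] in ACCEPTED_PROTOCOLS, f"protocol={f['protocol']}"),
        "key_strength": (key_ok, f"{f['key_alg']} {f['key_bits']} bit"),
        "signature_algorithm": (sig_ok, f"sig_alg={f['sig_alg']}"),
    }
```

Feed it real openssl output instead of `SAMPLE_OUTPUT` to record the Pass/Fail for each line of the checklist.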


Testing for Error Handling
(Stage 2: Vulnerability identification and information gathering)
• Testing for Improper Error Handling
--Web Servers (Ongoing)
--Applications (Ongoing)

Errors sometimes arise as:
1. stack traces,
2. network timeouts,
3. input mismatch,
4. and memory dumps.

Improper error handling can allow attackers to:
1. Understand the APIs being used internally.
2. Map the various services integrating with each other by gaining insight on internal systems and frameworks used, which opens up doors to attack chaining.
3. Gather the versions and types of applications being used.
4. DoS the system by forcing the system into a deadlock or an unhandled exception that sends a panic signal to the engine running it.
5. Bypass controls where a certain exception is not restricted by the logic set around the happy path.
Tasks for Next Week
(Stage 2: Vulnerability identification and information gathering)
• Biweekly meeting with the company.
--Share checklist and project plan with the company
--Wait for the feedback from the company
• Review source code to check the vulnerability of the application ---Ongoing
• Explore the tool usage ---Ongoing
• Continue collecting the information about the application (version of software components, i.e., web framework) ---Ongoing
• Penetration testing ---Ongoing
Q&A

Thanks
