A Penetration Test Plan Computer Science Essay



This document is a draft of our forthcoming penetration test plan. The goal of the project is to conduct a penetration test for vulnerabilities in a given web application. The investigation will be carried out on a virtual machine behind the DMU firewall, and the test will be conducted through port 80. The later sections discuss the tools used for penetration testing and the techniques behind it. A well-written test plan is an essential part of a penetration test. This plan will define the test objectives


There are many vulnerabilities on the internet, and enterprises expose their infrastructure to the public internet. A penetration test, widely known as a pen test, identifies vulnerabilities in systems and infrastructure, from individual systems to web servers. A penetration test differs from hacking: hackers get into a system without the knowledge and permission of its owner, whereas a pen test is conducted by trusted ethical hackers. The basic flaw in most systems is a lack of the underlying patches. The findings are matched against a theoretical or paper-based audit and transferred to a report, which is sent to the person or team responsible for resolution or workarounds. Pen tests are attempts to breach security. In the worst case a penetration test can produce adverse results, so proper planning is needed before starting, and it should not be performed in a production environment, as it may cause network congestion and unavailability of the services concentrated on certain ports.

Present-day IT infrastructure is vulnerable in many ways because of the complexity of heterogeneous networks exposed to the internet. It is highly demanding for a pen test to close all backdoors in a system.

The results of a pen test expire quickly or may remain valid for some time, depending on the organisation. Penetration tests are conducted at different intervals depending on the enterprise. The Payment Card Industry Data Security Standard (PCI DSS) insists that organisations conduct penetration tests every year after major upgrades to their network.

Pen tests are crucial for a web application to withstand attacks. A web application pen test is run from a remote box with no information about the actual workings of the hosted application.

(Chan Tuck Wai - SANS Institute, 2002) (Symantec, 2003)

Top 10 Most Dangerous Open Web Application Security Project (OWASP) Vulnerabilities via Port80

The graph below depicts the percentage of vulnerabilities most likely to affect web servers.

(Port80 Software, 2011)

SQL Injection

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Every method that builds SQL statements must be reviewed for injection flaws, since SQL Server executes every syntactically valid query it receives. A skilful and determined attacker can manipulate even parameterised data.

An example script of SQL injection:

var ShipCity;
ShipCity = Request.Form("ShipCity");
// user input is concatenated straight into the query text, so quotes in the
// submitted value change the meaning of the SQL statement
var sql = "select * from OrdersTable where ShipCity = '" + ShipCity + "'";

(James, 2011)
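The following added example (not from the essay or its sources) reproduces the concatenated query above against a constructed in-memory SQLite copy of OrdersTable and places the parameterised version beside it, so the effect of a quote-bearing input can be compared directly:

```python
import sqlite3

# Constructed sample rows standing in for the essay's OrdersTable (not real data).
ORDERS = [(1, "London"), (2, "Leicester"), (3, "Paris")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE OrdersTable (OrderID INTEGER, ShipCity TEXT)")
    conn.executemany("INSERT INTO OrdersTable VALUES (?, ?)", ORDERS)
    return conn


def orders_concat(ship_city):
    """Vulnerable: mirrors the essay's snippet, splicing the input into the SQL text."""
    sql = "SELECT OrderID FROM OrdersTable WHERE ShipCity = '" + ship_city + "'"
    return [row[0] for row in _connect().execute(sql)]


def orders_param(ship_city):
    """Fixed: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT OrderID FROM OrdersTable WHERE ShipCity = ?"
    return [row[0] for row in _connect().execute(sql, (ship_city,))]


if __name__ == "__main__":
    crafted = "x' OR '1'='1"            # a value containing a quote
    print("concatenated:", orders_concat(crafted))   # every order comes back
    print("parameterised:", orders_param(crafted))   # no city has that literal name
```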

Cross-Site Scripting[XSS]

XSS is a widespread application-layer vulnerability that targets scripts embedded in a page which are executed on the client side rather than on the server. XSS is in itself a threat that arises from the security weaknesses of client-side scripting languages, with HTML and JavaScript as the key vehicles for XSS exploitation. The idea behind XSS is to manipulate the client-side scripts of a web application so that they behave as the malicious user intends. Such an attack can insert into a page a script that is executed either each time the page is loaded or whenever an associated event is triggered.

An example diagram for XSS

(Guillaumier, 2011)

Session Fixation

Session fixation is an attack that exploits a vulnerability in a system which permits one person to fixate another person's session identifier. Most session fixation attacks are web based, and largely rely on session identifiers being accepted from URLs or POST data.

Session fixation vulnerabilities occur under the following conditions:

A web application authenticates a user without first invalidating the existing session ID, and so continues to use the session ID previously associated with that user.

An attacker is able to force a known session ID on a user so that, once the user authenticates, the attacker has access to the authenticated session.

An example of session fixation, showing a snippet of code from a J2EE web application:

private void auth(LoginContext lc, HttpSession session) throws LoginException {
    // the user is authenticated, but the session that existed before login is
    // never invalidated, so a session ID planted by an attacker stays valid
    lc.login();
}

(OWASP, Session Fixation, 2009)
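To make the two conditions above concrete, this added example (not from the essay or OWASP) builds a small constructed session store that, like a server reading session IDs from URLs or POST data, honours a caller-supplied ID, and then logs a user in both with and without regenerating the ID:

```python
import secrets


class SessionStore:
    """Constructed in-memory session store; not a real framework."""

    def __init__(self):
        self.sessions = {}  # session_id -> {"user": name or None}

    def open_session(self, requested_id=None):
        # Accepting a client-chosen ID is exactly what lets an attacker fixate it.
        sid = requested_id or secrets.token_urlsafe(16)
        self.sessions.setdefault(sid, {"user": None})
        return sid

    def login_vulnerable(self, sid, user):
        # Mirrors the J2EE snippet: authenticate, keep the pre-login session ID.
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Invalidate the pre-authentication session and issue a fresh random ID.
        self.sessions.pop(sid, None)
        new_sid = secrets.token_urlsafe(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")


def fixation_demo(use_fix):
    """Who does the attacker see when presenting the ID they planted on the victim?"""
    store = SessionStore()
    planted = store.open_session("ATTACKER-CHOSEN-ID")  # constructed placeholder ID
    login = store.login_fixed if use_fix else store.login_vulnerable
    login(planted, "victim")
    return store.whoami(planted)


if __name__ == "__main__":
    print("without regeneration:", fixation_demo(False))  # victim
    print("with regeneration:", fixation_demo(True))      # None
```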

Information Leakage

Information leakage is an application weakness in which an application exposes sensitive data, for example technical details of the web application or its environment. Such information can be used by an attacker to exploit the target web application and its hosting network, so leakage of sensitive data must be limited or prevented wherever possible. In its most common form, information leakage results from one of the following conditions: a failure to scrub out HTML or script comments containing sensitive information, improper application configuration, or differences in page responses for valid versus invalid data.

Example of information leakage: developer comments left in page responses

<TABLE border="0" cellPadding="0" cellSpacing="0" height="59" width="591">
<!--If the image files fail to load, check/restart -->
<TD bgColor="#ffffff" colSpan="5" height="17" width="587"> </TD>


(Auger, Information Leakage, 2010)
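A pen tester checking the first condition above needs to pull every HTML comment out of a response and flag the ones that read like developer notes. This added example (not from the essay or WASC) does that with the standard-library parser over a constructed page modelled on the table fragment above; the keyword list is an assumption to be tuned per engagement:

```python
from html.parser import HTMLParser

# Constructed page fragment modelled on the snippet above (not a real site).
SAMPLE_PAGE = """<html><body>
<TABLE border="0" cellPadding="0" cellSpacing="0" height="59" width="591">
<!--If the image files fail to load, check/restart the image host -->
<TD bgColor="#ffffff" colSpan="5" height="17" width="587"> </TD>
<!-- TODO: remove debug=1 before release -->
<!-- layout spacer -->
</TABLE></body></html>"""


class CommentCollector(HTMLParser):
    """Collects the text of every <!-- --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def html_comments(page):
    parser = CommentCollector()
    parser.feed(page)
    parser.close()
    return parser.comments


# Assumed indicator words for developer/operational notes; a layout remark has none.
SUSPECT_WORDS = ("todo", "fixme", "debug", "restart", "password", "admin", "internal")


def suspicious_comments(page):
    """Comments worth recording in the pen-test report as possible information leakage."""
    return [c for c in html_comments(page) if any(w in c.lower() for w in SUSPECT_WORDS)]


if __name__ == "__main__":
    for comment in suspicious_comments(SAMPLE_PAGE):
        print("leak candidate:", comment)
```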

Remote File Inclusion(RFI)

Remote file inclusion is an attack technique used to exploit the dynamic file include mechanisms of web applications. When a web application takes user input such as a URL or parameter value and passes it into a file include directive, the web application may be tricked into including remote files containing malicious code.

Normally, RFI attacks are carried out by setting a request parameter's value to a URL that refers to a file containing malicious code. Consider the following PHP code, which can be exploited if the web application does not sanitise the value of the parameter:

$incfile = $_REQUEST["file"];
include($incfile . ".php");   // the unsanitised parameter decides which file is included


(Auger, Remote File Inclusion, 2010)

Brute Force Attack

A brute force attack consists of trying every possible code, combination or password until the attacker finds the right one. The attack takes advantage of the fact that the entropy of the values is lower than perceived.

For instance, although an 8-character alphanumeric password can provide around 2.8 trillion possible values, many people still rely on shorter common words and terms for their passwords.

Brute force attacks common to web applications are as follows:

Brute forcing log-in credentials

Brute forcing session identifiers

Brute forcing directories and files

Brute forcing credit card information

(Auger, Brute Force, 2010)
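Detecting the first kind, brute forcing of log-in credentials, is a matter of counting failed log-ins per source inside a sliding time window. This added example (not from the essay or WASC) runs that check over constructed web-server authentication log lines; the line format, threshold and window are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in an assumed "timestamp ip method path user= result=" format.
LOG_LINES = """\
2011-03-01T10:00:01 203.0.113.7 POST /login user=alice result=FAIL
2011-03-01T10:00:02 203.0.113.7 POST /login user=alice result=FAIL
2011-03-01T10:00:02 203.0.113.7 POST /login user=alice result=FAIL
2011-03-01T10:00:03 203.0.113.7 POST /login user=alice result=FAIL
2011-03-01T10:00:04 203.0.113.7 POST /login user=alice result=FAIL
2011-03-01T10:00:05 203.0.113.7 POST /login user=alice result=FAIL
2011-03-01T10:00:09 198.51.100.4 POST /login user=bob result=FAIL
2011-03-01T10:00:40 198.51.100.4 POST /login user=bob result=OK
2011-03-01T10:05:00 192.0.2.9 POST /login user=carol result=FAIL
2011-03-01T10:30:00 192.0.2.9 POST /login user=carol result=FAIL
""".splitlines()


def parse(line):
    ts, ip, _method, _path, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user.split("=", 1)[1], result.split("=", 1)[1]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=1)):
    """Source IPs with at least `threshold` failed log-ins inside any `window`."""
    failures = defaultdict(list)
    for line in lines:
        ts, ip, _user, result = parse(line)
        if result == "FAIL":
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


if __name__ == "__main__":
    print("brute force suspects:", brute_force_sources(LOG_LINES))
```

Carol's two failures are 25 minutes apart, so they only count together once the window is widened; a real deployment would tune both knobs to the application's normal failure rate.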

Cross-Site Request Forgery(CSRF)

CSRF is an attack that tricks the victim into loading a page that carries a malicious request. The malicious request inherits the identity and privileges of the victim to perform an unwanted action on the victim's behalf, for example changing the victim's e-mail address, home address or password. CSRF attacks usually target functions that cause a state change on the server, but can also be used to access sensitive data.

(OWASP-CSRF, 2010)
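The standard defence for the state-changing functions just described is a per-session secret token that a forged cross-site request cannot know. This added example (not from the essay or OWASP) is a constructed synchronizer-token guard in front of an e-mail-change handler; the session store and handler are assumptions, not a real framework:

```python
import hmac
import secrets


class CsrfGuard:
    """Constructed synchronizer-token pattern: one secret token per session."""

    def __init__(self):
        self._tokens = {}  # session_id -> token

    def issue(self, session_id):
        # Rendered into the form as a hidden field; a third-party page never sees it.
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id, submitted):
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison so response timing does not leak the token.
        return hmac.compare_digest(expected, submitted)


def change_email(guard, session_id, form):
    """State-changing handler; `form` is a dict of posted fields (constructed)."""
    if not guard.verify(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return "email changed to " + form["email"]


if __name__ == "__main__":
    guard = CsrfGuard()
    token = guard.issue("session-1")
    # Legitimate form post carries the token; a forged request from another site cannot.
    print(change_email(guard, "session-1", {"email": "victim@example.org", "csrf_token": token}))
    print(change_email(guard, "session-1", {"email": "attacker@example.org"}))
```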

Denial of Service(DoS)

Denial of Service is an attack technique whose goal is to prevent a web site from serving the activities of normal users. DoS attacks are not only carried out at the network layer but are also achievable at the application layer. These malicious attacks can succeed by exhausting a system's critical resources, exploiting a vulnerability, or misusing functionality.

A DoS attack targets the following resources to bring down a web server running an application:

Network bandwidth

Database space

CPU usage

Server memory

Database connection pool

Application exception handling mechanism

Hard disk space

(Applicure Technologies Ltd, 2011)

Insecure Direct Object Reference

A direct object reference occurs when a developer exposes a reference to an internal implementation object, for instance a file or directory, as a URL or form parameter. An attacker can manipulate direct object references to access other objects without authorisation.

Two classic examples of insecure direct object reference vulnerabilities are open redirects and directory traversal.

(Hardin, 2009)
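The PHP include above and the directory traversal case here are the same mistake: a client-supplied name is used directly as a file reference. This added example (not from the essay or its sources) puts the unchecked lookup beside a hardened version that refuses URLs (the remote-file case), rejects traversal, maps the parameter through an allowlist and confirms the resolved path stays under the include root; the root directory and page names are constructed:

```python
from pathlib import Path
from urllib.parse import urlsplit

INCLUDE_ROOT = Path("/srv/app/includes")      # constructed location of include files
ALLOWED_PAGES = {"home", "about", "contact"}  # constructed allowlist of page names


def include_path_vulnerable(param):
    """Mirrors the PHP snippet: whatever the client sends decides the file."""
    return param + ".php"


def include_path_hardened(param):
    """Resolved path for a legitimate page name, or None when the request must be refused."""
    # 1. Anything with a URL scheme or protocol-relative prefix is a remote include attempt.
    if urlsplit(param).scheme or param.startswith("//"):
        return None
    # 2. Path separators, traversal segments and NUL bytes never belong in a page name.
    if "/" in param or "\\" in param or ".." in param or "\0" in param:
        return None
    # 3. Indirect reference: only names the application knows about are accepted.
    if param not in ALLOWED_PAGES:
        return None
    # 4. Belt and braces: the resolved file must still live under INCLUDE_ROOT.
    candidate = (INCLUDE_ROOT / (param + ".php")).resolve()
    if INCLUDE_ROOT.resolve() not in candidate.parents:
        return None
    return str(candidate)


if __name__ == "__main__":
    for value in ("home", "../../etc/passwd", "http://attacker.example/page", "admin"):
        print(repr(value), "->", include_path_vulnerable(value), "|", include_path_hardened(value))
```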

Insecure Cryptographic Storage

Protecting sensitive data with cryptography is a key part of most web applications. Simply failing to encrypt sensitive data is very common. Applications that do encrypt often contain poorly designed cryptography, either using inappropriate ciphers or making serious mistakes with strong ciphers. These flaws can lead to disclosure of sensitive data and compliance breaches.

(OWASP, The Ten Most Critical Web Application Security Vulnerabilities, 2007)
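Stored passwords are the commonest place this goes wrong. This added example (not from the essay or OWASP) contrasts an unsalted fast hash with a salted, iterated PBKDF2-HMAC-SHA256 record and its constant-time verifier; the record format is a constructed one:

```python
import hashlib
import hmac
import secrets


def store_password_weak(password):
    """Weak: unsalted fast hash; equal passwords give equal hashes and crack quickly."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password, iterations=200_000):
    """Salted, deliberately slow PBKDF2; returns a self-describing record."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # constructed format: algorithm$iterations$salt$digest, all fields hex where binary
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "correct horse"
    print("weak hashes identical:", store_password_weak(pw) == store_password_weak(pw))
    r1, r2 = store_password(pw), store_password(pw)
    print("salted records differ:", r1 != r2)
    print("verify ok:", verify_password(r1, pw), "wrong pw:", verify_password(r1, "tr0ub4dor"))
```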

The graph below depicts the likelihood of detecting vulnerabilities of different risk levels through audits and automated scanning.

(Port80 Software, 2011)


Many tools are available on the internet, both open source and closed source. As we do not need all of them for this project, we list the most capable pen test tools: an internet browser add-on toolbar, network mapping tools and a port scanner. These are the tools most used by enterprises and experienced security professionals.


Nessus is one of the most important tools for testing and detecting known security problems. It is a powerful tool with many capabilities, designed in particular to identify and resolve vulnerabilities before an attacker can take advantage of them. Its main features include high-speed discovery, asset profiling, configuration auditing, sensitive data discovery and vulnerability analysis of the specified security posture.


A modular software program for probabilistic analysis of structural components and systems.

NESSUS combines modern probabilistic algorithms with general-purpose numerical analysis methods to compute the probabilistic response and reliability of engineered systems.

Variations in loading, material properties, geometry, boundary conditions and initial conditions can be simulated.

It offers a broad range of capabilities and a graphical user interface, and has been verified against hundreds of test problems.

The Nessus Security Scanner is a security auditing tool. It is made up of a client and a server part: the server side is in charge of the attacks, while the client provides the interface to the user.


Nessus client options:

-c <config-file>, --config-file=<config-file>

-n, no pixmaps mode.

-q, batch mode.

-p, obtain the plug-in list from the server.

-P, obtain the list of server and plug-in preferences.

-S, issue SQL output for -p.

Batch mode (-q) arguments:

* host

* port

* user

* password

* targets

* results

(Tenable Network Security, Inc, 2011) (NESSUS, Southwest Research Institute, 2010)


Hackbar is one of the best tools for penetration testing on the web; Hackbar 1.6.0 is the most recent release. It is used for testing SQL injections, XSS holes and site security, and developers use Hackbar to carry out security audits of their code. It makes complicated URLs readable and offers MD5/SHA1/SHA256 hashing, MS SQL, Oracle and MySQL server shortcuts, and useful XSS functions. It can be called up at any time in a running browser with the F9 shortcut key.

(FF Extensions, 2011)

Figure 1: Loading the URL on the text Area

Figure 2: Splitting the URL at & and ?

Figure 3: Resizing the text area

Figure 4: Adding 1 to the integer

Figure 5: Selecting MD5 Hash

Figure 6: Generating the MySQL character conversion of the text

(FF Extensions, 2011)


Network Mapper (Nmap) is an open source utility for network exploration; network administration and security auditing are its key uses. Nmap uses IP packets in novel ways to find out which hosts are available on the network, which TCP or UDP ports are open, and which applications and services are listening on each port. It is a user-friendly tool for the IT security administrator: it describes all open ports sitting behind a firewall and lets the administrator know about unused ports or ports that may pose a risk. In addition, it provides flexible target and port specification and highly optimised timing algorithms for fast scanning. Nmap works with all major operating systems, including Linux, Windows and Mac OS. The Nmap suite includes a results viewer, a flexible data transfer and debugging tool, a utility for comparing scan results, and a packet analysis tool. Nmap is flexible, powerful, portable, easy, free, well documented, supported, acclaimed and popular.

(Lyon, 2011) (Bennieston, 2009)

NMAP Terminal View

NMAP Front End

(Softpedia, 2011)


Wapiti is a high-quality web application vulnerability scanner, or security auditor. Presently Wapiti detects vulnerabilities such as cross-site scripting, Structured Query Language injection, XPath injection, file inclusion, command execution, Lightweight Directory Access Protocol injection and Carriage Return Line Feed injection. It is written in the Python programming language.

Wapiti performs black-box testing, which means it does not study the source code of the application; instead it scans the pages of the deployed web application, looking for scripts and forms where it can inject data.

After obtaining this list, Wapiti acts like a fuzzer, injecting payloads into each function to see whether a script is vulnerable. Wapiti is able to differentiate between reflected (punctual) and permanent XSS vulnerabilities.

(Surribas, 2006) (Goodwin, 2009)


The Metasploit Framework is a free, open source pen test tool. Metasploit breaks into IT systems in order to defend them, and prioritises the risks in a network. It is a powerful command-line tool with evasion features, written in Ruby, and comes in three versions: Framework, Express and Pro. Metasploit has some useful features: it will search a group of compromised clients and return a tidy list of commands. It can be configured (Metasploit, 2011)

(Sharma, 2011)