I need to build a Penetration Testing LAB for WEB application by using VmWare Workstation. I need to know how should it be done or how can I do it. Also I need to do the following criteria: 1. Proposed a General Architecture of Peneteraion testing Lab 2. Types of Software that is needed to set up a Penteraion testing Lab 3. Different components of Penteraion testing in details 4. All the configuration and steps to build Penteraion testing Lab 

Build Penetration Testing LAB in VmWare

I do not know the difference between penetration testing and other forms of security testing. Could anyone experienced in that area tell me the differnces? I would really appreciate it. On the side note, is there any testing that simulates DoS? I do not know how to defend against it. 

Penetration Testing vs Other Security Testing

There are couple of tools for penetration testing. Some of them free like MSF (community) as commercial version. Which is the best tool for the penetration test. Also suggest good book fo the same. I am looking for pen test for distributed and web application. 

tool or framework for penetration test

What, if any, are the differences between Dynamic Code Analysis and Penetration Testing? Are they related? 

Dynamic Code Analysis and Penetration Testing are both essential components of a comprehensive security testing strategy, but they serve different purposes and have distinct approaches. Below are the key differences between the two:

Dynamic Code Analysis (DCA): DCA, also known as Dynamic Application Security Testing (DAST), focuses on analyzing the application's behavior during runtime. It interacts with the application, sending inputs, and observing responses to identify vulnerabilities and security flaws.

Penetration Testing: Penetration testing, also known as "pen testing" or "ethical hacking," is a simulated attack on a system, network, or application to identify security weaknesses and vulnerabilities. It involves actively exploiting identified vulnerabilities to assess the impact and determine the level of risk they pose.

DCA: It primarily focuses on the application layer, examining how the application handles inputs, processes data, and responds to different requests.

Penetration Testing: Pen testing assesses the overall security of the system, network, or application. It includes testing both technical (e.g., software vulnerabilities) and human-related (e.g., social engineering) aspects.

DCA: It is often automated, utilizing specialized tools to scan and test applications quickly. Automated DCA tools can be integrated into the software development life cycle to perform regular security checks.

Penetration Testing: While some aspects of penetration testing can be automated, it often requires manual efforts, especially when attempting more complex attack scenarios or testing custom applications.

DCA: Dynamic Code Analysis is typically performed during the application's runtime or in a live environment.

Penetration Testing: Pen testing is often scheduled and performed during a specific period, allowing the organization to prepare for the test and analyze the results afterward.

DCA: The primary goal of DCA is to uncover security vulnerabilities and weaknesses within the application, allowing developers to identify and fix issues.

Penetration Testing: Pen testing aims to simulate real-world attacks to assess the organization's ability to detect and respond to security incidents and to provide actionable recommendations for improving security posture.

In summary, Dynamic Code Analysis focuses on analyzing the application's behavior during runtime to identify vulnerabilities, while Penetration Testing is a simulated attack on the system or application to assess overall security and response capabilities. Both approaches are critical for ensuring a robust and secure environment, and organizations often use them in conjunction to comprehensively assess their security posture.

Difference between Dynamic Code Analysis and Penetration Testing? 

I'm doing penetration-testing on an Android application.

This application detects ROOT environment, but instead of stopping the application and exits, it's displaying a warning message and letting the user decide about running or not.

So based on OWASP for Mobile (MASVS), is it a correct implementation or not?

Is it enough for OWASP MASVS to display a root detection warning message, rather than terminating the app entirely?

I am currently planning to do some web application vulnerability testing on an EC2 server with OWASP ZAP.

From my very quick google search, I found that AWS has stated that penetration testing services are allowed without approval (https://aws.amazon.com/security/penetration-testing/).

However, to double down, I am wondering if anyone in the community has done this without issue.

Performing web application vulnerability testing on an EC2 server with OWASP ZAP is a great approach to assessing the security of your web applications hosted on AWS. Below is a step-by-step guide to help you get started:

Launch an EC2 instance on AWS with the appropriate configuration for your web application. Ensure that the security group associated with the EC2 instance allows access to the necessary ports for running and accessing OWASP ZAP.

Use SSH to connect to your EC2 instance securely. You will need the public IP address or DNS name of the EC2 instance to access it.

Install OWASP ZAP on the EC2 instance. You can follow the official documentation for installing OWASP ZAP on your specific operating system. For example, if your EC2 instance runs Ubuntu, you can use apt to install ZAP.

Run OWASP ZAP in headless mode on the EC2 instance. Headless mode allows you to run ZAP without a graphical user interface (GUI), which is necessary for server environments like EC2 instances. You can start ZAP in headless mode using the following command:

zap. sh -daemon -host 0.0.0.0 -port 8080 -config API.disablekey=true

This command starts ZAP in daemon mode, binds it to all available network interfaces (0.0.0.0), on port 8080, and disables the API key for easier integration with automation.

If you want to access the OWASP ZAP GUI remotely for monitoring or configuration purposes, you can set up a secure tunnel using SSH port forwarding. This way, you can access ZAP's GUI from your local machine via SSH. Use the following command on your local machine:

ssh -i /path/to/your/key.pem -L 8080:localhost:8080 ec2-user@your-ec2-public-ip

Ensure your web application is running and accessible from the EC2 instance's public IP or DNS. Make sure your web application is in a test environment, as vulnerability testing can have unintended consequences.

On your local machine or the machine from where you are running the ZAP GUI remotely, configure your web browser's proxy settings to point to the OWASP ZAP instance running on the EC2 server. Set the HTTP and HTTPS proxy to the EC2 instance's IP and port 8080.

With the proxy settings configured, access your web application using your browser. OWASP ZAP will intercept and capture the traffic, allowing you to perform various security tests and scans.

After performing the security tests, analyze the results in the OWASP ZAP GUI or through its reporting capabilities. Address any vulnerabilities and retest as needed.

If you need to retain the test results, securely store them and follow any relevant data protection guidelines. Be cautious not to expose sensitive information inadvertently.

Using OWASP ZAP (and tools of the same purpose) on AWS EC2

Good day! Have anyone encountered these two findings on Odoo CE 10 after a Vulnerability Assessment and Penetration Testing?

Can you please share how we can resolve this? Is this solvable through a step of super admin configurations only or should this be fixed on a code level? Thank you in advance, will appreciate very much any ideas or answers.

VAPT Result: Link Manipulation DOM-BASED, Session token in URL in Odoo CE 10 how to resolve?

I want to pen test rest apis, the use case I have is a client(desktop app with username and password) connecting to a server. So I am confused from where to start and how to configure burp. Usually I use burp to pen test websites, which is quite easier to configure, you only set the proxy and intercept in the browser, but now the use case is different. Furthermore, I did some search on google I noticed postman is mentioned many times, I know it's a tool for building apis, but is it also used in the pentesting with the burp? 

It may be useful to first confirm that the application is communicating via HTTP/HTTPS to ensure Burp is the right tool to use.

Postman is only useful for penetration testing if you already have Postman docs. It doesn't sound like that's the case here so I wouldn't worry about that.

Assuming the desktop app does use HTTP, there are two things you will need to do:

Change system-level proxy settings to point to Burp (127.0.0.1:8080)

Install and trust the Burp CA Certificate (available locally from http://burp:8080).

In some cases, you might need to enable 'invisible proxying' in Burp.

Depending on the type of client, this may not always work at first, but if the client supports a proxy, you should see the traffic in your Burp window. Please do pay attention to your Dashboard in Burp, if you see TLS warnings, it may be an indicator the client uses certificate pinning, and some reverse engineering may be needed on the client.

How to pentest rest apis using burpsuite?

Is there any way where I can replace the hostname in url but I do not want the browser to load/redirect/open the replaced hostname, it should just show it above in address bar nothing to do with it.

I am testing a website (legally) where I found that it is just checking the top.location.hostname in URL and if it is equal to self.location.hostname then it behaves normally else it throws the alert which is why I am guessing there could be a possibility of clickjacking if I can replace the hostname in address bar

If it can be done through JS then its awesome, i can load the my script of changing the name before the iframe domain hits it

You can use pushState to do what you describe.

replace/manipulate "hostname" in url without redirecting to it

Infact, I ask you to help me with the first step, means any website or tutorial about Kubernetes penetration testing. 

Yes, there are several guidelines and best practices for conducting penetration testing and security audits for Kubernetes environments. Kubernetes is a powerful container orchestration platform, and ensuring its security is crucial to protect sensitive data and prevent unauthorized access. Some of the prominent guidelines and frameworks for Kubernetes security include:

The Center for Internet Security (CIS) provides a comprehensive benchmark for securing Kubernetes deployments. It offers a detailed checklist of security best practices, covering various aspects such as Kubernetes components, network policies, RBAC, etc., and more.

Kubernetes Security Best Practices (by Kubernetes.io):

Kubernetes.io, the official Kubernetes documentation website, has a dedicated section on security best practices. It covers topics such as securing cluster components, pod security policies, securing, etc, using network policies and securing container images.

The OWASP Kubernetes Goat is a deliberately vulnerable application that helps security professionals and developers understand common Kubernetes security risks and vulnerabilities. It serves as an educational tool for learning and testing Kubernetes security.

Kubernetes Security Audit (by Aqua Security):

Aqua Security has developed a comprehensive Kubernetes security audit tool that assesses the security posture of Kubernetes clusters and provides recommendations to improve security. It covers various areas, including network segmentation, RBAC, storage, and more.

NIST Special Publication 800-190: Application Container Security Guide:

While not specific to Kubernetes, this NIST publication guides securing containerized environments, which includes Kubernetes. It offers insights into container security risks and best practices for mitigating them.

Kube-Bench is an open-source tool that checks Kubernetes configurations against the CIS Kubernetes Benchmark, highlighting security-related misconfigurations. Kube-Hunter, on the other hand, is a penetration testing tool designed to identify and exploit security weaknesses in Kubernetes clusters.

Kubernetes Security Audit Framework (KSAF):

KSAF is an open-source project developed by Trail of Bits, designed to help organizations conduct security audits of Kubernetes clusters. It automates security checks and provides detailed reports on security vulnerabilities and misconfigurations.

When conducting a security audit or penetration testing for Kubernetes, it's essential to consider the specific context and requirements of the environment in question. Remember to obtain proper authorization before performing any security testing to avoid legal and ethical issues. Additionally, keeping up with the latest Kubernetes security updates and patches is crucial to stay protected against emerging threats.

Is there any Penetration Testing or Security Audit guidelines (Such as OWASP) for Kubernetes? 

 I am a bug hunter and founded CVE-2020-11022 through an automated scan on a domain.But there's a problem i don't know how to test jquery manually.You can recommend me blog etc or anything related to it.I shall be very thankful to you. 

Test jquery for vulnerabilities,

Due to in-built feature of flutter, it is not possible to intercept the HTTPs traffic with BurpSuite via a traditional way (an SSL-Pinning bypass does not work with Objection). Since it is proxy-unaware, I am struggling to capture the HTTPs traffic for penetration testing (mostly dynamic analysis). I have come across one workaround by routing the mobile traffic via OpenVPN but that option does not work for me. Would like to know if there are any working solutions that can resolve this traffic interception issue, particularly for iOS mobile apps from a tester point of view? 

Intercepting HTTPS traffic with Burp Suite or any other proxy tool for iOS mobile applications involves setting up a proxy, installing a certificate, and configuring the device. The steps below outline the process:

Download and install Burp Suite on your computer. Ensure it's the latest version to have the most updated features and security.

Open Burp Suite and navigate to the "Proxy" tab. Ensure the "Intercept" is turned on, which allows you to intercept and modify HTTP/HTTPS requests.

Go to the "Proxy" tab, click on the "Options" sub-tab, and then click on "Import / Export CA Certificate." Export the certificate in DER format.

Send the exported certificate to your iOS device. You can use AirDrop, email it to yourself, or use any other file-sharing method.

On your iOS device, open the email or file containing the certificate. Install the certificate by following the prompts.

After installing the certificate, go to "Settings" > "General" > "About" > "Certificate Trust Settings." Enable the toggle for the Burp certificate to trust it.

Go to "Settings" > "Wi-Fi" > select the Wi-Fi network you are connected to > "Configure Proxy." Choose "Manual" and enter the IP address and port of your Burp Suite proxy (usually 127.0.0.1 and 8080).

Launch the iOS application you want to test. Burp Suite will intercept HTTPS traffic, and you'll see requests in the "Proxy" > "Intercept" tab.

In the Burp Suite "Intercept" tab, you can choose to forward or drop requests. Analyze and modify requests as needed before forwarding them.

When you're done intercepting and testing, you can disable the intercept feature in Burp Suite to allow traffic to flow normally.

Note: Intercepting HTTPS traffic in mobile applications raises ethical and legal considerations. Ensure you have permission to test the application and avoid using this technique for malicious purposes.

Additionally, some modern iOS applications may have certificate pinning, which prevents interception. In such cases, you may need to employ more advanced techniques to bypass certificate pinning or modify the application to test its security. Always approach security testing responsibly and ethically.

How to intercept the HTTPs traffic with BurpSuite (or any other proxy tools) for iOS mobile applications

key in this form https://ampcid.google.com/v1/publisher:getClientId")+"?key=AIzaGyA652EHUEizIsNtlvNo-l6K18dT680ksaM 

It can be dangerous because, if the api key has been published then automated account creation, data scraping or DDoS attacks can be happened .

penetration-testing

Trending Blogposts on penetration-testing

Popular Discussions on penetration-testing

openBuild Penetration Testing LAB in VmWare

0

0

0

openPenetration Testing vs Other Security Testing

2

0

0

opentool or framework for penetration test

2

0

0

openDifference between Dynamic Code Analysis and Penetration Testing?

2

1

0

openIs it enough for OWASP MASVS to display a root detection warning message, rather than terminating the app entirely?

2

0

0

openUsing OWASP ZAP (and tools of the same purpose) on AWS EC2

2

1

0

openVAPT Result: Link Manipulation DOM-BASED, Session token in URL in Odoo CE 10 how to resolve?

2

0

0

openHow to pentest rest apis using burpsuite?

2

1

0

openreplace/manipulate "hostname" in url without redirecting to it

4

1

0

openIs there any Penetration Testing or Security Audit guidelines (Such as OWASP) for Kubernetes?

3

1

0

openTest jquery for vulnerabilities,

2

0

0

openHow to intercept the HTTPs traffic with BurpSuite (or any other proxy tools) for iOS mobile applications

2

1

0

openI was working on atarget and i found ampcid google api key? i need to know is it dangerous to disclose it to public?

3

2

0

PRODUCTS

QUICK LINKS

LEGAL