Top security weaknesses that allow a successful pentest

Security weaknesses. Infrastructure
Infrastructure. Weak passwords
Infrastructure. Passwords in Group Policy
Untimely updates. Microsoft EternalBlue
Infrastructure. Default passwords
Infrastructure. Password reuse
CVE-2015-1427, ELASTICSEARCH UNAUTHENTICATED REMOTE CODE EXECUTION
CVE-2018-11776
Untimely updates.
Weak configuration. JBoss remote code execution
Weak configuration. ARP spoofing
All packets with source and destination addresses 172.31.81.160 and 172.31.102.14 pass through the attacker's computer.
Weak configuration. Firewall only for IPv4
Example scan over IPv6
Example scan over IPv4
Scanning the same host over IPv6 shows no filtered ports at all.
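As an added example (not part of the deck), a small Python check a defender can run over two nmap grepable (`-oG`) reports of the same host, one scanned over IPv4 and one over IPv6 (`-6`): any port that is filtered on IPv4 but open on IPv6 is exactly the gap this slide describes. The sample reports and the addresses in them are constructed.

```python
import re
from typing import Dict

# Constructed sample nmap -oG output for one host scanned over IPv4 and then
# over IPv6. Not real scan data; the addresses are placeholders.
SCAN_IPV4 = """# Nmap scan initiated (constructed sample)
Host: 172.31.81.160 ()\tPorts: 22/open/tcp//ssh///, 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
# Nmap done"""
SCAN_IPV6 = """# Nmap scan initiated (constructed sample)
Host: 2001:db8::10 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
# Nmap done"""

# Each entry in the Ports: field looks like  port/state/proto//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/")


def parse_grepable(text: str) -> Dict[str, str]:
    """Return {'port/proto': state} for every port listed in a -oG report."""
    states: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            states[f"{port}/{proto}"] = state
    return states


def ipv6_only_exposure(v4_report: str, v6_report: str) -> Dict[str, str]:
    """Ports open over IPv6 that are filtered (or missing) over IPv4.

    A non-empty result means the firewall policy covers IPv4 only and the
    service is reachable through the unfiltered IPv6 path.
    """
    v4 = parse_grepable(v4_report)
    v6 = parse_grepable(v6_report)
    return {
        port: f"ipv4={v4.get(port, 'absent')} ipv6=open"
        for port, state in v6.items()
        if state == "open" and v4.get(port) != "open"
    }


if __name__ == "__main__":
    for port, detail in sorted(ipv6_only_exposure(SCAN_IPV4, SCAN_IPV6).items()):
        print(f"{port}: {detail}")
```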
Weak configuration. Responder/NBT spoofing
Web. Old frameworks
A vulnerability found in April 2018 allowed a remote DoS attack without any privileges on the system.
At the end of that year an old vulnerability let attackers intercept inbound traffic and plant backdoors.
Web. SQL-injections. Error based
Web. SQL-injections. Time based
Web. XSS. Reflected
Web. XSS. DOM
Web. Directory listing enabled
Web. Unsafe file upload
Web. CORS bugs
Web. Unsafe URL redirect
Web. Unsafe URL redirect. OAuth2 threat
After logging into the victim's mobile application account by means of the exploit, the attacker will in many cases have full access to the victim's confidential and personal information (chat logs, photos, contact lists) stored on the server of the vulnerable mobile application.
Web. XML bombs
Web. XML external entities
Mobile. The lack of antidebug
Mobile. The lack of SSL verification
Mobile. Logging sensitive data to log files
The application logs output data to ease the debugging process. If the program logs confidential information, that data is captured in the device logs. An attacker can easily download the device logs and obtain the user's confidential information.
Mobile. Unencrypted data in application folder
The user's password and login are stored in plaintext in the folder /data/data/<package-name>/shared_prefs/key.xml.
Thick clients. Hardcoded passwords in the files
Thick clients. Undocumented API
Manual call of the getExtractTask function, which is not documented by the developer.
Thick clients. Impersonation of the client by the server
Thick clients. DLL hijacking
Recommendations. Infrastructure
Procedures:
• change management
• vulnerability management
• patch management
Standards:
• security configuration baselines
Technologies:
• firewalls/network security devices
• SIEM
• vulnerability scanners
• IDM
Competencies:
• Cisco/Microsoft/XXXX security
Recommendations. Web
Procedures:
• requirements management
• release management
• architecture development
Standards:
• security coding guidelines
• allowed set of frameworks
Technologies:
• WAF
• static code analyzers
• dynamic scanners
• testing automation
Competencies:
• security coding trainings
Recommendations. DevOps
Procedures:
• change management
• vulnerability management
• deployment procedures
Standards:
• security configuration baselines
• secure coding and deployment guidelines
Technologies:
• cloud based firewalls/VPNs
• cloud SIEM
• cloud IAM
• virtual patching
Competencies:
• Google (Docker+Kubernetes security)/AWS (Security)/Azure

Top mistakes that allow a successful pentest