Software Vulnerability Testing

CSD4001
Unit No. 1
Date: January -2025

By
N.D. Patel
Email: narottamdaspatel@[Link]
Linkden: [Link]
Contact Number: 9450095800
1
 Software Vulnerability Testing
CSD4001
Unit No. 1
Introduction to Vulnerability Assessment What is Vulnerability Assessment and why do we
need it? – Vulnerability Assessment and Penetration Testing Process (Goals and objectives,
scope, Info gathering, vulnerability detection and info analysis and planning) -Vulnerability
Testing Methods (active and passive, network and distributed testing, verifying file/system
access)

By N.D. Patel
Email: narottamdaspatel@[Link]
Linkden: [Link]
2
Contact Number: 9450095800
Software Vulnerability Testing
CSD4001

3
Comparison between Secure and Unsecure Network

Attacker
The Connected World - Increased Security Breaches
The Connected World - Increased Security Breaches
Security/ Privacy Intrusion Flow

chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj/[Link]
Security Threats (why difficult to prevent?)
Security Studies (Research) (an ocean)
Introduction to Vulnerability Assessment
 Open Worldwide Application Security Project (OWASP) Top 10

[Link]
 A01:2021 – Broken Access Control
Access control enforces policy such that users cannot act outside of their intended permissions. Failures typically lead to
unauthorized information disclosure, modification, or destruction of all data or performing a business function outside the
user's limits. Common access control vulnerabilities include:

• Violation of the principle of least privilege or deny by default, where access should only be granted for particular
capabilities, roles, or users, but is available to anyone.

• Bypassing access control checks by modifying the URL (parameter tampering or force browsing), internal application
state, or the HTML page, or by using an attack tool modifying API requests.

• Permitting viewing or editing someone else's account, by providing its unique identifier (insecure direct object
references)

• Accessing API with missing access controls for POST, PUT and DELETE.

• Elevation of privilege. Acting as a user without being logged in or acting as an admin when logged in as a user.

[Link]
 Search CVE List

[Link]
Search CVE List
Search CVE List
 Common Vulnerability Scoring System Version 3.1 Calculator

[Link]
Introduction to Vulnerability Assessment

• Vulnerability Assessment is a systematic process of identifying, quantifying, and

prioritizing vulnerabilities in a system, network, or application.

• It involves evaluating security weaknesses that could be exploited by threats, leading to

potential breaches or compromises.

• The goal is to understand the risks and take appropriate measures to mitigate them before
they can be exploited.
Why Do We Need Vulnerability Assessment?

• Identify Security Weaknesses: It helps in uncovering vulnerabilities that could be

exploited by attackers, such as outdated software, misconfigurations, or weak
passwords.

• Prioritize Risks: Not all vulnerabilities pose the same level of risk. Vulnerability
assessment helps in prioritizing which vulnerabilities need immediate attention based
on their severity and potential impact.

• Compliance Requirements: Many industries are subject to regulatory requirements

that mandate regular vulnerability assessments to ensure data protection and privacy
(e.g., GDPR, HIPAA, PCI-DSS).
Why Do We Need Vulnerability Assessment?

• Proactive Security: By identifying vulnerabilities before they are exploited,

organizations can take proactive measures to strengthen their security posture,
reducing the likelihood of successful attacks.

• Cost-Effective Security: Addressing vulnerabilities early is generally more

cost-effective than dealing with the aftermath of a security breach, which can
include financial losses, reputational damage, and legal consequences.

• Continuous Improvement: Regular vulnerability assessments contribute to a culture

of continuous improvement in security practices, ensuring that systems remain
resilient against evolving threats.
Key Components of Vulnerability Assessment
• Asset Identification: Identifying all assets within the organization, including hardware,
software, and data.

• Threat Identification: Recognizing potential threats that could exploit vulnerabilities.

• Vulnerability Scanning: Using automated tools to scan systems and networks for
known vulnerabilities.

• Risk Assessment: Evaluating the potential impact and likelihood of each vulnerability
being exploited.

• Remediation Planning: Developing a plan to address identified vulnerabilities,

including patching, configuration changes, and other mitigation strategies.

• Reporting: Documenting the findings and providing recommendations for improving

security.
Types of Vulnerability Assessments
• Network Vulnerability Assessment: Focuses on identifying vulnerabilities in network
devices, such as routers, switches, and firewalls.

• Host-Based Vulnerability Assessment: Targets individual systems or servers to identify

vulnerabilities in operating systems, applications, and configurations.

• Application Vulnerability Assessment: Specifically looks for vulnerabilities in web

applications, mobile apps, and other software.

• Database Vulnerability Assessment: Concentrates on identifying vulnerabilities in

database systems, including misconfigurations and weak access controls.
Tools for Vulnerability Assessment: Network
• Nessus: A widely used vulnerability scanner that provides comprehensive coverage of
vulnerabilities.

• OpenVAS: An open-source vulnerability scanner that offers extensive scanning

capabilities.

• Qualys: A cloud-based solution that provides continuous monitoring and vulnerability

management.

• Nexpose: A vulnerability management tool that helps in identifying and prioritizing

vulnerabilities.
 Tools for Vulnerability Assessment: Web Application
•OWASP ZAP Zed Attack Proxy)
• An open-source web application security scanner maintained by the Open Web Application
Security Project OWASP.
• Features: Automated and manual testing, API scanning, and extensibility through plugins.
• Use Case: Ideal for developers and security professionals looking for a free, community-driven
tool.
•Burp Suite
• A popular tool for web application security testing, available in both free Community) and paid
Professional) versions.
• Features: Advanced scanning, manual testing tools, and integration with CI/CD pipelines.
• Use Case: Best for penetration testers and security researchers.
•Acunetix
• A fully automated web vulnerability scanner that detects a wide range of vulnerabilities.
• Features: Integration with issue trackers, compliance reporting, and support for
JavaScript-heavy applications.
• Use Case: Suitable for organizations with complex web applications.
•Netsparker
• A web application scanner that combines automation with proof-based scanning.
• Features: Accurate vulnerability detection, integration with DevOps tools, and compliance
reporting.
Microsoft
Tools forBaseline Security
Vulnerability Analyzer MBSA
Assessment: Host-Based
•A free tool from Microsoft for identifying misconfigurations and missing
updates on Windows systems.
•Features: Checks for Windows updates, weak passwords, and insecure
configurations.
•Use Case: Best for small to medium-sized businesses using Windows
environments.
Lynis
•An open-source security auditing tool for Unix-based systems.
•Features: System hardening, compliance checks, and detailed reporting.
•Use Case: Suitable for system administrators managing Linux/Unix
servers.
Nmap
•A network scanning too that can also be used for host-based vulnerability
detection.
•Features: Port scanning, service detection, and scripting engine for
vulnerability testing.
•Use Case: Ideal for network administrators and security professionals.
 Tools for Vulnerability Assessment: Database

DbProtect

A database security tool that identifies vulnerabilities and enforces compliance.

Features: Automated scanning, risk assessment, and integration with SIEM systems.

Use Case: Suitable for organizations with large database environments.

SQLMap

An open-source tool for detecting and exploiting SQL injection vulnerabilities.

Features: Automated detection, support for multiple database systems, and integration with other tools.

Use Case: Ideal for penetration testers and security researchers.

 Tools for Vulnerability Assessment: Cloud
Prowler

An open-source tool for assessing the security of AWS environments.

Features: Compliance checks, CIS benchmark assessments, and detailed reporting.

Prisma Cloud (by Palo Alto Networks)

A cloud security platform that provides vulnerability assessment and compliance monitoring.

Features: Multi-cloud support, real-time alerts, and integration with CI/CD pipelines.

CloudSploit

A cloud security tool for identifying misconfigurations and vulnerabilities in cloud environments.

Features: Automated scanning, compliance checks, and integration with cloud platforms.
 Tools for Vulnerability Assessment: Open-Source and Free Tools
Nikto

A web server scanner that identifies vulnerabilities and misconfigurations.

Features: Comprehensive scanning, plugin support, and detailed reporting.

Wapiti

A web application vulnerability scanner that detects common vulnerabilities.

Features: Command-line interface, support for multiple attack vectors, and open-source.

Retina CS (Community Edition)

A free version of the Retina vulnerability scanner for small environments.

Features: Basic vulnerability scanning and reporting.

10 Best Vulnerability Assessment and Penetration Testing (VAPT) Tools
NAT: Network Address Translation

NAT translation table

1: host [Link]
2: NAT router
WAN side addr LAN side addr
sends datagram to
changes datagram [Link], 5001 [Link], 3345
[Link], 80
source addr from …… ……
[Link], 3345 to S: [Link], 3345
D: [Link], 80
[Link], 5001, [Link]

updates table S: [Link], 5001

1
2 D: [Link], 80 [Link]
[Link]

[Link] S: [Link], 80
D: [Link], 3345 4
S: [Link], 80
D: [Link], 5001 3 [Link]
4: NAT router
3: Reply arrives
changes datagram
dest. address:
dest addr from
[Link], 5001
[Link], 5001 to [Link], 3345
 Home Network
NAT stands for Network Address Translation. Network Address
Translation, as the name indicates, translates a given set of
private IP addresses to a single public IP address attached to a
gateway device. For example, a home modem or a firewall
device in an organization.
Wireshark
Where to Locate the Wireshark
Where to Locate the Wireshark
Wireshark
Wireshark Flow Graph
Wireshark Packets
Active vs. Passive Testing
Active Testing:
Definition: Actively interacting with the system to identify vulnerabilities by simulating
attacks or probing for weaknesses.

Methods:

• Penetration Testing: Simulating real-world attacks to exploit vulnerabilities.

• Vulnerability Scanning: Using automated tools (e.g., Nessus, OpenVAS) to scan for known
vulnerabilities.
• Fuzz Testing: Sending malformed or random data to applications to trigger unexpected
behavior.
• Password Cracking: Attempting to brute-force or guess passwords to test authentication
mechanisms.
• Exploitation: Attempting to exploit identified vulnerabilities to assess their impact.
Active vs. Passive Testing
Passive Testing:
Definition: Observing and analyzing systems without actively
interacting with them to avoid disrupting operations.
Methods:
• Traffic Analysis: Monitoring network traffic to identify anomalies
or suspicious patterns.
• Log Analysis: Reviewing system and application logs for signs of
vulnerabilities or breaches.
• Configuration Review: Auditing system configurations for
misconfigurations or insecure settings.
• Passive Vulnerability Scanning: Using tools to detect
vulnerabilities without sending traffic to the target (e.g., reading
banners or analyzing responses).
Network vs. Distributed Testing
Network Testing
Definition: Focuses on identifying vulnerabilities in network
infrastructure, devices, and protocols.
Methods:
• Port Scanning: Identifying open ports and services (e.g., using
Nmap).
• Firewall Testing: Checking firewall rules for misconfigurations or
weaknesses.
• Protocol Analysis: Testing network protocols (e.g., TCP/IP, DNS,
HTTP) for vulnerabilities.
• Wireless Network Testing: Assessing Wi-Fi networks for weak
encryption or rogue access points.
• Man-in-the-Middle MITM Testing: Simulating MITM attacks to
Network vs. Distributed Testing
Distributed Testing
Definition: Testing systems or applications that are distributed across
multiple nodes or locations.
Methods:
• Load Testing: Simulating high traffic to test the resilience of
distributed systems.
• Distributed Denial of Service DDoS Testing: Assessing the
ability of systems to handle DDoS attacks.
• Consistency Testing: Ensuring data consistency across
distributed databases or systems.
• API Testing: Testing APIs for vulnerabilities in distributed
architectures (e.g., microservices).
 Verifying File/System Access
Definition: Testing the security of file and system access controls to ensure only authorized users
can access sensitive resources.
Methods:
Permission Testing:
•Reviewing file and directory permissions (e.g., using chmod icacls
, ).
•Ensuring least privilege principles are enforced.
Access Control Testing:
•Attempting to access restricted files or systems without proper credentials.
•Testing role-based access control RBAC) mechanisms.
Privilege Escalation Testing:
•Attempting to escalate privileges (e.g., from a standard user to an administrator).
•Checking for misconfigured sudo rights or group memberships.
File Integrity Checking:
•Using tools like Tripwire or AIDE to detect unauthorized changes to files.
Registry and Configuration Testing:
•Auditing system registries (e.g., Windows Registry) for insecure settings.
Logging and Monitoring:
•Verifying that access attempts are logged and monitored for suspicious activity.
 Tools for Vulnerability Testing
Active Testing Tools:
• Nessus, OpenVAS, Metasploit, Burp Suite, Nmap, Wireshark.
Passive Testing Tools:
• Splunk, ELK Stack Elasticsearch, Logstash, Kibana), Wireshark
(for traffic analysis).
Network Testing Tools:
• Nmap, Wireshark, Netcat, Aircrack-ng (for wireless testing).
Distributed Testing Tools:
• JMeter, Locust, Gatling (for load testing), OWASP ZAP (for API
testing).
File/System Access Testing Tools:
• Tripwire, AIDE, Lynis, AccessEnum Windows).