Pentesting modern day application technology stack

Continuous Build & Deployment tools, Message brokers, Configuration Management systems, Resource Management systems and Distributed file systems are some of the most common systems deployed in modern cloud infrastructures, thanks to the increasingly distributed nature of software. Modern-day pentesting is no longer limited to remote command execution from an exposed web application. Today, all these applications open up multiple doors into a company’s infrastructure. One must be able to effectively find these systems and compromise them for a better foothold on the infrastructure.

In this 3-day course we start by looking at a limited set of web security scenarios, enough to dive into the application stack, where we focus on database security and then on how to pivot our way to the rest of the application stack, consisting of CI tools, Distributed Configuration & Resource management tools, Containers, Big Data Environments, Search technologies and Message Brokers.

Along with the training knowledge, the course also aims to impart the technical know-how and methodology for testing these systems. This course is meant for anyone who would like to know, attack or secure the modern-day stack. Students are bound to have some real fun and an entirely new experience through this unique course, as we go through multiple challenging scenarios they might not have come across.

After successfully completing this course, attendees will be able to:

  • Analyse and identify vulnerabilities within the application stack and web applications.
  • Pivot from known web vulnerabilities to the application stack.
  • Gain in-depth knowledge of how to pentest the modern stack consisting of Continuous Build & Deployment tools, Message brokers, Configuration Management systems, Resource Management systems and Distributed file systems.
  • Security test an entire application from an end-to-end perspective.

What are the Requirements?

  • Knowledge of how web applications work.
  • Unix command line basics.
  • Ability to use a web proxy such as Burp Suite or ZAP.
  • Ability to write basic scripts in any interpreted language is an added advantage.
  • Minimum 4 GB RAM (8 GB recommended) and 100 GB HDD.
  • Full virtualization support to run VMware or VirtualBox.
  • WiFi/Ethernet support for connectivity.
  • Full Administrative access and USB ports enabled.

What are the takeaways?

  • OpSecX Certificate of Completion
  • Presentation materials and associated PDFs.
  • 10+ containerized labs to emulate sophisticated production application stacks.
  • Access to relevant OpSecX courses and certifications.

Course Details

Duration: 3 days
Language: English
Location: As requested and onsite
Trainers: Bharadwaj Machiraju and Francis Alexander
No. of Students: 10 – 25
Cost in India: 75000 INR / Individual
Cost Abroad/Onsite: 2250 USD / Individual

Course Syllabus

Module 1: Attacking the Web Application (Basics/Intermediate)

  • HTTP basics re-visited & setting up proxies.
  • Re-visiting OWASP Top 10.
  • Testing REST API for vulnerabilities.
  • Testing the Application server instances.
    • Common misconfigurations in Apache, Nginx and JBoss.
    • Testing for SSL Vulnerabilities.

Module 2: Pentesting Databases

  • MySQL, Postgres and OracleDB
    • Basic Enumeration.
    • Laying out the attack surface.
    • Pentesting third party plugins.
    • Case Study of CVE-2016-6663.
    • Security testing using tools of trade.
  • Pentesting NoSQL Databases & Caches: MongoDB, Cassandra, Redis & Memcache
    • Fingerprinting NoSQL databases.
    • Injection attacks on NoSQL Databases.
    • Attacking and identifying vulnerabilities in NoSQL databases through the NoSQL exploitation framework.
    • Case study on Mongo Ransomware.
  • Securing databases.

Module 3: Public Cloud Environments

  • Introduction to Cloud Environments.
  • AWS Configurations & AWS Security Checks.
  • Pentesting AWS Lambda servers.
  • Best practices for Cloud environments and Securing AWS instances.

Module 4: CI Tools

  • Introduction to Jenkins, TeamCity and Go.
  • Basic misconfigurations and Attack surface for these tools.
  • Security testing of CI Tools and outlook on vulnerabilities like RCE in Jenkins, TeamCity and Go.
  • Case Study: Remote Code Execution on Jenkins.

Module 5: Containers

  • Hacking Docker environments.
  • Setting up vulnerability static analysis for Docker containers (Clair and other tools).
  • Pentesting Vagrant instances.
  • Securing Docker and Vagrant instances.

Module 6: Search Technologies

  • Introduction to ElasticSearch and Apache Solr (Lucene).
  • Laying out the Attack Surface and common misconfigurations.
  • Pentesting ElasticSearch and Solr.
  • Case Study: ElasticSearch CVE-2015-1427 RCE Exploit.

Module 7: Software Collaboration Tools

  • Leveraging Version Control Systems like Git, SVN and Perforce.
  • Attacking Code collaboration tools – Phabricator, GitLab and GitHub Enterprise.

Module 8: Distributed Configuration Management Systems (DCMS)

  • Introduction to Apache Zookeeper, HashiCorp Consul, CoreOS Etcd.
  • Attacking these configuration management systems.
  • Owning the entire application stack using pivoted attacks through DCMS.
  • Attacking and Scanning using tools like Garfield.

Module 9: Distributed File Systems

  • Introduction to Hadoop.
  • Basic misconfigurations for Hadoop.
  • Analysing the threat model for Hadoop.
  • Attacks and remote code executions on Hadoop.
  • Securing Hadoop Instances.

Module 10: Mesos and Marathon (Distributed Deployment/Resource Management)

  • Introduction to Mesosphere.
  • Fingerprinting Mesos and Marathon.
  • Common Misconfigurations.
  • Hacking entire application stack through Mesos and Marathon.
  • Securing Mesos instances.

Module 11: Message Brokers

  • Introduction to RabbitMQ and Kafka.
  • Common misconfigurations.
  • Attacking and extracting juicy information from Message brokers.