On June 30th, two penetration testers from ATOS, Alex and Stephan, visited us. About 50 people joined the talk.
While Alex explained the background and methods to us, Stephan played the attacker. They took a simulated web shop as their example and looked for weaknesses in it. They started with a cross-site scripting attack in order to obtain the admin's session; combined with a cross-site request forgery, the web page was manipulated and some bugs were demonstrated. They continued with attacks on the database using SQL injection.
Manually testing for simple weaknesses is an easy but mechanical job; hence, they showed us the Burp Suite, a framework for such simple attacks. Be aware that the usage of such tools is a crime in Germany, so they should never be used without authorization. Penetration tests are only done with the consent of the product's owner. Everybody who is interested in these tools can practise with DVWA, the Damn Vulnerable Web Application.
The next tool they showed was sqlmap. With this tool, Stephan was able to dump the whole database as well as other data such as files.
Using an upload feature, they were able to install a web shell and gain access to the server.
In the end, Alex and Stephan gave us an idea of their daily work and told some interesting stories.