2. Agenda
• Our objective & how we did
• Our findings & suggestions
• Demonstration
• About UDomain
• Q & A
3. Our Objective
As an independent consultant, provide a series of vulnerability scans, penetration tests and reviews of ten K12 schools' website security.
Identify potential areas for further improvement to protect the schools' sensitive data and goodwill.
4. What do we do?
Step 1: Automated Scan
Configure and execute the automated scan, followed by test plan development. Risk assessment takes place during the test plan development.
Step 2: Manual Review
Verify the scan result, eliminate false positives and then execute manual business logic tests. Application walkthrough and threat analysis are also conducted during this stage.
Step 3: Debriefing Meeting
Report and analysis of the automated scan and manual scanning results, with recommendations.
5. Seven phases to perform testing
Penetration Test Methodologies
• Information Gathering
• Threat Modeling
• Vulnerability Analysis
• Exploitation
• Post Exploitation
• Reporting
• Rescan Support
Reference:
• OWASP TOP 10
• The Penetration Testing Execution Standard
• Common Vulnerability Scoring System (CVSS)
6. Main Testing Tools
• OWASP-ZAP
• Nikto
• Dirsearch
*More testing tools may be used depending on the scope of work
7. Tester Qualification
• Certified Ethical Hacker
• Offensive Security Certified Expert
• GIAC Web Application Penetration Tester
• Certified Information Systems Security Professional
• Offensive Security Certified Professional
8. Our Findings
• 20,000+ PERSONAL DATA RECORDS, including email, name, HKID etc.
• 29 WEBSITES, including public, intranet and internal applications of ten schools
• 99 HOURS OF SCANNING, using more than one scanning tool plus manual penetration testing
• 170+ CRITICAL VULNERABILITIES
12. Top Security Impact Vulnerabilities
Back Up File
Impact: We found plaintext database login credentials in a backup file, which may lead to unauthorized login.
SQL Injection
Impact: Allows an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
Unsupported Software / OS Version
Impact: Outdated software or operating systems can no longer be updated to the latest patch and remain vulnerable to exploitation.
Password In Plaintext
Impact: Allows anyone who can read the file access to the password-protected resource.
15. Our Suggestions
Reliable Vendor Solutions
Software and application vendors should offer OS or patch updates so that users can fix vulnerabilities in their software and applications.
Regular Scanning
Yearly or half-yearly vulnerability scanning and penetration testing are recommended.
Regularly Patch Operating Systems
Regularly review and update the hardware and application operating systems to the latest patch, in order to avoid malware and exploits that target known vulnerabilities.
More info: Information Security in Schools - Recommended Practice (Jan 2019)
https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html
18. Types of SQL Injection
• UNION (e.g. join other results into the current result)
• Time-based (e.g. wait 5 seconds if the result is correct)
• Error-based (e.g. display an error page when the result is not correct)
• Boolean-based (e.g. print 1 if the result is correct)
19. What is CloudFlare
• A commercial content delivery network with integrated distributed denial of service (DDoS) defence
• Web Application Firewall with signature-based rules
– “Union ALL select …”
– “DATABASE()”
20. Is it Enough?
And 3732=IF(ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))<60
Show result if the ASCII code of the 1st character of the current database name is smaller than 11
If false:
And 3732=IF(ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>60
Show result if the ASCII code of the 1st character of the current database name is greater than 60
3732=IF(ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>90
Show result if the ASCII code of the 1st character of the current database name is greater than 90
21. Example
• Database name: udcms
• The 1st character of udcms is u; ord() result: 75
• Is 75<60? No
• Is 75>60? Yes
• Is 75<90? Yes
• Is 75<75? No
• Is 75>75? No
• Is 75=75? Yes
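The slides above show why a signature-based WAF is not enough: a boolean-based probe only needs the application to splice untrusted input into SQL. The following is an added example, not code from the deck or from UDomain; it uses a constructed SQLite table and a SQLite translation of the slide's probe (unicode/substr in place of MySQL's ORD/MID, 'udcms' in place of DATABASE()) to show that the same probe changes the result of a concatenated query but is inert against a parameterized one.

```python
import sqlite3

# Constructed demo table; not data from the schools in the findings.
SCHEMA = """
CREATE TABLE students(id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO students VALUES (1, 'Alice', 'alice@example.test');
INSERT INTO students VALUES (2, 'Bob', 'bob@example.test');
"""


def _db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def search_vulnerable(con, name):
    # Input is spliced into the SQL text, so any condition it carries
    # is parsed and evaluated by the database.
    sql = f"SELECT id FROM students WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, name):
    # Input is bound as a value; the database never parses it as SQL,
    # so no WAF signature is needed for this query to be safe.
    sql = "SELECT id FROM students WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


# SQLite rendering of the slide's boolean probe (constructed):
# unicode('u') is 117, so the first condition is true, the second false.
PROBE_TRUE = "x' OR unicode(substr('udcms',1,1)) > 60 --"
PROBE_FALSE = "x' OR unicode(substr('udcms',1,1)) < 60 --"


def demo():
    """Return the row ids each query style yields for the two probes."""
    con = _db()
    return {
        "vulnerable_true": search_vulnerable(con, PROBE_TRUE),    # every row
        "vulnerable_false": search_vulnerable(con, PROBE_FALSE),  # no rows
        "safe_true": search_parameterized(con, PROBE_TRUE),       # no rows
        "safe_false": search_parameterized(con, PROBE_FALSE),     # no rows
    }


if __name__ == "__main__":
    for case, ids in demo().items():
        print(f"{case}: {ids}")
```

The vulnerable query leaks one bit per request (all rows versus none), which is exactly the true/false signal the slide walks through; the parameterized query returns nothing for both probes because the probe is just an unmatched name.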
25. Our Services
Cybersecurity
• DDoS protection
• Penetration test
• Firewall
• SSL-Certificate
Internet Service
• CDN
• VPN
• Live-streaming
• Email marketing
Hosting
• Web, email and app
• Cloud server
• Dedicated server
• Colocation
• Hosting 40,000 webs
Domain
• .hk registrar
• Domain advisor
• Brand alert
• 1000+ domain types
• DNS Panel
26. Our Qualification
• Registrar of .hk Domain: one of the first HKIRC-recognized Registrars
• HK Government Public Cloud Services Provider: first HK web hosting company recognized by the Office of the Government Chief Information Officer (OGCIO)
• OFCA Services-based Operator Licensee: permitted to provide Authorized International Value-Added Network Services (IVANS)
29. Summary
People
• Over 20 years Domain and Web Knowledge
• Project Experience in Different Sectors
• Training and Certification
Process
• OWASP TOP 10
• The Penetration Testing Execution Standard
• AgilePM
Technology
• Multiple machine scanning tools
30. Your Managed Security Service Partner
• Penetration Test
• Firewall & DDoS Protection
• 7x24 Technical Support
• Dedicated Security Specialists
• High Availability Ring Network
34. Proposed Project Plan
Week 1: Automated Scan
• We will configure and execute the automated scan, followed by test plan development. Risk assessment will take place during the test plan development.
Week 2-3: Manual Review
• We will verify the scan result, eliminate false positives and then execute manual business logic tests. Application walkthrough and threat analysis will also be conducted during this stage.
• Search for potential sensitive information related to you through various search engines
39. Manual Review (Penetration Test)
• Enrich the information from machine scanning
• Verify the findings from machine scanning
• Look through each page to find security issues
• Look for logical flaws
45. Case Reference I
• An NGO partnering with the Hong Kong Government, providing quality social welfare services through its 3,000 operating units in Hong Kong.
• Engagement in Penetration Test:
– a website before launch in Hong Kong
– re-tested several times
46. Case Reference II
• A 20-year-old Secondary School in Hong Kong
• Engagement in Penetration Test:
– an internal CMS system with email function
– a public-facing website