By Mr. Eric Fan & Mr. Chris Chan UDomain

1. Experience Sharing on
School Pentest Project
Eric Fan & Chris Chan
UDomain

2. Agenda
• Our objective & how we did
• Our findings & suggestions
• Demonstration
• About UDomain
• Q & A

3. Our Objective
As an independent consultant in
providing a series of vulnerabilities
scanning, penetration tests and
reviews for ten K12 school’s
website security.
Identifying potential areas
for further improvement
to protect school’s
sensitive data and good
will.

4. What we do?
Automated Scan Manuel Review Debriefing Meeting
Verify the can result,
eliminate false-
positives and then
execute manual
business logic test.
Application
walkthrough and
threat analysis will
also be conducted
during this stage.
Report and analysis for
the automated scan
and manual scanning
result with
recommendations.
Step 3Step 2Step 1
Configure and execute
automated scan,
followed by test plan
development. Risk
assessment will take
place during the test
plan development.

5. Seven phrases to perform testing
Penetration Test Methodologies
Information
Gathering
Threat
Modeling
Vulnerability
Analysis
Exploitation
Post
Exploitation
Reporting
Rescan
Support Reference:
OWASP TOP 10
The Penetration Testing Execution Standard
Common Vulnerability Scoring System (CVSS)

6. Main Testing Tools
*More testing tools may be
used depending on the
scope of work
OWASP-ZAP
Nikto
Dirsearch

7. Tester Qualification
Certified Ethical Hacker Offensive Security
Certified Expert
GIAC Web Application
Penetration Tester
Certified Information Systems
Security Professional
Offensive Security
Certified Professional

8. Our Findings
20,000+PERSONAL
DATA RECORD
Including public, intranet, internal
applications of ten schools
29WEBSITES
By using more than one
scanning tools and
manual penetration test
99HOURS OF SCANNING
170+CRITICAL
VULNERABILITIES
Including email, name, HKID etc

9. Critical
10%
High
16%
Medium
34%
Low
40%
1,700+
Vulnerabilities
Vulnerability

10. Overall Findings
0
100
200
300
400
500
600
700
A B C D E F G H J K
No.ofVulnerability
School
Low
Medium
High
Critical

11. Critical Vulnerabilities
16
Password in
plaintext
65
XSS
105
SQL Injection
13
sslv2 ＆v3

12. Top Security Impact Vulnerabilities
We found plain text database
login credential in the back up
file that may lead to unauthorize
login.
Back Up File Impact
Allow an attacker to compromise
the application, access or modify
data, or exploit latent vulnerabilities
in the underlying database.
SQL Injection
These outdated software or
operation systems cannot no longer
update to the latest patch that is
vulnerable to exploit
Unsupported Software / OS Version
Allows anyone who can read the
file access to the password-
protected resource.
Password In Plaintext

13. SQL Injection
11*
Vendor
Solutions
12
School’s Own
Applications
7
Unsupported
Operation
Systems
* Same SQL injection vulnerability appears in all 10 school
from one vendor solution (both on cloud and on premise)

14. SSL Cert
Website with
SSL Cert
21%
Website without SSL Cert
79%

15. Our Suggestions
Reliable Vendor Solutions
Software and application vendors should
offer OS or patch update for use to fix
their software and application
vulnerabilities.
Regular Scanning
Yearly or half-year vulnerability
scanning and penetration test is
recommended
Regular Patch Operation Systems
Regular review and update the
hardware and application operation
systems to the latest patch, in order to
avoid vulnerable malware and exploits.
More info: Information Security in Schools - Recommended Practice (Jan 2019)
https://www.edb.gov.hk/en/edu-system/primary-secondary/applicable-to-primary-secondary/it-in-edu/Information-Security/information-security-in-school.html

16. Demonstrations

17. About UDomain

18. UDomain Group
UDomain
Founded in 1998
UDomain.hk
Web Host
Founded in 1998
Webhost.hk
New Sky
Founded in 1997
Newsky.net

19. Our Services
Cybersecurity Internet Service Hosting Domain
DDoS protection
Penetration test
Firewall
SSL-Certificate
CDN
VPN
Live-streaming
Email marketing
Web, email and app
Cloud server
Dedicated server
Colocation
Hosting 40,000 webs
.hk registrar
Domain advisor
Brand alert
1000+ domain types
DNS Panel

20. Our Qualification
Registrar of .hk Domain
One of the first HKIRC-recognized Registrars
HK Government Public Cloud Services Provider
First HK web hosting company recognized by the Office
of the Government Chief Information Officer (OGCIO)
OFCA Services-based Operator Licensee
Permitted to provide Authorized International Value-
Added Network Services (IVANS)

21. Awards

22. Events
Corporate Cyber Security Conference HK Cyber Security Drill

23. Summary
People ProcessTechnology
• Multiple machine
scanning tools
• Over 20 years Domain
and Web Knowledge
• Project Experience in
Different Sectors
• Training and
Certification
• OWASP TOP 10
• The Penetration Testing
Execution Standard
• AgilePM

24. Your Managed Security Service Partner
Penetration
Test
Firewall & DDoS
Protection
7x24 Technical
Support
Dedicated Security
Specialists
High Availability
Ring Network

25. Thank you!

26. Appendix

27. Proposed Assessment Plan

28. Proposed Project Plan
Week 1 Automated
Scan
• We will configure and execute automated scan, followed by test plan development. Risk assessment will
take place during the test plan development.
Week 2-3 Manual
Review
• We will verify the can result, eliminate false-positives and then execute manual business logic test.
Application walkthrough and threat analysis will also be conducted during this stage.
• Search for potential sensitive information related to you through various search engines

29. Machine Scanning
Manual
Penetration
Test
Review and
Recommendat
ion
Hybrid Testing (Machine & Manual)

30. Security Assessment Lifecycle
Automated Scan

31. Automated Scan
• Tools scanning for potential security issue
• Combine multiple tools to gather more information
• Include fuzzing in scanning

32. Security Assessment Lifecycle
Automated Scan
Manual Review

33. Manual Review (Penetration Test)
• Enrich the information in machine scanning
• Verify the findings in machine scanning
• Look through each page to find security issue
• Look for logical flaws

34. Security Assessment Lifecycle
Automated Scan
Manual Review
Report and
Recommendations

35. Report & Recommendations
Executive Summary
Testing Methodologies
Proof of Concept
Impact and Severity
Findings Details
Recommendations
Debriefing meeting

36. Sample Report

37. Retest
Compiling a Retest
checklist
Scanning for previously
found vulnerabilities after
fixing
Producing final retest
report

38. Case References

39. Case Reference I
• An NGO partnering with the Hong Kong Government, provides quality
social welfare service through their 3,000 operating units in Hong Kong.
• Engagement in Penetration Test:
 a Website before launch in Hong Kong
 Re-tested several times

40. Case Reference II
• A 20-year-old Secondary School in Hong Kong
• Engagement in Penetration Test:
 an Internal CMS system with email function
 a public-facing website