
Page 1: E-SPIN COMPANY PROFILE

Enterprise Solution Professionals on Information and Network

Enterprise IT Solutions (Hardware, Software, Services)

Shared Service and Outsourcing

Technology Products Distribution and Trading

E-SPIN COMPANY PROFILE

Page 2

E-SPIN COMPANY PROFILE

who we are

what we do

E-SPIN stands for Enterprise Solution Professionals on Information and Network.

E-SPIN SDN BHD is a privately held company established in 2005. Its headquarters is located at 21-2, Jalan PJU 8/3B, Perdana Business Centre, Damansara Perdana, 47820 Petaling Jaya, Selangor, Malaysia.

Vision: to be the leading enterprise solution provider, delivering enabling solutions that keep customers competitive in their respective marketplaces.

E-SPIN is a leading enterprise IT solutions and outsourcing service provider with a unique approach to enterprise solutions: it offers comprehensive best-of-breed solutions from its technology partners, combined with experienced in-house solutions consulting, network and system integration, web development and application integration, product training, skill certification, project management, maintenance support and managed outsourcing services, to deliver end-to-end value-adding solutions for corporate, enterprise, government and reseller business customers.

Mission: To deliver end-to-end value-adding solutions in Shared Service and Outsourcing (SSO); Information Communication Technologies (ICT) solutions combining hardware, software and services; and Web Design and Portal Development, Application Development and Integration.

• Consulting based on the client's current situation and requirements.
• Solution development and plan presentation.
• Project hardware, software and service sourcing and procurement.
• Project management and implementation service.
• System requirement analysis and design.
• Prototype and mockup development.
• Acceptance testing, quality assurance and penetration testing.
• Training, certification and skill transfer.
• Project hardware, software and service maintenance support.
• Managed outsourcing.

• Solution Buying Facilitation, Consultancy
• Network and System Integration, Distribution
• Web Development and Application Integration
• Managed Service and Outsourcing

E-SPIN SDN BHD ALL RIGHT RESERVEDc

Page 3

Since 2005, E-SPIN has successfully worked with organizations throughout Malaysia, then regionally and now globally, in every industry, in the public and private sectors, and of every size, from start-ups to listed corporations. Our customers include banks and other financial services firms; manufacturers; trading and service providers; media, entertainment and broadcasters; telecommunications and data center providers; transportation and logistics companies; oil, gas, chemical and utilities companies; pharmaceutical, medicine, health care and hospitals; educational institutions; technology value added resellers (VARs), system integrators (SIs), independent software vendors (ISVs) and IT outsourcing (ITO) providers; and public sector agencies from federal to state government to military agencies, across the E-SPIN solution and service portfolios.

Below is a sampling of our clients and customers from different industries and sectors.

who we serve


Page 4

BUSINESS APPLICATION AND TECHNOLOGY TRANSFORMATION

AVAILABILITY, STORAGE AND BUSINESS CONTINUITY

SECURITY, RISK AND COMPLIANCE MANAGEMENT

END-TO-END VALUE ADDING SOLUTIONS AND OUTSOURCING

Business Domain


Page 5

Page 6

Web Application Security Scanner

• Is your website hackable?

• 70% of websites are at serious risk of being hacked

• Web application attacks account for up to 70% of all cyber attacks

Website security is possibly the most overlooked aspect of securing the enterprise and should be a priority in any organization. Hackers are concentrating their efforts on web applications such as shopping carts, login pages, forms and dynamic content.

Web applications are accessible 24 hours a day, 7 days a week, and control valuable data since they often have direct access to backend databases holding customer records, credit card details and similar data.

Firewalls, SSL and locked-down servers are futile against web application hacking

Any defense at the network security level provides no protection against web application attacks, since they are launched over port 80, which has to remain open. In addition, web applications are often tailor-made and therefore tested less than off-the-shelf software, so they are more likely to contain undiscovered vulnerabilities.

Page 7

How Does Hacking Work?

Page 8

Acunetix Web Vulnerability Scanner

To safeguard your enterprise’s web applications from hackers, the Acunetix Web Vulnerability Scanner, represented by E-SPIN, is the solution you need!

Acunetix Web Vulnerability Scanner (WVS), represented by E-SPIN, is an automated web application security testing tool that audits your web applications by checking for exploitable vulnerabilities. Automated scans may be supplemented and cross-checked with a variety of manual tools to allow for comprehensive web site and web application penetration testing.

In short, this powerful tool scans and automatically checks your web applications for SQL Injection, Cross Site Scripting (XSS) and other web vulnerabilities.

Acunetix History

Acunetix pioneered web application security scanning technology: its engineers have focused on web security since as early as 1997 and developed an engineering lead in web site analysis and vulnerability detection.

How Acunetix Works

Acunetix WVS scans web applications for vulnerabilities, provides fixing recommendations and includes a reporting tool, so that web applications become less hackable or exploitable. The software performs the typical work of a hacker, scanning and executing various (non-destructive) hacking methods against the web application. It then lists every successful attempt and the scenario in which it succeeded, so that developers can record which applications are exploitable and close the vulnerability.

All in all, Acunetix WVS is software that provides automatic and manual ways to search for vulnerabilities within web applications, reports them, and recommends ways to fix the problem.

Page 9

Acunetix WVS Key Features

1. AcuSensor Technology

- New technology that identifies more vulnerabilities than a traditional black-box scanner while generating fewer false positives.

- Faster locating and fixing of vulnerabilities, with more information about each one: for instance, source code line number, stack trace and affected SQL query.

- Checks web application configuration, e.g. misconfiguration of web.config or php.ini.

2. In depth checking for SQL Injection, XSS and Other Vulnerabilities

- Known Static Methods:
  - Specific web application known exploits
  - Directory enumeration
  - Known web server exploits
  - Known web technology exploits (e.g. PHP)
  - Known network service exploits (e.g. DNS, FTP)

- Unknown Dynamic Methods:
  - SQL Injection
  - Cross Site Scripting (XSS)
  - Directory and Link Traversal
  - File Inclusion
  - Source Code Disclosure

3. Port Scanner and Network Alerts

- Scans the web server for open ports

- Also runs network alert checks against network services running on open ports, such as DNS cache poisoning, SNMP weak community strings, weak SSH ciphers, etc.

4. Detailed Reports

- Able to generate different official and technical reports (customizable) to meet different users’ requirements: executive summary, vulnerability report, compliance (HIPAA, PCI, OWASP, SOX, WASC), pre- and post-comparison report, statistical reports, etc.

5. Advanced Penetration Tools

- Allows penetration testers to tune web application security checks:

- HTTP Editor: construct HTTP/HTTPS requests and analyze the web server response

- HTTP Sniffer: intercept, log and modify all HTTP/HTTPS traffic and reveal all data sent by the web application

- HTTP Fuzzer: perform sophisticated testing for buffer overflows and input validation

- Blind SQL Injector: automated database data extraction tool, suited to manual tests that take SQL injection findings further

6. Scan Ajax and Web 2.0 Technologies

- The Client Script Analyzer (CSA) engine allows comprehensive scanning of the latest and most complex Ajax/Web 2.0 applications for vulnerabilities

7. Test Password Protected Areas and Web Forms

- With the automatic HTML form filler, it can fill in web forms and authenticate against web logins. The form-filling process is recorded and the sequence is replayed during scanning.

8. Analyze Website against the Google Hacking Database

- The Google Hacking Database (GHDB) is a database of queries used by hackers to identify sensitive data on your website, such as portal logon pages.

- Acunetix runs the GHDB queries against your website and identifies loopholes before the hackers do.

Page 10

Benefits to Organization

• IT Security Greatly Enhanced

- Acunetix’s unmatched automated and flexible manual scan capabilities provide comprehensive or selective-area scans.

- Puts a truly secure web application in place, one that has been tested against various hacking attacks, avoiding unnecessary exploitation that would jeopardize the organization’s image.

• Time Saving

- Automated scanning offloads the ongoing routine scanning tasks (where the administrator is permitted to do so under company configuration), so the administrator can focus on value-added work such as interpreting the report and communicating its findings.

- In addition, the administrator remains flexible enough to conduct a manual, method-specific scan to confirm whether vulnerabilities have been fixed.

• Reports

- With Acunetix’s range of reports, IT security staff are empowered to be proactive in managing security measures and ongoing compliance audits and monitoring.

- Based on true and transparent reports on all web application vulnerabilities, IT security staff can communicate the findings to the respective parties for fixing, reporting and compliance purposes.

• Compliance

- Able to meet various legal and regulatory compliance requirements.

SYSTEM REQUIREMENTS:

- Windows XP, Vista, 2000, 2003 and 2008 Server, Windows 7
- Internet Explorer 6 or higher
- 250 MB of hard disk space
- 1 GB of RAM

Page 11

Screenshot(s)

In-depth checking for SQL Injection

AcuSensor Technology: identifying more vulnerabilities

Page 12

Screenshot(s)

Port Scanner and Network Alert

Detailed Report

Page 13

Screenshot(s)

Advanced Penetration Tools

Analyze site against Google Hacking Database


Page 19

Enterprise Solution Professionals on Information and Network

E-SPIN COMPANY PROFILE

Web App Penetration Testing and Ethical Hacking (6MD Course)

E- Business & Web Solutions

IT Solutions (Hardware, Software, Services)

Business Process & Technology Outsourcing

Page 20

Web App Penetration Testing and Ethical Hacking

Assess Your Web Apps in Depth

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited Web sites altered by attackers.

In this intermediate to advanced level class, you’ll learn the art of exploiting Web applications so you can find flaws in your enterprise’s Web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for Web application penetration testing.

You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross-Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And you will explore various other Web app vulnerabilities in depth with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

On day one, we will study the attacker’s view of the Web as well as learn an attack methodology and how the pen-tester uses JavaScript within the test. On day two, we will study the art of reconnaissance, specifically targeted to Web applications. We will also examine the mapping phase as we interact with a real application to determine its internal structure. During day three we will continue our test by starting the discovery phase using the information we gathered on day two. We will focus on application/server-side discovery. On day four we will continue discovery, focusing on client-side portions of the application, such as Flash objects and Java applets. On day five, we will move into the final stage of exploitation. Students will use advanced exploitation methods to gain further access within the application. Day six will be a Capture the Flag event where the students will be able to use the methodology and techniques explored during class to find and exploit the vulnerabilities within an intranet site.

Throughout the class, you will learn the context behind the attacks so that you intuitively understand the real-life applications of our exploitation. In the end, you will be able to assess your own organization’s Web applications to find some of the most common and damaging Web application vulnerabilities today. By knowing your enemy, you can defeat your enemy. General security practitioners, as well as Web site designers, architects, and developers, will benefit from learning the practical art of Web application penetration testing in this class.

Page 21

Web App Penetration Testing and Ethical Hacking

Day 1 The Attacker’s View of the Web

Understanding the attacker’s perspective is key to successful Web application penetration testing. We will begin by thoroughly examining Web technology, including protocols, languages, clients, and server architectures, from the attacker’s perspective. In this portion of the class we will also examine different authentication systems, including Basic, Digest, Forms, and Windows Integrated authentication, and discuss how servers use them and how attackers abuse them.

Following this, we will discuss the four steps that make up our process for conducting Web application penetration tests: reconnaissance, mapping, discovery and exploitation. During the next few days, we will delve into each of these steps more deeply.

For the first day, we will review the fundamental principles of each phase and discuss how we will use them together as a cyclical attack process. Next, we will cover the types of penetration testing and what pieces need to be part of the report. As the final part of the day, we will explore and learn JavaScript from an attacker’s perspective.

Topics Covered

• Overview of the Web from a penetration tester’s perspective
• Exploring the various servers and clients
• Discussion of the various Web architectures
• Discover how session state works
• Discussion of the different types of vulnerabilities
• Define a Web application test scope and process
• Define types of penetration testing
• JavaScript for the attacker

Day 2 Reconnaissance and Mapping

On the second day we will start the actual penetration testing process, beginning with the reconnaissance and mapping phases. Reconnaissance includes gathering publicly available information regarding the target application and organization, identifying the machines which support our target application, and building a profile of each server, including operating system, specific software, and configuration. Our discussion will be augmented by practical, hands-on exercises in which we conduct reconnaissance against an in-class target.

In the mapping phase, we will build a map or diagram of the application. In order to do this, we identify the components, analyze the relationship between them, and determine how the pieces work together. We will specifically consider how the session management system works within an application. This will help us identify potential vulnerabilities during the next sections.

Topics Covered

• Discover the infrastructure within the application
• Identify the machines and operating systems
• SSL configurations and weaknesses
• Explore virtual hosting and its impact on testing
• Learn methods to identify load balancers
• Software configuration discovery
• Explore external information sources
• Google hacking
• Learn tools to spider a Web site
• Scripting to automate Web requests and spidering
• Application flow charting
• Relationship analysis within an application

Day 3 Server-Side Discovery

In this section, we will continue to explore our methodology with the discovery phase. We will build upon the information started yesterday, exploring methods to find and verify vulnerabilities within the application. The students will also begin to explore the interactions between the various vulnerabilities.

After we cover vulnerabilities, we will explore the different user interfaces that Web apps expose to clients. This will include an exploration of various automated and manual tools, such as w3af, Burp Suite, and the SamuraiWTF pen-testing environment. Throughout the discovery phase, we will explore both manual and automated methods of discovering vulnerabilities within applications and discuss the circumstances under which each is appropriate.

Topics Covered

• Learn methods to discover various vulnerabilities
• Information leakage
• Username harvesting
• Command injection
• SQL injection
• Blind SQL injection
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery
• Session issues

Page 22

Web App Penetration Testing and Ethical Hacking

Day 4 Client-Side Discovery

On day four students will start exploring client-side portions of the Web site. We will cover methods to discover vulnerabilities within client-side code, such as Java applets and Flash objects. We will learn how to use tools to decompile the objects and applets to find vulnerabilities. Tools such as Flare and JAD will be used during hands-on exercises. This will include a detailed discussion of Web Services and AJAX in which we will explore how AJAX and Web service technology enlarge the attack surface that penetration testers leverage. We will also explore how AJAX and Web services are affected by the vulnerabilities already explored.

Students will also be able to understand the ways that these client-side components can be used to attack other portions of the network and Web application. Students will also be using various tools and methods to discover ways to interact with Web applications bypassing these client-side controls.

Students will also work through sections on both Python and PHP. These sections focus on the use of these languages during a penetration test and from the view of an attacker.

Topics Covered

• Learn methods to discover various vulnerabilities
• Information leakage & Username harvesting
• Command injection
• SQL injection & Blind SQL injection
• Cross-Site Scripting (XSS) & Cross-Site Request Forgery
• Learn methods to decompile client-side code
• Flash & Java
• Explore malicious applets and objects
• Discover vulnerabilities in Web applications through their client components
• Understand methods for attacking Web services
• Understand methods for testing Web 2.0 and AJAX based sites
• Learn how AJAX and Web services change penetration tests
• Learn the attacker’s perspective on Python and PHP
• The use of these languages during our attack
• The ability to expand the tools we are using

Day 5 Exploitation

On the fifth day we will launch actual exploits against real-world applications. In this component, we will build upon the previous three steps, expanding our foothold within the application and extending that to the network on which it resides. As penetration testers, we will specifically focus on ways that we can leverage previously discovered vulnerabilities to gain further access, highlighting the cyclical nature of our four-step attack methodology.

During our exploitation, we will use tools such as the Burp Suite and Paros Proxy to assist us in crafting exploits against real-world applications like WordPress and AWStats. We will launch an SQL injection attack against WordPress, intercepting real transactions and modifying them. We will use Cross-Site Scripting attacks against phpMyAdmin and phpBB to steal cookies and sessions from other users. We are also going to explore the use of attack frameworks, such as AttackAPI and BeEF. We will discuss how the frameworks can assist us in our testing process, gaining access to browser history, port scanning internal networks, and searching for other vulnerable Web applications through zombie browsers.

We will also explore multiple exploit attacks. This is where the student will build complex attack series to gain much greater access within the Web applications. By fully uncovering vulnerabilities within applications using the same resources as attackers, we can provide organizations with the best assessment possible.

Topics Covered

• Explore methods to zombify browsers
• Discuss using zombies to port scan or attack internal networks
• Explore attack frameworks
• AttackAPI
• XSS-Proxy & BeEF
• Walk through an entire attack scenario
• Exploit the various vulnerabilities discovered
• Leverage the attacks to gain access to the system
• Learn how to pivot our attacks through a Web application
• Understand methods of interacting with a server through SQL injection
• Exploit applications to steal cookies
• Execute commands through Web application vulnerabilities

Day 6 Capture the Flag

During day six of the class students will be placed on a network and given the opportunity to complete an entire penetration test. The goal of this capture the flag event is for the students to explore the techniques, tools, and methodology they have learned over the last five days. They will be able to use these ideas and methods against a realistic intranet application. At the end of the day, they will provide a verbal report of the findings and methodology they followed to complete the test. Students will be provided with a virtual machine that contains the SamuraiWTF Web penetration testing environment. They will be able to use this both in the class and after leaving and returning to their normal jobs.

Page 23