How About Security Testing? 
Jouri Dufour, CTG 
www.eurostarconferences.com 
@esconfs 
#esconfs
How About Cybercrime?
Our BUSINESS LIFE is online.
“If A happens, then B must be the case, so I will do C.” 
BUT WHAT IF X OCCURS?
01 Fooling a password change function

The functionality. A password change function serves both ordinary users and administrators. The request carries a username, an existing password (a field presented only to users), a new password and a confirmation. On the server the request is routed on a single test: is the "existing password" parameter present? If yes, treat it as a user's request and verify the existing password; if no, treat it as an administrator's request and change the password without that verification.

The assumption. Only administrators submit the request without the existing-password parameter, because only the administrator form lacks that field.

The flaw. Whether the parameter is present is decided by whoever builds the request, not by the server's own knowledge of who is logged in.

The attack. An ordinary user intercepts the password change request and deletes the existing-password parameter, name and value. The server follows the administrator branch and sets the new password for the named account without ever checking the existing one.
RECOMMENDED HACK STEPS
Try removing in turn each request parameter.
Be sure to delete the actual parameter name as well as its value.
Attack only one parameter at a time.
Follow a multistage process through to completion.
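The parameter-removal step above, as an added example that is not code from the talk or from CTG. The handler models the decision on the slides (user path when an existing_password parameter is present, administrator path when it is absent), a hardened handler takes the role from the server-side session instead, and remove_each_parameter() drops one parameter at a time, name and value, and records what the server does. The account store, the session and the request are constructed for the example.

```python
"""Parameter-removal test against a password change handler.

Added example for this page; it is not code from the talk or from CTG.
The handler models the decision on the slides: the server takes the user
path when an 'existing_password' parameter is present and the administrator
path when it is absent. Account data and the request are constructed here.
"""
from dataclasses import dataclass, field

# Constructed sample account store: username -> current password.
ACCOUNTS = {"alice": "Winter2013!"}


@dataclass
class Request:
    """One submitted form: the server-side session plus the POST parameters."""
    session_user: str
    session_role: str                      # "user" or "admin", fixed at login
    params: dict = field(default_factory=dict)


def change_password_vulnerable(req: Request, accounts: dict) -> str:
    """Branches on parameter presence, exactly the assumption the slides attack."""
    p = req.params
    if p["new_password"] != p["confirm_password"]:
        return "mismatch"
    if "existing_password" in p:                       # "user" path
        if accounts.get(p["username"]) != p["existing_password"]:
            return "wrong existing password"
    # "administrator" path: reached by anyone who simply omits the parameter
    accounts[p["username"]] = p["new_password"]
    return "changed"


def change_password_fixed(req: Request, accounts: dict) -> str:
    """Takes the role from the session and never from the shape of the request."""
    p = req.params
    new = p.get("new_password")
    if not new or new != p.get("confirm_password"):
        return "mismatch"
    if req.session_role == "admin":
        if p.get("username") not in accounts:
            return "no such user"
        accounts[p["username"]] = new
        return "changed"
    # ordinary users change only their own password and must prove the old one
    if p.get("username") != req.session_user:
        return "forbidden"
    if accounts.get(req.session_user) != p.get("existing_password"):
        return "wrong existing password"
    accounts[req.session_user] = new
    return "changed"


def remove_each_parameter(handler, base: Request, accounts: dict) -> dict:
    """Hack step from the slides: delete one parameter at a time, name and value,
    and record the response. 'changed' with a parameter missing is a finding."""
    results = {}
    for name in list(base.params):
        trimmed = {k: v for k, v in base.params.items() if k != name}
        trial = Request(base.session_user, base.session_role, trimmed)
        try:
            results[name] = handler(trial, dict(accounts))   # fresh copy per trial
        except KeyError:
            results[name] = "server error"
    return results


def attacker_request() -> Request:
    """Logged in as ordinary user 'mallory', targeting alice with a wrong old password."""
    return Request("mallory", "user", {
        "username": "alice",
        "existing_password": "not alice's password",
        "new_password": "pwned",
        "confirm_password": "pwned",
    })


if __name__ == "__main__":
    for handler in (change_password_vulnerable, change_password_fixed):
        print(handler.__name__, remove_each_parameter(handler, attacker_request(), ACCOUNTS))
```

Against the vulnerable handler, removing existing_password is the one trial that answers "changed", which is the finding; the same trial against the fixed handler answers "forbidden", because the role now comes from the session and a user may only touch their own account.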
02 Proceeding to checkout

The functionality. A retail application walks the customer through a fixed sequence: add items to the shopping basket, enter delivery information, enter payment information, finalize the order.

The assumption. A customer only reaches "finalize order" after completing the earlier stages, in the order the application presents them.

The flaw. Each stage is a separate request to the server, and the server checks the customer's progress only at the start of the sequence; the later stages trust that the client arrived there legitimately.

The attack. After adding items to the basket, the customer sends the finalize-order request directly, skipping the payment stage, and the application accepts the order without payment.
RECOMMENDED HACK STEPS
Attempt to submit requests out of the expected sequence.
Be sure to fully understand the access mechanisms to distinct stages.
Try to violate the developers' assumptions.
Use any interesting error messages and debug output to fine-tune your attacks.

The application may enforce strict access control only on the initial stages of the process.
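The out-of-sequence test described in these steps, as an added example that is not code from the talk or from CTG. The four stages on the slides are modelled as endpoints on a server object: the vulnerable server guards every stage with nothing but the login check, the fixed server keeps the completed stages in server-side state and refuses any stage whose predecessor is not done. The stage names and the server objects are constructed for the example.

```python
"""Out-of-sequence request test against a multi-stage checkout.

Added example for this page; not code from the talk or from CTG. It models
the four stages on the slides (basket, delivery, payment, finalize) as
endpoints on a server object. The vulnerable server guards every stage with
nothing but the login check; the fixed server keeps the completed stages in
server-side state and refuses a stage whose predecessor has not been done.
"""

STAGES = ["basket", "delivery", "payment", "finalize"]


class CheckoutVulnerable:
    """Strict access control on the first stage only; later stages trust the client."""

    def __init__(self):
        self.logged_in = False
        self.paid = False
        self.order_placed = False

    def login(self):
        self.logged_in = True

    def submit(self, stage: str) -> str:
        if stage not in STAGES:
            return "unknown stage"
        if not self.logged_in:
            return "redirect to login"
        if stage == "payment":
            self.paid = True
        if stage == "finalize":
            self.order_placed = True        # never asks whether payment happened
        return "ok"


class CheckoutFixed:
    """Progress lives on the server; stage N is accepted only after stage N-1."""

    def __init__(self):
        self.logged_in = False
        self.done = set()
        self.order_placed = False

    def login(self):
        self.logged_in = True

    def submit(self, stage: str) -> str:
        if stage not in STAGES:
            return "unknown stage"
        if not self.logged_in:
            return "redirect to login"
        idx = STAGES.index(stage)
        if idx > 0 and STAGES[idx - 1] not in self.done:
            return "out of sequence"        # generic: no hint about which stage is missing
        self.done.add(stage)
        if stage == "finalize":
            self.order_placed = True
        return "ok"


def probe_each_stage_first(checkout_cls) -> dict:
    """Hack step: after login, try every stage as the first request, each on a fresh session."""
    out = {}
    for stage in STAGES:
        c = checkout_cls()
        c.login()
        out[stage] = c.submit(stage)
    return out


def skip_payment(checkout_cls) -> bool:
    """The attack on the slides: basket, then straight to finalize. True means an unpaid order."""
    c = checkout_cls()
    c.login()
    c.submit("basket")
    c.submit("finalize")
    return c.order_placed


def walk_in_order(checkout_cls) -> bool:
    """Sanity check that the honest customer still gets through the fixed flow."""
    c = checkout_cls()
    c.login()
    for stage in STAGES:
        if c.submit(stage) != "ok":
            return False
    return c.order_placed


if __name__ == "__main__":
    for cls in (CheckoutVulnerable, CheckoutFixed):
        print(cls.__name__, probe_each_stage_first(cls), "unpaid order:", skip_payment(cls))
```

probe_each_stage_first() is the general form of the step: every stage answers "ok" on the vulnerable server, while the fixed server accepts only the basket stage as a first request. The fixed server also answers with the same generic message whichever stage is missing, so the error output gives the tester nothing to fine-tune with.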
03 Beating a business limit

The functionality. An ERP application moves money from bank account 1 to bank account 2. Before the transfer it asks: is the amount less than €10.000? Y: the transfer is executed. N: it is refused.

The assumption. The amount is a positive number, so any transfer that passes the check moves at most €10.000.

The flaw. The check is an upper bound and nothing else; it does not reject a negative (or zero) amount.

The attack. The attacker enters -€20.000. That is "less than €10.000", so the check passes and the application executes a transfer of -€20.000, which moves €20.000 from account 2 to account 1: twice the limit, and in the direction the attacker chose.
Many applications use numeric limits, and beating such limits may have serious business consequences.

RECOMMENDED HACK STEPS
Try entering negative values.
Sometimes several steps need to be repeated to bring the application into a vulnerable state.
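The negative-value step, as an added example that is not code from the talk or from CTG. It models the ERP check on the slides (transfer from account 1 to account 2 only if the amount is less than €10.000) beside a check that bounds the amount on both sides, and run_probe() submits a list of amounts as a user would type them. Account names, starting balances and the probe list are constructed for the example.

```python
"""Negative-value test against a business limit.

Added example for this page; not code from the talk or from CTG. It models
the ERP check on the slides: move money from account 1 to account 2 only if
the amount is less than EUR 10.000. Balances and amounts are Decimal, and
the account names and starting balances are constructed for the example.
"""
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("10000")


def transfer_vulnerable(balances: dict, src: str, dst: str, amount: Decimal) -> str:
    """Only an upper bound is checked, as on the slides."""
    if amount >= LIMIT:
        return "refused: over limit"
    balances[src] -= amount
    balances[dst] += amount          # with a negative amount this runs the transfer backwards
    return "ok"


def transfer_fixed(balances: dict, src: str, dst: str, amount: Decimal) -> str:
    """Bounds on both sides, and the source account can only lose what it has."""
    if not amount.is_finite():
        return "refused: bad amount"
    if amount <= 0:
        return "refused: amount must be positive"
    if amount >= LIMIT:
        return "refused: over limit"
    if balances[src] < amount:
        return "refused: insufficient funds"
    balances[src] -= amount
    balances[dst] += amount
    return "ok"


def run_probe(handler, amount_text: str) -> tuple:
    """Submit one amount as the user would type it; returns (response, balances after)."""
    balances = {"acct1": Decimal("50000"), "acct2": Decimal("50000")}   # constructed
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        return "refused: not a number", balances
    return handler(balances, "acct1", "acct2", amount), balances


# Hack step from the slides: include negative values, plus the edges around the limit.
PROBES = ["9999.99", "10000", "0", "-20000", "-0.01", "-Infinity", "abc"]


if __name__ == "__main__":
    for handler in (transfer_vulnerable, transfer_fixed):
        for text in PROBES:
            status, bal = run_probe(handler, text)
            print(f"{handler.__name__:20} {text:>9} -> {status:34} {dict(bal)}")
```

The "-20000" probe is the slide's attack: the vulnerable handler answers "ok" and leaves account 1 at 70000 and account 2 at 30000, while the fixed handler refuses it and the balances do not move. Parsing the amount as Decimal rather than float also keeps "-Infinity" and "abc" out of the comparison.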
04 Cheating on bulk discounts

The functionality. A retail application sells a bundle: when items 1, 2 and 3 are in the shopping basket together, 25% is taken off.

The assumption. Whoever gets the 25% pays for the whole bundle.

The flaw. The adjustment is made once, at the moment the bundle is added, and is not recalculated when the basket changes afterwards.

The attack. Add the bundle so that the discount is applied, then remove the items you do not want. The adjustment stays, now attached to a basket that no longer meets the bundle criteria.
RECOMMENDED HACK STEPS
Find out if adjustments are made on a one-time basis.
Try to manipulate the application's behavior to get adjustments that don't correspond to the original intended criteria.
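The one-time-adjustment test from these steps, as an added example that is not code from the talk or from CTG. The vulnerable basket stores the discount when the bundle is added; the fixed basket keeps no adjustment state and derives the discount from the current contents each time the total is calculated. The prices, the three-item bundle and the 25% rate are constructed to match the basket on the slides.

```python
"""One-time adjustment test against a bundle discount.

Added example for this page; not code from the talk or from CTG. The prices,
the three-item bundle and the 25% discount are constructed to match the
basket on the slides. The vulnerable basket stores the discount when the
bundle is added; the fixed basket derives every adjustment from the current
contents each time the total is calculated.
"""
from decimal import Decimal

PRICES = {"item1": Decimal("40.00"), "item2": Decimal("30.00"), "item3": Decimal("30.00")}
BUNDLE = ("item1", "item2", "item3")
BUNDLE_DISCOUNT = Decimal("0.25")


class BasketVulnerable:
    """The adjustment is made once and kept as state, independent of the items."""

    def __init__(self):
        self.items = []
        self.discount = Decimal("0")

    def add_bundle(self):
        self.items.extend(BUNDLE)
        self.discount = BUNDLE_DISCOUNT     # set here, never re-evaluated

    def remove(self, item: str):
        self.items.remove(item)             # the discount survives the removal

    def total(self) -> Decimal:
        subtotal = sum(PRICES[i] for i in self.items)
        return subtotal * (1 - self.discount)


class BasketFixed:
    """No stored adjustment: the discount is a function of what is in the basket now."""

    def __init__(self):
        self.items = []

    def add_bundle(self):
        self.items.extend(BUNDLE)

    def remove(self, item: str):
        self.items.remove(item)

    def total(self) -> Decimal:
        subtotal = sum(PRICES[i] for i in self.items)
        bundle_present = all(i in self.items for i in BUNDLE)
        discount = BUNDLE_DISCOUNT if bundle_present else Decimal("0")
        return subtotal * (1 - discount)


def honest_purchase(basket_cls) -> Decimal:
    """Buy the whole bundle: both baskets should charge 75% of 100.00."""
    b = basket_cls()
    b.add_bundle()
    return b.total()


def cheat(basket_cls) -> Decimal:
    """Hack step from the slides: trigger the adjustment, then change the criteria."""
    b = basket_cls()
    b.add_bundle()
    b.remove("item2")
    b.remove("item3")
    return b.total()


if __name__ == "__main__":
    for cls in (BasketVulnerable, BasketFixed):
        print(cls.__name__, "honest:", honest_purchase(cls), "cheat:", cheat(cls))
```

Both baskets charge 75.00 for the full bundle, but after the removals the vulnerable basket still charges 30.00 for a single 40.00 item, while the fixed basket, recomputing from its contents, charges 40.00. The same rule applies to any adjustment (coupon, loyalty credit, shipping threshold): evaluate it at the moment the order is committed, from the order as it is then.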
05 Escaping from escaping

The functionality. A web application builds an operating system command that includes user-controllable input. Before the input is inserted, a sanitization routine puts a backslash in front of every shell metacharacter in a fixed list: ; | & < > ` space and newline.

The assumption. With each of those characters escaped, the input can only ever be one literal argument.

The flaw. The backslash itself is not in the list. The attacker can supply one, and the sanitizer passes it through untouched.

The attack. The attacker submits foo\;ls (the slides show the input simply as Foo;ls). The sanitizer escapes the semicolon and produces foo\\;ls. The shell reads the first backslash as escaping the second, so the semicolon is live again: the intended command runs with the argument foo\ and then ls runs as a second command. COMMAND INJECTION.
RECOMMENDED HACK STEPS
Attempt to insert relevant metacharacters into the data you control.
Always try placing a backslash immediately before each such character.

This same defect can be found in some defenses against cross-site scripting attacks.
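The backslash-before-the-metacharacter step, as an added example that is not code from the talk or from CTG. sanitize_vulnerable() is the routine the slides describe; the two fixes beside it escape the backslash as well or single-quote the whole argument with shlex.quote. To show where a shell would see a second command without executing anything, shell_tokens() runs the command line through Python's shlex in POSIX mode with punctuation_chars=True, which reports ; | & as separate tokens; it is a model of the shell's tokeniser, not a shell. The command template ("cat " plus the argument) is an assumption of the example.

```python
"""Escape-the-escaper test against a backslash sanitizer.

Added example for this page; not code from the talk or from CTG.
sanitize_vulnerable() is the routine the slides describe: a backslash in
front of each of ; | & < > ` space newline, and nothing else. shell_tokens()
uses shlex in POSIX mode with punctuation_chars=True, which reports ';',
'|' and '&' as separate tokens; it models how a POSIX shell splits a
command line so that nothing is executed here. The command template
("cat " + argument) is an assumption of the example.
"""
import shlex

METACHARS = ";|&<>` \n"
SEPARATORS = {";", "|", "&", "&&", "||"}      # tokens that start another command


def sanitize_vulnerable(s: str) -> str:
    """Escapes the listed metacharacters but leaves the escape character alone."""
    return "".join("\\" + c if c in METACHARS else c for c in s)


def sanitize_fixed(s: str) -> str:
    """Escapes the backslash too, so a user-supplied backslash cannot pair with ours."""
    return "".join("\\" + c if c in METACHARS + "\\" else c for c in s)


def quote_fixed(s: str) -> str:
    """The library answer: single-quote the whole argument (shlex.quote)."""
    return shlex.quote(s)


def build_command(argument: str) -> str:
    """The application's command construction (assumed template)."""
    return "cat " + argument


def shell_tokens(cmdline: str) -> list:
    """Token stream a POSIX shell would see; ';' comes out as its own token."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return list(lex)


def commands(cmdline: str) -> list:
    """Split the token stream at command separators; more than one list means injection."""
    out, current = [], []
    for tok in shell_tokens(cmdline):
        if tok in SEPARATORS:
            out.append(current)
            current = []
        else:
            current.append(tok)
    out.append(current)
    return out


PAYLOADS = ["foo;ls", "foo\\;ls"]        # hack step: backslash before the metacharacter


if __name__ == "__main__":
    for fn in (sanitize_vulnerable, sanitize_fixed, quote_fixed):
        for payload in PAYLOADS:
            line = build_command(fn(payload))
            print(f"{fn.__name__:19} {payload!r:12} -> {line!r:18} {commands(line)}")
```

Plain foo;ls is neutralised by the vulnerable sanitizer (one token, foo;ls), but foo\;ls becomes cat foo\\;ls, which tokenises as cat, foo\, ;, ls: two commands. Escaping the backslash first, or quoting with shlex.quote, leaves a single command with the literal argument foo\;ls. Better still is not going through a shell at all: pass the argument list to subprocess.run() without shell=True, so no tokeniser ever sees the input.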
Yesterday, Today, Tomorrow
Yesterday: Dynamic Application Security Testing (DAST).
Today: Static Application Security Testing (SAST).
Tomorrow: DAST + SAST = Integrated Application Security Testing (IAST).
[Chart: number of victims over time]
HOW ABOUT SECURITY TESTING?
Fooling a password change function
Proceeding to checkout
Beating a business limit
Cheating on bulk discounts
Escaping from escaping

Speaker: Jouri Dufour
www.ctg.com
jouri.dufour@ctg.com

Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Recently uploaded (20)

Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Jouri Dufour - How About Security Testing - EuroSTAR 2013

  • 1. How About Security Testing? Jouri Dufour, CTG www.eurostarconferences.com @esconfs #esconfs
  • 8. Our BUSINESS LIFE is online.
  • 10. “If A happens, then B must be the case, so I will do C.” BUT WHAT IF X OCCURS?
  • 11. 01 Fooling a password change function
  • 12. Password change function. The functionality: the password change request carries Username, Existing password (only presented to users), New password and Confirm new password. The server branches on whether the Existing password parameter is present: Y, the caller is handled as a User; N, the caller is handled as an Administrator.
  • 13. Password change function. The assumption: the FLAW is that branch; the server infers the caller's role from the shape of the request rather than from the authenticated session.
  • 14. Password change function. The attack: a User removes the Existing password parameter from the request and is handled as an Administrator, so the new password is set without the current one being verified.
  • 15. RECOMMENDED HACK STEPS
Try removing in turn each request parameter
Be sure to delete the actual parameter name as well as its value
Attack only one parameter at a time
Follow a multistage process through to completion
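The flaw and the hack step above, as an added example that is not part of the talk or of any real application: the flawed handler decides the caller's role from the presence of the existing_password parameter, the corrected handler decides it from the server-side session, and a small probe replays the request with each parameter removed in turn. The user store, the Session object and the parameter names are assumptions made for this example.

```python
# Added example (not from the talk or any real application): the role of the
# caller is decided from the presence of a request parameter in the flawed
# handler, and from the authenticated session in the fixed one. The store,
# the session object and the parameter names are assumptions made here.
from dataclasses import dataclass, field


@dataclass
class Session:
    username: str
    is_admin: bool


@dataclass
class UserStore:
    # constructed sample data: username -> current password (plaintext only
    # to keep the example short; a real store holds password hashes)
    passwords: dict = field(default_factory=lambda: {"alice": "s3cret", "bob": "hunter2"})


def change_password_vulnerable(store: UserStore, session: Session, params: dict) -> bool:
    """FLAW: the administrator form never sends 'existing_password', so the
    handler treats any request *without* that parameter as an administrator
    request and skips the current-password check. The session is ignored."""
    target = params.get("username")
    new = params.get("new_password")
    if target not in store.passwords or new is None or new != params.get("confirm_new_password"):
        return False
    if "existing_password" in params:                 # user path
        if store.passwords[target] != params["existing_password"]:
            return False
    # administrator path: no further checks
    store.passwords[target] = new
    return True


def change_password_fixed(store: UserStore, session: Session, params: dict) -> bool:
    """The role comes from the server-side session, never from the request
    shape; a non-admin may only change their own password and must prove
    knowledge of the current one."""
    target = params.get("username")
    new = params.get("new_password")
    if target not in store.passwords or not new or new != params.get("confirm_new_password"):
        return False
    if not session.is_admin:
        if target != session.username:
            return False
        if store.passwords[target] != params.get("existing_password"):
            return False
    store.passwords[target] = new
    return True


def parameter_removal_probe(handler, session: Session, params: dict) -> dict:
    """The recommended hack step as a loop: remove one parameter at a time
    (name and value, not just the value), replay against a fresh store and
    record whether the change went through."""
    outcome = {}
    for name in params:
        trimmed = {k: v for k, v in params.items() if k != name}
        outcome[name] = handler(UserStore(), session, trimmed)
    return outcome


if __name__ == "__main__":
    bob = Session(username="bob", is_admin=False)
    # bob tries to set alice's password; he does not know her current one
    request = {"username": "alice", "existing_password": "wrong",
               "new_password": "pwned", "confirm_new_password": "pwned"}
    print("vulnerable:", parameter_removal_probe(change_password_vulnerable, bob, request))
    print("fixed:     ", parameter_removal_probe(change_password_fixed, bob, request))
```

Against the flawed handler the probe reports success exactly for the request that lacks existing_password; against the corrected handler every trimmed request fails, while a user changing their own password with the right current one, or an administrator session changing any account, still succeeds.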
  • 16. 02 Proceeding to checkout
  • 17. Retail application. The functionality: Add items to shopping basket, Enter delivery information, Enter payment information, Finalize order.
  • 18. Retail application. The assumption: the FLAW is that each stage assumes the earlier stages were completed in order; only the entry to the process is guarded.
  • 19. Retail application. The attack: ATTACK, the Finalize order request is submitted directly after Add items to shopping basket, skipping Enter delivery information and Enter payment information.
  • 20. RECOMMENDED HACK STEPS
Attempt to submit requests out of the expected sequence
Be sure to fully understand the access mechanisms to distinct stages
Try to violate the developers’ assumptions
Use any interesting error messages and debug output to fine-tune your attacks
  • 21. The application may enforce strict access control only on the initial stages of the process
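The checkout sequence from slides 17 to 21, as an added example that is not part of the talk or of any real shop: the flawed server checks each stage request in isolation, so finalize works straight after adding to the basket; the corrected server records the last completed stage in the session, only accepts the next stage (or a redo of an earlier one, which voids any payment), and refuses to finalize without a successful payment. Stage names, request fields and the scripted requests are assumptions made for this example.

```python
# Added example (not from the talk or any real shop): a four-stage checkout
# where the flawed server checks each request in isolation, beside one that
# records the stage reached in the server-side session. Stage names, the
# request fields and the sample order are assumptions made here.
STAGES = ["basket", "delivery", "payment", "finalize"]


class OutOfSequence(Exception):
    """Raised when a request names a stage the session has not reached."""


class VulnerableCheckout:
    """FLAW: 'finalize' trusts that 'payment' already ran because the UI
    only offers the button after payment; nothing on the server checks it."""

    def __init__(self):
        self.basket = []
        self.address = None
        self.paid = False
        self.orders = []

    def handle(self, stage, **data):
        if stage == "basket":
            self.basket.append(data["item"])
        elif stage == "delivery":
            if not self.basket:                      # the only cross-stage check
                raise OutOfSequence("empty basket")
            self.address = data["address"]
        elif stage == "payment":
            self.paid = bool(data["card_ok"])
        elif stage == "finalize":
            self.orders.append({"items": list(self.basket),
                                "address": self.address, "paid": self.paid})
            self.basket, self.address, self.paid = [], None, False
        else:
            raise ValueError(stage)


class HardenedCheckout(VulnerableCheckout):
    """A request for stage i is accepted only if the session has completed
    stage i-1 (or an earlier stage is being redone, which invalidates
    everything after it); 'finalize' also requires a successful payment."""

    def __init__(self):
        super().__init__()
        self.completed = -1                          # index of last completed stage

    def handle(self, stage, **data):
        i = STAGES.index(stage)
        if i > self.completed + 1:
            raise OutOfSequence(f"{stage} requested before {STAGES[i - 1]}")
        if stage == "finalize" and not self.paid:
            raise OutOfSequence("finalize without successful payment")
        if i <= STAGES.index("delivery"):            # basket or delivery changed,
            self.paid = False                        # so any earlier payment is void
        super().handle(stage, **data)
        self.completed = -1 if stage == "finalize" else i


def replay(checkout_cls, requests):
    """Send a scripted sequence of (stage, fields) requests, returning the
    completed orders and the requests the server rejected."""
    session, rejected = checkout_cls(), []
    for stage, fields in requests:
        try:
            session.handle(stage, **fields)
        except OutOfSequence as exc:
            rejected.append((stage, str(exc)))
    return session.orders, rejected


# constructed request scripts: the honest flow and the attack from the slides
HONEST = [("basket", {"item": "laptop"}), ("delivery", {"address": "1 Main St"}),
          ("payment", {"card_ok": True}), ("finalize", {})]
SKIP_PAYMENT = [("basket", {"item": "laptop"}), ("finalize", {})]

if __name__ == "__main__":
    for cls in (VulnerableCheckout, HardenedCheckout):
        print(cls.__name__, replay(cls, SKIP_PAYMENT))
```

The rejection messages here are deliberately terse: slide 20's advice to mine error messages and debug output applies to the server as well, so a hardened stage gate should log the details and tell the client only that the request was refused.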
  • 22. 03 Beating a business limit
  • 23. ERP application. The functionality: a transfer from Bank account 1 to Bank account 2 is checked against a business limit: Less than €10.000? Y, the transfer proceeds; N, it is rejected.
  • 24. ERP application. The assumption: the FLAW is that the check only bounds the amount from above; nothing requires it to be positive.
  • 25. ERP application. The attack: a transfer of -€20.000 from Bank account 1 to Bank account 2 satisfies "Less than €10.000?" (Y) and is executed, so €20.000 moves from Bank account 2 into Bank account 1.
  • 26. Many applications use numeric limits and beating such limits may have serious business consequences
  • 27. RECOMMENDED HACK STEPS
Try entering negative values
Sometimes several steps need to be repeated to bring the application into a vulnerable state
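The business-limit bypass from slides 23 to 27, as an added example that is not part of the talk or of any real ERP system: the flawed transfer checks only that the amount is below the limit, so -20000 passes and the bookkeeping moves 20000 the other way; the corrected transfer parses the amount as a Decimal and requires it to be finite, strictly positive, below the limit and covered by the source balance. Account names and balances are constructed for this example.

```python
# Added example (not from the talk or any real ERP system): a transfer that
# is checked only against an upper business limit, beside one that also
# requires the amount to be a positive, finite number and the source
# account to cover it. Account names and balances are constructed here.
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("10000")                       # the slide's "less than €10.000"


class TransferRejected(Exception):
    pass


def sample_accounts():
    """Constructed balances; account1 is the attacker's, account2 a victim's."""
    return {"account1": Decimal("0"), "account2": Decimal("50000")}


def transfer_vulnerable(accounts, src, dst, amount_text):
    """FLAW: 'amount < LIMIT' is the only check, so -20000 is accepted and the
    bookkeeping below moves 20000 from dst into src."""
    amount = Decimal(amount_text)
    if amount >= LIMIT:
        raise TransferRejected("amount exceeds business limit")
    accounts[src] -= amount
    accounts[dst] += amount


def transfer_fixed(accounts, src, dst, amount_text):
    """Validate the amount as a quantity, not just against the ceiling."""
    try:
        amount = Decimal(amount_text)
    except InvalidOperation:
        raise TransferRejected("amount is not a number") from None
    if not amount.is_finite() or amount <= 0:
        raise TransferRejected("amount must be a positive number")
    if amount >= LIMIT:
        raise TransferRejected("amount exceeds business limit")
    if src == dst or src not in accounts or dst not in accounts:
        raise TransferRejected("invalid accounts")
    if accounts[src] < amount:
        raise TransferRejected("insufficient funds")
    accounts[src] -= amount
    accounts[dst] += amount


def attempt(transfer, accounts, src, dst, amount_text):
    """Run one transfer and report whether the server accepted it."""
    try:
        transfer(accounts, src, dst, amount_text)
        return True
    except TransferRejected:
        return False


if __name__ == "__main__":
    for fn in (transfer_vulnerable, transfer_fixed):
        accts = sample_accounts()
        ok = attempt(fn, accts, "account1", "account2", "-20000")
        print(fn.__name__, "accepted" if ok else "rejected", accts)
```

Decimal is used on purpose: the same input field also accepts "1E+4", "NaN" and "-Infinity", and a float-based check can behave differently on each of them, so the corrected version rejects anything that is not a finite positive number before comparing it with the limit.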
  • 28. 04 Cheating on bulk discounts
  • 29. Retail application. The functionality: the Shopping basket holds Item 1 €..., Item 2 €..., Item 3 €...; buying them together as a Purchase bundle gives -25%.
  • 30. Retail application. The assumption: the FLAW is that the -25% adjustment is applied once, when the bundle is complete, and is not recomputed when the basket changes.
  • 31. Retail application. The attack: ATTACK, add the complete Purchase bundle to obtain the -25%, then remove items from the Shopping basket; the adjustment stays.
  • 32. RECOMMENDED HACK STEPS
Find out if adjustments are made on a one-time basis
Try to manipulate the application’s behavior to get adjustments that don’t correspond to the original intended criteria
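The one-time adjustment from slides 29 to 32, as an added example that is not part of the talk or of any real shop: the flawed basket books the bundle discount the moment the bundle is complete and keeps it when items are removed, so the total can go negative; the corrected basket derives the discount from the current contents every time the total is computed and never lets the total drop below zero. Item names, prices and the 25% rate are constructed for this example.

```python
# Added example (not from the talk or any real shop): a basket that books the
# bundle discount once, when the bundle is first complete, beside one that
# derives the discount from the basket's current contents every time the
# total is computed. Item names, prices and the 25% rate are constructed here.
from decimal import Decimal

PRICES = {"item1": Decimal("100"), "item2": Decimal("200"), "item3": Decimal("300")}
BUNDLE = frozenset(PRICES)                       # buy all three to get the bundle
BUNDLE_DISCOUNT = Decimal("0.25")                # the slide's -25%


class BasketOneTimeAdjustment:
    """FLAW: the adjustment is written into the basket when the bundle is
    completed and never revisited when items are removed."""

    def __init__(self):
        self.items = []
        self.adjustment = Decimal("0")

    def add(self, item):
        self.items.append(item)
        if self.adjustment == 0 and BUNDLE <= set(self.items):
            self.adjustment = -BUNDLE_DISCOUNT * sum(PRICES[i] for i in BUNDLE)

    def remove(self, item):
        self.items.remove(item)                  # the adjustment stays

    def total(self):
        return sum(PRICES[i] for i in self.items) + self.adjustment


class BasketRecomputed:
    """The discount is a function of the current contents, and the total is
    never allowed to go below zero."""

    def __init__(self):
        self.items = []

    def add(self, item):
        self.items.append(item)

    def remove(self, item):
        self.items.remove(item)

    def total(self):
        subtotal = sum(PRICES[i] for i in self.items)
        discount = Decimal("0")
        if BUNDLE <= set(self.items):
            discount = BUNDLE_DISCOUNT * sum(PRICES[i] for i in BUNDLE)
        return max(subtotal - discount, Decimal("0"))


def bundle_then_strip(basket_cls):
    """The attack from the slides: complete the bundle, then remove items."""
    basket = basket_cls()
    for item in ("item1", "item2", "item3"):
        basket.add(item)
    basket.remove("item2")
    basket.remove("item3")
    return basket.total()


if __name__ == "__main__":
    print("one-time adjustment:", bundle_then_strip(BasketOneTimeAdjustment))   # -50
    print("recomputed:         ", bundle_then_strip(BasketRecomputed))          # 100
```

Recomputing at every total is the general form of the fix: whatever criteria earned the adjustment (bundle, volume, coupon) are re-evaluated against the basket as it is when the order is placed, not as it was when the adjustment was first granted.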
  • 33. 05 Escaping from escaping
  • 34. Web application. The functionality: User-controllable input is placed into an Operating system command after sanitization: each of the metacharacters ; | & < > ` space newline is escaped with the backslash character.
  • 35. Web application. The assumption: the FLAW is that the backslash character is not itself in the list, so an attacker-supplied backslash survives unescaped.
  • 36. Web application. The attack: ATTACK, the input carries a backslash immediately before the metacharacter the sanitizer would escape.
  • 37. Web application. COMMAND INJECTION. With the input Foo\;ls the sanitizer prepends a backslash to the semicolon, yielding Foo\\;ls; the shell reads the doubled backslash as one literal backslash, the semicolon is then unescaped and terminates the command, and ls runs.
  • 38. RECOMMENDED HACK STEPS
Attempt to insert relevant metacharacters into the data you control
Always try placing a backslash immediately before each such character
  • 39. This same defect can be found in some defenses against cross-site scripting attacks
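The escaping defect from slides 34 to 39, as an added example that is not part of the talk or of any real application: a sanitizer that backslash-escapes the listed metacharacters but not the backslash, a corrected one that escapes the backslash as well, a small model of how an unquoted POSIX command line is split on an unescaped semicolon, and the stronger fix of not going through a shell at all. The command template, the directory, the allow-list and the payload are assumptions made for this example. The same model carries over to slide 39's remark about cross-site scripting: backslash-escaping quotes inside a JavaScript string while leaving the backslash alone fails in exactly the same way.

```python
# Added example (not from the talk or any real application): a sanitizer that
# backslash-escapes the listed shell metacharacters but not the backslash,
# beside a corrected one, plus a small model of how the shell reads the
# result. The command template, the directory and the input are assumptions.
import re

METACHARS = set(";|&<>` \n")                    # the list from the slide


def sanitize_vulnerable(user_input):
    """FLAW: the backslash itself is not escaped, so an attacker-supplied
    backslash pairs with the one the sanitizer inserts."""
    return "".join("\\" + c if c in METACHARS else c for c in user_input)


def sanitize_fixed(user_input):
    """Escape the escape character along with the metacharacters."""
    return "".join("\\" + c if c in METACHARS or c == "\\" else c for c in user_input)


def build_command(sanitize, user_input):
    return "cat /srv/reports/" + sanitize(user_input)


def shell_commands(cmdline):
    """Model of how a POSIX shell splits an unquoted command line on ';'
    while honouring backslash escapes. A model for this example, not a full
    shell parser (no quotes, pipes or redirections)."""
    commands, current, i = [], [], 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\" and i + 1 < len(cmdline):
            current.append(cmdline[i + 1])        # escaped character is literal
            i += 2
            continue
        if c == ";":                              # unescaped ';' ends a command
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(c)
        i += 1
    commands.append("".join(current).strip())
    return [cmd for cmd in commands if cmd]


def build_argv(user_input):
    """The stronger fix: no shell at all, an allow-list on the file name,
    and an argument vector for subprocess.run(argv) with shell=False."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", user_input) or user_input.startswith("."):
        raise ValueError("report name contains disallowed characters")
    return ["cat", "/srv/reports/" + user_input]


if __name__ == "__main__":
    payload = "Foo\\;ls"                          # the slide's input: Foo\;ls
    for sanitize in (sanitize_vulnerable, sanitize_fixed):
        cmdline = build_command(sanitize, payload)
        print(sanitize.__name__, repr(cmdline), "->", shell_commands(cmdline))
```

With the flawed sanitizer the model yields two commands, the second being ls; with the corrected sanitizer it yields one. Escaping the backslash closes this particular hole, but the argv form is what a reviewer should ask for: the metacharacter list is never complete, and a shell that is never invoked has no metacharacters to abuse.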
  • 40. Yesterday: Dynamic Application Security Testing (DAST). Today: Static Application Security Testing (SAST). Tomorrow: DAST + SAST = Integrated Application Security Testing (IAST).
  • 42. HOW ABOUT SECURITY TESTING?
Fooling a password change function
Proceeding to checkout
Beating a business limit
Cheating on bulk discounts
Escaping from escaping
Speaker: Jouri Dufour, www.ctg.com, jouri.dufour@ctg.com