"WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks

•Download as PPT, PDF•

1 like•964 views

Lohika_Odessa_TechTalks

for Lohika Odessa QA TechTalks - March 26, 2015

Education

WEB applications security testing
Semenov Kirill
COST engineer

• Basic principles of security discredit
• Server side vulnerability
• Client side vulnerability
• SOAP API and JSON API
Agenda

• Security testing essentials
• WEB applications security
• HTTP overview
Basic principles of security discredit
Part I

Security testing essentials
Basic principles of security
discredit
Particle NOT

Security testing essentials
Basic principles of security
discredit

Basic principles of security
discredit
WEB applications security
Network
What can be attacked?
Client Server

Basic principles of security
discredit
WEB applications security Organizations

Basic principles of security
discredit
WEB applications security Instruments

Basic principles of security
discredit
HTTP
WEB Server +
Logics Server
WEB Server +
Logics Server
DBMSDBMS OSOS
SQL • commands
• files
BrowserBrowser
(X)HTTP(S)

Basic principles of security
discredit
HTTP

Server side vulnerability
Part II
• A1 – Injection:
– SQL injection
– File injection
– Code injection
• A2 – Broken Session Management
• A4 – Insecure Direct Object Reference
• A8 – Cross-Site Request Forgery (CSRF)

Server side vulnerability
A1 - Injection
What happens on a Server?

Server side vulnerability
A1 - Injection
Main types of Injections

Server side vulnerability
A1 - Injection
SQL Injection Types

Server side vulnerability
A1 - Injection
How it works - UNION injection

Server side vulnerability
A1 - Injection
How it works – Blind injection

Server side vulnerability
A1 - Injection
How to protect?

Server side vulnerability
A1 - Injection
How to attack?

Server side vulnerability
A1 - Injection
File Injection

Server side vulnerability
A1 - Injection
Code & Command Injection

Server side vulnerability
A2 – Authentication and Session Management

Server side vulnerability
A4 – Insecure Direct Object Reference

Client side vulnerability
A8 – Cross Site Request Forgery
XSS
Trap
Victim
CSRF
Site1
Site2
Trap
Victim

Client side vulnerability
A8 – Cross Site Request Forgery

Client side vulnerability
Part III
• A3 – Cross-Site Scripting (XSS)
o stored
o reflected
• A10 – Unvalidated Redirects

Client side vulnerability
What happens on Client (Browser)?
XSS

Client side vulnerability
A3 - XSS
XSS - execute malicious Java Script code
inside authorized user session, who has
higher privileges than attacker

Client side vulnerability
A3 - XSS
WEB Server
+ Logics
Server
WEB Server
+ Logics
Server
DBMSDBMS OSOS
SQL • commands
• files
(X)HTTP(S)
BrowserBrowser
WEB Server +
Logics Server
WEB Server +
Logics Server
DBMSDBMS OSOS
SQL • commands
• files
BrowserBrowser
(X)HTTP(S)
User
data
Stored Reflected

A3 - XSS
How to attack?
Client side vulnerability

A3 - XSS
How to protect?
Client side vulnerability

Client side vulnerability
A10 – Unvalidated redirects
http://gmail.com/redirect.jsp?url=http://gmeil.com
Same interface
TrapVictim
Valid host Invalid host

SOAP API & JSON API
SOAP UI
• SoapUI is a free and open source cross-platform Functional Testing solution
• http://www.soapui.org/about-soapui/what-is-soapui-.html

What's hot

Continuous Security Testing in a Devops World #OWASPHelsinki

Stephen de Vries

Know Your Security Model

Mikhail Shcherbakov

Continuous Security Testing with Devops - OWASP EU 2014

Stephen de Vries

Rest assured

Yaniv Rodenski

This paper discusses the research outcomes on implementing a runtime application patching algorithm on an insecurely-coded application to protect it against code injection vulnerabilities and other logical issues related to web applications, and will introduce the next generation web application defending technology dubbed as Runtime Application Self-Protection (RASP) that defends against web attacks by working inside your web application. RASP relies on runtime patching to inject security into web apps implicitly without introducing additional code changes. The talk concludes with the challenges in this new technology and gives you an insight on future of runtime protection.

Injecting Security into Web apps at Runtime Whitepaper

Ajin Abraham

Workshop : Application Security

Priyanka Aash

Implementing application security using the .net framework

Lalit Kale

Application Security Workshop

Priyanka Aash

What's hot (8)

Continuous Security Testing in a Devops World #OWASPHelsinki

Know Your Security Model

Continuous Security Testing with Devops - OWASP EU 2014

Rest assured

Injecting Security into Web apps at Runtime Whitepaper

Workshop : Application Security

Implementing application security using the .net framework

Application Security Workshop

Similar to "WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks

Web hackingtools 2015

ColdFusionConference

Web hackingtools 2015

devObjective

Web hackingtools cf-summit2014

ColdFusionConference

The path of secure software by Katy Anton

DevSecCon

Security professionals and full-stack engineers will learn how to defend against distributed denial of service (DDoS) attacks and web application exploits by using automation to monitor activity, configure rate limiting, and deploy network filtering rules. This session will show you how to use Lambda functions to automate event response and integrate with your security operations tools. You will become an expert in advanced techniques to help you protect and monitor your AWS networks and resources using services such as Amazon Virtual Private Cloud, Amazon Web Application Firewall, Amazon Shield, and more. You will also learn how to monitor and gain deep visibility into your AWS environment by using highly-scaled solutions such as AWS CloudTrail and AWS CloudWatch.

SEC304 Advanced Techniques for DDoS Mitigation and Web Application Defense

Amazon Web Services

OWASP top 10-2013

tmd800

Using & Abusing APIs: An Examination of the API Attack Surface

CA API Management

SEC304 Advanced Techniques for DDoS Mitigation and Web Application Defense

Amazon Web Services

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Alexandre Morgaut

Altitude SF 2017: Security at the edge

Fastly

What keeps IT managers awake at night? Worrying whether their website is protected against security vulnerabilities and exploits. In this presentation, Ash Prasad, Director of Engineering at DNN, gives IT managers suggestions on how to secure their .NET websites. Ash shares the tools and techniques he employs to harden the security of websites. If you’re managing .NET websites, this presentation will arm you with tips you can apply right away.

How to Harden the Security of Your .NET Website

DNN

Secure SDLC for Software

Shreeraj Shah

Realities of Security in the Cloud

Alert Logic

Web Application Penetration Test

martinvoelk

Best Practices for Security at Scale

Amazon Web Services

Most software developers have heard about OWASP Top Ten, describing the 10 most critical security vulnerabilities that should be avoided in web applications. However, in order to prevent them, developers must be aware of the proactive controls that should be incorporated from early stages of software development lifecycle. This talk briefly discusses the OWASP Top Ten Proactive Controls and then maps them to the respective OWASP Vulnerabilities that each of them addresses.

Owasp top-ten-mapping-2015-05-lwc

Katy Anton

Vulnerabilities in modern web applications

Niyas Nazar

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

Alert Logic

CSS17: Houston - Protecting Web Apps

Alert Logic

Web Server Technologies II: Web Applications & Server Maintenance

Port80 Software

Similar to "WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks (20)

Web hackingtools 2015

Web hackingtools cf-summit2014

The path of secure software by Katy Anton

SEC304 Advanced Techniques for DDoS Mitigation and Web Application Defense

OWASP top 10-2013

Using & Abusing APIs: An Examination of the API Attack Surface

SEC304 Advanced Techniques for DDoS Mitigation and Web Application Defense

Wakanda and the top 5 security risks - JS.everyrwhere(2012) Europe

Altitude SF 2017: Security at the edge

How to Harden the Security of Your .NET Website

Secure SDLC for Software

Realities of Security in the Cloud

Web Application Penetration Test

Best Practices for Security at Scale

Owasp top-ten-mapping-2015-05-lwc

Vulnerabilities in modern web applications

Css sf azure_8-9-17-protecting_web_apps_stephen coty_al

CSS17: Houston - Protecting Web Apps

Web Server Technologies II: Web Applications & Server Maintenance

More from Lohika_Odessa_TechTalks

OAuth2 Authorization Server Under the Hood

Lohika_Odessa_TechTalks

Microservice architecture is widespread our days. It comes with a lot of benefits and challenges to solve. Main goal of this talk is to go through troubleshooting and debugging in the distributed micro-service world. Topic would cover: main aspects of the logging,  monitoring, distributed tracing, debugging services on the cluster. About speaker: Andrеy Kolodnitskiy is Staff engineer in the Lohika and his primary focus is around distributed systems, microservices and JVM based languages. Majority of time engineers spend debugging and fixing the issues. This talk will be dedicated to best practicies and tools Andrеys team uses on its project which do help to find issues more efficiently.

Debugging Microservices - key challenges and techniques - Microservices Odesa...

Lohika_Odessa_TechTalks

Wide adoption of Microservice Architecture presents a whole new set of challenges for us as developers. Some of them are well-known and understood. About others we do not think until they strike us out of the blue and we spend a lot of sleepless nights trying to figure them out. And communication between services in distributed system is one of the latter. During this Microservice Architecture Odesa #TechTalk we will talk about how to prevent your microservices from becoming a modern-world Tower of Babel. We will discuss how to select appropriate communication mechanisms for most common cases in a distributed system, how should we define API contracts for each of them and what tools are available for us to keep them consistent and evolve them over time. We will touch following topics:  REST vs RPC vs Messaging and how not to get lost with your options.  Contract First development and how it can save time in multi-team environment.  SwaggerHub as a single Point of truth for REST API  Best practices for gRPC contracts and how to deal with changes in them. About speaker: Andrii Barsukov is Senior .NET developer at Lohika, with 5+ years of commercial experience in development of microservice applications. Currently participating in development of microservice-based financial system, which includes 20+ microservices developed by 10 separate development teams. And some of the challenges that we faced during its development I'd like to share.

Design and Evolution of APIs in Microservice Architecture

Lohika_Odessa_TechTalks

На JavaScript Odesa #TechTalks мы поговорили о микрофронтендах как о современном архитектурном стиле проектирования для фронтенд разработки, который облегчает поддержку и деплой обновлений для крупных проектов. Также мы обсудили: Что такое микрофронтенды? Как использовать их с старым проектом? Монорепа vs мультирепа и почему? О спикере: Максим Белкин, Senior Software Engineer с 10-летним опытом коммерческой разработки веб-приложений. У Максима большой опыт в создании одностраничных приложений с использованием современных фреймворков и инструментов, а также большой опыт в области серверной разработки и создания REST API. Он также обладает глубокими знаниями в области объектно-ориентированной разработки, алгоритмов, кодирования и шаблонов тестирования и имеет опыт в гибкой разработке программного обеспечения, включая роли SCRUM Master и Team Lead.

Micro-frontends – is it a new normal?

Lohika_Odessa_TechTalks

There are a lot of things in multi-threading world, which we, as engineers, have to consider while developing applications. During Golang Odesa #TechTalks we will talk about three main problems – data races, race conditions, and deadlocks. Also, we will discuss how to avoid fantom bugs and do not shoot yourself in the foot while developing Golang applications About speaker: Oleksandr Karlov is Golang Team Lead at Lohika. Currently, Oleksandr is working on SLO project, which helps engineers to control reliability of their services. Before that he worked on CDN and statistics platform.

Multithreading in go

Lohika_Odessa_TechTalks

Druid is one useful and popular tool in the Big Data world. It is this OLAP system that allows you to efficiently process, store and query data. Which confirms the demand for Druid among tools in the Big Data processing environment. With Vladimir Iordanov we will talk about how Druid works, what it consists of and what its capabilities are. Vladimir will introduce us to the Druid components, talk about the cluster architecture, how data processing is going on.

Druid - Interactive Analytics At Scale

Lohika_Odessa_TechTalks

Jenkins до сих пор один из лидеров CI/CD продуктов. Поэтому стоит понимать, что он может и как этим правильно пользоваться. К тому же, этот проект всё ещё обновляется и нам желательно следить за новыми возможностями, которые он нам даёт. В этот раз мы поговорим: – о Jenkins pipelines and shared libraries – какими они бывают, как и когда их надо использовать,. – отличиях scripted и declarative вариантов. – когда необходимо использовать shared library – как легко настроить и начать пользоваться Jenkins в Kubernetes с использованием Jenkins configuration as code. Доклад будет актуален для: DevOps engineers, Configuration managers, Developers who are tired of their jobs and they decided to make some Jenkins) О спикере: Дмитрий Кулешов – DevOps Engineer с 10-летним опытом работы в области информационных технологий.

DevOps Odessa #TechTalks 21.01.2020

Lohika_Odessa_TechTalks

Я поделюсь с вами опытом разработки конвейерных скриптов Jenkins для организации процессов непрерывной интеграции и развертывания микросервисов. Акцент будет сделан на применении средств Jenkins для разделяемых библиотек. Я продемонстрирую подходы к созданию модульных, тестируемых и повторно используемых компонентов для сборки и развертывания. Доклад будет полезен каждому, кто так или иначе связан с автоматизацией непрерывной интеграции и развертывания ПО, будь то разработчик или же DevOps

Jenkins' shared libraries in action

Lohika_Odessa_TechTalks

Доклад будет интересен тем, кто хочет воспользоваться одним из самых популярных инструментов для мониторинга с минимальными затратами времени и усилий, и без предыдущего опыта внедрения систем мониторинга . Мы рассмотрим конкретный случай внедрения на проекте "с нуля", расширение базового функционала и обсудим возможные "подводные камни" дальнейшей поддержки

Prometheus: infrastructure and application monitoring in kubernetes cluster

Lohika_Odessa_TechTalks

Тема доклада «React и его архитектурная периферия» React - мощнейшая библиотека для создания технических интерфейсов, но порой одного реакта не достаточно для полноценной и гибкой разработки. Мы будем обсуждать и сравнивать разные подходы для разработки современных React приложений. В программе: React&Redux, React&Meteor, React&Relay, React&MobX, React&PRPL

Architectural peripherals of react by Vadym Zhiltsov

Lohika_Odessa_TechTalks

React native by example by Vadim Ruban

Lohika_Odessa_TechTalks

Aws lambda by Leonid Amigud

Lohika_Odessa_TechTalks

“In my presentation I’ll try to list the first steps that you should make on a new project in your new role. Also we will review different types of projects and challenges that you may have. I hope that my experience and suggestions, I’m about to share, will help you dive into management role quickly and painlessly. “ This presentation will be useful for everyone who wants to be a manager, to grow in this direction and who is absolutely sure that one day he or she will be promoted. It might be useful for everyone who has been promoted recently and still feels that he/she doesn’t have enough experience with different projects.

Congratulations, you have been promoted to a manager role. You`ve got new pro...

Lohika_Odessa_TechTalks

“The core of every successful project is motivated and professional team, but what can be done when the comfort zone has been reached and nothing makes your team work with the same enthusiasm? In this session, we would like to discuss with you the cause of the syndrome "weary professional“ , why it is bad and which non-standard approaches can be used for solving this problem. Presentation will be particularly useful for those who are somehow connected with the management staff or aspire to be Team Leaders.

"Don't touch me and give me my money" or how motivate people who can but don...

Lohika_Odessa_TechTalks

Docker based Architecture by Denys Serdiuk

Lohika_Odessa_TechTalks

SparkSpark in the Big Data dark by Sergey Levandovskiy

Lohika_Odessa_TechTalks

Burnout and how to avoid it in your team. Responsible person's issue by Andre...

Lohika_Odessa_TechTalks

Performance evaluation process as a way to empower your employees and help th...

Lohika_Odessa_TechTalks

Selenium with py test by Alexandr Vasyliev for Lohika Odessa Python TechTalks

Lohika_Odessa_TechTalks

" Performance testing for Automation QA - why and how " by Andrey Kovalenko f...

Lohika_Odessa_TechTalks

More from Lohika_Odessa_TechTalks (20)

OAuth2 Authorization Server Under the Hood

Debugging Microservices - key challenges and techniques - Microservices Odesa...

Design and Evolution of APIs in Microservice Architecture

Micro-frontends – is it a new normal?

Multithreading in go

Druid - Interactive Analytics At Scale

DevOps Odessa #TechTalks 21.01.2020

Jenkins' shared libraries in action

Prometheus: infrastructure and application monitoring in kubernetes cluster

Architectural peripherals of react by Vadym Zhiltsov

React native by example by Vadim Ruban

Aws lambda by Leonid Amigud

Congratulations, you have been promoted to a manager role. You`ve got new pro...

"Don't touch me and give me my money" or how motivate people who can but don...

Docker based Architecture by Denys Serdiuk

SparkSpark in the Big Data dark by Sergey Levandovskiy

Burnout and how to avoid it in your team. Responsible person's issue by Andre...

Performance evaluation process as a way to empower your employees and help th...

Selenium with py test by Alexandr Vasyliev for Lohika Odessa Python TechTalks

" Performance testing for Automation QA - why and how " by Andrey Kovalenko f...

Recently uploaded

General Principles of Intellectual Property: Concepts of Intellectual Proper...

Poonam Aher Patil

A Transgenic animal is one that carries a foreign gene that has been deliberately inserted into its genome. The foreign gene are inserted into the germ line of the animal, so it can be transmitted to the progeny. Transgenic animals are animals that are genetically altered to have traits that mimic symptoms of specific human pathologies. They provide genetic model of various human disease which are important in understanding disease and development of new target.

Role Of Transgenic Animal In Target Validation-1.pptx

NikitaBankoti2

Unit-IV; Professional Sales Representative (PSR).pptx

VishalSingh1417

Unit-V; Pricing (Pharma Marketing Management).pptx

VishalSingh1417

Z Score,T Score, Percential Rank and Box Plot Graph

Thiyagu K

Micro-Scholarship, What it is, How can it help me.pdf

Poh-Sun Goh

Basic Civil Engineering notes first year Notes Building notes Selection of site for Building Layout of a Building What is Burjis, Mutam Building Bye laws Basic Concept of sunlight ventilation in building National Building Code of India Set back or building line Types of Buildings Floor Space Index (F.S.I) Institutional Vs Educational Building Components & function Sills, Lintels, Cantilever Doors, Windows and Ventilators Types of Foundation AND THEIR USES Plinth Area Shallow and Deep Foundation Super Built-up & carpet area Floor Area Ratio (F.A.R) RCC Reinforced Cement Concrete RCC VS PCC

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx

Denish Jangid

Activity 01 - Artificial Culture (1).pdf

ciinovamais

Unit-IV- Pharma. Marketing Channels.pptx

VishalSingh1417

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...

christianmathematics

Class 11th Physics NEET formula sheet pdf

AyushMahapatra5

Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II

Shubhangi Sonawane

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Nguyen Thanh Tu Collection

Web & Social Media Analytics Previous Year Question Paper.pdf

Jayanti Pande

ICT role in 21st century education and it's challenges.

MaryamAhmad92

2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx

MaritesTamaniVerdade

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes

Celine George

Mehran University Newsletter Vol-X, Issue-I, 2024

Mehran University of Engineering & Technology, Jamshoro

1029 - Danh muc Sach Giao Khoa 10 . pdf

QucHHunhnh

This PowerPoint helps students to consider the concept of infinity.

christianmathematics

Recently uploaded (20)

General Principles of Intellectual Property: Concepts of Intellectual Proper...

Role Of Transgenic Animal In Target Validation-1.pptx

Unit-IV; Professional Sales Representative (PSR).pptx

Unit-V; Pricing (Pharma Marketing Management).pptx

Z Score,T Score, Percential Rank and Box Plot Graph

Micro-Scholarship, What it is, How can it help me.pdf

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx

Activity 01 - Artificial Culture (1).pdf

Unit-IV- Pharma. Marketing Channels.pptx

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...

Class 11th Physics NEET formula sheet pdf

Food Chain and Food Web (Ecosystem) EVS, B. Pharmacy 1st Year, Sem-II

TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...

Web & Social Media Analytics Previous Year Question Paper.pdf

ICT role in 21st century education and it's challenges.

2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx

Mixin Classes in Odoo 17 How to Extend Models Using Mixin Classes

Mehran University Newsletter Vol-X, Issue-I, 2024

1029 - Danh muc Sach Giao Khoa 10 . pdf

This PowerPoint helps students to consider the concept of infinity.

"WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks

1. WEB applications security testing Semenov Kirill COST engineer

2. • Basic principles of security discredit • Server side vulnerability • Client side vulnerability • SOAP API and JSON API Agenda

3. • Security testing essentials • WEB applications security • HTTP overview Basic principles of security discredit Part I

4. Security testing essentials Basic principles of security discredit Particle NOT

5. Security testing essentials Basic principles of security discredit

6. Basic principles of security discredit WEB applications security Network What can be attacked? Client Server

7. Basic principles of security discredit WEB applications security Organizations

8. Basic principles of security discredit WEB applications security Instruments

9. Basic principles of security discredit HTTP WEB Server + Logics Server WEB Server + Logics Server DBMSDBMS OSOS SQL • commands • files BrowserBrowser (X)HTTP(S)

10. Basic principles of security discredit HTTP

11. Basic principles of security discredit HTTP

12. Server side vulnerability Part II • A1 – Injection: – SQL injection – File injection – Code injection • A2 – Broken Session Management • A4 – Insecure Direct Object Reference • A8 – Cross-Site Request Forgery (CSRF)

13. Server side vulnerability A1 - Injection What happens on a Server?

14. Server side vulnerability A1 - Injection Main types of Injections

15. Server side vulnerability A1 - Injection SQL Injection Types

16. Server side vulnerability A1 - Injection How it works - UNION injection

17. Server side vulnerability A1 - Injection How it works – Blind injection

18. Server side vulnerability A1 - Injection How to protect?

19. Server side vulnerability A1 - Injection How to attack?

20. Server side vulnerability A1 - Injection File Injection

21. Server side vulnerability A1 - Injection Code & Command Injection

22. Server side vulnerability A2 – Authentication and Session Management

23. Server side vulnerability A4 – Insecure Direct Object Reference

24. Client side vulnerability A8 – Cross Site Request Forgery XSS Trap Victim CSRF Site1 Site2 Trap Victim

25. Client side vulnerability A8 – Cross Site Request Forgery

26. Client side vulnerability Part III • A3 – Cross-Site Scripting (XSS) o stored o reflected • A10 – Unvalidated Redirects

27. Client side vulnerability What happens on Client (Browser)? XSS

28. Client side vulnerability A3 - XSS XSS - execute malicious Java Script code inside authorized user session, who has higher privileges than attacker

29. Client side vulnerability A3 - XSS WEB Server + Logics Server WEB Server + Logics Server DBMSDBMS OSOS SQL • commands • files (X)HTTP(S) BrowserBrowser WEB Server + Logics Server WEB Server + Logics Server DBMSDBMS OSOS SQL • commands • files BrowserBrowser (X)HTTP(S) User data Stored Reflected

30. Client side vulnerability A3 - XSS

31. A3 - XSS How to attack? Client side vulnerability

32. A3 - XSS How to protect? Client side vulnerability

33. Client side vulnerability A3 - XSS Q&A

34. Client side vulnerability A10 – Unvalidated redirects http://gmail.com/redirect.jsp?url=http://gmeil.com Same interface TrapVictim Valid host Invalid host

35. SOAP API & JSON API Part IV

36. SOAP API & JSON API Architecture

37. SOAP API & JSON API SOAP UI • SoapUI is a free and open source cross-platform Functional Testing solution • http://www.soapui.org/about-soapui/what-is-soapui-.html

38. SOAP API & JSON API Q&A

39. Thank You!

Editor's Notes

Иными словами: Нарушение функциональности: НЕвозможность получения санкционированного доступа к функциям и данным системы Нарушение защищенности: возможность получения НЕсанкционированного доступа к данным и функциям
1) Fuzzing-proxy, f.e. Fiddler (intercepting proxy). Fuzzing - перебор всех возможных векторов атаки Manual security code review (debugger) 2) White box-code scanners (HP Fortify) 3) Комбинейшн-ввод вредоносных данных извне (i,.e. блек бокс)+отслеживание обработки приложением этих данных (вайт бокс) 4) Black box-fuzzers (HP Web inspect)
XHTTP-Extended HTTP – все запросы и ответы отправляются исключительно в headers. Остальные данные передаются через XML. Все функции HTTP типа TLS, аутентификации и др. oстаются неизменными
Методы защиты-одни из многих. Простые для проверки. Говорим о них так как время ограничено, соответственно рассматриваем только какие-то конкретные ПОСТ в ГЕТ-уязвимость работает только для простых параметров, не работает для XML JSON и любой другой формы данных Происходит в силу SOAP/REST-работают с XML JSON а не просто с HTML Валидаторы должны быть на обеих сторонах-клиента и сервера. Например, может показывать клиенту что что-то делать нельзя, но по факту это делать можно. Если обошли ограничения на клиенте, сервер не должен пропускать этот обход. (отправили с клиента вредоносное, но сервер ее все равно не принял)
Clear request Headers – Slow POST - http://habrahabr.ru/post/116056/
Код иньекция– компилируемые языки . По сути ломает машину , которая хостит веб-серер(ис) Xpath-говорит иксемелю откуда брать данные. Контролируя икспас можно указывать серверу какие данные выбирать, например для сравнения.
Special symbols-Можно создать White list-список только разрешенных символов, которые можно использовать. Validators + Parametrized query=defense in depth-несколько уровней защиты Parametrized query example: $request = sql_prepare(&apos;insert into table(name) values(:1)&apos;); sql_execute($request, Array(&apos;Вася&apos;)); Так мы отдельно задаем запрос, вместо данных подставляя в него номера связываемых переменных (:1, :2,...)
К удобству пользования фиддлером-можно посмотреть время отклика страницы до тысячной секунды.
Code injection-слишком круто для создания просто файлика на машине которая хостит веб-серис. Так как код иньекция тотально деструктивна в целом.
Пример-доступ к важному файлу осуществляется по ссылке.допустим видит ее только админ, но если ее получит не админ, он так же само может пройти по ней
crossdomain.xml-A cross-domain policy file is an XML document that grants a web client permission to handle data across domains clientaccesspolicy.xml-то же самое
А10-доверительбный сайт-внутри ссылки редирект на левый сайт-кража логин\пароль-редирект на доверительный сайт. Юзер ниче не заметил, креды украли. Запрещать редиректы на сторонние сайты На клиента существует множество атак, но мы рассматриваем ОВАСП топ 10, где на КС всего несколько атак
Special symbols-html encoding кодировка всех символов, с помощью которых можно сделать теги. Можно создать white list-список только разрешенных тегов, которые можно использовать.
Хтмл инсайд-во все формы, которые рефлектяться пользователю.все что контролируется пользователем и выводится на страничке.
Юзер проходит по ссылке, содержащей невалидный редирект, попадает на вредоносный сайт с тем же интерфейсом и вводит личные данные. Затем редиректиться обратно на доверительный сайт.пользователь ничего не заметил, данные украдены
SOAP — Simple Object Access Protocol REST-Representational State Transfer SOAP-может использовать другие протоколы, например SMTP. На практике это реализуется достаточно сложно http://habrahabr.ru/post/75248/ - SOAP vs REST
OWASP SS vulnerabilities Programming language helps to automate routine tasks

"WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks

Recommended

Recommended

More Related Content

What's hot

What's hot (8)

Similar to "WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks

Similar to "WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks (20)

More from Lohika_Odessa_TechTalks

More from Lohika_Odessa_TechTalks (20)

Recently uploaded

Recently uploaded (20)

"WEB applications security testing" by Kirill Semenov for Lohika Odessa QA TechTalks

Editor's Notes