Web Application Security Testing - Aware in BugDay Bangkok 2012
 

    Presentation Transcript

    • “Quality is the link to Success” Copyright © 2012 Aware Corporation Ltd.
    • Agenda
      • What kind of application security vulnerabilities should be tested?
      • Methodology for testing
      • Open source tools available
      • Prioritizing application security defects
    • Testing Security in Web Applications
    • Case Studies
    • Web Application Security Testing
    • Different Security Standards
    • OWASP Top 10
      OWASP (Open Web Application Security Project) is an organization that provides unbiased and practical, cost-effective information about computer and Internet applications. Project members include a variety of security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures. http://www.owasp.org
    • OWASP Top 10 Testing: divided into 9 sub-categories, 66 controls
      – Information Gathering
      – Configuration Management
      – Authentication
      – Session Management
      – Authorization
      – Business Logic
      – Data Validation
      – Denial of Service
      – Web Services
    • Top Attacks
      • SQL Injection – SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database.
      • Cross Site Scripting – Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications (reaching web browsers through breaches of browser security) that enables attackers to inject client-side script into Web pages viewed by other users.
      • Authentication – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.
    • SQL Injection (diagram: attacker, web application with custom code on an app server behind firewalls, backend database)
      1. Application presents a form to the attacker.
      2. Attacker sends an attack in the form data.
      3. Application forwards the attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
      4. Database runs the query containing the attack and sends encrypted results back to the application.
      5. Application decrypts the data as normal and sends the results (an account summary listing several accounts) to the user.
    • Cross Site Scripting (diagram: application with a stored XSS vulnerability)
      1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server.
      2. Victim views the page (sees the attacker's profile): the script runs inside the victim's browser with full access to the DOM and cookies.
      3. The script silently sends the victim's session cookie to the attacker.
    • Authentication
    • Tools Overview
    • Tools
      • Proxies
        – Burp Suite
        – Paros
        – WebScarab
        – Fiddler
      • FoxyProxy plugin
      • Open source scanners
        – Skipfish
    • Burp Suite http://portswigger.net/proxy/
    • FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/2464/
    • Skipfish – a fully automated, active web application security reconnaissance tool
      – Server-side SQL injection (including blind vectors, numerical parameters)
      – Stored and reflected XSS
      – Directory listing bypass vectors
      – External untrusted embedded content
      http://code.google.com/p/skipfish/
    • Cheat Sheet
    • Tools Demonstration
    • RISK
      • Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business.
        Risk = Likelihood * Impact
    • Prioritizing RISK
    • Threat Risk (DREAD)
      – Damage potential
      – Reproducibility
      – Exploitability
      – Affected users
      – Discoverability
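The five-step SQL injection flow on the "SQL Injection" slide, reproduced as an added example (not code from the presentation or from Aware Corporation). It runs the slide's `' OR 1=1--` form input against a constructed in-memory SQLite table, first through string concatenation (step 3 on the slide) and then through a parameterized query; the `accounts` table, its sample rows and the `is_well_formed_acct` allow-list check are assumptions for this demo.

```python
"""Added example: slide step 3 (attack concatenated into SQL) beside the
parameterized query that removes the vulnerability. SQLite in memory, so it
runs offline. Table layout and account numbers are constructed, not real."""
import re
import sqlite3

# Constructed sample rows; the numbers are not real account identifiers.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", 120.00),
    ("4128-7574-3921-0192", 45.50),
    ("5424-9383-2039-4029", 9001.00),
]

# Attack input from the slide: closes the quoted string, appends an
# always-true condition, and comments out the rest of the query.
ATTACK_INPUT = "' OR 1=1--"

# Assumed format for a valid account number (four groups of four digits).
ACCT_FORMAT = re.compile(r"^\d{4}(?:-\d{4}){3}$")


def make_db():
    """Create the constructed 'accounts' table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Slide step 3: form data is pasted straight into the SQL text.

    With ATTACK_INPUT the statement becomes
        SELECT acct FROM accounts WHERE acct='' OR 1=1--'
    so the WHERE clause is true for every row (slide steps 4 and 5)."""
    query = "SELECT acct FROM accounts WHERE acct='" + acct + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, acct):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so the quote and the comment marker are just characters in
    the account string and match nothing."""
    rows = conn.execute("SELECT acct FROM accounts WHERE acct = ?", (acct,))
    return [row[0] for row in rows]


def is_well_formed_acct(acct):
    """Defence in depth: reject input that does not look like an account
    number before it reaches the database at all."""
    return ACCT_FORMAT.match(acct) is not None


def demo():
    """Run both lookups so the difference can be asserted on."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "5424-6066-2134-4334"),
        "vulnerable_attack": lookup_vulnerable(conn, ATTACK_INPUT),
        "safe_attack": lookup_safe(conn, ATTACK_INPUT),
        "safe_normal": lookup_safe(conn, "5424-6066-2134-4334"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated version returns every account for the attack input, which is exactly the "Account Summary" leak the slide's diagram shows; the parameterized version returns nothing because the database never parses the user's text as SQL. The format check is an extra layer for a reviewer to look for, not a substitute for parameterization.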
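The stored XSS flow on the "Cross Site Scripting" slide, as an added example that is not part of the presentation: a profile field is stored verbatim (step 1), then rendered once without and once with output encoding, so the difference in what reaches the victim's browser (step 2) can be checked. The `profiles` store, the page template, the constructed payload and the `cookie_is_httponly` helper are all assumptions made for this demo; `HttpOnly` is a real cookie attribute that keeps script from reading the session cookie the slide's step 3 relies on.

```python
"""Added example: stored XSS, raw rendering beside escaped rendering, plus a
check that a session cookie carries HttpOnly. Store and template are
constructed for this demo."""
import html
import re

# Constructed in-memory profile store (slide step 1 stores the data server-side).
profiles = {}

# Constructed payload; a benign marker is enough to show the rendering difference.
PAYLOAD = "<script>alert('stored xss')</script>"

# Crude detector for an active script tag, used only to compare the renderers.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)


def save_profile(user, bio):
    """Slide step 1: the server stores whatever the user submitted."""
    profiles[user] = bio


def render_profile_unsafe(user):
    """Stored text is inserted into HTML as-is: the script runs in the
    viewer's browser (slide step 2)."""
    return "<div class='bio'>" + profiles[user] + "</div>"


def render_profile_safe(user):
    """Output encoding: html.escape turns <, >, &, quotes into entities, so
    the browser shows the text instead of executing it."""
    return "<div class='bio'>" + html.escape(profiles[user], quote=True) + "</div>"


def contains_active_script(page):
    """True if the rendered page still contains a real <script> tag."""
    return SCRIPT_TAG.search(page) is not None


def cookie_is_httponly(set_cookie_header):
    """Slide step 3 needs document.cookie to be readable from script;
    an HttpOnly session cookie is not exposed to the DOM."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")]
    return "httponly" in attributes


if __name__ == "__main__":
    save_profile("mallory", PAYLOAD)
    print("unsafe:", render_profile_unsafe("mallory"))
    print("safe:  ", render_profile_safe("mallory"))
    print("HttpOnly:", cookie_is_httponly("sessionid=abc123; Path=/; HttpOnly; Secure"))
```

Escaping at output time is the control a tester should expect to find wherever user-supplied text lands in HTML; the cookie check is a quick way to confirm the session token is out of reach of any script that still slips through.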