Web Application Security Testing - Aware in BugDay Bangkok 2012

  1. “Quality is the link to Success” Copyright © 2012 Aware Corporation Ltd.
  2. Agenda
     • What kind of application security vulnerabilities should be tested?
     • Methodology for testing
     • Open source tools available
     • Prioritizing application security defects
  3. Testing Security in Web Applications
  4. Case Studies
  5. Web Application Security Testing
  6. Different Security Standards
  7. OWASP Top 10. OWASP (Open Web Application Security Project) is an organization that provides unbiased and practical, cost-effective information about computer and Internet applications. Project members include a variety of security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures. http://www.owasp.org
  8. OWASP Top 10 Testing. Divided into 9 sub-categories (66 controls): Information Gathering, Configuration Management, Authentication, Session Management, Authorization, Business Logic, Data Validation, Denial of Service, Web Services.
  9. Top Attacks
     • SQL Injection – SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database.
     • Cross Site Scripting – Cross-site scripting (XSS) is a vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.
     • Authentication – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.
  10. SQL Injection (diagram: attacker, firewall, web server, app server, database; application layer and network layer)
     1. Application presents a form to the attacker.
     2. Attacker sends an attack in the form data.
     3. Application forwards the attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'".
     4. Database runs the query containing the attack and sends encrypted results (the full account summary) back to the application.
     5. Application decrypts the data as normal and sends the results to the user.
  11. Cross Site Scripting (diagram: application with stored XSS vulnerability)
     1. Attacker sets the trap – "update my profile": attacker enters a malicious script into a web page that stores the data on the server.
     2. Victim views page – sees attacker profile: the script runs inside the victim’s browser with full access to the DOM and cookies.
     3. Script silently sends the victim’s session cookie to the attacker.
  12. Authentication
  13. Tools Overview
  14. Tools
     • Proxies – Burp Suite, Paros, WebScarab, Fiddler
     • FoxyProxy plugin
     • Open source scanners – Skipfish
  15. Burp Suite http://portswigger.net/proxy/
  16. FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/2464/
  17. Skipfish. A fully automated, active web application security reconnaissance tool. Detects:
     * Server-side SQL injection (including blind vectors, numerical parameters)
     * Stored and reflected XSS
     * Directory listing bypass vectors
     * External untrusted embedded content
     http://code.google.com/p/skipfish/
  18. Cheat Sheet
  19. Cheat Sheet
  20. Tools Demonstration
  21. RISK
     • Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Risk = Likelihood * Impact
  22. Prioritizing RISK
  23. Threat Risk (DREAD): Damage potential, Reproducibility, Exploitability, Affected users, Discoverability
  24. (no text on slide)
  25. (no text on slide)
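The SQL injection walk-through on slide 10 (the form value `' OR 1=1--` pasted into the query) side by side with the parameterized form of the same lookup, as an added example that is not part of the original slides; the accounts table and its rows are constructed for the demo.

```python
import sqlite3

# Constructed sample data standing in for the "accounts" table on the slide.
ACCOUNTS = [("1001", "alice"), ("1002", "bob"), ("1003", "carol")]

# The form input shown on slide 10.
PAYLOAD = "' OR 1=1--"


def make_db():
    """Build an in-memory accounts table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Slide step 3: the form value is concatenated straight into the SQL text.

    With PAYLOAD the statement becomes
        SELECT * FROM accounts WHERE acct='' OR 1=1--'
    so the WHERE clause is always true and the trailing quote is commented out.
    """
    sql = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def demo():
    """Return row counts for (vulnerable, parameterized, legitimate) lookups."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)      # every account row comes back
    blocked = lookup_parameterized(conn, PAYLOAD)  # no account is literally named "' OR 1=1--"
    normal = lookup_parameterized(conn, "1002")    # an ordinary lookup still works
    return len(leaked), len(blocked), len(normal)


if __name__ == "__main__":
    print(demo())  # (3, 0, 1)
```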
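The stored XSS scenario on slide 11 (a profile field saved on the server and rendered to other users), shown as a raw-interpolating renderer beside an output-encoding one, plus the cookie flag that keeps a session cookie out of `document.cookie`; this is an added example, not code from the slides, and the profile text and session id are constructed with a harmless marker script.

```python
import html
from http.cookies import SimpleCookie

# Constructed "update my profile" value: a benign marker script rather than a real payload.
STORED_PROFILE = "<script>alert('stored xss')</script>"


def render_profile_vulnerable(name, bio):
    """Interpolates stored values raw: any script saved on the server runs in every viewer's browser."""
    return f"<h1>{name}</h1><p>{bio}</p>"


def render_profile_escaped(name, bio):
    """Output encoding: <, >, &, quotes become entities, so the browser displays text and never executes it."""
    return f"<h1>{html.escape(name)}</h1><p>{html.escape(bio)}</p>"


def session_cookie_header(session_id):
    """Set-Cookie header for the session.

    HttpOnly keeps the cookie out of document.cookie, so a script that does run
    in the page (slide 11, step 3) cannot read and forward it; Secure limits it to HTTPS.
    """
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output()  # "Set-Cookie: session=...; HttpOnly; Path=/; Secure"


def review(name, bio):
    """Return (script tag survives in raw render, script tag survives in escaped render)."""
    raw = render_profile_vulnerable(name, bio)
    safe = render_profile_escaped(name, bio)
    return "<script>" in raw, "<script>" in safe


if __name__ == "__main__":
    print(review("mallory", STORED_PROFILE))  # (True, False)
    print(session_cookie_header("constructed-session-id"))
```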