Web Application Security Testing - Aware in BugDay Bangkok 2012

Agenda • What kind of application security vulnerabilities should be tested? • Methodology for testing • Open source tools available • Prioritizing application security defects Copyright © 2012 Aware Corporation Ltd.

OWASP Top 10OWASP (Open Web Application Security Project) is an organization that provides unbiased andpractical, cost-effective information about computer and Internet applications. Project membersinclude a variety of security experts from around the world who share their knowledge ofvulnerabilities, threats, attacks and countermeasures. http://www.owasp.org Copyright © 2012 Aware Corporation Ltd.

OWASP Top 10 Testing Information Gathering Configuration Web Services Management Divided in 9 Sub CategoriesDenial of Authentication AndService 66 Controls Data Session Validation Management Business Authorization Logic Copyright © 2012 Aware Corporation Ltd.

Top Attacks • SQL Injection – SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. • Cross Site Scripting – Cross-site scripting (XSS) is a type of computer insecurity vulnerability typically found in Web applications (such as web browsers through breaches of browser security) that enables attackers to inject client-side script into Web pages viewed by other users. • Authentication – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions Copyright © 2012 Aware Corporation Ltd.

SQL Injection Account: SKU: 1. Application presents a Account: form to the attackerApplication Layer Knowledge Mgmt Communication HTTP Legacy Systems Administration Bus. Functions HTTP DB Table SKU: E-Commerce Web Services Transactions SQL response 2. Attacker sends an Directories  Accounts Databases request Finance   APPLICATION query   ATTACK  attack in the form data Custom Code 3. Application forwards "SELECT * FROM accounts WHERE attack to the database in Human Resrcs App Server acct=‘’ OR 1=1-- a SQL query ’" 4. Database runs query Billing Web Server Hardened OS containing attack andNetwork Layer Account Summary sends encrypted results Acct:5424-6066-2134-4334 back to application Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 5. Application decrypts Firewall Firewall Acct:4128-0004-1234-0293 data as normal and sends results to the user Copyright © 2012 Aware Corporation Ltd.

Cross Site Scripting 1 Attacker sets the trap – update my profile Application with stored XSS Attacker enters a vulnerability malicious script into a web page that stores the data on the server Knowledge Mgmt Communication Administration Bus. Functions E-Commerce Transactions 2 Victim views page – sees attacker profile Accounts Finance Custom Code Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie Copyright © 2012 Aware Corporation Ltd.

Skip Fish A fully automated, active web application security reconnaissance tool * Server-side SQL injection (including blind vectors, numerical parameters). * Stored and reflected XSS * Directory listing bypass vectors. * External untrusted embedded content. http://code.google.com/p/skipfish/ Copyright © 2012 Aware Corporation Ltd.

Web Application Security Testing - Aware in BugDay Bangkok 2012

by Prathan D.

Accessibility

Categories

Upload Details

Usage Rights

1 Embed 407

Statistics

Web Application Security Testing - Aware in BugDay Bangkok 2012 Presentation Transcript