Web Application Security Testing
Introduction to Web Application Security Testing
Published in: Technology
Transcript

  • 1. Ayoob Kalathingal, PMP
      Director, Emstell Technology Consulting
      Ayoob.ok@emstell.com
      Kuwait, India, United Kingdom, Saudi Arabia
  • 2. Objectives
      Understand the need for securing the application layer of web-based applications.
      Understand the various web application vulnerabilities, their impact and countermeasures.
      Security testing.
      www.emstell.com
  • 3. Why web application security matters
      Web applications have evolved from static pages to a more interactive set-up. This interaction has exposed the technical deficiencies of web applications in the form of vulnerabilities.
      Dependency on the internet to carry out critical and sensitive business transactions has increased, so the stakes involved are very high.
      "Over 50% of security attacks are targeted on web based applications" - Gartner report
      Competition is so high that enterprises cannot ignore the risk associated with their vulnerable applications. The loss incurred could range from monetary losses to loss of credibility; in certain cases it could mean the end of the business.
  • 4. Regulations and standards
      Many countries have come up with strict rules and regulations on the information security of businesses:
        IT Act - India (Information Technology Act, 2000, amended 2008; the IT Rules, 2011 add the reasonable security practices requirements)
        PIPEDA - Canada (Personal Information Protection and Electronic Documents Act)
        HIPAA - U.S., 1996 (Health Insurance Portability and Accountability Act)
      Business customers are increasingly aware of system security and are demanding security and quality certifications for the systems they buy:
        ISO 27001
        PCI DSS - Payment Card Industry Data Security Standard
  • 5. A large number of applications are reaching the hands of the common man, carrying out transactions with personal and financial data.
      More and more applications are moving to the cloud, where the data of multiple users or enterprises is stored on a single server or in shared data centres.
      "Application security is no longer a luxury; it's business."
  • 6. Security goals
      Confidentiality - ensuring that information is accessible only to those authorized to see it.
      Integrity - safeguarding the accuracy and completeness of information and of the methods that process it.
      Availability - ensuring that authorized users have access to information and associated assets when required.
      Accountability - ensuring that every action on information can be traced to the authorized user who performed it, so that misuse can be detected and attributed.
  • 7. [Diagram: Client --HTTP traffic--> Firewall (port 80 open) --> Web Server --> App Server --> DB]
      The firewall must leave port 80 open for the site to work, so every request, including an attacker's, reaches the web and application servers over plain HTTP. Network-layer controls do not inspect what the application does with that input; the application layer has to defend itself.
  • 8. SQL query, built by string concatenation in the application (VB/ASP style):
        "SELECT user FROM Users WHERE Username = '" & strName & "' AND Password = '" & strPassword & "'"
      Query with valid input (strName = avis, strPassword = avis):
        SELECT user FROM Users WHERE Username = 'avis' AND Password = 'avis'
  • 9. Query with tampered input (strName = avis';--, any value for strPassword):
        SELECT user FROM Users WHERE Username = 'avis';-- ' AND Password = '<anything>'
      The injected single quote closes the string literal, ";" ends the statement and "--" turns everything after it, including the password check, into a comment. The database returns the user without a valid password ever being supplied.
  • 10. Web application attack classes (grouped as in the WASC Threat Classification):
      Authentication: Brute Force; Weak Password Recovery Policy; Insufficient Authentication
      Authorization: Credential/Session Prediction; Insufficient Session Expiration; Session Fixation; Insufficient Authorization
      Client-Side Attacks: Content Spoofing; Cross-Site Scripting
      Command Execution: Buffer Overflow; Format String Attack; LDAP Injection; OS Commanding; SQL Injection; SSI Injection; XPath Injection
      Information Disclosure: Directory Indexing; Information Leakage; Path Traversal; Predictable Resource Location
      Logical Attacks: Abuse of Functionality; Denial of Service; Insufficient Anti-Automation; Insufficient Process Validation
  • 11. Impact of SQL injection
      Non-availability (by bringing the database down)
      Breach of confidentiality (by viewing other users' records)
      Breach of integrity (by updating other users' records)
      Impersonation (by logging into accounts without a valid password)
      + business impacts
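The following is an added example and not code from the slides: it rebuilds the login query of slides 8 and 9 by string concatenation, shows the tampered username bypassing the password check (the impersonation impact listed on slide 11), and puts the parameterised version of the same query beside it. It runs against an in-memory SQLite database; the two user accounts are constructed sample data, and the table and column names follow the slide.

```python
# Added example, not from the slides: vulnerable concatenated login query
# (slides 8-9) beside its parameterised fix, run against constructed data.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed Users table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [("Avis K.", "avis", "avis"), ("Site Admin", "admin", "s3cret!")],
    )
    conn.commit()
    return conn


def build_query_vulnerable(username: str, password: str) -> str:
    """Mirror the slide's VB-style concatenation:
    "... Username = '" & strName & "' AND Password = '" & strPassword & "'"
    Whatever the user typed lands inside the SQL text, unescaped."""
    return (
        "SELECT user FROM Users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable login: returns the matched display name, or None."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: the input is data, never SQL text,
    so a quote or comment marker in it cannot change the statement."""
    row = conn.execute(
        "SELECT user FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tampered = "avis';--"  # the slide's tampered username
    print(build_query_vulnerable(tampered, "wrong"))
    print("vulnerable:", login_vulnerable(db, tampered, "wrong"))   # Avis K.
    print("vulnerable:", login_vulnerable(db, "admin';--", ""))     # Site Admin
    print("safe:      ", login_safe(db, tampered, "wrong"))          # None
```

The second vulnerable call shows why this is impersonation rather than a mere bypass: the attacker names any account they like and the password check is commented out of the statement. The parameterised query returns None for both tampered inputs because the driver sends the username as a bound value, so `avis';--` is simply a string that matches no row.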
  • 12. Countermeasures
      Strong and secure systems, firewalls and antivirus.
      Proper input validation.
      Following standard secure coding practices.
      Have a strong password policy in place.
      Use strong (unpredictable) session ID generation algorithms.
      Encode output rather than echoing raw input back into pages, and disable scripting where it is not needed.
      Grant only the necessary privileges to the accounts used to connect to the database.
      Implement and configure proper access control mechanisms on the web server.
      Application security testing, and fixing the vulnerabilities found.
      Educating the users.
  • 13. Security testing
      "Though the significant attacks over time were of a zero-day nature, these form a much smaller count of the total attacks." Most attacks exploit known classes of flaws, which is what testing looks for.
      Test based on the target and its users.
      Types of test: Vulnerability Assessment; Penetration Testing.
      Manual - a team of security experts manually probes the application for common flaws.
      Automated - a tool is used to test the application for flaws. Automated results contain false positives, so every finding must be confirmed by hand before it is reported or fixed.
  • 14. "The cost of quality is higher in the later stages of an application."
      Application security should be part of application development and incorporated into the SDLC process.
      Integrate security testing into the build.
      Educate the users, using the best media and creative formats.
  • 15. Ref: www.owasp.orgwww.emstell.com
  • 16. Emstell Technology Consulting is a technology firm offering enterprise-level software quality assurance and testing services, and ERP solutions in the education sector.
      Our media team delivers creative animated videos for educating users on company policies and for explaining business and promotion.
      We deliver ERP solutions in:
        Web-enabled school management
        Library management
        Business accounting and inventory
  • 17. Ayoob Kalathingal, PMP
      Director, Emstell Technology Consulting
      Ayoob.ok@emstell.com
      Kuwait, India, United Kingdom, Saudi Arabia