OWASP Testing


Creative Commons Attribution-NonCommercial-ShareAlike License

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

OWASP Testing

  1. OWASP Testing, by Francesco Iovine. Università degli Studi di Roma "Tor Vergata", Faculty of Engineering, Computer and Internet Security course, 14 June 2012. http://www.flickr.com/photos/purpleslog/2880224058/
  2. Testing Techniques
  3. http://www.flickr.com/photos/fargazzi/4110399904/
  4. Manual Inspections & Reviews
     - Analyzing documentation
     - Performing interviews with the designers or system owners
     - Reviewing the documentation, secure coding policies, security requirements, and architectural designs
  5. Manual Inspections & Reviews: Advantages
     - Requires no supporting technology
     - Can be applied to a variety of situations
     - Flexible
     - Promotes teamwork
     - Early in the SDLC
  6. Manual Inspections & Reviews: Disadvantages
     - Can be time consuming
     - Supporting material not always available
     - Requires significant human thought and skill to be effective!
  7. Threat Modeling
     - Decomposing the application
     - Defining and classifying the assets
     - Exploring potential vulnerabilities
     - Exploring potential threats
     - Creating mitigation strategies
  8. Threat Modeling: Advantages
     - Practical attacker's view of the system
     - Flexible
     - Early in the SDLC
     Disadvantages
     - Relatively new technique
     - Good threat models don't automatically mean good software
  9. http://www.flickr.com/photos/fraserspeirs/3394902061/
  10. Code Review: "if you want to know what's really going on, go straight to the source."
  11. Code Review: Advantages
      - Completeness and effectiveness
      - Accuracy
      - Fast (for competent reviewers)
  12. Code Review: Disadvantages
      - Requires highly skilled security developers
      - Can miss issues in compiled libraries
      - Cannot detect run-time errors easily
      - The source code actually deployed might differ from the one being analyzed
  13. Penetration Testing
      - Also commonly known as black box testing or ethical hacking
      - Testing a running application remotely to find security vulnerabilities
      - No need to know the inner workings of the application itself
  14. Penetration Testing: Advantages
      - Can be fast (and therefore cheap)
      - Requires a relatively lower skill-set than source code review
      - Tests the code that is actually being exposed
      Disadvantages
      - Too late in the SDLC
      - Front impact testing only!
  15. Threat Modeling
  16. Threat Modeling
      1 - Decompose the application
      2 - Determine and rank threats
      3 - Determine countermeasures and mitigation
  17. 1 - Decompose the application
  19. 2 - Determine and rank threats (STRIDE)
      - Spoofing
      - Tampering
      - Repudiation
      - Information disclosure
      - Denial of service
      - Elevation of privilege
  20. 2 - Determine and rank threats
  21. 3 - Determine countermeasures and mitigation
      - Authentication
      - Authorization
      - Configuration management
      - Data Protection in Storage and Transit
      - Data Validation / Parameter Validation
      - Error Handling and Exception Management
      - User and Session Management
      - Auditing and Logging
  22. 3 - Determine countermeasures and mitigation
      Mitigation strategies:
      1. Do nothing
      2. Inform about the risk
      3. Mitigate the risk
      4. Accept the risk
      5. Transfer the risk
  23. Code Review
  24. Data Validation: Log Injection (Java)
      String pageName = getPageName(request.getRequestURI());
      String action = getParameter("action");
      String logline = pageName + "|" + action + "|" + ... ;
      profileLogger.log(logline);
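The slide shows the request values concatenated straight into the log line. As an added example (not the slide's own code), the sanitiser below neutralises CR/LF and other control characters so an untrusted value cannot forge a second log record; the method and class names are mine.

```java
// Added example, not from the slides: a sanitiser that keeps untrusted
// request values from forging extra lines in a line-oriented log.
public class LogInjectionDemo {

    // Replaces CR, LF and other control characters with a visible escape so
    // the logged value can never start a new log record.
    static String sanitizeForLog(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            if (c == '\r') {
                sb.append("\\r");
            } else if (c == '\n') {
                sb.append("\\n");
            } else if (Character.isISOControl(c)) {
                sb.append(String.format("\\x%02x", (int) c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // The slide's pattern: untrusted fields concatenated as-is.
    static String vulnerableLogLine(String pageName, String action) {
        return pageName + "|" + action + "|";
    }

    // Hardened form: every untrusted field is sanitised before concatenation.
    static String safeLogLine(String pageName, String action) {
        return sanitizeForLog(pageName) + "|" + sanitizeForLog(action) + "|";
    }

    public static void main(String[] args) {
        // Constructed input: an "action" parameter carrying a newline followed
        // by text shaped like a second, legitimate-looking record.
        String action = "view\nforged|record";
        System.out.println("vulnerable:\n" + vulnerableLogLine("/profile", action));
        System.out.println("safe:\n" + safeLogLine("/profile", action));
    }
}
```

The vulnerable form prints two records for one request; the hardened form prints a single record in which the injected newline is visible as the literal text `\n`.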
  25. Data Validation: Reflected Cross Site Scripting (Java)
      String fromPage = request.getRequestURI() + "?";
      Iterator<String> it = request.getParameterMap().keySet().iterator();
      while (it.hasNext()) {
          String key = it.next();
          String value = request.getParameter(key);
          fromPage += (key + "=" + StringEscapeUtils.escapeHtml(value) + "&");
      }
  26. Data Validation: Reflected Cross Site Scripting (JSP)
      <div onclick="window.location.href=${sessionScope['scopedTarget.userData'].fromPage}"></div>
      https://Host/nonExistent.htm?">aa=valoreParametro
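In the two slides above, `escapeHtml` is applied to the parameter values but the request URI is reflected unencoded, and the whole value lands inside a JavaScript expression within an `onclick` attribute, a context HTML escaping alone does not cover. As an added example (not the slide's code; class and method names are mine), the snippet below encodes the value for the JavaScript string it is placed in and then for the HTML attribute that carries it, following the OWASP XSS prevention rule for that nesting.

```java
// Added example, not from the slides: context-aware encoding for a value
// reflected into a JavaScript string inside an HTML event attribute.
public class ReflectedXssDemo {

    // Encodes for a JavaScript string literal: every non-alphanumeric ASCII
    // char becomes \xHH, anything else \uHHHH, so no quote, '<' or '>' can
    // close the string or the surrounding tag.
    static String encodeForJavaScript(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    // Encodes for an HTML attribute value: &, <, >, ", ' become entities.
    static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // The div from the slide, rebuilt so fromPage sits inside a quoted JS
    // string, which is then encoded for the attribute that carries it.
    static String renderDiv(String fromPage) {
        String js = "window.location.href='" + encodeForJavaScript(fromPage) + "'";
        return "<div onclick=\"" + encodeForHtmlAttribute(js) + "\"></div>";
    }

    public static void main(String[] args) {
        // Constructed input modelled on the slide's test URL: a quote and '>'
        // that would otherwise terminate the attribute and the tag.
        System.out.println(renderDiv("/nonExistent.htm?\">aa=valoreParametro"));
    }
}
```

The browser decodes the attribute entities back to the quoted JavaScript string, and the `\xHH` escapes are only resolved by the JavaScript parser as characters inside that string, so the reflected quote and `>` never reach the HTML parser.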
  27. Data Validation: Output Encoding (JSP)
      <form action="op.htm?number=${param.number}" method="POST">
  28. Session Management: Anti-Clickjacking Countermeasures
      HTML/CSS/JavaScript:
      <style> html { display: none; } </style>
      <script>
        if (self == top) {
          document.documentElement.style.display = "block";
        } else {
          top.location = self.location;
        }
      </script>
      HTTP headers:
      X-Frame-Options: SAMEORIGIN
      X-Content-Security-Policy: allow *; options inline-script eval-script; frame-ancestors self;
  29. Penetration Testing
  30. Information Gathering
      - Testing: Spiders, robots, and Crawlers (OWASP-IG-001)
      - Search engine discovery/Reconnaissance (OWASP-IG-002)
      - Identify application entry points (OWASP-IG-003)
      - Testing for Web Application Fingerprint (OWASP-IG-004)
      - Application Discovery (OWASP-IG-005)
      - Analysis of Error Codes (OWASP-IG-006)
  31. Configuration Management
      - SSL/TLS Testing (OWASP-CM-001)
      - DB Listener Testing (OWASP-CM-002)
      - Infrastructure configuration management testing (OWASP-CM-003)
      - Application configuration management testing (OWASP-CM-004)
      - Testing for File extensions handling (OWASP-CM-005)
      - Old, backup and unreferenced files (OWASP-CM-006)
      - Infrastructure and Application Admin Interfaces (OWASP-CM-007)
      - Testing for HTTP Methods and XST (OWASP-CM-008)
  32. Authentication Testing
      - Credentials transport over an encrypted channel (OWASP-AT-001)
      - Testing for user enumeration (OWASP-AT-002)
      - Default or guessable (dictionary) user account (OWASP-AT-003)
      - Testing For Brute Force (OWASP-AT-004)
      - Testing for Bypassing authentication schema (OWASP-AT-005)
      - Testing for Vulnerable remember password and pwd reset (OWASP-AT-006)
      - Testing for Logout and Browser Cache Management (OWASP-AT-007)
      - Testing for Captcha (OWASP-AT-008)
      - Testing for Multiple factors Authentication (OWASP-AT-009)
      - Testing for Race Conditions (OWASP-AT-010)
  33. Session Management Testing
      - Testing for Session Management Schema (OWASP-SM-001)
      - Testing for Cookies attributes (OWASP-SM-002)
      - Testing for Session Fixation (OWASP-SM-003)
      - Testing for Exposed Session Variables (OWASP-SM-004)
      - Testing for CSRF (OWASP-SM-005)
  34. Authorization testing
      - Testing for path traversal (OWASP-AZ-001)
      - Testing for bypassing authorization schema (OWASP-AZ-002)
      - Testing for Privilege Escalation (OWASP-AZ-003)
      - Business logic testing (OWASP-BL-001)
  35. Data Validation testing
      - Testing for Reflected Cross Site Scripting (OWASP-DV-001)
      - Testing for Stored Cross Site Scripting (OWASP-DV-002)
      - Testing for DOM based Cross Site Scripting (OWASP-DV-003)
      - Testing for Cross Site Flashing (OWASP-DV-004)
  36. Data Validation testing
      - SQL Injection (OWASP-DV-005)
      - LDAP Injection (OWASP-DV-006)
      - ORM Injection (OWASP-DV-007)
      - XML Injection (OWASP-DV-008)
      - SSI Injection (OWASP-DV-009)
      - XPath Injection (OWASP-DV-010)
      - IMAP/SMTP Injection (OWASP-DV-011)
      - Code Injection (OWASP-DV-012)
  37. Data Validation testing
      - OS Commanding (OWASP-DV-013)
      - Buffer overflow Testing (OWASP-DV-014)
      - Testing for HTTP Splitting/Smuggling (OWASP-DV-016)
  38. Denial of Service Testing
      - Testing for SQL Wildcard Attacks (OWASP-DS-001)
      - Locking Customer Accounts (OWASP-DS-002)
      - Buffer Overflows (OWASP-DS-003)
      - User Specified Object Allocation (OWASP-DS-004)
      - User Input as a Loop Counter (OWASP-DS-005)
      - Writing User Provided Data to Disk (OWASP-DS-006)
      - Failure to Release Resources (OWASP-DS-007)
      - Storing too Much Data in Session (OWASP-DS-008)
  39. Web Services Testing
      - WS Information Gathering (OWASP-WS-001)
      - Testing WSDL (OWASP-WS-002)
      - XML Structural Testing (OWASP-WS-003)
      - XML Content-level Testing (OWASP-WS-004)
      - HTTP GET parameters/REST Testing (OWASP-WS-005)
      - Naughty SOAP attachments (OWASP-WS-006)
      - Replay Testing (OWASP-WS-007)
  40. AJAX Testing
      - AJAX Vulnerabilities (OWASP-AJ-001)
      - Testing For AJAX (OWASP-AJ-002)
  41. Testing Tips
  42. How to value the real risk
      Risk = Likelihood * Impact
      Likelihood:
      - Threat Agent Factors
      - Vulnerability Factors
      Impact:
      - Technical Impact Factors
      - Business Impact Factors
  43. How to write the report of the testing
      I. Executive Summary
      II. Technical Management Overview
      III. Assessment Findings
      IV. Toolbox
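The slide gives Risk = Likelihood * Impact and names the four factor groups. As an added example (not from the slides), the class below carries the formula through with the 0-9 factor scores, the LOW/MEDIUM/HIGH bands and the severity matrix of the OWASP Risk Rating Methodology; that the slide intends this particular scale is an assumption, and the factor scores in `main` are constructed.

```java
// Added example, not from the slides: Risk = Likelihood * Impact worked
// with the 0-9 factor scores and LOW/MEDIUM/HIGH bands of the OWASP Risk
// Rating Methodology (an assumption; the slide names only the factor groups).
public class RiskRating {

    enum Level { LOW, MEDIUM, HIGH }

    // Average of one factor group; each score is on the 0-9 scale.
    static double average(int... scores) {
        int sum = 0;
        for (int s : scores) {
            if (s < 0 || s > 9) {
                throw new IllegalArgumentException("factor score must be 0-9");
            }
            sum += s;
        }
        return (double) sum / scores.length;
    }

    // Band thresholds: below 3 LOW, below 6 MEDIUM, otherwise HIGH.
    static Level band(double avg) {
        return avg < 3 ? Level.LOW : (avg < 6 ? Level.MEDIUM : Level.HIGH);
    }

    // Overall severity from the likelihood x impact matrix: LOW+LOW is a
    // "Note", HIGH+HIGH is "Critical", the other cells lie in between.
    static String severity(Level likelihood, Level impact) {
        String[] names = { "NOTE", "LOW", "MEDIUM", "HIGH", "CRITICAL" };
        return names[likelihood.ordinal() + impact.ordinal()];
    }

    public static void main(String[] args) {
        // Constructed scores for a reflected XSS in a public profile page.
        // Threat agent factors: skill level, motive, opportunity, size.
        // Vulnerability factors: ease of discovery, ease of exploit,
        // awareness, intrusion detection.
        double likelihood = average(6, 4, 9, 9, 7, 5, 9, 8);   // 7.125 -> HIGH
        // Technical impact factors: loss of confidentiality, integrity,
        // availability, accountability (business impact factors replace
        // these once they are known).
        double impact = average(6, 3, 1, 7);                   // 4.25 -> MEDIUM
        Level l = band(likelihood);
        Level i = band(impact);
        System.out.printf("likelihood %.2f (%s), impact %.2f (%s) -> %s%n",
                likelihood, l, impact, i, severity(l, i));     // -> HIGH
    }
}
```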
  44. References
      - Threat Modeling: https://www.owasp.org/index.php/Application_Threat_Modeling
      - Penetration Testing: https://www.owasp.org/index.php/Web_Application_Penetration_Testing
      - Code Review: https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents
      http://www.flickr.com/photos/purpleslog/2880224058/
  45. Project 1
      http://www.flickr.com/photos/purpleslog/2880224058/
  46. Web Application Security
      You are asked to provide a security assessment of a web application using the techniques presented.
      Which language/framework for the code?
      - The one the working group is most comfortable with
      What kind of assessment?
      - focus on testing
      - focus on risk
      - focus on development following the OWASP guidelines
  47. Web Application Security
      Which application?
      - OWASP Broken Web Application Project: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
      - Vulnerable Web Applications for Learning: http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/
      - A web application of your own, developed for other projects or written ad hoc.
      - If you choose a web application that has a mobile front-end, provide a security assessment of the whole system following the guidelines of the OWASP Mobile Security Project.
  48. References
      - OWASP Top 10 Project: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
      - OWASP Testing Guide: https://www.owasp.org/index.php/OWASP_Testing_Project
      - OWASP Development Guide: https://www.owasp.org/index.php/OWASP_Guide_Project
      - OWASP Mobile Security Project: https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  49. Credits: Simone Onofri, Marco Ramilli, Cinzia Querques