OWASP Testing
Creative Commons Attribution-NonCommercial-ShareAlike License
Published in: Technology
Transcript

  • 1. OWASP Testing, by Francesco Iovine, Università degli Studi di Roma "Tor Vergata", Faculty of Engineering, Computer and Internet Security course (Corso di Sicurezza Informatica e Internet), 14 June 2012. http://www.flickr.com/photos/purpleslog/2880224058/
  • 2. Testing Techniques
  • 3. http://www.flickr.com/photos/fargazzi/4110399904/
  • 4. Manual Inspections & Reviews - Analyzing documentation - Performing interviews with the designers or system owners - Reviewing the documentation, secure coding policies, security requirements, and architectural designs
  • 5. Manual Inspections & Reviews Advantages - Requires no supporting technology - Can be applied to a variety of situations - Flexible - Promotes teamwork - Early in the SDLC
  • 6. Manual Inspections & Reviews Disadvantages - Can be time consuming - Supporting material not always available - Requires significant human thought and skill to be effective!
  • 7. Threat Modeling - Decomposing the application - Defining and classifying the assets - Exploring potential vulnerabilities - Exploring potential threats - Creating mitigation strategies
  • 8. Threat Modeling Advantages - Practical attacker's view of the system - Flexible - Early in the SDLC Disadvantages - Relatively new technique - Good threat models don’t automatically mean good software
  • 9. http://www.flickr.com/photos/fraserspeirs/3394902061/
  • 10. Code Review “If you want to know what’s really going on, go straight to the source.”
  • 11. Code Review Advantages - Completeness and effectiveness - Accuracy - Fast (for competent reviewers)
  • 12. Code Review Disadvantages - Requires highly skilled security developers - Can miss issues in compiled libraries - Cannot detect run-time errors easily - The source code actually deployed might differ from the one being analyzed
  • 13. Penetration Testing - Also commonly known as black box testing or ethical hacking. - Testing a running application remotely to find security vulnerabilities - No need to know the inner workings of the application itself
  • 14. Penetration Testing Advantages - Can be fast (and therefore cheap) - Requires a relatively lower skill-set than source code review - Tests the code that is actually being exposed Disadvantages - Too late in the SDLC - Front impact testing only!
  • 15. Threat Modeling
  • 16. Threat Modeling 1 - Decompose the application 2 - Determine and rank threats 3 - Determine countermeasures and mitigation
  • 17. 1 - Decompose the application
  • 18. 1 - Decompose the application
  • 19. 2 - Determine and rank threats Spoofing Tampering Repudiation Information disclosure Denial of service Elevation of privilege
  • 20. 2 - Determine and rank threats
  • 21. 3 - Determine countermeasures and mitigation Authentication Authorization Configuration management Data Protection in Storage and Transit Data Validation / Parameter Validation Error Handling and Exception Management User and Session Management Auditing and Logging
  • 22. 3 - Determine countermeasures and mitigation Mitigation strategies 1. Do nothing 2. Inform about the risk 3. Mitigate the risk 4. Accept the risk 5. Transfer the risk
  • 23. Code Review
  • 24. Data Validation - Log Injection (Java)
        String pageName = getPageName(request.getRequestURI());
        String action = request.getParameter("action");
        String logline = pageName + "|" + action + "|" + ... ;
        profileLogger.log(logline);
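The slide shows the vulnerable pattern only. The following is an added example, not code from the slides or from the author: it places that concatenation beside a hardened version that neutralises line breaks, control characters and the field separator before the entry is written, so a client-supplied `action` value cannot forge additional log entries. Class and method names (`LogLineBuilder`, `neutralize`, `entryCount`) are hypothetical, and the request values are constructed for the demonstration.

```java
import java.util.Locale;

// Added example (not from the slides): the slide's concatenation pattern next to a
// hardened version that neutralises line breaks before the entry reaches the log.
// Class and method names are hypothetical.
public class LogLineBuilder {

    // Vulnerable pattern, as on slide 24: untrusted request data is concatenated
    // as-is. A CR/LF inside "action" ends the entry early and starts a forged one.
    static String vulnerableLogLine(String pageName, String action, String user) {
        return pageName + "|" + action + "|" + user;
    }

    // Hardened: every untrusted field is neutralised, so one request always
    // produces exactly one log entry with exactly three fields.
    static String safeLogLine(String pageName, String action, String user) {
        return neutralize(pageName) + "|" + neutralize(action) + "|" + neutralize(user);
    }

    // Escape line terminators, other control characters and the field separator;
    // cap the length so a single request cannot flood the log file.
    static String neutralize(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            if (c == '\r') {
                out.append("\\r");
            } else if (c == '\n') {
                out.append("\\n");
            } else if (c == '|') {
                out.append("%7C");
            } else if (c < 0x20 || c == 0x7f) {
                out.append(String.format(Locale.ROOT, "\\x%02x", (int) c));
            } else {
                out.append(c);
            }
        }
        if (out.length() > 200) {
            out.setLength(200);
        }
        return out.toString();
    }

    // Number of physical lines an entry occupies once written to the log.
    static int entryCount(String logLine) {
        return logLine.split("\r\n|\r|\n").length;
    }

    public static void main(String[] args) {
        // Constructed input: the "action" parameter carries an injected second entry.
        String action = "view\r\n/admin/deleteUser|ok|admin";
        String vulnerable = vulnerableLogLine("/profile", action, "mallory");
        String hardened = safeLogLine("/profile", action, "mallory");
        System.out.println("vulnerable (" + entryCount(vulnerable) + " entries):\n" + vulnerable);
        System.out.println("hardened   (" + entryCount(hardened) + " entries):\n" + hardened);
    }
}
```

Running `main` prints the same request logged both ways, with the number of entries each version produces; the hardened line stays a single record in which the injected separators are visibly escaped, which is also what a reviewer should look for when reading log-writing code during a code review.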
  • 25. Data Validation - Reflected Cross-Site Scripting (Java)
        String fromPage = request.getRequestURI() + "?";
        Iterator<String> it = request.getParameterMap().keySet().iterator();
        while (it.hasNext()) {
            String key = it.next();
            String value = request.getParameter(key);
            fromPage += (key + "=" + StringEscapeUtils.escapeHtml(value) + "&");
        }
  • 26. Data Validation - Reflected Cross-Site Scripting (JSP)
        <div onclick="window.location.href=${sessionScope[scopedTarget.userData].fromPage}"> </div>
        Test URL: https://Host/nonExistent.htm?">aa=valoreParametro
  • 27. Data Validation - Output Encoding (JSP)
        <form action="op.htm?number=${param.number}" method="POST">
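Slides 25 to 27 make one point: the data in `fromPage` passes through three contexts (a URL, a JavaScript string inside `onclick`, an HTML attribute), and `escapeHtml` on the parameter value alone covers only the last of them, while the parameter key is appended raw, which is exactly what the test URL on slide 26 exercises. The following is an added example, not code from the slides or from the author: it rebuilds `fromPage` with an encoder for each context, applied inner to outer. `FromPageEncoder` and its methods are hypothetical names, the hand-written escapers stand in for a library such as the one the slide uses, and the code assumes Java 10 or later for `URLEncoder.encode(String, Charset)`.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example (not from the slides): rebuilds the "fromPage" value of slides 25-26
// with an encoder for each context the data passes through. Names are hypothetical;
// it needs Java 10+ for URLEncoder.encode(String, Charset).
public class FromPageEncoder {

    // URL context: both key and value are URL-encoded. The slide's loop only
    // HTML-escapes the value and appends the key raw, which is where the
    // test URL's  ">aa  key slips through.
    static String buildFromPage(String requestUri, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(requestUri).append('?');
        boolean first = true;
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (!first) {
                sb.append('&');
            }
            first = false;
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    // JavaScript string context: hex-escape everything outside a small allow-list,
    // so the value can never close the quote or add a statement.
    static String escapeJsString(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean safe = (Character.isLetterOrDigit(c) && c < 128) || ":/?&=.%-_".indexOf(c) >= 0;
            if (safe) {
                sb.append(c);
            } else if (c < 256) {
                sb.append(String.format("\\x%02X", (int) c));
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    // HTML attribute context: the same characters StringEscapeUtils.escapeHtml
    // handles, written out here so the example has no library dependency.
    static String escapeHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    // The slide's <div onclick="window.location.href=..."> with the value wrapped
    // as a JS string literal, JS-escaped, and then attribute-escaped (inner to outer).
    static String renderDiv(String fromPage) {
        String jsLiteral = "'" + escapeJsString(fromPage) + "'";
        return "<div onclick=\"window.location.href=" + escapeHtmlAttribute(jsLiteral) + "\"></div>";
    }

    public static void main(String[] args) {
        // Constructed request matching the slide's test URL: the payload is the
        // parameter *name*, and the value is an ordinary string.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("\">aa", "valoreParametro");
        String fromPage = buildFromPage("/nonExistent.htm", params);
        System.out.println(fromPage);
        System.out.println(renderDiv(fromPage));
    }
}
```

The order matters: the browser decodes the attribute first, then parses the JavaScript, then follows the URL, so the encodings are applied in the reverse order. The same reasoning applies to the `${param.number}` in the form action on slide 27, which JSP EL writes unencoded; it needs the URL encoding plus the attribute encoding, not `escapeHtml` alone.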
  • 28. Session Management - Anti-Clickjacking Countermeasures
        HTML/CSS/JavaScript:
        <style> html { display: none; } </style>
        <script>
          if (self == top) {
            document.documentElement.style.display = "block";
          } else {
            top.location = self.location;
          }
        </script>
        HTTP headers:
        X-Frame-Options: SAMEORIGIN
        X-Content-Security-Policy: allow *; options inline-script eval-script; frame-ancestors self;
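The frame-busting script on the slide is the client-side half; the headers are what a tester actually verifies in a response. The following is an added example, not code from the slides or from the author: a small triage check that parses captured response headers and reports whether framing is restricted, covering `X-Frame-Options` and the standard `Content-Security-Policy: frame-ancestors` directive, which replaced the pre-standard Firefox `X-Content-Security-Policy` header shown on the slide and which current browsers evaluate in preference to `X-Frame-Options` when both are present. `ClickjackingCheck` and its methods are hypothetical names, and the header sets in `main` are constructed.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Added example (not from the slides): a check a tester can run over captured
// response headers to see whether framing is restricted. Names are hypothetical.
public class ClickjackingCheck {

    // Parse "Name: value" lines into a lower-cased name -> values map (a header
    // such as Content-Security-Policy may legitimately appear more than once).
    static Map<String, List<String>> parseHeaders(String raw) {
        Map<String, List<String>> headers = new HashMap<>();
        for (String line : raw.split("\r?\n")) {
            int colon = line.indexOf(':');
            if (colon <= 0) {
                continue; // status line or blank line
            }
            String name = line.substring(0, colon).trim().toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            headers.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return headers;
    }

    // Source list of the first frame-ancestors directive found, or null.
    // (Browsers intersect several CSP headers; the first directive is enough
    // for a triage check.)
    static String frameAncestors(Map<String, List<String>> headers) {
        for (String policy : headers.getOrDefault("content-security-policy", List.of())) {
            for (String directive : policy.split(";")) {
                String d = directive.trim();
                if (d.toLowerCase(Locale.ROOT).startsWith("frame-ancestors")) {
                    return d.substring("frame-ancestors".length()).trim();
                }
            }
        }
        return null;
    }

    static String verdict(String rawHeaders) {
        Map<String, List<String>> headers = parseHeaders(rawHeaders);
        String ancestors = frameAncestors(headers);
        if (ancestors != null) {
            // frame-ancestors takes precedence over X-Frame-Options when both are present.
            if (ancestors.equals("'none'") || ancestors.equals("'self'")) {
                return "PROTECTED: Content-Security-Policy frame-ancestors " + ancestors;
            }
            if (ancestors.contains("*")) {
                return "REVIEW: frame-ancestors contains a wildcard (" + ancestors + ")";
            }
            return "RESTRICTED: frame-ancestors " + ancestors + " (review the allow-list)";
        }
        List<String> xfo = headers.getOrDefault("x-frame-options", List.of());
        if (!xfo.isEmpty()) {
            String value = xfo.get(0).trim().toUpperCase(Locale.ROOT);
            if (value.equals("DENY") || value.equals("SAMEORIGIN")) {
                return "PROTECTED (legacy): X-Frame-Options " + value + "; add frame-ancestors as well";
            }
            if (value.startsWith("ALLOW-FROM")) {
                return "WEAK: X-Frame-Options ALLOW-FROM is ignored by current browsers";
            }
            return "INVALID: unrecognised X-Frame-Options value '" + xfo.get(0) + "'";
        }
        if (headers.containsKey("x-content-security-policy")) {
            return "WEAK: only the pre-standard X-Content-Security-Policy header is set";
        }
        return "UNPROTECTED: no framing restriction at all";
    }

    public static void main(String[] args) {
        // Constructed header sets, one verdict per sample.
        String[] samples = {
            "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n",
            "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n",
            "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\nX-Frame-Options: DENY\r\n",
            "HTTP/1.1 200 OK\r\nX-Content-Security-Policy: allow *; frame-ancestors self;\r\n",
            "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        };
        for (String sample : samples) {
            System.out.println(verdict(sample));
        }
    }
}
```

The third sample is the case worth remembering: a permissive `frame-ancestors` wins over a strict `X-Frame-Options: DENY` in a browser that supports CSP, so the two headers have to agree.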
  • 29. Penetration Testing
  • 30. Information Gathering Testing:
        - Spiders, robots, and crawlers (OWASP-IG-001)
        - Search engine discovery/reconnaissance (OWASP-IG-002)
        - Identify application entry points (OWASP-IG-003)
        - Testing for web application fingerprint (OWASP-IG-004)
        - Application discovery (OWASP-IG-005)
        - Analysis of error codes (OWASP-IG-006)
  • 31. Configuration Management Testing:
        - SSL/TLS testing (OWASP-CM-001)
        - DB listener testing (OWASP-CM-002)
        - Infrastructure configuration management testing (OWASP-CM-003)
        - Application configuration management testing (OWASP-CM-004)
        - Testing for file extensions handling (OWASP-CM-005)
        - Old, backup and unreferenced files (OWASP-CM-006)
        - Infrastructure and application admin interfaces (OWASP-CM-007)
        - Testing for HTTP methods and XST (OWASP-CM-008)
  • 32. Authentication Testing:
        - Credentials transport over an encrypted channel (OWASP-AT-001)
        - Testing for user enumeration (OWASP-AT-002)
        - Default or guessable (dictionary) user account (OWASP-AT-003)
        - Testing for brute force (OWASP-AT-004)
        - Testing for bypassing authentication schema (OWASP-AT-005)
        - Testing for vulnerable remember password and password reset (OWASP-AT-006)
        - Testing for logout and browser cache management (OWASP-AT-007)
        - Testing for CAPTCHA (OWASP-AT-008)
        - Testing for multiple factors authentication (OWASP-AT-009)
        - Testing for race conditions (OWASP-AT-010)
  • 33. Session Management Testing:
        - Testing for session management schema (OWASP-SM-001)
        - Testing for cookies attributes (OWASP-SM-002)
        - Testing for session fixation (OWASP-SM-003)
        - Testing for exposed session variables (OWASP-SM-004)
        - Testing for CSRF (OWASP-SM-005)
  • 34. Authorization Testing:
        - Testing for path traversal (OWASP-AZ-001)
        - Testing for bypassing authorization schema (OWASP-AZ-002)
        - Testing for privilege escalation (OWASP-AZ-003)
        - Business logic testing (OWASP-BL-001)
  • 35. Data Validation Testing:
        - Testing for reflected cross-site scripting (OWASP-DV-001)
        - Testing for stored cross-site scripting (OWASP-DV-002)
        - Testing for DOM-based cross-site scripting (OWASP-DV-003)
        - Testing for cross-site flashing (OWASP-DV-004)
  • 36. Data Validation Testing:
        - SQL injection (OWASP-DV-005)
        - LDAP injection (OWASP-DV-006)
        - ORM injection (OWASP-DV-007)
        - XML injection (OWASP-DV-008)
        - SSI injection (OWASP-DV-009)
        - XPath injection (OWASP-DV-010)
        - IMAP/SMTP injection (OWASP-DV-011)
        - Code injection (OWASP-DV-012)
  • 37. Data Validation Testing:
        - OS commanding (OWASP-DV-013)
        - Buffer overflow testing (OWASP-DV-014)
        - Testing for HTTP splitting/smuggling (OWASP-DV-016)
  • 38. Denial of Service Testing:
        - Testing for SQL wildcard attacks (OWASP-DS-001)
        - Locking customer accounts (OWASP-DS-002)
        - Buffer overflows (OWASP-DS-003)
        - User specified object allocation (OWASP-DS-004)
        - User input as a loop counter (OWASP-DS-005)
        - Writing user provided data to disk (OWASP-DS-006)
        - Failure to release resources (OWASP-DS-007)
        - Storing too much data in session (OWASP-DS-008)
  • 39. Web Services Testing:
        - WS information gathering (OWASP-WS-001)
        - Testing WSDL (OWASP-WS-002)
        - XML structural testing (OWASP-WS-003)
        - XML content-level testing (OWASP-WS-004)
        - HTTP GET parameters/REST testing (OWASP-WS-005)
        - Naughty SOAP attachments (OWASP-WS-006)
        - Replay testing (OWASP-WS-007)
  • 40. AJAX Testing:
        - AJAX vulnerabilities (OWASP-AJ-001)
        - Testing for AJAX (OWASP-AJ-002)
  • 41. Testing Tips
  • 42. How to value the real risk: Risk = Likelihood * Impact
        Likelihood: Threat Agent Factors, Vulnerability Factors
        Impact: Technical Impact Factors, Business Impact Factors
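The slide gives the formula and the four factor groups but not the arithmetic. The following is an added example, not code from the slides or from the author: a scorer that follows the OWASP Risk Rating Methodology those factor groups come from, where each factor is scored 0 to 9, likelihood is the average of the threat agent and vulnerability factors, impact is the average of the technical and business factors, each side is bucketed as LOW (below 3), MEDIUM (3 to below 6) or HIGH, and a 3x3 matrix gives the overall severity. `RiskRating` and its methods are hypothetical names, and the scores in `main` are constructed for one illustrative finding.

```java
import java.util.Locale;

// Added example (not from the slides): a scorer for the slide's
// Risk = Likelihood * Impact formula, following the OWASP Risk Rating
// Methodology (each factor 0-9, each side averaged, 3x3 severity matrix).
// Names and the sample scores are hypothetical.
public class RiskRating {

    enum Level { LOW, MEDIUM, HIGH }

    // OWASP thresholds: 0 to <3 LOW, 3 to <6 MEDIUM, 6 to 9 HIGH.
    static Level level(double score) {
        if (score < 3) {
            return Level.LOW;
        }
        return score < 6 ? Level.MEDIUM : Level.HIGH;
    }

    // Average over any number of factor groups, rejecting out-of-range scores.
    static double average(int[]... groups) {
        int sum = 0;
        int n = 0;
        for (int[] g : groups) {
            for (int f : g) {
                if (f < 0 || f > 9) {
                    throw new IllegalArgumentException("factor out of range 0-9: " + f);
                }
                sum += f;
                n++;
            }
        }
        return (double) sum / n;
    }

    // Overall severity matrix (rows: impact level, columns: likelihood level).
    static String severity(Level likelihood, Level impact) {
        switch (impact) {
            case HIGH:
                return likelihood == Level.LOW ? "Medium" : likelihood == Level.MEDIUM ? "High" : "Critical";
            case MEDIUM:
                return likelihood == Level.LOW ? "Low" : likelihood == Level.MEDIUM ? "Medium" : "High";
            default:
                return likelihood == Level.LOW ? "Note" : likelihood == Level.MEDIUM ? "Low" : "Medium";
        }
    }

    // likelihood = average of threat-agent and vulnerability factors;
    // impact = average of technical and business factors.
    static String rate(int[] threatAgent, int[] vulnerability, int[] technical, int[] business) {
        double likelihood = average(threatAgent, vulnerability);
        double impact = average(technical, business);
        Level l = level(likelihood);
        Level i = level(impact);
        return String.format(Locale.ROOT, "likelihood=%.2f (%s) impact=%.2f (%s) -> %s",
                likelihood, l, impact, i, severity(l, i));
    }

    public static void main(String[] args) {
        // Constructed scores for one finding, in the order the methodology lists the factors.
        int[] threatAgent = {6, 4, 7, 6};   // skill level, motive, opportunity, size
        int[] vulnerability = {7, 5, 6, 8}; // ease of discovery, ease of exploit, awareness, intrusion detection
        int[] technical = {6, 3, 1, 7};     // loss of confidentiality, integrity, availability, accountability
        int[] business = {3, 4, 2, 5};      // financial damage, reputation damage, non-compliance, privacy violation
        System.out.println(rate(threatAgent, vulnerability, technical, business));
    }
}
```

Keeping the per-factor scores in the report (the "Assessment Findings" section of the next slide) lets the reader challenge an individual factor instead of the final label, which is where most disagreements about a rating actually come from.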
  • 43. How to write the testing report: I. Executive Summary II. Technical Management Overview III. Assessment Findings IV. Toolbox
  • 44. References: Threat Modeling https://www.owasp.org/index.php/Application_Threat_Modeling ; Penetration Testing https://www.owasp.org/index.php/Web_Application_Penetration_Testing ; Code Review https://www.owasp.org/index.php/OWASP_Code_Review_Guide_Table_of_Contents ; http://www.flickr.com/photos/purpleslog/2880224058/
  • 45. Project 1 http://www.flickr.com/photos/purpleslog/2880224058/
  • 46. Web Application Security. You are asked to provide a security assessment of a web application using the techniques presented. Which language/framework for the code? - Whichever suits the working group best. What kind of assessment? - focus on testing - focus on risk - focus on development following the OWASP guidelines
  • 47. Web Application Security. Which application? - OWASP Broken Web Applications Project https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project - Vulnerable Web Applications for Learning http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/ - Your own web application, developed for other projects or written ad hoc. - If the chosen web application has a mobile front end, provide a security assessment of the whole system following the OWASP Mobile Security Project guidelines.
  • 48. References: OWASP Top 10 Project https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project ; OWASP Testing Guide https://www.owasp.org/index.php/OWASP_Testing_Project ; OWASP Development Guide https://www.owasp.org/index.php/OWASP_Guide_Project ; OWASP Mobile Security Project https://www.owasp.org/index.php/OWASP_Mobile_Security_Project
  • 49. Credits Simone Onofri Marco Ramilli Cinzia Querques
