• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content

Loading…

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

Like this presentation? Why not share!

Quick App Security Testing

on

  • 1,443 views

 

Statistics

Views

Total Views
1,443
Views on SlideShare
1,438
Embed Views
5

Actions

Likes
1
Downloads
0
Comments
0

2 Embeds 5

http://www.linkedin.com 3
https://www.linkedin.com 2

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Quick App Security Testing Quick App Security Testing Presentation Transcript

    • App Security Testing
    • Authentication Checks
      1. Login and Change Password pages on SSL?2. All sensitive pages (accepting SSN, Credit Card) over SSL?3. Strong Password Policy? (Joe Accounts/Blank Passwords/Max Password Age/Min Password Age, etc)4. Is Forgot Password page secure?5. Password Change forced on 1st login?6. Re-authenticate before moving to sensitive pages (Edit Account Info?)7. Prompts old password before changing password?8. Has "Remember Me" feature? If so, how's password stored?9. Warns before allowing "Remember Me"?10. Has CAPTCHA to prevent password guessing?11. Does show error msgs like "Invalid User/Invalid Password"?12. Can auth. be by-passed for privileged URL's?13. Is AutoComplete set to OFF?14. Is password re-submitted on 'Back/Refresh' of browser?15. SQL Injection in login?
    • Session Management
      1. Is session id random enough?2. Session Timeout present?3. Stored in what form? (persistent cookie/in-memory cookie)?4. Session Id expires on request tampering?5. Sensitive data in cookie?6. Can you see X user's data with Y's session id?7. Session expires at server-side on logout?8. Can logged out user's session be re-used?9. Is new session id generated on login?10. Is cookie over-written on logout?
    • SQL Injection Checks
      1. SQL Injection : '2. SQL Injection : ' OR 1=1 --3. SQL Injection : '; waitfor delay'00:00:05'--
    • XSS Checks
      1. XSS Javascript2. XSS Encoded3. XSS Cookie4. Is CSRF possible?
    • Input Validation Checks
      1. Use proxy to by-pass client side validation?2. Generate errors for information disclosure?3. Web Page source reveals sensitive application information4. HTTP Headers manipulation5. Viewstate manipulation6. GET and POST parameter manipulation
    • Secure Storage Checks
      1. Are passwords stored in clear text?2. Is sensitive information like Credit Card encrypted?3. What encryption algo used? Standard or Proprietary?4. Is connection string in clear text?5. Any passwords hard-coded in application?
    • Browser Checks
      1. Check browser history? Are sensitive pages cached?2. Is data cached by search engines or desktop search engine?3. Any hard-coded secrets in javascripts?4. Web Page code reveals sensitive comments?
    • File Checks
      1. Is file upload /download allowed?2. Can files be downloaded directly from URL?3. Can malicious files be uploaded?
    • Environment Checks
      1. Are default apps installed?2. Are default accounts enabled? Do they have strong passwords?3. Is firewall deployed?4. Is code obfuscated?5. Can detect server details using banner grabbing?6. Are forms bot resistant?
    • Tools
      Paros
      Burpsuite
      Webscarab
      GrendalScan
      Wireshark