SlideShare a Scribd company logo

Jouri Dufour - How About Security Testing - EuroSTAR 2013

TEST Huddle
TEST Huddle

EuroSTAR Software Testing Conference 2013 presentation on How About Security Testing by Jouri Dufour. See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/

Technology
1 of 42
Download to read offline
How About Security Testing? Jouri Dufour, CTG www.eurostarconferences.com @esconfs #esconfs
How About Cybercrime?
Our BUSINESS LIFE is online.
“If A happens, then B must be the case, so I will do C.” BUT WHAT IF X OCCURS?
01 Fooling a password change function
Password change function Administrator N Existing password parameter ? Y User Password change request Username Existing password * New password Confirm new password * Only presented to users The functionality  The assumption  The attack
Password change function Administrator N FLAW Existing password parameter ? Y User Password change request Username Existing password * New password Confirm new password * Only presented to users The functionality  The assumption  The attack
Password change function Administrator N Existing password parameter ? Y User Password change request ATTACK Username Existing password * New password Confirm new password * Only presented to users The functionality  The assumption  The attack
RECOMMENDED HACK STEPS Try removing in turn each request parameter Be sure to delete the actual parameter name as well as its value Attack only one parameter at a time Follow a multistage process through to completion
02 Proceeding to checkout
Retail application Add items to shopping basket Finalize order Enter payment information Enter delivery information The functionality  The assumption  The attack
Retail application Add items to shopping basket Finalize order Enter payment information Enter delivery information FLAW The functionality  The assumption  The attack
Retail application Add items to shopping basket Finalize order ATTACK Enter payment information Enter delivery information The functionality  The assumption  The attack
RECOMMENDED HACK STEPS Attempt to submit requests out of the expected sequence Be sure to fully understand the access mechanisms to distinct stages Try to violate the developers’ assumptions Use any interesting error messages and debug output to fine-tune your attacks
The application may enforce strict access control only on the initial stages of the process
03 Beating a business limit
ERP application Bank account 2 Bank account 1 Less than €10.000 ? Y N The functionality  The assumption  The attack
ERP application Bank account 2 Bank account 1 Less than €10.000 ? FLAW Y N The functionality  The assumption  The attack
ERP application Bank account 2 Bank account 1 €20.000 Less than €10.000 ? Y N -€20.000 The functionality  The assumption  The attack
Many applications use numeric limits and beating such limits may have serious business consequences
RECOMMENDED HACK STEPS Try entering negative values Sometimes several steps need to be repeated to bring the application in a vulnerable state
04 Cheating on bulk discounts
Retail application Purchase bundle Shopping basket Item 1 €... Item 2 €... Item 3 €... -25% The functionality  The assumption  The attack
Retail application Purchase bundle Shopping basket Item 1 €... Item 2 €... Item 3 €... -25% FLAW The functionality  The assumption  The attack
Retail application Purchase bundle Shopping basket Item 1 €... Item 2 €... Item 3 €... -25% ATTACK The functionality  The assumption  The attack
RECOMMENDED HACK STEPS Find out if adjustments are made on a one-time basis Try to manipulate the application’s behavior to get adjustments that don’t correspond to the original intended criteria
05 Escaping from escaping
Web application Operating system command User-controllable input Sanitization using the backslash character ; | & < > ` space newline The functionality  The assumption  The attack
Web application Operating system command User-controllable input Sanitization using the backslash character ; | & < > ` space newline FLAW The functionality  The assumption  The attack
Web application Operating system command ATTACK User-controllable input Sanitization using the backslash character ; | & < > ` space newline The functionality  The assumption  The attack
Web application COMMAND INJECTION Operating system command Foo;ls Sanitization using the backslash character ; | & < > ` space newline Foo;ls The functionality  The assumption  The attack
RECOMMENDED HACK STEPS Attempt to insert relevant metacharacters into the data you control Always try placing a backslash immediately before each such character
This same defect can be found in some defenses against cross-site scripting attacks
Yesterday Today Tomorrow Dynamic Application Security Testing (DAST) Static Application Security Testing (SAST) Integrated Application Security Testing (IAST) + =
001:0123450123456789 331017012345678960123456789202468 00:00 Time Victims
HOW ABOUT SECURITY TESTING? Fooling a password change function Proceeding to checkout Beating a business limit Cheating on bulk discounts Escaping from escaping Speaker: Jouri Dufour www.ctg.com jouri.dufour@ctg.com

Recommended

User Manual Guide: Case Management App on Salesforce AppExchange
User Manual Guide: Case Management App on Salesforce AppExchangeUser Manual Guide: Case Management App on Salesforce AppExchange
User Manual Guide: Case Management App on Salesforce AppExchangeAjeet Singh
 
Feature guide opportunity manager(awom)
Feature guide opportunity manager(awom)Feature guide opportunity manager(awom)
Feature guide opportunity manager(awom)Ajeet Singh
 
Chapter 9
Chapter 9Chapter 9
Chapter 9application developer
 
Do’s and don’ts of api testing
Do’s and don’ts of api testingDo’s and don’ts of api testing
Do’s and don’ts of api testingwebomates
 
Tony Bruce - One More question.... - EuroSTAR 2013
Tony Bruce - One More question.... - EuroSTAR 2013Tony Bruce - One More question.... - EuroSTAR 2013
Tony Bruce - One More question.... - EuroSTAR 2013TEST Huddle
 
Markus Gartner - Beyond Testing - EuroSTAR 2012
Markus Gartner - Beyond Testing - EuroSTAR 2012Markus Gartner - Beyond Testing - EuroSTAR 2012
Markus Gartner - Beyond Testing - EuroSTAR 2012TEST Huddle
 
Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013
Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013
Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013TEST Huddle
 
Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...
Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...
Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...TEST Huddle
 

Recommended

User Manual Guide: Case Management App on Salesforce AppExchange
User Manual Guide: Case Management App on Salesforce AppExchangeUser Manual Guide: Case Management App on Salesforce AppExchange
User Manual Guide: Case Management App on Salesforce AppExchangeAjeet Singh
 
Feature guide opportunity manager(awom)
Feature guide opportunity manager(awom)Feature guide opportunity manager(awom)
Feature guide opportunity manager(awom)Ajeet Singh
 
Chapter 9
Chapter 9Chapter 9
Chapter 9application developer
 
Do’s and don’ts of api testing
Do’s and don’ts of api testingDo’s and don’ts of api testing
Do’s and don’ts of api testingwebomates
 
Tony Bruce - One More question.... - EuroSTAR 2013
Tony Bruce - One More question.... - EuroSTAR 2013Tony Bruce - One More question.... - EuroSTAR 2013
Tony Bruce - One More question.... - EuroSTAR 2013TEST Huddle
 
Markus Gartner - Beyond Testing - EuroSTAR 2012
Markus Gartner - Beyond Testing - EuroSTAR 2012Markus Gartner - Beyond Testing - EuroSTAR 2012
Markus Gartner - Beyond Testing - EuroSTAR 2012TEST Huddle
 
Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013
Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013
Soren Lynggaard & Pusser Janvit - How To Hire A True Tester - EuroSTAR 2013TEST Huddle
 
Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...
Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...
Geoff & Emily Bache - Specification By Example With GUI Tests-How Could That ...TEST Huddle
 
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...TEST Huddle
 
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...TEST Huddle
 
Jackie McDougall - Testing on Trial - EuroSTAR 2013
Jackie McDougall - Testing on Trial - EuroSTAR 2013Jackie McDougall - Testing on Trial - EuroSTAR 2013
Jackie McDougall - Testing on Trial - EuroSTAR 2013TEST Huddle
 
Albert Witteveen - With Cloud Computing Who Needs Performance Testing
Albert Witteveen - With Cloud Computing Who Needs Performance TestingAlbert Witteveen - With Cloud Computing Who Needs Performance Testing
Albert Witteveen - With Cloud Computing Who Needs Performance TestingTEST Huddle
 
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013TEST Huddle
 
Julian Harty - Open Sourcing Testing - EuroSTAR 2012
Julian Harty - Open Sourcing Testing - EuroSTAR 2012Julian Harty - Open Sourcing Testing - EuroSTAR 2012
Julian Harty - Open Sourcing Testing - EuroSTAR 2012TEST Huddle
 
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...TEST Huddle
 
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013TEST Huddle
 
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...TEST Huddle
 
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...TEST Huddle
 
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013TEST Huddle
 
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013TEST Huddle
 
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012TEST Huddle
 
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013TEST Huddle
 
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013TEST Huddle
 
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013TEST Huddle
 
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013TEST Huddle
 
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013TEST Huddle
 
Pekka Marjamaki - Testing Me - EuroSTAR 2013
Pekka Marjamaki - Testing Me - EuroSTAR 2013Pekka Marjamaki - Testing Me - EuroSTAR 2013
Pekka Marjamaki - Testing Me - EuroSTAR 2013TEST Huddle
 
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013TEST Huddle
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 

More Related Content

Viewers also liked

Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...TEST Huddle
 
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...TEST Huddle
 
Jackie McDougall - Testing on Trial - EuroSTAR 2013
Jackie McDougall - Testing on Trial - EuroSTAR 2013Jackie McDougall - Testing on Trial - EuroSTAR 2013
Jackie McDougall - Testing on Trial - EuroSTAR 2013TEST Huddle
 
Albert Witteveen - With Cloud Computing Who Needs Performance Testing
Albert Witteveen - With Cloud Computing Who Needs Performance TestingAlbert Witteveen - With Cloud Computing Who Needs Performance Testing
Albert Witteveen - With Cloud Computing Who Needs Performance TestingTEST Huddle
 
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013TEST Huddle
 
Julian Harty - Open Sourcing Testing - EuroSTAR 2012
Julian Harty - Open Sourcing Testing - EuroSTAR 2012Julian Harty - Open Sourcing Testing - EuroSTAR 2012
Julian Harty - Open Sourcing Testing - EuroSTAR 2012TEST Huddle
 
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...TEST Huddle
 
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013TEST Huddle
 
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...TEST Huddle
 
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...TEST Huddle
 
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013TEST Huddle
 
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013TEST Huddle
 
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012TEST Huddle
 
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013TEST Huddle
 
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013TEST Huddle
 
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013TEST Huddle
 
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013TEST Huddle
 
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013TEST Huddle
 
Pekka Marjamaki - Testing Me - EuroSTAR 2013
Pekka Marjamaki - Testing Me - EuroSTAR 2013Pekka Marjamaki - Testing Me - EuroSTAR 2013
Pekka Marjamaki - Testing Me - EuroSTAR 2013TEST Huddle
 
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013TEST Huddle
 

Viewers also liked (20)

Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
Bob Harnisch & Tim Koomen - Mixing Waterfall, Agile & Outsourcing at Dutch Ra...
 
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
Pradeep Soundararajan - Testing for Sales and Competitor Analysis - EuroSTAR ...
 
Jackie McDougall - Testing on Trial - EuroSTAR 2013
Jackie McDougall - Testing on Trial - EuroSTAR 2013Jackie McDougall - Testing on Trial - EuroSTAR 2013
Jackie McDougall - Testing on Trial - EuroSTAR 2013
 
Albert Witteveen - With Cloud Computing Who Needs Performance Testing
Albert Witteveen - With Cloud Computing Who Needs Performance TestingAlbert Witteveen - With Cloud Computing Who Needs Performance Testing
Albert Witteveen - With Cloud Computing Who Needs Performance Testing
 
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
Rob Lambert - Moving To Weekly Releases - EuroSTAR 2013
 
Julian Harty - Open Sourcing Testing - EuroSTAR 2012
Julian Harty - Open Sourcing Testing - EuroSTAR 2012Julian Harty - Open Sourcing Testing - EuroSTAR 2012
Julian Harty - Open Sourcing Testing - EuroSTAR 2012
 
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
Alexandra Schladebeck - What Agile Teams Can Learn From World of Warcraft - E...
 
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
Rajesh Mathur - Testing in a Challenging Environment - EuroSTAR 2013
 
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
Ruud Teunissen - The Awful Truth About Estimation, Have I Been Wrong All Alon...
 
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
Zeger Van Hese - Testing in the Age of Distraction, The Importance of (De)foc...
 
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
Jeanne Hofmans & Eduard Hartog - How to Test a Tunnel - EuroSTAR 2013
 
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
Paul Holland - How To Organise a Peer Conference - EuroSTAR 2013
 
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
Andy Glover - Testing is evolving, but where is the evidence - EuroSTAR 2012
 
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
Iain McCowatt - Automation Time to Change Our Models - EuroSTAR 2013
 
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
Emily Bache - Readable, Executable Requirements: Hands-On - EuroSTAR 2013
 
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
Alexandra Casapu - Fooled by Unknown Unknowns, A Success Story - EuroSTAR 2013
 
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
Remi Hansen - Test Strategies Are 90% Waste - EuroSTAR 2013
 
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
Morten Hougaard - Autism, A Benefit For Testing - EuroSTAR 2013
 
Pekka Marjamaki - Testing Me - EuroSTAR 2013
Pekka Marjamaki - Testing Me - EuroSTAR 2013Pekka Marjamaki - Testing Me - EuroSTAR 2013
Pekka Marjamaki - Testing Me - EuroSTAR 2013
 
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
Ard Kramer & Joep Lobee - This Is Not a Success Story - EuroSTAR 2013
 

Similar to Jouri Dufour - How About Security Testing - EuroSTAR 2013

Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationRafal Los
 
Introduction to aop
Introduction to aopIntroduction to aop
Introduction to aopDror Helper
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validationzakieh alizadeh
 
Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013
Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013
Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013Salesforce Developers
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Elevate workshop programmatic_2014
Elevate workshop programmatic_2014Elevate workshop programmatic_2014
Elevate workshop programmatic_2014David Scruggs
 
What are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | EdurekaWhat are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | EdurekaEdureka!
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...Amazon Web Services
 
Architecting C Sharp for Cross Cutting Concerns
Architecting C Sharp for Cross Cutting ConcernsArchitecting C Sharp for Cross Cutting Concerns
Architecting C Sharp for Cross Cutting ConcernsMike Byrne
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application AuthenticationRapidValue
 
Salesforce.com API Series: Service Cloud Console Deep Dive
Salesforce.com API Series: Service Cloud Console Deep DiveSalesforce.com API Series: Service Cloud Console Deep Dive
Salesforce.com API Series: Service Cloud Console Deep DiveSalesforce Developers
 
DF19 South-East Florida Global Gathering
DF19 South-East Florida Global GatheringDF19 South-East Florida Global Gathering
DF19 South-East Florida Global GatheringLuis E. Luciani ☁
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformSalesforce Developers
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshopPayampardaz
 
Serverless Cyber Ops for Government
Serverless Cyber Ops for GovernmentServerless Cyber Ops for Government
Serverless Cyber Ops for GovernmentAmazon Web Services
 

Similar to Jouri Dufour - How About Security Testing - EuroSTAR 2013 (20)

Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
 
Defying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with AutomationDefying Logic - Business Logic Testing with Automation
Defying Logic - Business Logic Testing with Automation
 
Introduction to aop
Introduction to aopIntroduction to aop
Introduction to aop
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injection
 
Session3 data-validation
Session3 data-validationSession3 data-validation
Session3 data-validation
 
Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013
Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013
Salesforce1 Platform ELEVATE LA workshop Dec 18, 2013
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
Elevate workshop programmatic_2014
Elevate workshop programmatic_2014Elevate workshop programmatic_2014
Elevate workshop programmatic_2014
 
What are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | EdurekaWhat are Software Testing Methodologies | Software Testing Techniques | Edureka
What are Software Testing Methodologies | Software Testing Techniques | Edureka
 
Top Testing Tips
Top Testing TipsTop Testing Tips
Top Testing Tips
 
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
A DIY Guide to Runbooks, Security Incident Reports, & Incident Response (SEC3...
 
Architecting C Sharp for Cross Cutting Concerns
Architecting C Sharp for Cross Cutting ConcernsArchitecting C Sharp for Cross Cutting Concerns
Architecting C Sharp for Cross Cutting Concerns
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
 
Salesforce.com API Series: Service Cloud Console Deep Dive
Salesforce.com API Series: Service Cloud Console Deep DiveSalesforce.com API Series: Service Cloud Console Deep Dive
Salesforce.com API Series: Service Cloud Console Deep Dive
 
DF19 South-East Florida Global Gathering
DF19 South-East Florida Global GatheringDF19 South-East Florida Global Gathering
DF19 South-East Florida Global Gathering
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Assetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management PlatformAssetforce: Force.com Mobile Asset Management Platform
Assetforce: Force.com Mobile Asset Management Platform
 
Input validation slides of web application workshop
Input validation slides of web application workshopInput validation slides of web application workshop
Input validation slides of web application workshop
 
Serverless Cyber Ops for Government
Serverless Cyber Ops for GovernmentServerless Cyber Ops for Government
Serverless Cyber Ops for Government
 

More from TEST Huddle

Why We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- AccentureWhy We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- AccentureTEST Huddle
 
Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar TEST Huddle
 
Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway TEST Huddle
 
Being a Tester in Scrum
Being a Tester in ScrumBeing a Tester in Scrum
Being a Tester in ScrumTEST Huddle
 
Leveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional TestsLeveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional TestsTEST Huddle
 
Using Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test WorkUsing Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test WorkTEST Huddle
 
Big Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New HeightsBig Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New HeightsTEST Huddle
 
Will Robots Replace Testers?
Will Robots Replace Testers?Will Robots Replace Testers?
Will Robots Replace Testers?TEST Huddle
 
TDD For The Rest Of Us
TDD For The Rest Of UsTDD For The Rest Of Us
TDD For The Rest Of UsTEST Huddle
 
Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)TEST Huddle
 
Creating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger EnterprisesCreating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger EnterprisesTEST Huddle
 
Is There A Risk?
Is There A Risk?Is There A Risk?
Is There A Risk?TEST Huddle
 
Are Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test CoverageAre Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test CoverageTEST Huddle
 
Growing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for TestersGrowing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for TestersTEST Huddle
 
Do we need testers on agile teams?
Do we need testers on agile teams?Do we need testers on agile teams?
Do we need testers on agile teams?TEST Huddle
 
How to use selenium successfully
How to use selenium successfullyHow to use selenium successfully
How to use selenium successfullyTEST Huddle
 
Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey TEST Huddle
 
Practical Test Strategy Using Heuristics
Practical Test Strategy Using HeuristicsPractical Test Strategy Using Heuristics
Practical Test Strategy Using HeuristicsTEST Huddle
 
Thinking Through Your Role
Thinking Through Your RoleThinking Through Your Role
Thinking Through Your RoleTEST Huddle
 
Using Selenium 3 0
Using Selenium 3 0Using Selenium 3 0
Using Selenium 3 0TEST Huddle
 

More from TEST Huddle (20)

Why We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- AccentureWhy We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- Accenture
 
Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar
 
Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway
 
Being a Tester in Scrum
Being a Tester in ScrumBeing a Tester in Scrum
Being a Tester in Scrum
 
Leveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional TestsLeveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional Tests
 
Using Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test WorkUsing Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test Work
 
Big Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New HeightsBig Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New Heights
 
Will Robots Replace Testers?
Will Robots Replace Testers?Will Robots Replace Testers?
Will Robots Replace Testers?
 
TDD For The Rest Of Us
TDD For The Rest Of UsTDD For The Rest Of Us
TDD For The Rest Of Us
 
Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)
 
Creating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger EnterprisesCreating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger Enterprises
 
Is There A Risk?
Is There A Risk?Is There A Risk?
Is There A Risk?
 
Are Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test CoverageAre Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test Coverage
 
Growing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for TestersGrowing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for Testers
 
Do we need testers on agile teams?
Do we need testers on agile teams?Do we need testers on agile teams?
Do we need testers on agile teams?
 
How to use selenium successfully
How to use selenium successfullyHow to use selenium successfully
How to use selenium successfully
 
Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey
 
Practical Test Strategy Using Heuristics
Practical Test Strategy Using HeuristicsPractical Test Strategy Using Heuristics
Practical Test Strategy Using Heuristics
 
Thinking Through Your Role
Thinking Through Your RoleThinking Through Your Role
Thinking Through Your Role
 
Using Selenium 3 0
Using Selenium 3 0Using Selenium 3 0
Using Selenium 3 0
 

Recently uploaded

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 

Recently uploaded (20)

Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 

Jouri Dufour - How About Security Testing - EuroSTAR 2013

  • 1. How About Security Testing? Jouri Dufour, CTG www.eurostarconferences.com @esconfs #esconfs
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8. Our BUSINESS LIFE is online.
  • 9.
  • 10. “If A happens, then B must be the case, so I will do C.” BUT WHAT IF X OCCURS?
  • 11. 01 Fooling a password change function
  • 12. Password change function Administrator N Existing password parameter ? Y User Password change request Username Existing password * New password Confirm new password * Only presented to users The functionality  The assumption  The attack
  • 13. Password change function Administrator N FLAW Existing password parameter ? Y User Password change request Username Existing password * New password Confirm new password * Only presented to users The functionality  The assumption  The attack
  • 14. Password change function Administrator N Existing password parameter ? Y User Password change request ATTACK Username Existing password * New password Confirm new password * Only presented to users The functionality  The assumption  The attack
  • 15. RECOMMENDED HACK STEPS Try removing in turn each request parameter Be sure to delete the actual parameter name as well as its value Attack only one parameter at a time Follow a multistage process through to completion
  • 16. 02 Proceeding to checkout
  • 17. Retail application Add items to shopping basket Finalize order Enter payment information Enter delivery information The functionality  The assumption  The attack
  • 18. Retail application Add items to shopping basket Finalize order Enter payment information Enter delivery information FLAW The functionality  The assumption  The attack
  • 19. Retail application Add items to shopping basket Finalize order ATTACK Enter payment information Enter delivery information The functionality  The assumption  The attack
  • 20. RECOMMENDED HACK STEPS Attempt to submit requests out of the expected sequence Be sure to fully understand the access mechanisms to distinct stages Try to violate the developers’ assumptions Use any interesting error messages and debug output to fine-tune your attacks
  • 21. The application may enforce strict access control only on the initial stages of the process
  • 22. 03 Beating a business limit
  • 23. ERP application Bank account 2 Bank account 1 Less than €10.000 ? Y N The functionality  The assumption  The attack
  • 24. ERP application Bank account 2 Bank account 1 Less than €10.000 ? FLAW Y N The functionality  The assumption  The attack
  • 25. ERP application Bank account 2 Bank account 1 €20.000 Less than €10.000 ? Y N -€20.000 The functionality  The assumption  The attack
  • 26. Many applications use numeric limits and beating such limits may have serious business consequences
  • 27. RECOMMENDED HACK STEPS Try entering negative values Sometimes several steps need to be repeated to bring the application in a vulnerable state
  • 28. 04 Cheating on bulk discounts
  • 29. Retail application Purchase bundle Shopping basket Item 1 €... Item 2 €... Item 3 €... -25% The functionality  The assumption  The attack
  • 30. Retail application Purchase bundle Shopping basket Item 1 €... Item 2 €... Item 3 €... -25% FLAW The functionality  The assumption  The attack
  • 31. Retail application Purchase bundle Shopping basket Item 1 €... Item 2 €... Item 3 €... -25% ATTACK The functionality  The assumption  The attack
  • 32. RECOMMENDED HACK STEPS Find out if adjustments are made on a one-time basis Try to manipulate the application’s behavior to get adjustments that don’t correspond to the original intended criteria
  • 33. 05 Escaping from escaping
  • 34. Web application Operating system command User-controllable input Sanitization using the backslash character ; | & < > ` space newline The functionality  The assumption  The attack
  • 35. Web application Operating system command User-controllable input Sanitization using the backslash character ; | & < > ` space newline FLAW The functionality  The assumption  The attack
  • 36. Web application Operating system command ATTACK User-controllable input Sanitization using the backslash character ; | & < > ` space newline The functionality  The assumption  The attack
  • 37. Web application COMMAND INJECTION Operating system command Foo;ls Sanitization using the backslash character ; | & < > ` space newline Foo;ls The functionality  The assumption  The attack
  • 38. RECOMMENDED HACK STEPS Attempt to insert relevant metacharacters into the data you control Always try placing a backslash immediately before each such character
  • 39. This same defect can be found in some defenses against cross-site scripting attacks
  • 40. Yesterday Today Tomorrow Dynamic Application Security Testing (DAST) Static Application Security Testing (SAST) Integrated Application Security Testing (IAST) + =
  • 42. HOW ABOUT SECURITY TESTING? Fooling a password change function Proceeding to checkout Beating a business limit Cheating on bulk discounts Escaping from escaping Speaker: Jouri Dufour www.ctg.com jouri.dufour@ctg.com