Security Testing

  1. Security testing, prepared by Tatiana Semenchenko, Minsk 2013
  2. Why invest in testing now instead of just responding to an attack after it happens?
  3. Negative impacts of an attack:
     • Loss of customer confidence
     • Harm to your brand
     • Disruption of your online means of revenue collection
     • Web-site downtime, time lost and expenditure on repairing the damage done (reinstalling services, restoring from backups)
     • Cost of securing web applications against future attacks
     • Related legal fees and the implications of having had such lax security measures in place
  4. Security testing. Security testing is a process to determine that an information system protects data and maintains functionality as intended.
  5. Purposes of security testing:
     • Finding loopholes that can cause loss of important information and allow an intruder to enter the system.
     • Improving the current system and ensuring that it will keep working for a longer time.
     • Ensuring that people in your organization understand and obey security policies.
  6. Security concepts:
     • Confidentiality – no public access
     • Authentication – passwords
     • Authorization – permissions
     • Integrity – no unwanted changes
     • Availability – available at any time as needed
     • Non-repudiation – the recipient cannot deny having received the message
  7. Main definitions:
     • Threat: "A potential violation of security" (ISO 7498-2).
     • Impact: the consequences for an organization or environment when an attack is realized or a weakness is present.
     • Attack: a well-defined set of actions that, if successful, would result in either damage to an asset or undesirable operation.
     • Vulnerability: a weakness which allows an attacker to reduce a system's information assurance.
     • Weakness: a type of mistake in software that, under the right conditions, could contribute to the introduction of vulnerabilities within that software.
  8. National Vulnerability Database; CVE (Common Vulnerabilities and Exposures)
  9. Vulnerabilities classification by SDLC (Software Development Life Cycle) phase:

     | Phase of SDLC  | Category of vulnerabilities    | Example                      |
     |----------------|--------------------------------|------------------------------|
     | Designing      | Design vulnerabilities         | TCP/IP vulnerabilities       |
     | Implementation | Implementation vulnerabilities | Buffer overflow              |
     | Operation      | Configuration vulnerabilities  | Password less than 6 symbols |
  10. SQL Injection. SQL injection is a code injection technique, mostly known as an attack vector for websites, but it can be used to attack any type of SQL database.
  11. SQL Injection (continued). The attacker can log in without entering a password.
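     The login bypass described on slides 10 and 11, shown as an added example (not the presentation's own code): a login query built by string concatenation next to the parameterised form a security test should confirm is in place. The user table, the credentials and the test vector are all constructed here for the demonstration.

     ```python
     import sqlite3

     # Constructed in-memory user table for the demonstration (not from the slides).
     def make_db():
         conn = sqlite3.connect(":memory:")
         conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
         conn.execute("INSERT INTO users VALUES ('alice', 's3cret-pw')")
         conn.commit()
         return conn

     def login_vulnerable(conn, name, password):
         # String concatenation: user-supplied text becomes part of the SQL itself,
         # so a quote in the input ends the literal and the rest is parsed as SQL.
         query = ("SELECT name FROM users WHERE name = '" + name +
                  "' AND password = '" + password + "'")
         return conn.execute(query).fetchone() is not None

     def login_safe(conn, name, password):
         # Parameterised query: values travel separately from the SQL text, so
         # quotes and comment markers in the input can never change the statement.
         query = "SELECT name FROM users WHERE name = ? AND password = ?"
         return conn.execute(query, (name, password)).fetchone() is not None

     # Classic test vector a security tester submits in the user-name field with an
     # empty password: the quote closes the literal, OR 1=1 makes the WHERE clause
     # always true, and "--" comments out the password check that follows.
     TEST_VECTOR = "' OR 1=1 --"

     def demo():
         """Run both implementations against a valid login and the test vector."""
         conn = make_db()
         return {
             "valid_vulnerable": login_vulnerable(conn, "alice", "s3cret-pw"),
             "bypass_vulnerable": login_vulnerable(conn, TEST_VECTOR, ""),
             "valid_safe": login_safe(conn, "alice", "s3cret-pw"),
             "bypass_safe": login_safe(conn, TEST_VECTOR, ""),
         }

     if __name__ == "__main__":
         print(demo())
     ```

     The vulnerable version accepts the test vector with no password at all, while the parameterised version treats it as an ordinary, non-matching user name.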
  12. Cross-Site Scripting. Cross-site scripting (XSS) enables attackers to inject client-side script into web pages viewed by other users.
     • Non-persistent XSS attack: the attack requires a user to visit a link specially crafted by the attacker. When the user visits the link, the crafted code is executed by the user's browser.
     • Persistent XSS attack: the code injected by the attacker is stored on secondary storage (mostly in a database). The damage caused by a persistent attack is greater than that of a non-persistent attack.
  13. Example 1 of XSS. The original page:

         <html>
         <body>
         <h1>New Job Posting</h1>
         <h2>Job Description</h2>
         <hr/>
         Secure Web Developer Needed
         </body>
         </html>

     The same page after the attacker's script has been injected into the stored job description:

         <html>
         <body>
         <h1>New Job Posting</h1>
         <h2>Job Description</h2>
         <hr/>
         Secure Web Developer Needed
         <!-- injected by the attacker; runs in every visitor's browser -->
         <script>/*something evil*/</script>
         </body>
         </html>
  14. Example 2 of XSS. `<script>alert()</script>` is the simplest probe; a real attack can overlay the login screen with the attacker's own form, allowing them to harvest usernames and passwords.
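     The job-posting case from slides 12 to 14, as an added example that is not part of the presentation: the stored description is rendered once without and once with output encoding, so the difference between a script element the browser executes and text it merely displays is visible. The template and the malicious posting are constructed to match the slide.

     ```python
     import html

     # Constructed page template for the "New Job Posting" example (not the slide's
     # own code); the job description is read from storage, i.e. the database.
     TEMPLATE = ("<html><body><h1>New Job Posting</h1><h2>Job Description</h2>"
                 "<hr/>{description}</body></html>")

     def render_vulnerable(description):
         # The stored text is pasted into the page unchanged, so any markup in it
         # is parsed by every visitor's browser: this is the persistent XSS case.
         return TEMPLATE.format(description=description)

     def render_safe(description):
         # Output encoding: <, >, &, " and ' become HTML entities, so the browser
         # displays the text literally instead of treating it as a script element.
         return TEMPLATE.format(description=html.escape(description, quote=True))

     def executable_script_present(page):
         # True when the page contains a real <script> element (what the browser
         # would execute), as opposed to the escaped entity text "&lt;script&gt;".
         return "<script" in page.lower()

     # Constructed malicious posting, matching the injected example on slide 13.
     INJECTED = "Secure Web Developer Needed <script>/*something evil*/</script>"

     def demo():
         """Render the injected posting both ways and report whether a script survives."""
         return {
             "vulnerable_executes": executable_script_present(render_vulnerable(INJECTED)),
             "safe_executes": executable_script_present(render_safe(INJECTED)),
             "safe_output": render_safe(INJECTED),
         }

     if __name__ == "__main__":
         for key, value in demo().items():
             print(key, "=", value)
     ```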
  15. Social Engineering. Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. Phishing is a social engineering technique for fraudulently obtaining private information. What to look for in a phishing email:
     • Generic greeting
     • Forged link (for example, http instead of https)
     • Requests for personal information
     • Sense of urgency
  16. Vulnerabilities 2011-2012
  17. Specific vulnerabilities for websites in different programming languages, 2011-2012 (share of sites affected):

     | Vulnerability                 | PHP  | ASP.NET | JAVA |
     |-------------------------------|------|---------|------|
     | Cross-Site Request Forgery    | 73 % | 35 %    | 35 % |
     | SQL Injection                 | 61 % | 22 %    | -    |
     | Cross-Site Scripting          | 43 % | 39 %    | -    |
     | Insufficient Anti-Automation  | 42 % | 35 %    | -    |
     | Path Traversal                | 42 % | -       |      |
     | Application Misconfiguration  | -    | 17 %    | 29 % |
     | Insufficient Authorization    | -    | -       | 41 % |
     | Insufficient Authentication   | -    | -       | 29 % |
     | OS Commanding                 | -    | -       | 29 % |
  18. Vulnerabilities 2011-2012
  19. Security testing cycle:
     • Risk assessment – creating a threat model.
     • Security auditing – using the threat model to probe the system design.
     • Vulnerability scanning – using software to probe the system implementation.
     • Penetration testing – trying to hack into the system, either externally or internally.
     • Operational testing – some or all of the above after the system is in production.
  20. Vulnerability scanning:
     • Network scanning software identifies weak networking device settings (e.g., vulnerable ports left open, default passwords).
     • Web application scanning software identifies weak web application settings, failure to apply patches for known web application vulnerabilities, etc.
     • Database scanning software identifies similar weaknesses in database management systems and database applications.
     One list of scanning software and vendors can be found at:
  21. Penetration testing:
     • Network: outside (Internet) / inside (Intranet)
     • Information for the tester: black-box / white-box
     • Information for staff: Black Hat / White Hat
     Special software: programs that make use of discovered vulnerabilities, so-called "exploits". Metasploit Framework is a widespread open-source software product.
  22. Fuzzing. Fuzz testing or fuzzing is a software testing technique, often automated or semi-automated, that involves providing invalid, unexpected, or random data to the inputs of a computer program. It can be useful for generating data for code-injection tests.
  23. Security Test Plan:
     • A security evaluation should be performed for the software.
     • Security requirements should be established for the software development and/or operations and maintenance (O&M) processes.
     • Each software review or audit should include an evaluation of the security requirements.
     • A configuration management and corrective action process should be in place to provide security for the existing software.
     • Any proposed changes should not inadvertently create security violations or vulnerabilities.
     • Physical security for the software should be adequate.
  24. Check list for security testing:
     1. Try to directly access a bookmarked web page without logging in to the system.
     2. Verify that the system restricts you from downloading a file without signing in.
     3. Verify that previously accessed pages are not accessible after logging out, i.e. sign out and then press the Back button to reach a page accessed before.
     4. Check valid and invalid passwords against the password rules, e.g. the password cannot be shorter than 6 characters, the user ID and password cannot be the same, etc.
     5. Verify that sensitive information such as passwords, ID numbers, credit card numbers, etc. is not displayed in the input box while typing; it should be encrypted and shown in asterisk format.
     6. Check whether bookmarking is disabled on secure pages; it should be disabled.
     7. Check whether Right Click, View and Source are disabled; source code should not be visible to the user.
     8. Is there an alternative way to access secure pages for browsers under version 3.0, since SSL is not compatible with those browsers?
     9. Check whether your server locks out an individual who has tried to access your site multiple times with invalid login/password information.
     10. Verify the timeout condition: after timeout the user should not be able to navigate through the site.
     11. Check whether you are prevented from doing direct searches by editing content in the URL.
     12. Verify that relevant information is written to the log files and that this information is traceable.
     13. In SSL, verify that the encryption is done correctly and check the integrity of the information.
     14. Verify that a restricted page is not accessible by the user after session timeout.
     15. ID/password authentication: the same account cannot log on from different machines at the same time, so at any moment only one user can be logged in to the system with a given user ID.
     16. ID/password authentication: enter the wrong password several times and check whether the account gets locked.
     17. Add or modify important information (passwords, ID numbers, credit card numbers, etc.) and check whether the change is reflected immediately or the old values are cached.
     18. Verify that error messages do not contain information that a hacker could use to attack the web site.
  25. Security testing (summary). Security testing is a process to determine that an information system protects data and maintains functionality as intended.
     • Main security concepts: confidentiality, integrity, availability.
     • Main security testing methods: vulnerability scanning, penetration testing.
  26. Links