The QA Analyst's Hacker's Landmark Tour v3.0


This talk is geared towards QA Analysts who want to start to understand the mindset of the 'hacker', and start thinking about web application security testing concepts.

  • Close your eyes, and imagine you’re in Paris for the first time. You wake up in your hotel room in the early morning, and are preparing to take everything in. How will you plan your next few days in Paris? The answer is that you will likely plan your trip very carefully and deliberately, making sure you hit the high points, tourist locations, and landmarks. Web application software testing is just like this … let’s talk about why.
  • Attackers target specific things…
      • “Social Reach” – ways to communicate with others: use your site’s identity to SPAM; use your site’s reputation to SPAM; manipulate “friends” networks; manipulate “professional” networks
      • “Application I/O” – each input is a possible way to push malicious data into the application: cross-site scripting {{ DEMO XSS }}; CSRF – cross-site request forgeries; SQL Injection
      • “Commerce” – product for free? manipulate other people’s data/carts
      • “Authentication” – if you can break authentication … the game is all but lost; authentication is often the only security measure (AuthN); most likely little authorization (AuthZ)
      • “Data Access” – points where queries are made to a data store; cross-application data retrieval (mash-ups); encryption, algorithms, etc (especially if stored locally…)
      {{ THE DATA IS THE ULTIMATE TARGET }}
    1. Tour-based Testing: The Hacker's Landmark Tour
       Rafal Los, SME Web App Security, v3 - 2010
    2. A quick abstract
       Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are (1), how to identify them from functional specifications (2), and how to tailor negative testing strategies to different landmark categories (3). Test teams, already choked for time and resources and now saddled with security testing, will learn how to pinpoint the defect—from the mountains of vulnerabilities often uncovered in security testing—that could compromise the entire application.
    3. CLOSE YOUR EYES
    4. The Basics
       • Modern application complexity is increasing
       • “Web 2.0”: creating complex applications
       • High complexity == High risk
       • “Too big to fully test” is a common complaint
       • “Too complex to fully test” too!
    5. Why landmark testing
       • Why does landmark-based testing make sense?
       • Testing optimization
       • Testers’ limited resources: time, CPU cycles, manpower
    6. Dirty little secret
       • “Isn’t security testing … security’s job?”
       • Actually… no.
       • Testers bring application knowledge traditional security testing lacks.
    7. Disclosure of Limitations
       • Every process and methodology has limitations
       • Tour-based testing is subjective
       • Testers are not security experts (or hackers)
       • A cooperative approach is required
    8. What is a landmark?
    9. Identifying landmarks
       • Just pretend you’re a tourist!
       • Landmarks are “points of significance”: they draw your attention and invite deeper investigation
    10. Identifying landmarks
       • Hackers look for landmarks a little differently – but with the same principles as common tourists
    11. 5 Key Landmarks
    12. Social reach
       • Attackers know they are more likely to be successful in a client-targeted attack if they can send it to you from a trusted source.
       • You trust your friends … right?
       • Links sent in tweets [or Facebook messages] from your friends
       • A company you trust says “this is our latest FREE product!”
       • Google/Bing ads for fake Anti-Virus rampant…
    13. Application I/O
       • Attackers target the input/output points of an application because there are often weaknesses in the validation mechanisms
       • File upload [or download] functionality
       • Interaction with client systems (desktop): browser interaction/manipulation (evil bookmarks); “Browser Helper Objects” or plug-ins
       • Interaction with remote systems (servers): fetch remote data from foreign system; “remote file includes”
    14. Commerce
       • Hackers aim to spend your money to get nice things for themselves
       • CSRF (Cross-Site Request Forgery) attacks exploit “simple”
       • Broken shopping carts expose credit card data
       • “Name your own price” … flawed shopping cart logic
       • Stealing (or receiving freely) your loyalty points!
    16. Authentication
       • Manipulating an authentication system to allow free access is almost as big a target as faking the authentication scheme
       • Bypassing authentication mechanisms
       • Privilege escalation (horizontal & vertical)
       • Faking authentication schemes (phishing for auth)
       • So many ways this could go wrong
    17. Data access
       • The ultimate goal for an attacker is to get some one-on-one quality time with your data-store
       • SQL Injection (#1 threat to online datastores)
       • Poorly coded client-side programs (Flash…)
       • RESTful web services
       • WebService endpoints …
    18. Ready to try this method out?
    19. Change in mindset
       • Can you think like a hacker?
       • Take a look at the following web page.
    20. [slide image: the sample web page]
    21. A quick test… Can you name 3 landmarks on that page?
    22. What draws your attention?
    23. What draws your attention?
       • Site search functionality is often unvalidated input
       • 2 prime examples of hacker targets
    24. Let’s see some real life examples
    25. What jumps out at you?
    26. Did you see these landmarks?
    27. What jumps out at you?
    28. Did you see these landmarks?
    29. What jumps out at you?
    30. Did you see these landmarks?
    31. Landmark testing IQ
       • How well did you do?
       • The crossover: attackers look for “exploitable functionality”; functional testers understand “use cases”
    32. Deriving landmarks from functional specifications
    33. Functional specifications
       • Purpose of functional specifications: lay out application functionality; provide use-cases; business map of application; answer “What does it do?”
    34. Getting the clues
       • QA testers don’t instinctively think like hackers… work from functional specifications
       • Hints for finding hacker landmarks: look for changes in privilege or trust; look for application interaction points; look for opportunistic data interaction; follow the money (commerce)
    35. Additional tidbits
       • Functional specifications define the what, not the how, of applications
       • Prioritize the what (importance)
       • Focus tools on priorities
       • Understand what, then focus tools on the how
       • All clear? Or clear as …
    38. Tailoring (negative) testing strategies
    39. This is not a secret...
       • Security testing is overwhelming
       • Most QA teams never test for security defects
       • Security defect testing defaults to “kitchen sink” approach
       • Too many results, too much noise in current testing
       • Failure to test, increase in risk
       • Testing strategies must change
    40. Shift your mind to a hacker touring your site or application.
    41. Assess your current testing
       • Perform regular analysis of your testing strategy – How does negative testing fit in?
       • Do you have the resources?
       • Are your teams equipped?
       • Can you think like a hacker?
    42. Build an application tourist map
       • Map the application: highlight target landmarks; highlight interesting functionality; cross-reference “functional areas” with “interesting features”
    45. Review: 5 key landmarks
       • 5 key areas attackers focus on: Commerce, Social Reach, Data Access, Authentication, Application I/O
    46. Distill application map
       • Functional requirements: browse catalog, user registration, user login, shopping cart, account management, pay bill online, track shipping, manage preferences
       • Interesting landmarks: user registration, user login, catalog search, cart checkout, account data entry
    47. Mix in security testing
       • [diagram] Landmark 1: Function A = “User Registration” → Functional Testing, Security Testing, Performance Testing → Analysis
    48. 3 pillars of quality
       • Each defect type is critical and equal
       • Does it function? Does it perform? Is it secure?
    49. Hacker’s Tour: Landmark Testing
    50. Be a T.A.D. more secure
       • Are you ready?
       • Think – change your mindset
       • Assess – assess your current testing
       • Do – start “hacker landmark” testing
    51. Rafal Los, Security Evangelist – HP ASC
       Direct: (765) 247-2325
       Email: Rafal@hp.com
       Twitter:
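As an added example (not part of the talk or of Rafal Los’s material), here is what “tailoring negative testing to a landmark” can look like in code for two of the landmarks above: the site search that slides 17 and 23 single out as unvalidated input feeding the data store, and the account data entry of slides 16 and 46, where the talk notes that authentication (AuthN) is usually present but authorization (AuthZ) is not. The in-memory SQLite store, the product and account rows, the probe strings and every function name are constructed for this example; each landmark is shown in a weak form beside a hardened form, with a QA-style negative test that passes only for the hardened one.

```python
"""Negative tests for two hacker landmarks: site search (Data Access /
Application I/O) and account data (Authentication without Authorization).
Added example; the store, its data and all function names are constructed
here and are not from the talk."""
import sqlite3


def build_store():
    """Constructed in-memory stand-in for the application's data store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("Landmark guidebook", 12.5), ("Paris metro pass", 29.0), ("Camera strap", 8.0)],
    )
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO accounts (id, owner, card_last4) VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1881")],
    )
    return conn


# --- Landmark: site search (Data Access / Application I/O) -------------------

def search_concat(conn, term):
    """Weak form: the search term is pasted into the SQL text, so the
    database parser sees whatever the user typed."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Hardened form: the term is bound as a parameter and is only ever
    treated as data by the driver."""
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def negative_test_search(search):
    """QA-style negative test: feed the search terms containing SQL
    metacharacters. Passes (True) only if the search neither errors nor
    returns rows whose names do not actually contain the typed text."""
    conn = build_store()
    probes = ["'", "' OR '1'='1"]  # constructed probe strings
    for probe in probes:
        try:
            hits = search(conn, probe)
        except sqlite3.Error:
            return False  # a database error means the term reached the SQL parser
        if hits != []:
            return False  # no product name contains a quote character
    return True


# --- Landmark: account data (AuthN vs AuthZ) ---------------------------------

def account_view_authn_only(conn, session_user, account_id):
    """Weak form: checks that *someone* is logged in, then serves any account
    id (horizontal privilege escalation waiting to happen)."""
    if session_user is None:
        raise PermissionError("login required")
    return conn.execute(
        "SELECT owner, card_last4 FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()


def account_view_authz(conn, session_user, account_id):
    """Hardened form: the row must belong to the logged-in user."""
    if session_user is None:
        raise PermissionError("login required")
    row = conn.execute(
        "SELECT owner, card_last4 FROM accounts WHERE id = ? AND owner = ?",
        (account_id, session_user),
    ).fetchone()
    if row is None:
        raise PermissionError("not your account")
    return row


def negative_test_account(view):
    """Passes (True) only if a logged-in user is refused another user's
    account while still being able to read their own."""
    conn = build_store()
    if view(conn, "alice", 1)[0] != "alice":
        return False  # the positive path must still work
    try:
        view(conn, "alice", 2)  # alice requests bob's account id
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for name, fn in [("search_concat", search_concat), ("search_param", search_param)]:
        print(f"{name:24s} site-search test: {'PASS' if negative_test_search(fn) else 'FAIL'}")
    for name, fn in [("account_view_authn_only", account_view_authn_only),
                     ("account_view_authz", account_view_authz)]:
        print(f"{name:24s} account-access test: {'PASS' if negative_test_account(fn) else 'FAIL'}")
```

Run as a script it reports FAIL for the two weak forms and PASS for the two hardened forms. The point for a test team is that each landmark yields a small, repeatable negative test derived directly from the functional requirement (“catalog search”, “account management”), which is far more targeted than a kitchen-sink scan of the whole application.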