QAing the security way!

1. QAing the Security Way! Amit & Null vodQA, Pune 17th March 2018

2. “A system is secure if it behaves precisely in the manner intended - and does nothing more” - Ivan Arce

3. Amit Gundiyal Senior Consultant - Quality Analyst at ThoughtWorks, Inc 6+ years of experience (as Dev, QA & BA) About Me

4. Nalinikanth AKA Null About Me Senior Consultant - Quality Analyst at ThoughtWorks, Inc 5+ years of experience

5. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 5 Ground Rules ● Follow the speaker ○ Don’t get deviated. ○ If you are stuck call any of the volunteers. ● We will share you all the material don’t bother about that. ● Ask questions whenever you have - don’t wait. ● MOST IMPORTANT!

6. Information Technology Act 2000 Imprisonment upto 5 years and / or with fine upto ₹5,00,000 http://www.itlaw.in/ https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

7. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 7 What to expect? ● Talk about QAing and Security. ● OWASP TOP 10 ● Hands on few OWASP threats. ● We will be using tools to do an attack, but will not go in depth on the tools.

8. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 8 Agenda ● What and Why of security ? ● QA role in testing security. ● OWASP TOP 10 ● Hands on security vulnerabilities

9. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 9 What and Why of Security Testing? In 2017 ● Verizon: 14 Millions of customer records exposed in security lapse. ● Verifone: the largest maker of point-of-sale credit card terminals used across world. ● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber Intelligence Centre, Deloitte fell victim to a cyber attack in March. ● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters. Chris Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics obtained–personal data for roughly 198 million American citizens. ● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had successfully entered their corporate network gaining access to login information and passwords used by employees to access the network. ● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect 143 million consumers.

10. As a QA

11. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 11 What a QA has? ● End to end knowledge. ● One who tests almost everything in the system. ● Implement security thinking. ● Add security analysis to stories. ● Identify where security can possibly go for toss. ● Test the stories if they are vulnerable. ● Help team build more security products What a QA can do?

12. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 12 QA could have stopped this https://www.exploit-db.com/exploits/6421/

13. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 13 Let's start with a story

14. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 14 OWASP ● Open Web Application Security Project (OWASP) ● Online community, which creates freely-available articles, tools, methodologies, documentation, and technologies in the field of web application security. ● Not-for-profit charitable organization. ● Focussed on improving the security of software. ● Currently has over 150+ active projects

15. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 15 OWASP Top 10 ● List the 10 most critical web application security risks. ● A powerful awareness document. ● Published at regular intervals. ● Approximately once in 3 years. ● Last published in 2017

16. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 16 OWASP Top 10 - 2013 vs 2017

17. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 17 Tools we are using today ● OWASP Mutillidae II - Application to attack ● Burp suite to intercept requests (we can use ZAP as well) ● Python to steal cookie

18. What causes most of the attacks?

19. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 19 User Input - Surface Area I don’t like user input and this is why I don’t

20. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 20 A7: Cross-site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can: ● hijack user sessions ● deface web sites ● redirect the user to malicious sites.

21. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 21 A7: How XSS works?

22. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 22 Types of XSS ● Reflected XSS ○ Reflected XSS occurs when user input is immediately returned by a web application in an error message, search result, etc. and without permanently storing the user provided data. ● Stored XSS ○ Stored XSS generally occurs when user input is stored on the target server, such as in a database, in a message forum, visitor log, comment field, etc.

23. XSS Hands-on!! 23

24. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 24 Where in Mutillidae II?

25. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 25 A1: Injection Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Types of Injection: ● SQL Injection - Anywhere input value is being executed as a database query. ● OS Command Injection - Anywhere input is being executed as a command. ● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and many more

26. Injection Hands-on!!

27. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 27 Where in Mutillidae II? For SQL Injections -

28. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 28 Where in Mutillidae II? For OS Command Injection -

29. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 29 A3 : Sensitive Data Exposure Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sometimes data pertaining to the configuration of systems is also leaked by error messages or forgotten debug pages.

30. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 30 A3 : Sensitive Data Exposure Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text. Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like an open wireless network), and steals the user's session cookie.The attacker then replays this cookie and hijacks the user's (authenticated) session, accessing or modifying the user's private data. Instead of the above he could alter all transported data, e.g. the recipient of a money transfer. Scenario #3: The password database uses unsalted hashes to store everyone's passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.

31. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 31 Where do we miss it ● Access to some unwanted files. ● Poor encryption mechanism. ● Not using HTTPS

32. Sensitive Data Exposure Hands-on!!

33. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 33 A2 : Broken Authentication

34. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 34 A2 : Broken Authentication

35. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 35 A2 : Broken Authentication Session management is a critical piece of application security. It is broader risk, and requires developers take care of protecting session id, user credential secure storage, session duration, and protecting critical session data in transit.

36. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 36 How A2 can happen? ● SQL Injection. ● Weak passwords and Password retrieval mechanisms ● Not handling session ids properly which leads to privilege escalation or elevation of privilege. ● Cookies (Unencrypted, not securing them properly)

37. Broken Authentication Hands-on!!

38. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 38 Set up Proxy on firefox!!

39. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 39 Set up your burp Proxy!!

41. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 41 A9 : Using components with known vulnerabilities Components such as libraries, frameworks & other modules, almost always run with privileges. Exploitation of a vulnerable component can cause serious data loss or server takeover. Apps using components with known vulnerabilities may undermine app defenses and enable a range of attacks.

42. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 42 Where ● Technology we use. ● Third party libraries ○ Programing languages/ frameworks ○ Node modules ○ Charting libraries ○ Many more... ● Any tools or softwares installed.

44. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 44 Where to check and how to protect? ● https://www.cvedetails.com/ Use dependency checkers.. ● https://www.owasp.org/index.php/OWASP_Dependency_Check ● https://github.com/nodesecurity/nsp

45. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 45 A4 : XML External Entity (XXE) Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.

47. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 47 A8 : Insecure Deserialization Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.

49. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 49 A5 : Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users’ data, change access rights, etc.

50. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 50 A6 : Security Misconfiguration Web servers and applications can leak information and allow attackers to take control over systems using misconfigurations either arising out of weak defaults, hidden applications or via enhanced functionality that causes the app to become vulnerable.

53. ©ThoughtWorks, Inc. Do not copy. Do not distribute. 53 A10 : Insufficient Logging and Monitoring Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

54. ©ThoughtWorks, Inc. Do not copy. Do not distribute. ● What do you log? ● Where do you log? ● When do you log? ● Why do you log? ● Is this log sufficient? 54 A10 : Insufficient Logging and Monitoring

55. A system is secure if and only if it starts in a secure state and cannot enter an insecure state!!

56. ©ThoughtWorks, Inc. Do not copy. Do not distribute. References ● https://blog.sqreen.io/reflected-xss/ ● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html ● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/ ● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning ● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/ ● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/ ● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ ● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html ● http://fortune.com/2017/06/22/cybersecurity-hacks-history/ ● https://en.wikipedia.org/wiki/List_of_data_breaches ● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/ ● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

57. THANK YOU For questions or suggestions mailto: amit.gundiyal@thoughtworks.com nalinim@thoughtworks.com

QAing the security way!

QAing the security way!

Recommended

More Related Content

What's hot

What's hot(19)

Similar to QAing the security way!

Similar to QAing the security way!(20)

Recently uploaded

Recently uploaded(20)

QAing the security way!