
Get Ready for Web Application Security Testing


Presented at Testing Professional Network in Auckland, New Zealand at 16 Feb 2010.

Published in: Technology

  1. Alan Kan, Technical Manager, IBM Rational Software, [email_address] - Get Ready for Web Application Security Testing
  2. Run Down
     - The Security Landscape
     - What does it mean for Testing Professionals
     - A Few Top Attacks and How to Test for Them
     - What You Can Do to Prepare for Security Testing
  6. The Web Ecosystem (Simplified)
  9. Headlines:
     - LexisNexis Data Breach - Washington Post, Feb 17, 2008
     - Malware - InformationWeek, Feb 17, 2008
     - Hacker breaks into Ecuador's presidential website - Thaindian, Feb 11, 2008
     - Hacking Stage 6 - Wikipedia, Feb 9, 2007
     - Hacker steals Davidson Cos client data - Falls Tribune, Feb 4, 2008
     - RIAA wiped off the Net - The Register, Jan 20, 2008
     - Chinese hacker steals 18M identities - Feb 10, 2008
     - Mac blogs defaced by XSS - The Register, Feb 17, 2008
     - Your Free MacWorld Expo Platinum Pass - CNet, Jan 14, 2008
     - Hacker takes down Pennsylvania gvmt - AP, Jan 6, 2008
     - Drive-by Pharming in the Wild - Symantec, Jan 21, 2008
     - Italian Bank hit by XSS fraudsters - Netcraft, Jan 8, 2008
     - Greek Ministry websites hit by hacker intrusion - eKathimerini, Jan 31, 2008
  10. What about in this part of the world?
     - "JB Hi-Fi's websites in Australia and New Zealand were redirecting customers to malicious web pages over the weekend in a cyber attack" - 01/12/2009
     - "Turkish defacers broke into the New Zealand based registrar ... Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox" - 21/04/2009
     - "Security Intelligence Service director Warren Tucker revealed government department websites had been attacked and information stolen" - 12/09/2007
     - "A florist which does all of its business online has had its website targeted by hackers and customers' credit card details have been stolen" - 16/9/2007
     - "Computer hackers have cracked the defences of dozens of top government and business sector internet sites this year, raising concerns about the safety of consumers' financial and personal information" - 14/10/2007
  13. Web Application Security is Neglected
     - 75% of all attacks on Information Security are directed to the Web Application Layer
     - 2/3 of all Web Applications are vulnerable
     - Security Spending (chart): Web Applications - 75% of attacks, 10% of dollars; Network/Server - 25% of attacks, 90% of dollars
  14. Run Down
     - The Security Landscape
     - What does it mean for Testing Professionals
     - A Few Top Attacks and How to Test for Them
     - What You Can Do to Prepare for Security Testing
  15. Secure Applications - Who is Responsible?
     - System Administrator?
     - Network Administrator?
     - Security Professional?
     - Solution Architect?
     - Developers?
     - Testing Professional?
  16. The Trend - Incorporate Security into Testing
     - SDLC stages (chart): Build, Coding, QA, Security, Production
     - Incorporate Security as part of Testing
     - Ensure vulnerabilities are addressed before applications are put into production
  17. Security Testing Steps are not that different from usual
     - Identify possible vulnerability
     - Prove vulnerability
     - Assess risk, scope, depth, severity and impact
     - Create repeatable tests
     - Test mitigation and fixes
  18. Run Down
     - The Security Landscape
     - What does it mean for Testing Professionals
     - A Few Top Attacks and How to Test for Them
     - What You Can Do to Prepare for Security Testing
  19. OWASP and the OWASP Top 10 list
     - Open Web Application Security Project - an open organization dedicated to fighting insecure software
     - "The OWASP Top Ten document represents a broad consensus about what the most critical web application security flaws are"
  21. 1 - Injection Flaws
     - What is it?
       - User-supplied data is sent to an interpreter as part of a command, query or data.
     - What are the implications?
       - SQL Injection - Access/modify data in DB
       - SSI Injection - Execute commands on server and access sensitive data
       - LDAP Injection - Bypass authentication
       - ...
  22. SQL Injection
     - User input inserted into SQL Command:
       - Get product details by id: Select * from products where id='$REQUEST["id"]';
       - Hack: send param id with value ' or '1'='1
       - Resulting executed SQL: Select * from products where id='' or '1'='1'
       - All products returned
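The query pattern from slide 22 and the "create repeatable tests / test fixes" steps from slide 17, worked through as an added example (not code from the slides or from IBM): the same lookup is written once with the input spliced into the SQL text and once with a bound parameter, against a constructed in-memory SQLite table, and a small repeatable check compares the row count for a benign id with the row count for the slide's payload. The table, product rows and function names are all assumptions made for the example.

```python
# Added example: slide 22's "where id='$REQUEST["id"]'" pattern against an in-memory
# SQLite table, beside the parameterised fix, plus a repeatable regression check.
import sqlite3

PAYLOAD = "' or '1'='1"   # the payload shown on the slide

def make_db():
    """Constructed sample data: three products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("1", "Laptop"), ("2", "Phone"), ("3", "Tablet")])
    return conn

def product_by_id_vulnerable(conn, product_id):
    # User input spliced straight into the SQL text, exactly as on the slide:
    # the payload turns the WHERE clause into  id='' or '1'='1'  and every row matches.
    sql = "SELECT * FROM products WHERE id='" + product_id + "'"
    return conn.execute(sql).fetchall()

def product_by_id_fixed(conn, product_id):
    # Bound parameter: the database never interprets the input as SQL syntax,
    # so the payload is just a product id that matches nothing.
    return conn.execute("SELECT * FROM products WHERE id=?", (product_id,)).fetchall()

def injectable(lookup, conn):
    """Repeatable test (slide 17): a single-row lookup that returns more rows for the
    payload than for a benign id is reported as injectable. Re-run after the fix."""
    baseline = len(lookup(conn, "1"))
    with_payload = len(lookup(conn, PAYLOAD))
    return with_payload > baseline

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", injectable(product_by_id_vulnerable, db))  # True
    print("fixed lookup injectable:", injectable(product_by_id_fixed, db))            # False
```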
  23. SQL Injection Example I
  24. SQL Injection Example II
  25. SQL Injection Example - Exploit
  26. SQL Injection Example - Outcome
  27. Injection Flaws (SSI Injection Example): Creating commands from input
  28. The return is the private SSL key of the server
  29. 2 - Cross-Site Scripting (XSS)
     - What is it?
       - Malicious script echoed back into HTML returned from a trusted site, and runs under the trusted context
     - What are the implications?
       - Session Tokens stolen (browser security circumvented)
       - Complete page content compromised
       - Future pages in browser compromised
  30. Cross Site Scripting - The Exploit Process
     1) Link sent to user via E-mail or HTTP
     2) User sends script embedded as data
     3) Script/data returned, executed by browser
     4) Script sends user's cookie and session information without the user's consent or knowledge
     5) Attacker uses the stolen session information to impersonate the user
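The "script echoed back into HTML" flaw of slide 29, as an added example that is not from the slides: a hypothetical search page renders the query into its response, once raw and once HTML-encoded, and a repeatable check submits a harmless probe string and classifies whether it came back with its tag characters intact, encoded, or not at all. The page function, the probe and the verdict labels are assumptions made for the example.

```python
# Added example: reflected XSS in a hypothetical search page, the encoding fix,
# and a repeatable check a tester can keep alongside functional tests.
import html

# Constructed probe: harmless, distinctive, and contains the characters that matter (< > / ').
MARKER = "<script>alert(1)</script>"

def search_page_vulnerable(query):
    # The user's input is echoed straight into the HTML, so the browser runs it
    # with the trusted site's origin (slide 29).
    return "<html><body><p>Results for: " + query + "</p></body></html>"

def search_page_fixed(query):
    # html.escape turns < > & " ' into entities; the browser now shows the input as text.
    return ("<html><body><p>Results for: " + html.escape(query, quote=True)
            + "</p></body></html>")

def xss_check(render, probe=MARKER):
    """Repeatable test: render the page with the probe and report how it came back.
    'reflected-unescaped' is the finding; the other two verdicts are safe."""
    body = render(probe)
    if probe in body:
        return "reflected-unescaped"
    if html.escape(probe, quote=True) in body:
        return "reflected-encoded"
    return "not-reflected"

if __name__ == "__main__":
    print("vulnerable page:", xss_check(search_page_vulnerable))  # reflected-unescaped
    print("fixed page:", xss_check(search_page_fixed))            # reflected-encoded
```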
  31. XSS Example I - HTML code:
  32. XSS Example II - HTML code:
  33. 4 - Insecure Direct Object Reference
     - What is it?
       - Part or all of a resource (file, table, etc.) name controlled by user input.
     - What are the implications?
       - Access to sensitive resources
       - Information Leakage, aids future hacks
  34. Insecure Direct Object Reference - Example
  35. Insecure Direct Object Reference - Example Cont.
  36. Insecure Direct Object Reference - Example Cont.
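Slide 33's "resource name controlled by user input", as an added example that is not from the slides: a hypothetical download handler joins a request parameter onto a public folder, beside a version that resolves the final path and refuses any reference that leaves that folder. The directory layout and file contents are constructed in a temporary directory for the example; the handler names are assumptions.

```python
# Added example: a file download keyed on a user-supplied name (the insecure direct
# object reference of slide 33) and a version that confines lookups to one directory.
import os
import tempfile

def make_docroot():
    """Constructed layout: <root>/public/report.txt (meant to be downloadable)
    and <root>/secret.txt (outside the public folder, must never be served)."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "report.txt"), "w") as f:
        f.write("quarterly report")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("not for download")
    return root

def download_vulnerable(root, name):
    # The resource name comes straight from the request; a name containing
    # '..' or an absolute path reaches files the application never intended to expose.
    with open(os.path.join(root, "public", name)) as f:
        return f.read()

def download_fixed(root, name):
    # Resolve symlinks and '..' first, then require the result to sit inside the
    # public directory. Returns None for anything that points elsewhere.
    public = os.path.realpath(os.path.join(root, "public"))
    target = os.path.realpath(os.path.join(public, name))
    if os.path.commonpath([public, target]) != public:
        return None
    with open(target) as f:
        return f.read()

if __name__ == "__main__":
    root = make_docroot()
    print("vulnerable, ../secret.txt:", download_vulnerable(root, "../secret.txt"))  # served
    print("fixed, ../secret.txt:", download_fixed(root, "../secret.txt"))            # None
```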
  37. Run Down
     - The Security Landscape
     - What does it mean for Testing Professionals
     - A Few Top Attacks and How to Test for Them
     - What You Can Do to Prepare for Security Testing
  38. Get Educated on the Topic
     - Beware of legal issues
     - Create a Sandpit environment
     - Know the latest trends - IBM X-Force Threat Reports
     - Study past and current exploits - US Computer Emergency Readiness Team
     - Learn how to test for the vulnerabilities - OWASP Testing Guide
     - Learn the syntax of operating systems, databases, programming code
     - Experiment with Tools - WebScarab
     - Experiment with Tools - IBM Rational AppScan
  39. How Does an Automated Tool Work?
  40. Get Tools - which ones?
     - Automated vs Manual
       - Do a lot more in a shorter timeframe
       - Regression tests
       - Recommendations
     - Security-specific vs general automated testing tool
       - Time it takes to become a security expert
       - Time it takes to learn coding
       - Time it takes to create report templates
       - Fix recommendations
       - Hard to reach places - Malware, Flash
       - Still needs a human being to validate results
     - Commercial vs Free tools
       - It costs
       - Regular updates
       - Usability, Quality
  41. Tools
     - Manual Testing
       - OWASP WebScarab
       - Firebug
     - Automated Testing
       - IBM Rational AppScan
  42. © Copyright IBM Corporation 2010. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, the on-demand business logo, Rational, the Rational logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
  43. IBM Rational AppScan
     - The undisputed market leader
       - Ranked #1 in Market Share by IDC
       - #1 in numerous industry "bake offs"
     - Automatically scans web applications for vulnerabilities
       - SQL Injection
       - Cross-site Scripting
     - Provides clear recommendations on how to fix them
       - e.g. Character sanitization
     - The Result? Improved security, lower costs, and the ability to meet PCI standards for application security