Andy Tinkham & Zach Bergman, Magenic Technologies



Contact Us
1600 Utica Avenue South, Suite 800
St. Louis Park, MN 55416
1 (877)-277-1044
info@magenic.com
» Magenic: Leading consultancy providing custom application development,
  testing and QA services
» Andy
  » 17 years of testing experience, focusing on automation, performance & other
     technical testing
  » Principal Consultant at Magenic, leading all our technical testing activities
» Zach
  » 3 years of testing experience, focusing on security & test automation
  » Consultant at Magenic, driving internal security growth & initiatives
» Testing focused on 3 aspects of a system
  » Authentication – determining an entity is who they claim to be
  » Authorization – determining whether an entity is allowed to use a
    requested action or resource
  » Accounting – documenting what occurs in the system
  (Diagram: three overlapping circles labelled Authentication, Authorization and Accounting)
» Talk about the most prevalent security vulnerabilities
» Structure that talk using the OWASP Top 10 list
  » Andy will describe issue
  » Zach will demonstrate issue and talk about techniques to identify it
» Cover some very basic testing techniques to find these
» Only begin to scratch the surface of security testing
» Open Web Application Security Project
» Non-profit organization focused on improving the security of software
» Around since 2001
» Not affiliated with any technology company
» Provide a variety of free tools, education, and information around
  application security
» Local chapter: https://www.owasp.org/index.php/Minneapolis_St_Paul
  » Next meeting: 1/21/2013, Gunnar Peterson, “Mobile AppSec – How iOS and Android Apps fail and what to do to protect them”
•   Most critical web application security flaws
•   Occur frequently
•   Easy to find
•   Easy to exploit

» The Top 10, in the order covered in this talk:
  10. Unvalidated Redirects and Forwards
  9. Insufficient Transport Layer Protection
  8. Failure to Restrict URL Access
  7. Insecure Cryptographic Storage
  6. Security Misconfiguration
  5. Cross-Site Request Forgery
  4. Insecure Direct Object References
  3. Broken Authentication & Session Management
  2. Cross-Site Scripting
  1. Injection
» Security is a big deal
  » 77 million user accounts compromised on Sony PlayStation network
  » $1 trillion dollars worth of intellectual property stolen in 2008 (McAfee)
  » Symantec estimates the global price tag of consumer cybercrime to be $110 billion with 18
     victims every second
  » 90% of businesses suffered some sort of hack in last 12 months (Research
     Ponemon/Juniper Networks, June 2011)
  » 83% of websites have had a high, critical or urgent issue (WhiteHat Security, 2009)
» Poor security can lead to
  » Unwanted information disclosure
  » Compromised data
  » Financial and Reputational Costs
  » Legal Issues (HIPAA, other industry information security governance)
» Burp Suite (http://www.portswigger.net/burp/)
» Awesome Cookie Manager (Chrome App Store)
» BodgeIt Store (http://code.google.com/p/bodgeit/)
» REST Console (Chrome App Store)
10. Unvalidated Redirects and Forwards
» Use of an app’s built-in redirect to access an unintended location
  » http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php
  » http://yoursite.com/redirect.php?url=http://badsite.com
» Users can be convinced to give information thinking they’re giving it to
  you

» Example
» Rating: Exploitability: Average | Prevalence: Uncommon | Detectability: Easy | Impact: Moderate
» Testing Technique: Look for redirect functions throughout the application in URL or request parameters
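The two halves of the technique above, as an added example that is not from the deck: a tester-side helper that flags request parameters carrying URL-like values (the first candidates to inspect), and the allow-list check a redirect endpoint such as redirect.php should apply before following the parameter. The allowed hosts and site base are assumed values; the deck only names yoursite.com.

```python
import re
from urllib.parse import parse_qs, urljoin, urlparse

# Hosts this application may redirect to. Assumed values: the deck only names
# yoursite.com as the application's own host.
ALLOWED_HOSTS = {"yoursite.com", "www.yoursite.com"}
SITE_BASE = "https://yoursite.com/"


def safe_redirect_target(url_param: str) -> str:
    """Return a redirect target that stays on an allowed host.

    Anything that would leave the site (or that a browser might interpret
    differently from the parser) is replaced by the site's landing page.
    """
    if not url_param or not url_param.strip():
        return SITE_BASE
    candidate = url_param.strip()
    # Resolve relative values against our own base, so "/account" becomes an
    # absolute URL and a protocol-relative "//badsite.com" is exposed as a host.
    resolved = urljoin(SITE_BASE, candidate)
    parsed = urlparse(resolved)
    if parsed.scheme not in ("http", "https"):
        return SITE_BASE                      # e.g. javascript:, data:
    if parsed.username is not None or parsed.password is not None:
        return SITE_BASE                      # "yoursite.com@badsite.com" tricks
    if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return SITE_BASE                      # badsite.com, yoursite.com.badsite.com
    if "\\" in resolved:
        return SITE_BASE                      # browsers treat "\" as "/"; be strict
    return resolved


# Values that look like a URL or an absolute path.
URL_LIKE = re.compile(r"^(?:https?:)?//|^/", re.IGNORECASE)


def find_redirect_parameters(url: str) -> list:
    """Tester helper: list query parameters whose value looks like a URL or path.

    These are the parameters worth checking first when looking for redirect
    functions in request parameters.
    """
    params = parse_qs(urlparse(url).query)
    return sorted(name for name, values in params.items()
                  if any(URL_LIKE.match(v.strip()) for v in values))


if __name__ == "__main__":
    for p in ("http://yoursite.com/admin.php", "http://badsite.com",
              "//badsite.com/login", "/account", "javascript:alert(1)"):
        print(f"{p!r:40} -> {safe_redirect_target(p)}")
    print(find_redirect_parameters(
        "http://yoursite.com/redirect.php?url=http://badsite.com&id=7"))
```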
9. Insufficient Transport Layer Protection
» Unencrypted data traversing networks can be seen, manipulated, and
  used without user knowledge
  » The session information from browser
  » User personally-identifiable information

» Rating: Exploitability: Difficult | Prevalence: Common | Detectability: Easy | Impact: Moderate
» Testing Technique: See if HTTPS and TLS 1.1+ are being used on the appropriate secure pages
» Example (screenshots): Request over HTTP vs. Request over HTTPS (SSL)
8. Failure to Restrict URL Access
» Typically happens when assumptions are made regarding users’
  knowledge of the app’s layout/functionality – security by obscurity
  » http://www.mysite.com/MySecretAdminConsole.php
  » http://www.mysite.com/ManagerReports


» Hidden or Unlisted resources
  » Only show the user functionality they can use
» Rating: Exploitability: Easy | Prevalence: Uncommon | Detectability: Average | Impact: Moderate
» Testing Technique: Look for exposed URLs. If unlisted, check whether the URLs can be accessed with the wrong authentication
7. Insecure Cryptographic Storage
» Apps may not secure sensitive data with appropriate cryptography or may
  not store the artifacts around the cryptography securely
» Inside or Outside of the physical data storage
  » Stored plaintext
  » Weak algorithm used
  » Unrestricted access to decrypt function
  » Private keys accessible
» Rating: Exploitability: Difficult | Prevalence: Uncommon | Detectability: Difficult | Impact: Severe
» Testing Technique: Look for sensitive data in plaintext. Look for encryption in transit (#9).
6. Security Misconfiguration
» Default settings of the platform being used
  » Configuration
  » Default usernames/passwords
  » Default error messages
  » Debugger sessions open
  » Lack of updates being applied

» Rating: Exploitability: Easy | Prevalence: Common | Detectability: Easy | Impact: Moderate
» Testing Technique: Look for custom error messages. Look for debugger sessions being allowed.
» 200 - OK
» 401 - Unauthorized
» 403 - Forbidden
5. Cross-Site Request Forgery
» Targets the user’s session information in order to act as the user
  » http://www.store.com/AddToCart.aspx?itemID=1234
  » http://www.blog.com/ChangePassword.php?NewPass=password
» Attacker takes advantage of user’s currently stored sessions
  » In other tabs of browser
  » In browser if cookies haven’t been cleared after closing

» Rating: Exploitability: Average | Prevalence: Widespread | Detectability: Easy | Impact: Moderate
» Testing Technique: Look for actions which can be completed by visiting a URL.
» The image is right here:
  <img src="http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&quantity=1">
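The basket demo above replayed in code, as an added example that is not part of the deck or of BodgeIt: a legacy handler that changes state on any GET carrying the parameters (the behaviour the image tag exploits) beside a hardened handler that only accepts a POST carrying a per-session token. The session id, catalogue and handler classes are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed catalogue. The price comes from here, never from the request,
# even though the demo URL carries a price parameter.
CATALOGUE = {"17": 4.10}


class LegacyBasket:
    """Mirrors the behaviour the deck demonstrates: any request that carries
    the parameters adds to the basket of whichever session the browser attaches."""

    def __init__(self):
        self.items = {}          # session_id -> {productid: quantity}

    def handle(self, method, url, session_id):
        params = parse_qs(urlparse(url).query)      # method is not checked
        pid = params.get("productid", [None])[0]
        if pid is None:
            return 400
        qty = int(params.get("quantity", ["1"])[0])
        basket = self.items.setdefault(session_id, {})
        basket[pid] = basket.get(pid, 0) + qty
        return 200


class HardenedBasket:
    """State changes require POST plus a per-session synchroniser token."""

    def __init__(self):
        self.items = {}
        self._tokens = {}        # session_id -> token

    def csrf_token(self, session_id):
        # Issued once per session and embedded only in the site's own forms.
        return self._tokens.setdefault(session_id, secrets.token_urlsafe(32))

    def handle(self, method, url, session_id, form=None):
        form = form or {}
        if method != "POST":
            return 405                          # an <img> can only send GET
        expected = self._tokens.get(session_id)
        supplied = form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(supplied.encode(),
                                                       expected.encode()):
            return 403                          # a foreign page cannot know it
        pid = form.get("productid")
        if pid not in CATALOGUE:
            return 400
        qty = int(form.get("quantity", "1"))
        basket = self.items.setdefault(session_id, {})
        basket[pid] = basket.get(pid, 0) + qty
        return 200


# The URL from the deck's <img> example, fetched with the victim's cookie.
IMG_URL = "http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&quantity=1"


def run_scenario():
    """Replay the image-triggered GET against both implementations."""
    victim = "session-of-victim"                # constructed session id
    legacy, hardened = LegacyBasket(), HardenedBasket()
    out = {}
    out["legacy_get"] = legacy.handle("GET", IMG_URL, victim)
    out["legacy_items"] = dict(legacy.items.get(victim, {}))
    out["hardened_get"] = hardened.handle("GET", IMG_URL, victim)
    # A POST forged without the token is rejected as well.
    out["hardened_post_no_token"] = hardened.handle(
        "POST", IMG_URL, victim, {"productid": "17", "quantity": "1"})
    # The site's own form carries the token, so the genuine action succeeds.
    ok_form = {"productid": "17", "quantity": "1",
               "csrf_token": hardened.csrf_token(victim)}
    out["hardened_post_with_token"] = hardened.handle("POST", IMG_URL, victim, ok_form)
    out["hardened_items"] = dict(hardened.items.get(victim, {}))
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:26} {v}")
```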
4. Insecure Direct Object References
» Some application resources are accessible without going through access control
  » http://www.mysite.com/Report00032
  » http://www.mysite.com/files/BugsToFix.pdf


» Manipulate requests to access resources
  » http://www.mysite.com/Report00032 → http://www.mysite.com/Report00033
  » http://www.mysite.com/MyAccount.php?user=bob → http://www.mysite.com/MyAccount.php?user=joan
» Rating: Exploitability: Easy | Prevalence: Common | Detectability: Easy | Impact: Moderate
» Testing Technique: Look for references to objects, and attempt to access other similar objects.
3. Broken Authentication & Session Management
» Poorly implemented protections can still be insecure, leading to additional vulnerabilities

» Sessions should expire
» Logout should revoke the user’s session
» Login should revoke any active sessions for the same user
» The user shouldn’t be able to manipulate or guess the session
» Key actions should revoke certain session permissions
» Session fixation
» Rating: Exploitability: Average | Prevalence: Common | Detectability: Average | Impact: Severe
» Testing Technique: Verify that sessions are actually revoked following key actions.
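The session rules listed above implemented in a small in-memory store, as an added example that is not from the deck: expiry, revocation on logout, revocation of the user's other sessions on login, an unguessable id that is rotated on login (the fixation defence) and a key action that drops the session's elevated permission. `run_scenario` walks through the checks the testing technique calls for on an injected clock; the store design and the 60-second TTL are assumptions.

```python
import secrets
import time


class SessionStore:
    """In-memory session store following the deck's rules (constructed design)."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock           # injectable so expiry can be tested
        self._sessions = {}          # sid -> {"user", "expires", "elevated"}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 random bits: not guessable

    def start_anonymous(self):
        sid = self._new_id()
        self._sessions[sid] = {"user": None, "expires": self.clock() + self.ttl,
                               "elevated": False}
        return sid

    def get(self, sid):
        """Return the session record, or None if unknown or expired."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["expires"] <= self.clock():
            del self._sessions[sid]                 # sessions expire
            return None
        rec["expires"] = self.clock() + self.ttl    # sliding expiry
        return rec

    def login(self, pre_login_sid, user):
        """Revoke the user's other sessions, drop the pre-login id (session
        fixation defence) and issue a brand-new elevated session."""
        for sid in [s for s, r in self._sessions.items() if r["user"] == user]:
            del self._sessions[sid]
        self._sessions.pop(pre_login_sid, None)
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": self.clock() + self.ttl,
                               "elevated": True}
        return sid

    def logout(self, sid):
        self._sessions.pop(sid, None)               # logout revokes the session

    def change_password(self, sid):
        """Key action: allowed once per fresh login; afterwards the session
        keeps working but loses its elevated permission until re-login."""
        rec = self.get(sid)
        if rec is None or not rec["elevated"]:
            return False
        rec["elevated"] = False
        return True


def run_scenario():
    """Walk through the checks a tester would make, on a fake clock."""
    now = [1_000_000.0]
    store = SessionStore(ttl_seconds=60, clock=lambda: now[0])
    out = {}
    anon = store.start_anonymous()
    first = store.login(anon, "bob")
    out["id_rotated_on_login"] = first != anon
    out["pre_login_id_dead"] = store.get(anon) is None
    second = store.login(store.start_anonymous(), "bob")
    out["old_session_revoked_by_new_login"] = store.get(first) is None
    out["change_password_once"] = store.change_password(second)
    out["change_password_twice"] = store.change_password(second)
    out["still_logged_in_after_key_action"] = store.get(second) is not None
    now[0] += 61                                     # past the TTL
    out["expired_after_ttl"] = store.get(second) is None
    third = store.login(store.start_anonymous(), "bob")
    store.logout(third)
    out["logout_revokes"] = store.get(third) is None
    return out


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check:36} {result}")
```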
2. Cross-Site Scripting
» Untrusted input is not cleaned prior to being passed back to the browser
» Can involve rendered HTML, JavaScript or any other web content

» Rating: Exploitability: Average | Prevalence: Very Widespread | Detectability: Easy | Impact: Moderate
» Testing Technique: Verify that input is being validated or escaped so that it does not execute.
1. Injection
» Untrusted input is not cleaned prior to being used by the application
» Users may inject their own code into
  » The App
  » SQL Queries
  » XPath Queries
  » Operating System
  » Browser/DOM
  » Anywhere data is combined into executable statements
» Rating: Exploitability: Easy | Prevalence: Common | Detectability: Average | Impact: Severe
» Testing Technique: Verify that input is being validated so that it is not executed server-side.
» Example: SELECT Username FROM Users WHERE Password = 'our input here'
» With the input a' or 'b'='b the query becomes: SELECT Username FROM Users WHERE Password = 'a' or 'b'='b'
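The query above run both ways against a constructed SQLite table, as an added example that is not from the deck: the concatenated version returns every user for the `a' or 'b'='b` input, while the parameterised version treats the same text as a literal password and returns nothing. The table and its two rows are constructed for the example; a real application would store password hashes, not plaintext (see #7).

```python
import sqlite3


def make_db():
    """Constructed in-memory table mirroring the deck's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def lookup_concatenated(conn, password):
    """Vulnerable: the deck's query assembled by string concatenation, so the
    input's quote characters become part of the SQL."""
    sql = "SELECT Username FROM Users WHERE Password = '" + password + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, password):
    """Hardened: the value travels as a bound parameter, never as SQL text."""
    rows = conn.execute("SELECT Username FROM Users WHERE Password = ?",
                        (password,))
    return [row[0] for row in rows]


def compare(password):
    """Run the same input through both versions and return what each matched."""
    conn = make_db()
    try:
        return {"concatenated": lookup_concatenated(conn, password),
                "parameterised": lookup_parameterised(conn, password)}
    finally:
        conn.close()


if __name__ == "__main__":
    for candidate in ("correct horse", "a' or 'b'='b"):
        print(f"{candidate!r:18} -> {compare(candidate)}")
```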
» Security is a big deal
» As testers, we can begin to look for obvious issues in the course of our
  normal work
» OWASP Top 10 lists 10 most prevalent web security issues & is a good
  starting point
» All of these security issues require deeper analysis beyond these
  techniques
» OWASP Top 10 document
  (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf)
» Troy Hunt’s OWASP Top 10 for .NET Developers eBook
  (https://asafaweb.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf)
» The Web Application Hacker’s Handbook, 2nd Ed.
  Dafydd Stuttard and Marcus Pinto
Contact us:
AndyT@magenic.com
ZachB@magenic.com

How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Testing the OWASP Top 10

  • 6. OWASP Top 10 (2010): most critical web application security flaws
       • Occur frequently
       • Easy to find
       • Easy to exploit
       1. Injection
       2. Cross-Site Scripting
       3. Broken Authentication & Session Management
       4. Insecure Direct Object References
       5. Cross-Site Request Forgery
       6. Security Misconfiguration
       7. Insecure Cryptographic Storage
       8. Failure to Restrict URL Access
       9. Insufficient Transport Layer Protection
       10. Unvalidated Redirects and Forwards
  • 7. » Security is a big deal
         » 77 million user accounts compromised on the Sony PlayStation Network
         » $1 trillion worth of intellectual property stolen in 2008 (McAfee)
         » Symantec estimates the global price tag of consumer cybercrime at $110 billion, with 18 victims every second
         » 90% of businesses suffered some sort of hack in the last 12 months (Ponemon Research/Juniper Networks, June 2011)
         » 83% of websites have had a high, critical or urgent issue (WhiteHat Security, 2009)
       » Poor security can lead to
         » Unwanted information disclosure
         » Compromised data
         » Financial and reputational costs
         » Legal issues (HIPAA, other industry information security governance)
  • 8. » Burp Suite (http://www.portswigger.net/burp/)
       » Awesome Cookie Manager (Chrome App Store)
       » BodgeIt Store (http://code.google.com/p/bodgeit/)
       » REST Console (Chrome App Store)
  • 9. #10 Unvalidated Redirects and Forwards
       » Use of an app’s built-in redirect to access an unintended location
         » http://yoursite.com/redirect.php?url=http://yoursite.com/admin.php
         » http://yoursite.com/redirect.php?url=http://badsite.com
       » Users can be convinced to give information thinking they’re giving it to you
       Exploitability: Average | Prevalence: Uncommon | Detectability: Easy | Impact: Moderate
       Testing technique: look for redirect functions throughout the application, in URL or request parameters, and try pointing them at an external host
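The redirect parameter above is easy to test but surprisingly hard to fix correctly. The following is an added example (not code from the deck or from BodgeIt) showing the probe values a tester would feed into `redirect.php?url=`, a prefix check of the kind that usually ships, and a checker that only allows same-host targets. `APP_HOST`, `REDIRECT_PROBES` and all function names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Hypothetical application host for the check (assumption, not from the deck).
APP_HOST = "yoursite.com"

# Values a tester drops into the redirect parameter. Each one leaves the site
# in a way that a naive check tends to miss.
REDIRECT_PROBES = [
    "http://badsite.com",                 # plain external URL
    "//badsite.com",                      # protocol-relative: browser adds the scheme
    "/\\badsite.com",                     # browsers treat "/\" like "//"
    "http://yoursite.com@badsite.com",    # userinfo trick: the host is badsite.com
    "http://yoursite.com.badsite.com/",   # passes a string-prefix comparison
    "javascript:alert(document.cookie)",  # non-HTTP scheme
]


def naive_is_safe(target, app_host=APP_HOST):
    """The check that looks right and is not: a plain string prefix test."""
    return target.startswith("/") or target.startswith("http://" + app_host)


def is_safe_redirect(target, app_host=APP_HOST):
    """Accept only same-host http(s) URLs or plain local paths."""
    if not target:
        return False
    try:
        parts = urlsplit(target)
    except ValueError:                    # malformed IPv6 literal and the like
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, vbscript: ...
    if not parts.netloc:
        # Relative reference: allow "/path", reject "//host" and "/\host",
        # which browsers resolve against a different origin.
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    # urlsplit leaves "user:pass@" inside netloc; .hostname is the real host.
    return parts.hostname == app_host and "@" not in parts.netloc


def redirect_location(target, checker, fallback="/"):
    """Location header a redirect endpoint should emit for a requested target."""
    return target if checker(target) else fallback


def probe(checker):
    """Return the probes the checker wrongly accepts (an empty list is the goal)."""
    return [p for p in REDIRECT_PROBES if checker(p)]
```

Run `probe(naive_is_safe)` and four of the six payloads come back accepted; `probe(is_safe_redirect)` returns an empty list. The same probe list is what to paste into Burp Repeater against a real redirect parameter.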
  • 10. #9 Insufficient Transport Layer Protection
        » Unencrypted data traversing networks can be seen, manipulated, and used without the user’s knowledge
          » The session information from the browser
          » User personally identifiable information
        Exploitability: Difficult | Prevalence: Common | Detectability: Easy | Impact: Moderate
        Testing technique: see whether HTTPS with TLS 1.1+ is used on all pages that should be secure (the login page, and every page that carries the session cookie or sensitive data)
  • 11. [Screenshots: request over HTTP vs. request over HTTPS (SSL)]
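The screenshot comparison above is what the proxy shows; the thing to check in the HTTPS response is whether the session cookie can still leak over plain HTTP. The following is an added example (not from the deck) with two constructed responses and an audit that flags a session cookie without the Secure or HttpOnly flag and a response without Strict-Transport-Security. The cookie values, `SESSION_COOKIE_NAMES` and the function names are assumptions.

```python
# Constructed sample responses (not captured from any real site). The first is
# what a proxy like Burp shows from an app that sets its session cookie with no
# flags; the second is the same response hardened.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/
Content-Type: text/html"""

HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=1A2B3C4D5E6F; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Type: text/html"""

# Cookie names that usually carry the session (assumption: extend per platform).
SESSION_COOKIE_NAMES = {"jsessionid", "phpsessid", "asp.net_sessionid", "sessionid", "sid"}


def parse_headers(raw):
    """Split a raw response into (lower-cased name, value) pairs, skipping the status line."""
    headers = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_name_and_flags(set_cookie_value):
    """'NAME=v; Path=/; Secure; HttpOnly' -> ('NAME', {'path', 'secure', 'httponly'})"""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def audit_transport(raw, issued_over_https=True):
    """Findings a tester would write up for one response."""
    findings = []
    headers = parse_headers(raw)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("no Strict-Transport-Security header: first visit can be downgraded to HTTP")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, flags = cookie_name_and_flags(value)
        if cookie.lower() not in SESSION_COOKIE_NAMES:
            continue
        if not issued_over_https:
            findings.append("%s: session cookie issued over plain HTTP" % cookie)
        if "secure" not in flags:
            findings.append("%s: missing Secure flag, the browser will also send it over HTTP" % cookie)
        if "httponly" not in flags:
            findings.append("%s: missing HttpOnly flag, readable by injected script" % cookie)
    return findings
```

`audit_transport(WEAK_RESPONSE)` returns three findings and `audit_transport(HARDENED_RESPONSE)` none. Pass `issued_over_https=False` when the response was observed on port 80 to add the fourth finding; a cookie issued in the clear is already compromised whatever flags it carries.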
  • 12. #8 Failure to Restrict URL Access
        » Typically happens when assumptions are made about users’ knowledge of the app’s layout/functionality (security by obscurity)
          » http://www.mysite.com/MySecretAdminConsole.php
          » http://www.mysite.com/ManagerReports
        » Hidden or unlisted resources
        » Only show the user functionality they can use (but hiding a link is not access control; the server must still check every request)
        Exploitability: Easy | Prevalence: Uncommon | Detectability: Average | Impact: Moderate
        Testing technique: look for exposed URLs. If unlisted, check whether they can be reached without logging in or with a lower-privileged account
  • 13. #7 Insecure Cryptographic Storage
        » Apps may not secure sensitive data with appropriate cryptography, or may not store the artifacts around the cryptography securely
          » Inside or outside of the physical data storage
        » Stored plaintext
        » Weak algorithm used
        » Unrestricted access to decrypt function
        » Private keys accessible
        Exploitability: Difficult | Prevalence: Uncommon | Detectability: Difficult | Impact: Severe
        Testing technique: look for sensitive data in plaintext. Look for encryption in transit (#9)
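"Stored plaintext" and "weak algorithm used" are easiest to recognise with the three storage styles side by side. The following is an added example (not from the deck) that writes the same password the way a plaintext column, an unsalted MD5 column and a salted, iterated PBKDF2 column would hold it, verifies the last one with a constant-time compare, and includes the heuristic a tester can run over a dumped password column to classify what it contains. The `pbkdf2_sha256$...` storage format and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import re

PBKDF2_ITERATIONS = 200_000   # assumption; raise it as hardware allows
HEX_DIGEST = re.compile(r"^[0-9a-f]+$", re.IGNORECASE)


def store_plaintext(password):
    """What 'stored plaintext' looks like: the column holds the password itself."""
    return password


def store_unsalted_md5(password):
    """Weak algorithm, no salt: equal passwords hash equally and
    precomputed tables crack it offline."""
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, salt=None):
    """Salted, iterated hash. Format: pbkdf2_sha256$<iters>$<salt hex>$<hash hex>."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_pbkdf2(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def classify_stored_password(value):
    """Heuristic a tester runs over a dumped Password column."""
    if value.startswith("pbkdf2_sha256$"):
        return "salted iterated hash"
    if HEX_DIGEST.match(value):
        return {32: "unsalted md5", 40: "unsalted sha1",
                64: "unsalted sha256"}.get(len(value), "bare hex digest")
    return "plaintext"
```

A column full of 32-character hex strings is the usual tell for unsalted MD5; two users with the same password and the same stored value confirms there is no salt, whatever the length.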
  • 14. #6 Security Misconfiguration
        » Default settings of the platform being used
        » Configuration
        » Default usernames/passwords
        » Default error messages
        » Debugger sessions open
        » Lack of updates being applied
        Exploitability: Easy | Prevalence: Common | Detectability: Easy | Impact: Moderate
        Testing technique: check whether error pages are custom (no stack traces, debug output or default server error pages). Check whether a debugger session is allowed
  • 15.
  • 16.
  • 17. » 200 - OK: the resource was served
        » 401 - Unauthorized: no valid credentials were presented (not logged in)
        » 403 - Forbidden: the credentials are valid but do not grant access to this resource
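The status codes above are the raw material for the #8 test on slide 12: request every URL with every role's session and tabulate the answers. The following is an added example (not from the deck) with a hypothetical app whose "secret" admin console is left out of the access check, the same app with deny-by-default routing, and the matrix-and-violations check a tester builds. The route table, role ranking and all names are assumptions; only the paths come from the slide.

```python
# Required role for every page (assumption: the paths are from slide 12, the
# role mapping is invented for the example).
ROUTES = {
    "/": "anonymous",
    "/MyAccount.php": "user",
    "/ManagerReports": "manager",
    "/MySecretAdminConsole.php": "admin",
}
ROLE_RANK = {"anonymous": 0, "user": 1, "manager": 2, "admin": 3}
ROLES = list(ROLE_RANK)

# What the vulnerable app actually protects: the menu-driven pages. The admin
# console is "hidden", so nobody wired it into the check (security by obscurity).
MENU_PROTECTED = {"/MyAccount.php": "user", "/ManagerReports": "manager"}


def _decide(required, role):
    if required == "anonymous":
        return 200
    if role == "anonymous":
        return 401      # not logged in at all
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return 403      # logged in, but not allowed
    return 200


def vulnerable_app(path, role):
    if path not in ROUTES:
        return 404
    return _decide(MENU_PROTECTED.get(path, "anonymous"), role)


def hardened_app(path, role):
    """Deny by default: every route carries its required role, unlisted ones 404."""
    if path not in ROUTES:
        return 404
    return _decide(ROUTES[path], role)


def access_matrix(app, paths=ROUTES, roles=ROLES):
    """Status code for every (path, role) pair: the table a tester builds by
    replaying each URL with each role's session cookie."""
    return {(p, r): app(p, r) for p in paths for r in roles}


def find_violations(app, required=ROUTES, roles=ROLES):
    """(path, role) pairs that returned 200 although the role is too low."""
    matrix = access_matrix(app, required, roles)
    return sorted(
        (p, r) for (p, r), status in matrix.items()
        if status == 200 and ROLE_RANK[r] < ROLE_RANK[required[p]]
    )
```

`find_violations(vulnerable_app)` lists the admin console three times (anonymous, user and manager all get a 200); `find_violations(hardened_app)` is empty. Against a real app the `required` table is whatever the specification says each page should need, and the 401/403 split tells you whether the failure is authentication or authorisation.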
  • 18. #5 Cross-Site Request Forgery
        » Targets a user’s session information in order to act as the user
          » http://www.store.com/AddToCart.aspx?itemID=1234
          » http://www.blog.com/ChangePassword.php?NewPass=password
        » Attacker takes advantage of the user’s currently stored sessions
          » In other tabs of the browser
          » In the browser if cookies haven’t been cleared after closing
        Exploitability: Average | Prevalence: Widespread | Detectability: Easy | Impact: Moderate
        Testing technique: look for state-changing actions that can be completed just by visiting a URL, and for forms that carry no per-session token
  • 19.
  • 20. » The image is right here:
        » <img src="http://10.30.46.15/bodgeit/basket.jsp?productid=17&price=4.1&quantity=1">
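The `<img>` above works because the victim's browser attaches the BodgeIt session cookie to the GET it makes for the image. The following is an added example (not code from the deck or from BodgeIt) modelling that: a basket endpoint that trusts the cookie alone, the same endpoint requiring POST plus a per-session synchroniser token, and the request the forged image produces. The `Shop` class, the request dictionaries and the token scheme are assumptions made for the example.

```python
import hmac
import secrets

PRODUCT_IN_IMG = "17"   # productid from the slide's <img> example


class Shop:
    """Minimal stand-in for the basket endpoint (example code, not BodgeIt)."""

    def __init__(self):
        self.sessions = {}   # session id -> {"user": ..., "csrf": ...}
        self.baskets = {}    # user -> [product ids]

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid):
        """Embedded in the real page so its own form can send it back."""
        return self.sessions[sid]["csrf"]

    def _session(self, request):
        return self.sessions.get(request["cookies"].get("JSESSIONID"))

    def add_vulnerable(self, request):
        """Trusts the cookie alone: any method, no token."""
        sess = self._session(request)
        if sess is None:
            return 401
        self.baskets.setdefault(sess["user"], []).append(request["params"]["productid"])
        return 200

    def add_hardened(self, request):
        """A state change needs POST plus a token only the real page knows."""
        sess = self._session(request)
        if sess is None:
            return 401
        if request["method"] != "POST":
            return 405
        supplied = request["params"].get("csrf_token", "")
        if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
            return 403
        self.baskets.setdefault(sess["user"], []).append(request["params"]["productid"])
        return 200


def forged_img_request(victim_sid):
    """What the victim's browser sends when it renders the attacker's <img>:
    a GET carrying the victim's cookie and nothing else."""
    return {"method": "GET", "cookies": {"JSESSIONID": victim_sid},
            "params": {"productid": PRODUCT_IN_IMG, "price": "4.1", "quantity": "1"}}


def legitimate_request(sid, token):
    return {"method": "POST", "cookies": {"JSESSIONID": sid},
            "params": {"productid": PRODUCT_IN_IMG, "csrf_token": token}}


def demo():
    shop = Shop()
    sid = shop.login("victim")
    outcomes = {
        "vulnerable_img": shop.add_vulnerable(forged_img_request(sid)),
        "hardened_img": shop.add_hardened(forged_img_request(sid)),
        "hardened_forged_post": shop.add_hardened(
            dict(forged_img_request(sid), method="POST")),
        "hardened_real_form": shop.add_hardened(
            legitimate_request(sid, shop.csrf_token(sid))),
    }
    return outcomes, shop.baskets["victim"]
```

Moving the action to POST alone is not enough (an attacker can auto-submit a cross-site form), which is why `hardened_forged_post` is rejected with 403: the attacker's page cannot read the victim's token.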
  • 21. #4 Insecure Direct Object References
        » Some application resources are accessible without going through access control
          » http://www.mysite.com/Report00032
          » http://www.mysite.com/files/BugsToFix.pdf
        » Manipulate requests to access resources
          » http://www.mysite.com/Report00032 → http://www.mysite.com/Report00033
          » http://www.mysite.com/MyAccount.php?user=bob → http://www.mysite.com/MyAccount.php?user=joan
        Exploitability: Easy | Prevalence: Common | Detectability: Easy | Impact: Moderate
        Testing technique: look for references to objects, and attempt to access other similar objects
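The two manipulations on the slide (incrementing a report number, swapping the `user=` parameter) fail for the same reason: the lookup uses the identifier from the request and never asks whether the caller owns the object. The following is an added example (not from the deck) with a constructed report table, the vulnerable and the owner-scoped lookups, the account page with and without the query-string identity, and the sequential-id loop a tester runs. Report owners, titles and function names are assumptions.

```python
# Constructed data: report numbers mirror the slide's Report00032/Report00033.
REPORTS = {
    32: {"owner": "bob",  "title": "Q3 expenses"},
    33: {"owner": "joan", "title": "Salary review"},
    34: {"owner": "bob",  "title": "Travel"},
}


def fetch_report_vulnerable(session_user, report_id):
    """Looks the object up by the id from the URL and never checks who owns it."""
    return REPORTS.get(report_id)


def fetch_report_hardened(session_user, report_id):
    """Object-level check scoped to the caller. A foreign id gets the same answer
    as a missing one, so the response does not even confirm that it exists."""
    report = REPORTS.get(report_id)
    if report is None or report["owner"] != session_user:
        return None
    return report


def account_page_vulnerable(session_user, requested_user):
    """MyAccount.php?user=bob pattern: the identity comes from the query string."""
    return requested_user


def account_page_hardened(session_user, requested_user=None):
    """Ignore any user parameter; the session already says who is asking."""
    return session_user


def probe_sequential_ids(fetch, as_user, start, count):
    """Tester's loop: walk neighbouring ids with one user's session and list
    every object that came back belonging to someone else."""
    leaked = []
    for rid in range(start, start + count):
        report = fetch(as_user, rid)
        if report is not None and report["owner"] != as_user:
            leaked.append(rid)
    return leaked
```

`probe_sequential_ids(fetch_report_vulnerable, "bob", 30, 10)` returns `[33]`, Joan's report; the hardened lookup returns an empty list. The probe needs two accounts you control so you can confirm the "leaked" object really belongs to the other one rather than guessing from its contents.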
  • 22. #3 Broken Authentication & Session Management
        » Poorly implemented protections can still be insecure, leading to additional vulnerabilities
        » Sessions should expire
        » Logout should revoke the user’s session
        » Login should revoke any active sessions for the same user
        » User shouldn’t be able to manipulate or guess a session ID
        » Key actions should revoke certain session permissions
        » Session fixation: a session ID that existed before login must not stay valid after login
        Exploitability: Average | Prevalence: Common | Detectability: Average | Impact: Severe
        Testing technique: verify that sessions are actually revoked on the server (not just the cookie cleared) following key actions
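The rules on the slide are small enough to implement in one server-side session table, and doing so makes the checks concrete: after each action, does the old ID still resolve to a user? The following is an added example (not from the deck) with a `SessionStore` that expires idle sessions, issues a fresh ID on login (which also defeats a fixed pre-login ID and revokes the user's other sessions), rotates on key actions and revokes on logout. The class, the idle timeout and the injectable clock are assumptions made for the example.

```python
import secrets
import time


class SessionStore:
    """Server-side session table implementing the rules on slide 22
    (example code, not from the deck)."""

    IDLE_TIMEOUT = 15 * 60      # seconds; assumption

    def __init__(self, clock=time.monotonic):
        self._clock = clock      # injectable so a test can move time forward
        self._sessions = {}      # sid -> {"user": name or None, "last_seen": float}

    def _issue(self, user):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def start_anonymous(self):
        return self._issue(None)

    def login(self, presented_sid, user):
        """On successful authentication drop the presented id (it may have been
        planted by an attacker: session fixation) and every other session this
        user already has, then issue a brand-new id."""
        for sid, sess in list(self._sessions.items()):
            if sid == presented_sid or sess["user"] == user:
                del self._sessions[sid]
        return self._issue(user)

    def user_for(self, sid):
        """Resolve a cookie to a user, expiring idle sessions on the way."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        now = self._clock()
        if now - sess["last_seen"] > self.IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def rotate(self, sid):
        """Key action (password change, privilege step-up): keep the user,
        replace the id, so a copied cookie stops working."""
        user = self.user_for(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self._issue(user)

    def logout(self, sid):
        """Server-side revoke, not merely a cleared cookie."""
        self._sessions.pop(sid, None)
```

The test sequence below is also the manual test plan: keep a copy of the session cookie in Burp, perform the action (login, logout, password change, wait past the timeout), then replay a request with the old cookie and confirm it is rejected.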
  • 23. #2 Cross-Site Scripting
        » Untrusted input is not cleaned prior to being passed back to the browser
        » Can involve rendered HTML, JavaScript or any other web content
        Exploitability: Average | Prevalence: Very Widespread | Detectability: Easy | Impact: Moderate
        Testing technique: verify that input is validated on the way in and encoded for the context it is rendered into (HTML body, attribute, JavaScript), so that it does not execute
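"Cleaned" on the slide means encoded for the place the data lands, and one page often has more than one such place. The following is an added example (not from the deck) rendering a search term into both an HTML paragraph and a JavaScript string, first as-is and then encoded per context, together with the canary check a tester uses to spot unencoded reflection. The canary, the templates and the function names are assumptions.

```python
import html
import json

# Tester's canary: one significant character from each rendering context.
CANARY = "<x'\"z>"


def render_vulnerable(term):
    """Reflects the search term into an HTML body and into a JS string as-is."""
    return "<p>Results for %s</p>\n<script>var q = '%s';</script>" % (term, term)


def js_string_literal(s):
    """JSON-encode, then hex-escape the characters that could close the <script>
    block or be misread by the HTML parser even inside a JSON literal."""
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_hardened(term):
    """Same page, encoded per context: HTML escaping for the body, a JS string
    literal for the script block."""
    return "<p>Results for %s</p>\n<script>var q = %s;</script>" % (
        html.escape(term, quote=True), js_string_literal(term))


def reflects_unescaped(page, canary=CANARY):
    """The check: did the canary come back byte-for-byte anywhere in the page?"""
    return canary in page
```

Submit `CANARY` in every input, then search the response for it unchanged; where it reappears verbatim, look at the surrounding markup to decide which context (and therefore which payload) applies. Note that `html.escape` alone would not be correct inside the `<script>` block: the JavaScript engine does not decode HTML entities, so the value has to be a proper JS literal there.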
  • 24.
  • 25. #1 Injection
        » Untrusted input is not cleaned prior to being used by the application
        » Users may inject their own code into
          » The app
          » SQL queries
          » XPath queries
          » The operating system
          » The browser/DOM
          » Anywhere data is combined into executable statements
        Exploitability: Easy | Prevalence: Common | Detectability: Average | Impact: Severe
        Testing technique: verify that input is validated and kept separate from the statement it is used in (e.g. parameterised queries), so that it is not executed server-side
  • 26.
  • 27.
  • 28. » SELECT Username FROM Users WHERE Password = 'our input here'
        » SELECT Username FROM Users WHERE Password = 'a' or 'b'='b'
          (the input a' or 'b'='b closes the string literal and appends an always-true condition, so the query matches every row)
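The query on the slide, run both ways against a throwaway database, shows the whole difference between concatenation and binding. The following is an added example (not from the deck) using an in-memory SQLite table with the slide's column names: the concatenated query returns every user for the tautology input, the parameterised one returns nothing, and `looks_injectable` is the two-request check a tester runs when the source is not available. The user rows are constructed; passwords sit in the table in plaintext only because the slide's query compares them directly (see #7).

```python
import sqlite3


def make_db():
    """Constructed Users table matching the slide's query (not real data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    con.executemany("INSERT INTO Users VALUES (?, ?)",
                    [("alice", "correct horse"), ("bob", "hunter2")])
    return con


def lookup_vulnerable(con, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = "SELECT Username FROM Users WHERE Password = '%s'" % password
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, password):
    """Bound parameter: the input is only ever a value, never SQL."""
    return [row[0] for row in
            con.execute("SELECT Username FROM Users WHERE Password = ?", (password,))]


TAUTOLOGY = "a' or 'b'='b"     # the slide's payload


def looks_injectable(lookup, con):
    """Tester's check without source access: a tautology that changes the
    result set, or a lone quote that raises a database error, both mean the
    input reached the SQL parser."""
    try:
        baseline = lookup(con, "no-such-password")
        tautology = lookup(con, "no-such-password' or 'b'='b")
        if tautology != baseline:
            return True
        lookup(con, "'")           # unterminated string if concatenated
    except sqlite3.Error:
        return True
    return False
```

Against a live application the "database error" signal is a 500 page or a stack trace (slide 14 again), and the tautology signal is a changed page: more rows, a logged-in state, or a different response length.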
  • 29. » Security is a big deal
        » As testers, we can begin to look for obvious issues in the course of our normal work
        » The OWASP Top 10 lists the 10 most prevalent web security issues and is a good starting point
        » All of these security issues require deeper analysis beyond these techniques
  • 30. » OWASP Top 10 document (http://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202010.pdf)
        » Troy Hunt’s OWASP Top 10 for .NET Developers eBook (https://asafaweb.com/OWASP%20Top%2010%20for%20.NET%20developers.pdf)
        » The Web Application Hacker’s Handbook, 2nd Ed., Dafydd Stuttard and Marcus Pinto