
Security testing presentation


  1. Boutique product development company. It is amazing what you can accomplish when you have a client-centric team to deliver outstanding products.
  2. Workshop. Boutique product development company: it is amazing what you can accomplish when you have a client-centric team to deliver outstanding products.
     Sikandar Ahmed | Presenter
     Arooj Un Nisa | Co-presenter
  3. "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." — Bruce Schneier
     Security Testing
     • What is Security Testing?
     • Top 10 Security Risks
     • Security Testing Types
     • Security Exposures Revealing — Practice
     • Security Tools
     Arooj | QA Mentor
  4. What is Security Testing?
     "Security Testing" tests the ability of the system/software to prevent unauthorized access to its resources and data.
  5. What does it cover?
     Security Testing needs to cover the six basic security concepts:
     • Confidentiality
     • Integrity
     • Authentication
     • Authorization
     • Availability
     • Non-repudiation
  6. Top Ten Security Risks
     • SQL Injection
     • Cross Site Scripting (XSS)
     • Broken Authentication and Session Management
     • Insecure Direct Object References
     • Security Misconfiguration
     • Insecure Cryptographic Storage
     • Failure to Restrict URL Access
     • Insufficient Transport Layer Protection
     • Unvalidated Redirects and Forwards
  7. Types: Black Box and White Box Hacking
     • In Black Box Hacking, you try to find security bugs by experimenting with the application: manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. Watcher can be used for black box hacking.
     • In White Box Hacking, you have access to the source code and can use automated or manual analysis to identify bugs. Gruyere, whose source code is provided, is used for this: you find the bugs by reading the code.
  8. Security Exposure Revealing — Practice
     Want to beat the hackers at their own game?
     Meet me: I am Gruyere.
     Reach me: I am here at Google Code Labs.
  9. Gruyere: Practice
     Learn:
     • How hackers find security vulnerabilities
     • How hackers exploit web applications
     • How to stop them
     How web application vulnerabilities can be exploited and how to defend against these attacks:
     • How an application can be attacked using common web security vulnerabilities, like cross-site scripting (XSS) and cross-site request forgery (XSRF)
     • How to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial of service, information disclosure, or remote code execution
  10. Cross Site Scripting (XSS)
     • Cross-site scripting (XSS) is a vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the contents of a website not under the attacker's control.
     • When a victim views such a page, the injected code executes in the victim's browser.
     • Types of XSS:
       • Reflected
       • Stored
     Sikandar Ahmed | QA Mentor
  11. XSS Types
     • In a reflected XSS attack, the attack is in the request itself (frequently the URL), and the vulnerability occurs when the server inserts the attack into the response verbatim or incorrectly escaped or sanitized.
     • The victim triggers the attack by browsing to a malicious URL created by the attacker.
     • In a stored XSS attack, the attacker stores the attack in the application (e.g., in a snippet), and the victim triggers the attack by browsing to a page on the server that renders the stored data without properly escaping or sanitizing it.
  12. XSS Attack (diagram)
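Slides 10 to 12 describe reflected and stored XSS but show no code. The following is an added example, not from the deck or from Gruyere, written against Python's standard library: the same search handler twice, once copying the `q` parameter into the page verbatim (reflected XSS) and once escaping it at output time, plus a renderer for stored snippets and a small check a test suite can use to notice when escaping was missed. The URL and snippet values are constructed sample input; the function names are the example's own.

```python
import html
from urllib.parse import parse_qs, urlparse


def _query_param(url, name):
    """Return the first value of a query parameter, percent-decoded ("" if absent)."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_search_unsafe(url):
    """Reflected XSS: the 'q' parameter is copied into the response verbatim."""
    return "<p>Results for: " + _query_param(url, "q") + "</p>"


def render_search_safe(url):
    """Hardened: the same value is HTML-escaped at output time, so '<', '>', '&'
    and quotes become entities and the browser renders them as text, not markup."""
    return "<p>Results for: " + html.escape(_query_param(url, "q"), quote=True) + "</p>"


def render_snippets(snippets):
    """Stored data gets the same treatment: escape when rendering, regardless of
    where the value came from (a form, the database, another service)."""
    items = "".join("<li>" + html.escape(s, quote=True) + "</li>" for s in snippets)
    return "<ul>" + items + "</ul>"


def survives_as_markup(rendered, untrusted):
    """Detection helper for a test suite: True when an untrusted value containing
    a tag reached the response unchanged, i.e. escaping was missed somewhere."""
    return "<" in untrusted and untrusted in rendered


if __name__ == "__main__":
    # Constructed request: a harmless tag in the search parameter (%3C is '<', %3E is '>').
    url = "https://example.test/search?q=%3Cimg%20src%3Dx%3E"
    print(render_search_unsafe(url))   # the tag reaches the browser as markup
    print(render_search_safe(url))     # the tag reaches the browser as text
```

The point of `render_snippets` is that the fix is the same for both XSS types on slide 11: the server controls the output encoding, so it escapes at the moment a value is written into HTML, whether the value arrived in this request or was stored earlier.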
  13. SQL Injection
     • SQL injection vulnerabilities allow attackers to inject arbitrary SQL into queries.
     • When a SQL query is executed it can either read or write data, so it can be used to read your entire database as well as overwrite it, as described in the classic Bobby Tables XKCD comic.
     • If you use SQL, the most important advice is to avoid building queries by string concatenation; use parameterized API calls instead.
  14. How To Exploit a SQL Injection Attack?
     The SQL Injection attack allows external users to read details from the database.
     • In a well designed system this will only include data that is available to the public anyway.
     • In a poorly designed system this may allow external users to discover other users' passwords.
  15. Client State Manipulation
     • When a user interacts with a web application, they do it indirectly through a browser.
     • When the user clicks a button or submits a form, the browser sends a request back to the web server. Because the browser runs on a machine that can be controlled by an attacker, the application must not trust any data sent by the browser.
     • It might seem that not trusting any user data would make it impossible to write a web application, but that's not the case.
     • If the user submits a form that says they wish to purchase an item, it's OK to trust that data.
     • But if the submitted form also includes the price of the item, that's something that cannot be trusted.
  16. Cross Site Request Forgery (XSRF)
     • Also known as a One-Click Attack, Session Riding, or CSRF ("Sea-Surf").
     • XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
     • Unlike XSS, which exploits the trust a user has for a particular site, XSRF exploits the trust a site has in a user's browser.
  17. Cross Site Script Inclusion (XSSI)
     • When a browser makes requests to a site, it always sends along any cookies it has for that site, regardless of where the request comes from.
     • Additionally, web servers generally cannot distinguish between a request initiated by a deliberate user action (e.g., the user clicking a "Submit" button) and a request made by the browser without user action (e.g., a request for an embedded image in a page).
     • Therefore, if a site receives a request to perform some action (like deleting a mail or changing a contact address), it cannot know whether this action was knowingly initiated by the user, even if the request contains authentication cookies. An attacker can use this fact to fool the server into performing actions the user did not intend to perform.
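Slides 15 to 17 make two separate points about a form submission: the server decides what may be trusted in it (the item, not the price), and the server cannot tell from cookies alone whether the user meant to send it. The following is an added example, not from the deck or from Gruyere, of one purchase handler that applies both defenses: a per-session CSRF token that the server embeds in its own form and checks in constant time on the POST, and a server-side catalogue that is the only source of prices. The catalogue, session layout and function names are constructed for the example.

```python
import hmac
import html
import secrets

# Constructed catalogue: prices in cents, held on the server. The browser never
# decides what an item costs.
CATALOG = {"book": 1200, "mug": 800}


class RejectedRequest(Exception):
    """Raised for any request the server must not act on."""


def new_session(user):
    """Server-side session. The CSRF token is generated once per session and is
    only ever written into forms this server renders, so a form submitted from
    another origin cannot carry it (it has the cookies, not the page contents)."""
    return {"user": user, "csrf_token": secrets.token_hex(16), "orders": []}


def purchase_form_html(session, item):
    """The form the server sends to the browser; the token travels with it."""
    return (
        '<form method="post" action="/purchase">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        f'<input type="hidden" name="item" value="{html.escape(item, quote=True)}">'
        "<button>Buy</button></form>"
    )


def handle_purchase(session, form):
    """POST /purchase. `form` is a dict of the submitted fields, all untrusted."""
    # 1. Cross-site request forgery: a request triggered from another site will
    #    not contain the token from our own form. Constant-time comparison so a
    #    near-miss is not distinguishable by timing.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        raise RejectedRequest("missing or invalid CSRF token")
    # 2. Client state manipulation: the item choice is the user's decision and may
    #    be trusted (slide 15); the price is not, so it is looked up server-side.
    #    Any 'price' field the browser sent is simply never read.
    item = form.get("item")
    if item not in CATALOG:
        raise RejectedRequest("unknown item")
    price = CATALOG[item]
    session["orders"].append((item, price))
    return price
```

Checking the token before the catalogue lookup matters: a forged request should do no work at all, not even a read, before it is refused.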
  18. Path Traversal
     • Most web applications serve static resources like images and CSS files. Frequently, applications simply serve all the files in a folder.
     • If the application isn't careful, the user can use a path traversal attack to read files from other folders that they shouldn't have access to. For example, in both Windows and Linux, `..` represents the parent directory, so if you can inject `../` into a path you can "escape" to the parent directory.
     • If an attacker knows the structure of your file system, they can craft a URL that will traverse out of the installation directory to /etc.
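Slide 18 says what goes wrong but not what the check looks like. The following is an added example, not from the deck or from Gruyere, of a static-file resolver in Python's standard library that decodes the request, joins it under the static directory, canonicalises the result with `os.path.realpath` and refuses anything that lands outside the directory. The directory layout is built in a temporary folder purely for the demonstration; the function names are the example's own.

```python
import os
import tempfile
from urllib.parse import unquote


class TraversalRejected(Exception):
    pass


def resolve_static(base_dir, requested):
    """Map a requested path (the tail of /static/<path>) to a file under base_dir,
    refusing anything that resolves outside it."""
    base = os.path.realpath(base_dir)
    # Decode percent-encoding first, so %2e%2e/ is seen as ../ and not as an
    # odd but harmless file name; then drop leading slashes, because
    # os.path.join discards everything before an absolute component.
    rel = unquote(requested).lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, rel))
    # realpath collapses '..' and follows symlinks; the result must still be
    # base itself or something beneath it. Comparing canonical paths is the
    # check; string-matching for '..' in the request is not.
    if os.path.commonpath([base, candidate]) != base:
        raise TraversalRejected(requested)
    return candidate


def make_static_tree():
    """Constructed directory layout for the demonstration:
    <root>/static/css/site.css is meant to be served, <root>/secret.txt is not."""
    root = tempfile.mkdtemp()
    static = os.path.join(root, "static")
    os.makedirs(os.path.join(static, "css"))
    with open(os.path.join(static, "css", "site.css"), "w") as f:
        f.write("body {}")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("must not be served")
    return root, static


def is_served(static, requested):
    """Test helper: True only if the request resolves to an existing file under static."""
    try:
        return os.path.isfile(resolve_static(static, requested))
    except TraversalRejected:
        return False


if __name__ == "__main__":
    root, static = make_static_tree()
    for req in ("css/site.css", "../secret.txt", "..%2Fsecret.txt", "css/../../secret.txt"):
        print(req, "->", "served" if is_served(static, req) else "refused")
```

A request that is refused here should also be logged with the raw value, since a `..` or an encoded equivalent in a static-file path is a reliable signal that someone is probing the layout the slide describes.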
  19. Denial of Service
     • A denial of service (DoS) attack is an attempt to make a server unable to service ordinary requests.
     • A common form of DoS attack is sending more requests to a server than it can handle. The server spends so much of its time servicing the attacker's requests that it has very little time left to service legitimate requests.
     • Hackers can also prevent a server from servicing requests by taking advantage of server bugs, such as sending requests that crash the server, make it run out of memory, or otherwise cause it to fail to serve legitimate requests.
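For the first kind of DoS on slide 19 (more requests than the server can handle) the usual first line of defense is to refuse excess requests per client before they cost real work. The following is an added example, not from the deck or from Gruyere, of a token-bucket limiter in plain Python with an injectable clock, replayed over a constructed request log in which one client floods and another behaves normally. The log, the rates and the class names are all constructed for the example.

```python
import time


class TokenBucket:
    """Per-client token bucket. Each client may make `burst` requests at once and
    `rate` requests per second sustained; anything beyond that is refused early,
    before it reaches the expensive part of the server."""

    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)
        self.burst = float(burst)
        self.clock = clock            # injectable so tests need no sleeping
        self.buckets = {}             # client id -> (tokens, last_refill_time)

    def allow(self, client):
        now = self.clock()
        tokens, last = self.buckets.get(client, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)   # refill
        if tokens >= 1.0:
            self.buckets[client] = (tokens - 1.0, now)
            return True
        self.buckets[client] = (tokens, now)
        return False


class FakeClock:
    """Manual clock for deterministic replay."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t


def replay(log, rate, burst):
    """Replay a log of (timestamp, client) pairs through the limiter and return
    {client: (allowed, refused)}."""
    clock = FakeClock()
    limiter = TokenBucket(rate, burst, clock.now)
    counts = {}
    for ts, client in sorted(log):
        clock.t = ts
        allowed, refused = counts.get(client, (0, 0))
        if limiter.allow(client):
            counts[client] = (allowed + 1, refused)
        else:
            counts[client] = (allowed, refused + 1)
    return counts


# Constructed log, not a capture from any real system: "flood" sends 20 requests in
# the same instant and one more ten seconds later; "normal" sends one per second.
SAMPLE_LOG = ([(0.0, "flood")] * 20 + [(10.0, "flood")]
              + [(float(i), "normal") for i in range(5)])


if __name__ == "__main__":
    for client, (ok, refused) in replay(SAMPLE_LOG, rate=1, burst=5).items():
        print(f"{client}: {ok} allowed, {refused} refused")
```

The limiter addresses only the volume form of DoS; the second bullet on the slide (requests that crash the server or exhaust its memory) is a correctness bug and has to be fixed in the server, since even one such request is enough.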
  20. DoS Attack (diagram)
  21. Configuration Vulnerabilities
     • Applications are often installed with default settings.
     • This is a particular issue with third party software, where an attacker has easy access to a copy of the same application or framework you are running.
     • Hackers know the default account names and passwords. Configuration vulnerabilities also include features that increase the attack surface.
     • A common example is a feature that is on by default but you are not using, so you didn't configure it and the default configuration is vulnerable.
     • It also includes debug features like status pages or dumping stack traces on failures.
  22. AJAX vulnerabilities
     • Bad AJAX code allows attackers to modify parts of your application in ways that you might not expect.
     • In traditional client development there is a clear separation between the application and the data it displays. That's not true in web applications, as the next two attacks make clear.
  23. Security Testing Tools
     • Havij (http://itsecteam.com/products/havij-advanced-sql-injection): an automated SQL Injection tool that helps penetration testers find and exploit SQL Injection vulnerabilities on a web page.
     • WebSecurify (www.websecurify.com): an integrated web security testing environment, which can be used to identify web vulnerabilities using advanced browser automation, discovery and fuzzing technologies.
     • Watcher (http://websecuritytool.codeplex.com/): a runtime passive-analysis tool for HTTP-based web applications. Being passive means it won't damage production systems; it's completely safe to use in cloud computing, shared hosting, and dedicated hosting environments. Watcher detects web-application security issues as well as operational configuration issues.
  24. Security Testing Tools
     • Wapiti (http://wapiti.sourceforge.net/): allows you to audit the security of your web applications. It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed webapp, looking for scripts and forms where it can inject data, for example file handling errors (local and remote include/require, fopen, readfile...).
     • FlawFinder (http://www.dwheeler.com/flawfinder/): searches through C/C++ source code looking for potential security flaws. It is written in Python and produces a list of "hits" (potential security flaws) sorted by risk; the riskiest hits are shown first.
     • Honeyd (http://www.honeyd.org/): a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses.
  25. Security Testing Tools
     • Brakeman (http://brakemanscanner.org/): an open source vulnerability scanner specifically designed for Ruby on Rails applications.
     • It statically analyzes Rails application code to find security issues at any stage of development.
     • If you happen to use the Hudson/Jenkins continuous integration tool, there is a Brakeman plugin for it.
     • It requires Rails 3.
  26. Server Security — Linux
     • Set a complex root password
     • Install Fail2ban
     • Require public key authentication
     • Lock down SSH
     • Set up a firewall
     • Enable automatic security updates
     • Install Logwatch to keep an eye on things
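Two of the items on slide 26 (require public key authentication, lock down SSH) come down to a handful of `sshd_config` directives, and slide 21 warns that default settings are exactly what gets left in place. The following is an added example, not from the deck or from the referenced server-hardening post, of a small Python audit that parses an `sshd_config` and reports directives that are missing or not at the required value. The two configuration excerpts are constructed, the required-value table is this example's own selection rather than a complete hardening baseline, and the parser deliberately ignores `Match` blocks.

```python
# Constructed sshd_config excerpt with the settings slide 26 tells you to change.
# Not taken from any real host.
WEAK_SSHD_CONFIG = """\
# defaults left as installed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed hardened counterpart.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
"""

# directive (lower-cased) -> (required value, reason). This is the example's own
# selection covering the slide's two SSH items, not an exhaustive baseline.
REQUIRED = {
    "permitrootlogin": ("no", "lock down SSH: log in as a named user, not root"),
    "passwordauthentication": ("no", "require public key authentication"),
    "pubkeyauthentication": ("yes", "key login must be enabled before password login is disabled"),
}


def parse_sshd_config(text):
    """Minimal parser: 'Key value' lines, comments skipped, first occurrence wins
    (sshd uses the first value it obtains for a directive). Match blocks are not
    handled, so a directive inside one is treated as global; keep that in mind."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return (directive, value_found, value_required, reason) for every directive
    in REQUIRED that is missing or set to something other than the required value.
    A missing directive is reported too: a commented-out line means the host is
    relying on whatever the build's default happens to be."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (required, reason) in REQUIRED.items():
        found = settings.get(key)
        if found is None or found.lower() != required:
            findings.append((key, found, required, reason))
    return findings


if __name__ == "__main__":
    for key, found, required, reason in audit_sshd_config(WEAK_SSHD_CONFIG):
        print(f"{key}: found {found!r}, required {required!r} ({reason})")
    print("hardened config findings:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Running the audit on the live file (`/etc/ssh/sshd_config` on most distributions) works the same way; the order of the two changes matters, which is why `PubkeyAuthentication` is checked alongside `PasswordAuthentication`: turning off password login before key login works locks you out.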
  27. References
     • http://google-gruyere.appspot.com
     • https://www.owasp.org/index.php/Top_10_2010-Main
     • http://www.softwaretestingmentor.com/types-of-testing/security-testing/
     • http://vishnuvalentino.com/tips-and-trick/penetration-testing-pros-and-cons/
     • http://www.toolsjournal.com/testing-lists/item/217-10-free-and-opensource-tools-for-security-testing
     • http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers
