Web Application Security Testing
Introduction to Web Application Security Testing

Published in: Technology

  1. Ayoob Kalathingal, PMP, Director, Emstell Technology Consulting. Ayoob.ok@emstell.com. Kuwait, India, United Kingdom, Saudi Arabia.
  2.
     ◦ Understand the need for securing the application layer of web based applications.
     ◦ Understand the various web application vulnerabilities, their impact and countermeasures.
     ◦ Security testing.
     www.emstell.com
  3.
     ◦ Web applications have evolved from static pages to a more interactive set-up. This interaction has started exposing the technical deficiencies of web applications in the form of vulnerabilities.
     ◦ Dependency on the internet to carry out critical and sensitive business transactions has increased, hence the stakes involved are very high.
     ◦ "Over 50% of security attacks are targeted on web based applications" - Gartner Report
     ◦ Competition is so high that enterprises can't ignore the risk associated with their vulnerable applications. Losses incurred could vary from monetary losses to loss of credibility. In certain cases it could mean the end of the business.
  4. Many countries have come up with strict rules and regulations on information security of business:
     ◦ IT Act 2011 in India
     ◦ PIPEDA - Canada (Personal Information Protection and Electronic Documents Act)
     ◦ U.S. information security law, HIPAA - 1996 - Health Insurance Portability and Accountability Act
     Business customers are increasingly aware of systems security and are demanding security and quality certifications for the systems:
     ◦ ISO 27001
     ◦ PCI DSS - Payment Card Industry Data Security Standard
  5.
     ◦ A large number of applications are coming into the hands of the common man, carrying out transactions with personal and financial data.
     ◦ More and more applications are moving to the cloud, where the data of multiple users or enterprises is stored on a single server or data center.
     "Application security is no more a luxury, it's business."
  6.
     ◦ Confidentiality - ensuring that information is accessible only to those authorized.
     ◦ Integrity - safeguarding the accuracy and completeness of information and processing methods.
     ◦ Availability - ensuring that authorized users have access to information and associated assets when required.
     ◦ Accountability - ensuring that authorized users use information in appropriate ways.
  7. Diagram: the Client sends HTTP traffic through the Firewall (port 80 open) to the Web Server, which talks to the App Server and the DB.
  8. SQL query built by string concatenation:
       SELECT user FROM Users WHERE Username = '" & strname & "' AND Password = '" & strPassword & "'
     Query with valid input:
       SELECT user FROM Users WHERE Username = 'avis' AND Password = 'avis'
  9. Query with tampered input (username avis';--): the comment marker removes the password check.
       SELECT user FROM Users WHERE Username = 'avis';-- AND Password = '" & strPassword & "'
  10.
      ◦ Authentication: Brute Force, Weak Password Recovery Policy, Insufficient Authentication
      ◦ Authorization: Credential/Session Prediction, Insufficient Session Expiration, Session Fixation, Insufficient Authorization
      ◦ Client-Side Attacks: Content Spoofing, Cross Site Scripting
      ◦ Command Execution: Buffer Overflow, Format String Attack, LDAP Injection, OS Commanding, SQL Injection, SSI Injection, XPath Injection
      ◦ Information Disclosure: Directory Indexing, Information Leakage, Path Traversal, Predictable Resource Location
      ◦ Logical Attacks: Abuse of Functionality, Denial of Service, Insufficient Anti-Automation, Insufficient Process Validation
  11.
      ◦ Non-availability (by bringing the database down)
      ◦ Breach of confidentiality (by viewing other users' records)
      ◦ Breach of integrity (by updating other users' records)
      ◦ Impersonation (by logging into accounts without a valid password)
      + Business impacts
  12.
      ◦ Strong and secure systems, firewalls and antivirus
      ◦ Proper input validation
      ◦ Following standard coding practices
      ◦ Have a strong password policy in place
      ◦ Use of strong session ID generation algorithms
      ◦ Disable scripting in the web browser and disable input echoing
      ◦ Grant only necessary privileges to accounts that are used to connect to the DB
      ◦ Implement/configure proper access control mechanisms on the web server
      ◦ Application security testing and fixing the vulnerabilities
      ◦ Educating the users
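The string-built login query of slides 8 and 9 beside the parameterised form that the input-validation advice of slide 12 leads to, as an added Python example that is not part of the presentation; the slide's VB-style concatenation is rendered in Python with sqlite3, and the Users table and the user "avis" are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one user "avis" with password "avis", matching
    # the valid-input example on slide 8 (demo only; real systems store
    # password hashes, never plaintext).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Avis K.', 'avis', 'avis')")
    conn.commit()
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    # Concatenation as on slide 8: the user's input becomes part of the SQL
    # text, so a quote or comment marker in it changes what the query means.
    return (
        "SELECT user FROM Users WHERE Username = '" + username
        + "' AND Password = '" + password + "'"
    )


def lookup_user_unsafe(conn: sqlite3.Connection, username: str, password: str):
    # Vulnerable form: executes whatever SQL text the concatenation produced.
    row = conn.execute(build_query_unsafe(username, password)).fetchone()
    return row[0] if row else None


def lookup_user_safe(conn: sqlite3.Connection, username: str, password: str):
    # Hardened form: the SQL text is fixed and the values travel separately
    # as bound parameters, so input is only ever compared, never parsed.
    row = conn.execute(
        "SELECT user FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    tampered = "avis';--"  # the slide 9 input: closes the string, comments out the rest
    print(build_query_unsafe(tampered, "anything"))
    print("unsafe:", lookup_user_unsafe(db, tampered, "anything"))  # logs in without the password
    print("safe:  ", lookup_user_safe(db, tampered, "anything"))    # no such username: None
```

Run against the slide's own inputs, the unsafe lookup returns the user for the tampered username while the parameterised lookup returns nothing, which is the whole difference slide 12's advice is asking for.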
  13. "Though the significant attacks over time were of a zero-day attack nature, these form a much smaller count of the total attacks."
      Test based on the target users:
      ◦ Vulnerability assessments
      ◦ Penetration testing
      Manual - a team of security experts manually probes the application for common flaws.
      Automated - a tool is used for testing the application for flaws.
      False positives.
  14. "The cost of quality is higher in the later stages of an application."
      Application security should be a part of application development and should be incorporated into the SDLC process.
      ◦ Integrating security into the build.
      ◦ Educating the users, using the best of media and creative formats.
  15. Ref: www.owasp.org
  16. Emstell Technology Consulting is a technology firm offering enterprise-level software quality assurance and testing services and ERP solutions in the education sector. Our media team delivers creative animated videos for educating users on company policies, explaining business and promotion. We deliver ERP solutions in:
      ◦ Web-enabled School Management
      ◦ Library Management Solution
      ◦ Business Accounting and Inventory
  17. Ayoob Kalathingal, PMP, Director, Emstell Technology Consulting. Ayoob.ok@emstell.com. Kuwait, India, United Kingdom, Saudi Arabia.