The bare minimum that you should know about web application security testing in 2016

  1. The bare minimum you should know about web application security testing in 2016. Ken De Souza, KWSQA, April 2016, V. 1.0
  2. Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
  3. GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
  4. GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
  5. Source: https://youtu.be/Nt33m7G_42Q
  6. http://1drv.ms/1xNOWV7 http://bit.ly/Wn2Xdz https://goo.gl/Ir2vAQ Source: https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-short-urls-considered-harmful-for-cloud-services/
  7. This topic is HUGE. Doing this from my experiences...
  8. Agenda:
      • Common terminology
      • Learn something about the threats
      • Demos of tools
      • Explain the risks to stakeholders
      • Where to go next
  9. Small companies don't have $$$ to spend on all the latest tools, like BurpSuite, etc. There are excellent tools. The tools don't replace thinking.
  10. "security, just like disaster recovery, is a lifestyle, not a checklist" This is not a black and white problem. Source: https://news.ycombinator.com/item?id=11323849
  11. Source: http://www.amanhardikar.com/mindmaps/webapptest.html
  12. This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.
  13. The Tools:
      • STRIDE (identification)
      • DREAD (classification)
      • OWASP Top 10 (attack vectors)
      • Wireshark / tcpdump (network analysis)
      • OWASP ZAP (application analysis)
      • MS Threat Modeling (communication)
  14. STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, DoS, Elevation of Privilege. Source:
  15. Source: https://www.owasp.org/index.php/Application_Threat_Modeling
      Type                      Security Control
      Spoofing                  Authentication
      Tampering                 Integrity
      Repudiation               Non-Repudiation
      Information disclosure    Confidentiality
      Denial of service         Availability
      Elevation of privilege    Authorization
  16. DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability. Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx
  17. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
      Developer point of view...
      DREAD Parameter     Rating   Rationale
      Damage Potential    5        An attacker could read and alter data in the product database.
      Reproducibility     10       Can reproduce every time.
      Exploitability      2        Easily exploitable by automated tools found on the Internet.
      Affected Users      1        Affects critical administrative users.
      Discoverability     1        Affected page "admin.aspx" easily guessed by an attacker.
      Overall Rating      3.8
  18. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
      Tester point of view...
      DREAD Parameter     Rating   Rationale
      Damage Potential    10       An attacker could read and alter data in the product database.
      Reproducibility     10       Can reproduce every time.
      Exploitability      10       Easily exploitable by automated tools found on the Internet.
      Affected Users      10       Affects critical administrative users.
      Discoverability     10       Affected page "admin.aspx" easily guessed by an attacker.
      Overall Rating      10
  19. STRIDE / DREAD. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  20. OWASP Top 10. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  21. OWASP TOP 10
      A1: Injection: http://example.com/app/accountView?id='
      A2: Broken Authentication and Session Management: http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
      A3: Cross Site Scripting (XSS): <script>alert('test');</script>
      A4: Insecure Direct Object References: http://example.com/app/accountInfo?acct=notmyacct
      A5: Security Misconfiguration: default admin account enabled; directories shown on site; stack traces shown to users
      Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
  22. OWASP TOP 10
      A6: Sensitive Data Exposure: SSL not being used; Heartbleed; bad programming (Obamacare)
      A7: Missing Function Level Access Control: access areas where you shouldn't be able to access
      A8: Cross-Site Request Forgery: <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
      A9: Using Components with known vulnerability: not patching your 3rd party sh*t
      A10: Unvalidated redirects and forwards: http://www.example.com/redirect.jsp?url=evil.com
      Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
  23. Vulnerability                                        Tool
      A1: Injection                                        SQLMap or ZAP
      A2: Broken Authentication and Session Management     ZAP
      A3: Cross Site Scripting (XSS)                       ZAP
      A4: Insecure Direct Object References                ZAP
      A5: Security Misconfiguration                        OpenVAS
      A6: Sensitive Data Exposure                          Your brain...
      A7: Missing Function Level Access Control            OpenVAS
      A8: Cross-Site Request Forgery                       ZAP
      A9: Using Components with known vulnerability        OpenVAS
      A10: Unvalidated redirects and forwards              ZAP
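As an added example (not from the slides or the tools above), a small Python passive check in the spirit of ZAP's passive mode: it reads web server log lines and flags request URLs that resemble the A1, A2, A3 and A10 examples on the previous slides. The log lines, the TRUSTED_HOSTS set and the redirect parameter names are constructed assumptions for the demo; A4 and A8 need authorization context and response inspection, so they are deliberately not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

TRUSTED_HOSTS = {"example.com", "www.example.com"}   # assumption: hosts we own
REDIRECT_PARAMS = {"url", "redirect", "next", "returnurl"}  # assumption: typical names
BARE_DOMAIN = re.compile(r"^[\w.-]+\.[a-z]{2,}(/|$)", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def redirect_target(value):
    """Hostname named by a redirect parameter value, or None if it is not URL-like."""
    if value.startswith(("http://", "https://", "//")):
        return urlsplit(value).hostname
    if BARE_DOMAIN.match(value):
        return value.split("/")[0].lower()
    return None

def classify_request(url):
    """OWASP 2013 categories a single request URL resembles (A4/A8 need context, not checked)."""
    findings = set()
    # parse_qsl decodes percent-encoding, so id=%27 is seen as id='
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        lname = name.lower()
        if "'" in value:                  # A1: quote probe, as in accountView?id='
            findings.add("A1")
        if "session" in lname:            # A2: session id in the URL leaks via logs and Referer
            findings.add("A2")
        if "<script" in value.lower():    # A3: script tag sent through a parameter
            findings.add("A3")
        if lname in REDIRECT_PARAMS:      # A10: redirect to a host we do not own
            target = redirect_target(value)
            if target and target not in TRUSTED_HOSTS:
                findings.add("A10")
    return sorted(findings)

def scan_log(lines):
    """Map each request URL in combined-log-style lines to its findings (only hits returned)."""
    hits = {}
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            found = classify_request(m.group(1))
            if found:
                hits[m.group(1)] = found
    return hits

# Constructed sample log lines mirroring the slide examples (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2016:10:00:01 +0000] "GET /app/accountView?id=%27 HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Apr/2016:10:00:02 +0000] "GET /sale/saleitems?sessionid=268544541&dest=Hawaii HTTP/1.1" 200 812',
    '10.0.0.6 - - [01/Apr/2016:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(%27test%27)%3C/script%3E HTTP/1.1" 200 300',
    '10.0.0.7 - - [01/Apr/2016:10:00:04 +0000] "GET /redirect.jsp?url=evil.com HTTP/1.1" 302 0',
    '10.0.0.8 - - [01/Apr/2016:10:00:05 +0000] "GET /redirect.jsp?url=https://www.example.com/home HTTP/1.1" 302 0',
]
```

Run `scan_log(SAMPLE_LOG)` to get the four flagged URLs; the redirect back to www.example.com is not reported because its target is in TRUSTED_HOSTS.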
  24. Demos: Setup. VirtualBox running "OWASP Broken Web Apps". This VM has LOTS of broken web applications that are designed to learn from.
  25. What is Wireshark? Network packet / protocol analysis tool. Allows users to capture network traffic from any interface, like Ethernet, Wifi, Bluetooth, USB, etc.
  26. Source: http://www.aboutdebian.com/mailfram.gif
  27. Why use Wireshark? It is a great tool to debug your environment. Helps to examine potential security problems.
  28. Wireshark: Look at red/yellow lines between systems. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  29. Wireshark Demo
  30. TCPDump: Look at red/yellow lines between systems. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  31. Why use tcpdump? Use this when you can't use Wireshark. Great for servers.
  32. Example: tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80
  33. TCPDump Demo
  34. What is OWASP ZAP? Finds security vulnerabilities in your web applications. Can be used both manually and in an automated manner.
  35. Why use ZAP? Can be used to find many of the top 10 exploits. Can be quickly integrated into your manual or automated workflow. Can be used in active or passive mode.
  36. OWASP ZAP. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  37. OWASP ZAP Demo
  38. What is SQLMap? SQL injection tool. Takes a lot of the exploits available and automates them.
  39. SQLMap. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  40. SQLMap Demo
  41. Threat Modeling - What is it? A way to analyze and communicate security related problems. This is a much larger topic than we have time for... but I'll give you the basics.
  42. Threat Modeling - Why do this? To explain to management. To explain to customers. To explain to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model.
  43. Threat Modeling: Communicating it... Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  44. Threat Modeling Step 1: Enumerate
      – Product functionality
      – Technologies used
      – Processes
      – Listening ports
      – Process to port mappings
      – User processes that are running
      – 3rd party applications / installations
  45. Threat Modeling Step 2: Data flow with boundaries. Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx
  46. MS Threat Risk Modeling Tool Demo
  47. Threat Modeling
  48. Threat Modeling can be done at various stages of the SDLC. Source: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
  49. Other really good tools: nmap, netstat, nslookup, ps, browser dev tools
  50. All these tools help to answer the question: Is your application secure?
  51. Where to go next?
  52. Full disclosure
  53. Read!
  54. OWASP Testing Guide
  55. Bug bounties
  56. To conclude...
  57. Be aware and prepare yourself for the worst. Coming up with a plan is important. Understanding vectors is important.
  58. Thanks!
  59. References
      • Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
      • Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
      • Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
      • Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
      • Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
      • Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
      • The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/