The bare minimum you should know about web application security testing in 2016
Ken De Souza
KWSQA, April 2016
V. 1.0

Opening example: the Nissan LEAF app API
Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21

Nothing in this request identifies the user: no session cookie, no token, no password. The car is selected purely by the VIN in the query string, which is printed on the windscreen of every vehicle, so anyone who knows or enumerates a VIN can query someone else's car, and the sibling endpoints let them control its features.

Source: https://youtu.be/Nt33m7G_42Q

http://1drv.ms/1xNOWV7
http://bit.ly/Wn2Xdz
https://goo.gl/Ir2vAQ
Short links are not secrets: a six-character token space is small enough to scan, so OneDrive files, bit.ly links and Google Maps directions shared only by short URL are effectively public.
Source: https://freedom-to-tinker.com/blog/vitaly/gone-in-six-characters-short-urls-considered-harmful-for-cloud-services/

This topic is HUGE
Doing this from my experiences...

Common terminology
Learn something about the threats
Demos of tools
Explain the risks to stakeholders
Where to go next

Small companies don't have $$$ to spend on all the latest tools, like Burp Suite, etc.
There are excellent free tools.
The tools don't replace thinking.

"security, just like disaster recovery, is a lifestyle, not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849

Web application testing mindmap
Source: http://www.amanhardikar.com/mindmaps/webapptest.html

This is a practical / experience talk.
These are the tools I use on a daily(ish) basis when I'm testing software.
Your mileage may vary.

The Tools
STRIDE (identification)
DREAD (classification)
OWASP Top 10 (attack vectors)
Wireshark / tcpdump (network analysis)
OWASP ZAP (application analysis)
MS Threat Modeling Tool (communication)

STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service (DoS)
Elevation of Privilege

STRIDE threat and the security control that addresses it
Type                      Security Control
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Non-Repudiation
Information disclosure    Confidentiality
Denial of service         Availability
Elevation of privilege    Authorization
Source: https://www.owasp.org/index.php/Application_Threat_Modeling

DREAD
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx

DREAD, developer point of view...
Parameter          Rating  Rationale
Damage Potential   5       An attacker could read and alter data in the product database.
Reproducibility    10      Can reproduce every time.
Exploitability     2       Easily exploitable by automated tools found on the Internet.
Affected Users     1       Affects critical administrative users.
Discoverability    1       Affected page "admin.aspx" easily guessed by an attacker.
Overall Rating     3.8     (average of the five scores)
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

DREAD, tester point of view...
Parameter          Rating  Rationale
Damage Potential   10      An attacker could read and alter data in the product database.
Reproducibility    10      Can reproduce every time.
Exploitability     10      Easily exploitable by automated tools found on the Internet.
Affected Users     10      Affects critical administrative users.
Discoverability    10      Affected page "admin.aspx" easily guessed by an attacker.
Overall Rating     10      (average of the five scores)
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Same finding, same rationale, very different numbers: DREAD scores are only as consistent as the people assigning them, so agree on what each rating means before arguing about the total.

STRIDE / DREAD
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP Top 10
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP TOP 10 (2013)
A1: Injection
    http://example.com/app/accountView?id='
A2: Broken Authentication and Session Management
    http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
A3: Cross Site Scripting (XSS)
    <script>alert('test');</script>
A4: Insecure Direct Object References
    http://example.com/app/accountInfo?acct=notmyacct
A5: Security Misconfiguration
    Default admin account enabled; directory listings shown on site; stack traces shown to users
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10

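A worked example of the A1 entry above, added here as an illustration and not part of the original deck: the `accountView?id='` probe from the slide and a boolean payload are run against a deliberately vulnerable lookup and against its parameterised fix, using an in-memory SQLite table. The table, its rows and the function names are assumptions made for the demo. This is the by-hand version of what SQLMap automates later in the deck.

```python
import sqlite3

# Constructed sample table for this demonstration (not data from the slides).
ACCOUNTS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "admin", "admin@example.com"),
]


def make_db():
    """In-memory SQLite database standing in for the application's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    return conn


def account_view_vulnerable(conn, account_id):
    """A1 pattern: the query-string value is pasted into the SQL text.

    The lone quote from the slide (accountView?id=') leaves the string literal
    unterminated and the database throws a syntax error, which is how a tester
    first spots the bug; a boolean payload then rewrites the WHERE clause.
    """
    sql = "SELECT id, name, email FROM accounts WHERE id = '%s'" % account_id
    return conn.execute(sql).fetchall()


def account_view_safe(conn, account_id):
    """Fix: a bound parameter. The value is never parsed as SQL, so a quote is
    just a character in the comparison and matches nothing."""
    sql = "SELECT id, name, email FROM accounts WHERE id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


def probe(conn, handler, payload):
    """Run one payload the way a tester would and classify the outcome:
    ("rows", [...]) for a result set, ("error", message) when the database
    rejected the statement (an error leaking back to the user is a finding
    in its own right, see A5)."""
    try:
        return ("rows", handler(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


PAYLOADS = ["1", "'", "' OR '1'='1"]

if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", account_view_vulnerable), ("safe", account_view_safe)):
        for p in PAYLOADS:
            print(name, repr(p), probe(db, handler, p))
```

Against the vulnerable handler the quote produces a database error and `' OR '1'='1` returns every account; against the parameterised handler both payloads return an empty result and only a genuine id matches.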
OWASP TOP 10 (2013), continued
A6: Sensitive Data Exposure
    SSL not being used
    Heartbleed
    Bad programming (Obamacare)
A7: Missing Function Level Access Control
    Reaching pages or functions you should not be able to access
A8: Cross-Site Request Forgery
    <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
A9: Using Components with Known Vulnerabilities
    Not patching your 3rd party sh*t
A10: Unvalidated Redirects and Forwards
    http://www.example.com/redirect.jsp?url=evil.com
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10

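A worked example of the A8 entry above, added here and not from the original deck: the hidden-image request from the slide is replayed against a fund-transfer handler with no CSRF protection and against a hardened one (POST only, Origin check, per-session token, and a SameSite cookie as described in the Langkemper post in the references). Requests are modelled as plain dicts; the session store, site URL and function names are assumptions made for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE = "https://example.com"   # the site targeted by the slide's <img> payload

# Constructed in-memory session store for the demonstration: session id -> CSRF token.
SESSIONS = {}


def new_session():
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def session_cookie_header(sid):
    """Set-Cookie line for the session. SameSite=Lax makes the browser omit the
    cookie on cross-site subresource loads such as the slide's hidden <img>, so
    the forged request reaches the server with no session at all."""
    return "Set-Cookie: session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % sid


def transfer_funds_vulnerable(req):
    """A8 pattern: any request carrying a valid session cookie moves money, even a GET."""
    sid = req.get("cookie_session")
    if sid not in SESSIONS:
        return (401, "not logged in")
    p = req["params"]
    return (200, "moved %s to %s" % (p["amount"], p["destinationAccount"]))


def transfer_funds_safe(req):
    """Fix: state changes only via POST, from the site's own origin, carrying the
    per-session token. Each check stops a different style of forgery."""
    sid = req.get("cookie_session")
    if sid not in SESSIONS:
        return (401, "not logged in")
    if req["method"] != "POST":
        return (405, "state-changing request must be POST")
    origin = req.get("headers", {}).get("Origin", "")
    if urlsplit(origin)[:2] != urlsplit(SITE)[:2]:
        return (403, "cross-site origin rejected")
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, SESSIONS[sid]):
        return (403, "missing or wrong CSRF token")
    f = req["form"]
    return (200, "moved %s to %s" % (f["amount"], f["destinationAccount"]))


def forged_img_request(sid):
    """What the browser sends when the slide's <img> loads on an attacker's page:
    GET, the victim's cookie attached (pre-SameSite behaviour), no form body,
    no token, no Origin header."""
    return {"method": "GET", "cookie_session": sid,
            "headers": {"Referer": "https://attacker.example/"},
            "params": {"amount": "1500", "destinationAccount": "attackersAcct"}}


def forged_post_request(sid):
    """A cross-site auto-submitting form: POST, cookie attached, attacker Origin."""
    return {"method": "POST", "cookie_session": sid,
            "headers": {"Origin": "https://attacker.example"},
            "form": {"amount": "1500", "destinationAccount": "attackersAcct"}}


def legitimate_request(sid):
    """The site's own form: POST, same origin, token rendered into the page."""
    return {"method": "POST", "cookie_session": sid,
            "headers": {"Origin": SITE},
            "form": {"amount": "1500", "destinationAccount": "savings",
                     "csrf_token": SESSIONS[sid]}}


if __name__ == "__main__":
    sid = new_session()
    print(session_cookie_header(sid))
    print("vulnerable, forged img :", transfer_funds_vulnerable(forged_img_request(sid)))
    print("safe, forged img       :", transfer_funds_safe(forged_img_request(sid)))
    print("safe, forged POST      :", transfer_funds_safe(forged_post_request(sid)))
    print("safe, legitimate       :", transfer_funds_safe(legitimate_request(sid)))
```

The vulnerable handler accepts the image-triggered GET with a 200; the hardened one rejects it on method, rejects a cross-site POST on Origin, rejects a same-origin POST with a wrong token, and accepts only the site's own form. The SameSite attribute is defence in depth: it stops the cookie from being sent in the first place, but the token check is what protects browsers that do not honour it.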
Vulnerability                                      Tool
A1: Injection                                      SQLMap or ZAP
A2: Broken Authentication and Session Management   ZAP
A3: Cross Site Scripting (XSS)                     ZAP
A4: Insecure Direct Object References              ZAP
A5: Security Misconfiguration                      OpenVAS
A6: Sensitive Data Exposure                        Your brain...
A7: Missing Function Level Access Control          OpenVAS
A8: Cross-Site Request Forgery                     ZAP
A9: Using Components with Known Vulnerabilities    OpenVAS
A10: Unvalidated Redirects and Forwards            ZAP

Demos: Setup
VirtualBox running "OWASP Broken Web Apps"
This VM has LOTS of broken web applications that are designed to learn from.

What is Wireshark?
Network packet / protocol analysis tool
Allows users to capture network traffic from any interface, like Ethernet, Wifi, Bluetooth, USB, etc.

Source: http://www.aboutdebian.com/mailfram.gif

Why use Wireshark?
It is a great tool to debug your environment
Helps to examine potential security problems

Wireshark:
Look at the red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Wireshark Demo

tcpdump:
Look at the red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Why use tcpdump?
Use this when you can't use Wireshark
Great for servers

Example
tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80
-l: line-buffered output
-nn: do not resolve host names or port numbers (faster, and no DNS traffic of your own during the capture)
-i eth0: capture on that interface
-w dump: write the raw packets to the file "dump", a pcap you can copy off the server and open in Wireshark later, which is the point when the server has no GUI
-s 65535: capture whole packets rather than truncating them to the default snaplen
host web01 and port 80: capture filter, only traffic to or from web01 on port 80

tcpdump Demo

What is OWASP ZAP?
Finds security vulnerabilities in your web applications
Can be used both manually and in an automated manner

Why use ZAP?
Can be used to find many of the Top 10 vulnerabilities
Can be quickly integrated into your manual or automated workflow
Can be used in active or passive mode

OWASP ZAP
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

OWASP ZAP Demo

What is SQLMap?
SQL injection tool
Takes the injection techniques a tester would otherwise try by hand (detection, database fingerprinting, data extraction) and automates them

SQLMap
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

SQLMap Demo

Threat Modeling - What is it?
A way to analyze and communicate security related problems
This is a much larger topic than we have time for ... but I'll give you the basics

Threat Modeling - Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now have the basics to be able to build a model

Threat Modeling: Communicating it...
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf

Threat Modeling
Step 1: Enumerate
– Product functionality
– Technologies used
– Processes
– Listening ports
– Process to port mappings
– User processes that are running
– 3rd party applications / installations

Threat Modeling
Step 2: Data flow with boundaries
Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx

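A worked example for Step 1 and Step 2 together, added here and not part of the original deck: it turns `ss -ltnp` output (`netstat -ltnp`, from the "other tools" slide, gives the same information) into the listening-port and process-to-port inventory that Step 1 asks for, and sorts each socket onto a side of the host's network boundary, which is the raw material for the data-flow diagram in Step 2. The sample output is constructed for the demo, not captured from a real host, and the function names are assumptions.

```python
import re

# Constructed sample of `ss -ltnp` output (listening TCP sockets, numeric,
# with owning process). Not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1201,fd=21))
LISTEN  0       511     *:8080               *:*                users:(("java",pid=1430,fd=44))
LISTEN  0       128     [::]:80              [::]:*             users:(("nginx",pid=990,fd=6),("nginx",pid=991,fd=6))
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*          users:(("redis-server",pid=700,fd=7))
"""

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def enumerate_listeners(ss_text):
    """One record per listening socket: port, bind address, owning process
    names, and which side of the host boundary it sits on. "local" means
    loopback only; anything else ("external") is reachable from the network
    and belongs on the data-flow diagram as a boundary crossing. Rows without
    a Process column (ss run without root) still get a record, with no procs."""
    records = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                      # header line or non-listening row
        addr, port = fields[3].rsplit(":", 1)
        procs = []
        proc_field = fields[5] if len(fields) > 5 else ""
        for name, _pid in PROC_RE.findall(proc_field):
            if name not in procs:         # nginx workers share one socket
                procs.append(name)
        boundary = "local" if addr in LOOPBACK else "external"
        records.append({"port": int(port), "addr": addr,
                        "procs": procs, "boundary": boundary})
    return sorted(records, key=lambda r: r["port"])


def external_ports(ss_text):
    """Ports exposed beyond the host: the entry points an attacker can reach."""
    return [r["port"] for r in enumerate_listeners(ss_text) if r["boundary"] == "external"]


if __name__ == "__main__":
    print("%-6s %-12s %-9s %s" % ("port", "bind", "boundary", "process"))
    for r in enumerate_listeners(SAMPLE_SS_OUTPUT):
        print("%-6d %-12s %-9s %s" % (r["port"], r["addr"], r["boundary"], ",".join(r["procs"])))
```

On the sample, sshd (22), nginx (80) and the Java service on 8080 are exposed to the network, while MySQL and Redis listen on loopback only; the first group is where the trust boundary on the diagram is crossed, and the second group only matters once something in the first is compromised. Run it on a real host with `ss -ltnp | python3 thisfile.py` after swapping the sample for `sys.stdin.read()`.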
MS Threat Modeling Tool Demo

Threat Modeling

Threat Modeling
Can be done at various stages of the SDLC
Source: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study

Other really good tools
nmap
netstat
nslookup
ps
browser dev tools

All these tools help to answer the question: Is your application secure?

Where to go next?
Full disclosure
Read!
OWASP Testing Guide
Bug bounties

To conclude...
Be aware and prepare yourself for the worst.
Coming up with a plan is important
Understanding vectors is important

Thanks!

References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/