
What You Need to Know About Web App Security Testing in 2018

See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)

Published in: Software

  1. What You Need to Know About Web App Security Testing in 2018. Ken De Souza, STP Community Webinar, January 2018, v. 1.4. Twitter: @kgdesouz, blog.tkee.org
  2. Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
  3. GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
  4. GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
  5. Source: https://youtu.be/Nt33m7G_42Q
  6. CVE-2017-5638, March 2017. CVE-2017-9805, 4 September 2017.
  7. Source: https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security, https://nakedsecurity.sophos.com/2017/09/08/equifax-data-breach-what-you-need-to-know/
  8. Source: https://github.com/mazen160/struts-pwn_CVE-2017-9805
  9. Source: https://news.ycombinator.com/item?id=15233399
  10. Source: https://krebsonsecurity.com/2017/09/ayuda-help-equifax-has-my-data/
  11. This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.
  12. This topic is HUGE. The tools don't replace thinking.
  13. Agenda:
     • Common terminology
     • Learn something about the threats
     • Demos of tools
     • Explain the risks to stakeholders
     • Where to go next
  14. "security, just like disaster recovery, is a lifestyle, not a checklist". This is not a black and white problem. Source: https://news.ycombinator.com/item?id=11323849
  15. STRIDE (identification), DREAD (classification), OWASP Top 10 (attack vectors)
  16. OWASP ZAP (web application vulnerability analysis), Dependency Check (3rd party vulnerability analysis)
  17. nmap / Wireshark / tcpdump (network analysis), Microsoft Threat Modeling (communication)
  18. Application Security Risks. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  19. STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege. Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
  20. STRIDE threats, the security control each one defeats, and an example. Sources: https://www.owasp.org/index.php/Application_Threat_Modeling, http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx

     | Type | Security control | Example |
     |------|------------------|---------|
     | Spoofing | Authentication | I am Spartacus |
     | Tampering | Integrity | Looks like Johnny got an A! |
     | Repudiation | Non-repudiation | Didn't Johnny have a B? |
     | Information disclosure | Confidentiality | Johnny's SSN is… |
     | Denial of service | Availability | Please try again later. |
     | Elevation of privilege | Authorization | sudo rm -rf /home/johnny |

  21. DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability. Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx
  22. Developer point of view… Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

     | DREAD parameter | Rating | Rationale |
     |-----------------|--------|-----------|
     | Damage potential | 5 | An attacker could read and alter data in the product database. |
     | Reproducibility | 10 | Can reproduce every time. |
     | Exploitability | 2 | Easily exploitable by automated tools found on the Internet. |
     | Affected users | 1 | Affects critical administrative users. |
     | Discoverability | 1 | Affected page "admin.aspx" easily guessed by an attacker. |
     | Overall rating | 3.8 | |

  23. Tester point of view… Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx

     | DREAD parameter | Rating | Rationale |
     |-----------------|--------|-----------|
     | Damage potential | 10 | An attacker could read and alter data in the product database. |
     | Reproducibility | 10 | Can reproduce every time. |
     | Exploitability | 10 | Easily exploitable by automated tools found on the Internet. |
     | Affected users | 10 | Affects critical administrative users. |
     | Discoverability | 10 | Affected page "admin.aspx" easily guessed by an attacker. |
     | Overall rating | 10 | |
  24. STRIDE / DREAD. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  25. OWASP Top 10, 2017. Source: https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf
  26. OWASP Top 10: Open Web Application Security Project
  27. OWASP Top 10 2017, A1 to A5. Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
     • A1: Injection
       http://example.com/app/accountView?id='
     • A2: Broken Authentication
       Using known passwords (from various public lists); allowing insecure (not strong) passwords (e.g. Password1)
     • A3: Sensitive Data Exposure
       SSL not being used; Meltdown; bad programming
     • A4: XML External Entities (new)
       <node attrib='foo''/>
     • A5: Broken Access Control
       http://example.com/app/accountInfo?acct=notmyacct
  28. OWASP Top 10 2017, A6 to A10. Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
     • A6: Security Misconfiguration
       Default admin account enabled; directories shown on site; stack traces shown to users
     • A7: Cross Site Scripting (XSS)
       <script>alert('test');</script>
     • A8: Insecure Deserialization (new)
       Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed.
     • A9: Using Components with Known Vulnerabilities
       Not patching your 3rd party sh*t
     • A10: Insufficient Logging & Monitoring (new)
       Monitoring unauthorized access; alerting on potential breaches
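What the A1 URL above is probing for, as an added example that is not code from the deck or from the OWASP document it cites: a handler that pastes the id parameter into the SQL text beside one that binds it as a parameter, both run against a constructed in-memory SQLite table. The table, column names and account values are assumptions made for the example.

```python
# Added example (not from the slides): the A1 pattern behind the slide's
# accountView?id=' URL, as a vulnerable handler beside a fixed one.
import sqlite3

def build_db():
    """Constructed in-memory table standing in for the app's account store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 250), ("1002", "bob", 900)])
    return conn

def account_view_vulnerable(conn, account_id):
    # The request parameter is pasted into the SQL text, so a quote in
    # ?id= becomes part of the statement instead of part of the value.
    sql = "SELECT owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return conn.execute(sql).fetchall()

def account_view_fixed(conn, account_id):
    # Parameter binding: the driver passes the value separately from the
    # statement, so a quote is just a character that matches no id.
    return conn.execute("SELECT owner, balance FROM accounts WHERE id = ?",
                        (account_id,)).fetchall()

def probe(handler, account_id):
    """Run a handler against a fresh database; return rows or the error name.

    A database error on a lone quote is the tell that input reaches the SQL
    text; showing that error's stack trace to the user is the A6 item too.
    """
    try:
        return handler(build_db(), account_id)
    except sqlite3.Error as exc:
        return type(exc).__name__

if __name__ == "__main__":
    for value in ("1001", "'"):            # "'" is the slide's id=' probe
        print(f"id={value!r}: vulnerable -> {probe(account_view_vulnerable, value)}"
              f", fixed -> {probe(account_view_fixed, value)}")
```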
  29. nmap, crt.sh, dig
  30. nmap: what ports are open? Where can you attack? Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  31. Source: crt.sh
  32. Source: dig -f shopify-urls.txt +noall +answer
  33. Source: shodan.io
  34. Wireshark, tcpdump
  35. Network packet / protocol analysis tool. Allows users to capture network traffic from any interface, like Ethernet, Wi-Fi, Bluetooth, USB, etc.
  36. Why use Wireshark? It is a great tool to debug your environment. Helps to examine potential security problems.
  37. docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie". This container has LOTS of vulnerabilities, designed for learning about web security. Source: Docker running "Ticket Magpie" (https://github.com/dhatanian/ticketmagpie)
  38. Wireshark: look at red/yellow lines between systems. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  39. Demo
  40. tcpdump: look at red/yellow lines between systems. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  41. Why use tcpdump? Use this when you can't use Wireshark. Great for servers.
  42. tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80
  43. OWASP ZAP
  44. Why use OWASP ZAP? Can be used to find many of the Top 10 exploits. Can be quickly integrated into your manual or automated workflow. Can be used in active or passive mode.
  45. OWASP ZAP. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  46. Demo
  47. Dependency Check
  48. What is it? Checks your application for 3rd party software, looks to see if there are any known vulnerabilities, and gives you suggestions on how to fix them.
  49. Threat Modeling
  50. What is it? A way to analyze and communicate security related problems. This is a much larger topic than we have time for … but I'll give you the basics.
  51. Why do this? To explain to management. To explain to customers. To explain to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model.
  52. Threat Modeling: communicating it… Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
  53. Threat Modeling Step 1: Enumerate
     –  Product functionality
     –  Technologies used
     –  Processes
     –  Listening ports
     –  Process to port mappings
     –  User processes that are running
     –  3rd party applications / installations
  54. Threat Modeling Step 2: Data flow with boundaries. Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx
  55. Demo
  56. Threat Modeling can be done at various stages of the SDLC. Source: https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png
  57. netstat, nslookup, ps, browser dev tools, BurpSuite
  58. All these tools help to answer the question: is your application secure?
  59. Where to go next?
  60. Bug bounties
  61. Practice: https://thetestdoctor.wordpress.com/2016/10/11/introducing-ticket-magpie/
  62. Practice: https://xss-game.appspot.com
  63. To conclude…
  64. Be aware and prepare yourself for the worst. Coming up with a plan is important. Understanding attack vectors is important.
  65. Thanks!
  66. References
     •  Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
     •  Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
     •  Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
     •  Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
     •  Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
     •  Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
     •  The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
     •  Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
     •  Struts Bug Explained: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-what-you-need-to-know/
