What You Need to Know About Web App Security Testing in 2018
See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
1.
What You Need to Know About Web App Security Testing in 2018
Ken De Souza
STP Community Webinar, January 2018
V. 1.4
Twitter: @kgdesouz
blog.tkee.org
11.
This is a practical / experience talk.
These are the tools I use on a daily(ish) basis when I'm testing software.
Your mileage may vary.
12.
This topic is HUGE
The tools don’t replace thinking.
13.
Common terminology
Learn something about the threats
Demos of tools
Explain the risks to stake holders
Where to go next
14.
"security, just like disaster recovery, is a lifestyle, not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849
15.
STRIDE (identification)
DREAD (classification)
OWASP Top 10 (attack vectors)
19.
STRIDE
Spoofing
Tampering
Repudiation
Information Disclosure
Denial of Service
Elevation of Privilege
Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
20.
Sources: https://www.owasp.org/index.php/Application_Threat_Modeling
http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
Type | Security Control | Examples
Spoofing | Authentication | I am Spartacus
Tampering | Integrity | Looks like Johnny got an A!
Repudiation | Non-Repudiation | Didn't Johnny have a B?
Information disclosure | Confidentiality | Johnny's SSN is...
Denial of service | Availability | Please try again later.
Elevation of privilege | Authorization | sudo rm -rf /home/johnny
22.
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Developer point of view...
DREAD
Parameter | Rating | Rationale
Damage Potential | 5 | An attacker could read and alter data in the product database.
Reproducibility | 10 | Can reproduce every time.
Exploitability | 2 | Easily exploitable by automated tools found on the Internet.
Affected Users | 1 | Affects critical administrative users
Discoverability | 1 | Affected page "admin.aspx" easily guessed by an attacker.
Overall Rating | 3.8 |
23.
Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Tester point of view...
DREAD
Parameter | Rating | Rationale
Damage Potential | 10 | An attacker could read and alter data in the product database.
Reproducibility | 10 | Can reproduce every time.
Exploitability | 10 | Easily exploitable by automated tools found on the Internet.
Affected Users | 10 | Affects critical administrative users
Discoverability | 10 | Affected page "admin.aspx" easily guessed by an attacker.
Overall Rating | 10 |
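The two DREAD tables above score the same finding very differently. The following is an added example (not code from the slides) that computes the overall rating the same way the tables do (the mean of the five 1-10 scores) and reports the parameters on which the developer and tester disagree most; the parameter names and the five-point disagreement threshold are choices made for this example.

```python
# Added example (not from the slides): scoring a DREAD rating and comparing
# a developer's and a tester's assessment of the same finding.
PARAMETERS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

def dread_rating(scores):
    """Overall DREAD rating: the mean of the five 1-10 scores, one decimal."""
    for name in PARAMETERS:
        value = scores[name]
        if not 1 <= value <= 10:
            raise ValueError(f"{name} must be between 1 and 10, got {value}")
    return round(sum(scores[name] for name in PARAMETERS) / len(PARAMETERS), 1)

def disagreements(dev, tester, threshold=5):
    """Parameters on which the two assessments differ by at least `threshold` points."""
    return {name: (dev[name], tester[name]) for name in PARAMETERS
            if abs(dev[name] - tester[name]) >= threshold}

# The two assessments of the admin.aspx finding shown on the slides.
DEVELOPER = {"damage": 5, "reproducibility": 10, "exploitability": 2,
             "affected_users": 1, "discoverability": 1}
TESTER = {"damage": 10, "reproducibility": 10, "exploitability": 10,
          "affected_users": 10, "discoverability": 10}

if __name__ == "__main__":
    print("developer:", dread_rating(DEVELOPER))   # 3.8
    print("tester:   ", dread_rating(TESTER))      # 10.0
    for name, (d, t) in disagreements(DEVELOPER, TESTER).items():
        print(f"  {name}: developer {d} vs tester {t}")
```

The per-parameter gaps, not the averaged number, are what to take into the discussion with the developer.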
25.
OWASP Top 10, 2017
Source: https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf
26.
OWASP Top 10
Open Web Application Security Project
27.
A1: Injection
http://example.com/app/accountView?id='
A2: Broken Authentication
Using known passwords (from various public lists)
Allowing insecure (not strong) passwords (e.g.: Password1)
A3: Sensitive Data Exposure
SSL not being used
Meltdown
Bad programming
A4: XML External Entities (new)
<node attrib='foo''/>
A5: Broken Access Control
http://example.com/app/accountInfo?acct=notmyacct
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
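The A1 and A5 entries above are the classic accountView?id=' and accountInfo?acct=notmyacct cases. This added example (not code from the slides or from any app shown in the talk) puts a vulnerable query beside its hardened form in a small sqlite stand-in: the table, the rows and the user names are constructed for the example.

```python
# Added example (not from the slides): OWASP A1 (injection) and A5 (broken
# access control) on a constructed sqlite-backed "accounts" table.
import sqlite3

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id INTEGER, owner TEXT, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [(1, "alice", 100), (2, "bob", 250), (3, "carol", 900)])
    return db

def account_view_unsafe(db, account_id):
    """A1: the id parameter is pasted into the SQL string verbatim."""
    sql = "SELECT id, owner, balance FROM accounts WHERE id = '" + account_id + "'"
    return db.execute(sql).fetchall()

def account_view_safe(db, current_user, account_id):
    """A1 fixed with a bound parameter; A5 fixed by scoping the query to the
    logged-in user, so acct=notmyacct returns nothing instead of another row."""
    try:
        wanted = int(account_id)
    except ValueError:
        return []          # anything that is not an integer id is rejected
    sql = "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?"
    return db.execute(sql, (wanted, current_user)).fetchall()

def demo():
    db = make_db()
    results = {}
    # id=' breaks the quoting; sqlite reports a syntax error (the slide's case).
    try:
        account_view_unsafe(db, "'")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"
    # The textbook tautology returns every account, not just the caller's.
    results["unsafe_tautology"] = len(account_view_unsafe(db, "1' OR '1'='1"))
    # The hardened version treats the same input as data and finds nothing.
    results["safe_tautology"] = len(account_view_safe(db, "alice", "1' OR '1'='1"))
    # A5: bob asks for alice's account (acct=notmyacct) and gets nothing.
    results["safe_other_user"] = len(account_view_safe(db, "bob", "1"))
    results["safe_own"] = account_view_safe(db, "alice", "1")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```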
28.
A6: Security Misconfiguration
Default admin account enabled;
directories shown on site;
Stack traces shown to users;
A7: Cross Site Scripting (XSS)
<script>alert('test');</script>
A8: Insecure Deserialization (new)
Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed.
A9: Using Components with known vulnerability
Not patching your 3rd party sh*t
A10: Insufficient Logging & Monitoring (new)
Monitoring unauthorized access;
Alerting on potential breaches;
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
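For A10, the monitoring side can be small. This added example (not code from the slides) runs two checks over constructed access-log lines: repeated failed logins from one address (the known-password-list case from A2) and a non-admin session reaching an admin page (the admin.aspx finding from the DREAD tables). The log format, the /admin path prefix and the alert threshold are assumptions made for the example.

```python
# Added example (not from the slides): a minimal log monitor for the two
# A10 points, "monitoring unauthorized access" and "alerting on potential
# breaches". Log format and thresholds are assumptions for this example.
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$')

# Constructed sample log: one source cycling through a password list, then an
# unprivileged user reaching the admin page.
SAMPLE_LOG = """\
203.0.113.7 - "POST /login" 401
203.0.113.7 - "POST /login" 401
203.0.113.7 - "POST /login" 401
203.0.113.7 - "POST /login" 401
203.0.113.7 - "POST /login" 401
203.0.113.7 - "POST /login" 200
198.51.100.2 johnny "GET /admin.aspx" 200
198.51.100.2 johnny "GET /accountInfo?acct=1" 200
"""

def parse(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def alerts(entries, fail_threshold=5, admin_users=("admin",)):
    """Return human-readable alerts for failed-login bursts and admin-page access."""
    found = []
    failures = Counter(e["ip"] for e in entries if e["status"] == "401")
    for ip, n in failures.items():
        if n >= fail_threshold:
            found.append(f"{n} failed logins from {ip} (possible credential stuffing)")
    for e in entries:
        if e["path"].startswith("/admin") and e["user"] not in admin_users:
            found.append(f"admin page {e['path']} reached by {e['user']} from {e['ip']}")
    return found

if __name__ == "__main__":
    for a in alerts(parse(SAMPLE_LOG)):
        print("ALERT:", a)
```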
35.
Network packet / protocol analysis tool
Allows users to capture network traffic from any interface, like Ethernet, Wifi, Bluetooth, USB, etc.
36.
Why use Wireshark?
It is a great tool to debug your environment
Helps to examine potential security problems
37.
docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p 8080:8080 "dhatanian/ticketmagpie"
This container has LOTS of vulnerabilities, designed for learning about web security
Source: Docker running "Ticket magpie" (https://github.com/dhatanian/ticketmagpie)
38.
Wireshark
Look at red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf
44.
Why use OWASP ZAP?
Can be used to find many of the top 10 exploits
Can be quickly integrated into your manual or automated workflow
Can be used in active or passive mode
48.
What is it?
Checks your application for 3rd party software
Looks to see if there are any known vulnerabilities and gives you suggestions on how to fix them
50.
What is it?
A way to analyze and communicate security related problems
This is a much larger topic than we have time for
... but I'll give you the basics
51.
Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now have the basics to be able to build a model
66.
References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
• Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
• Struts Bug Explained: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-what-you-need-to-know/