
Security Testing by Ken De Souza

314 views


Security testing is a huge topic. In this talk, Ken will discuss his experience working for small companies where security testing is a requirement, but often gets overlooked. Ken will explore some of the basic things a tester should know about web application security, such as the resources available from OWASP. As part of this talk, Ken will live demo the following tools:

OWASP Zed Attack Proxy
Microsoft Threat Modeling tool
Wireshark / tcpdump
sqlmap (SQL exploitation tool)
Attendees will take away:

A quick overview of some tools that you can use on a daily basis today
Resources to learn more about security testing
Ways of practicing it in a safe environment

Published in: Internet


  1. The bare minimum you should know about web application security testing in 2017. Ken De Souza, QA or the Highway, February 2017, v. 1.1.1. Twitter: @kgdesouz. Blog: blog.tkee.org
  2. Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
  3. GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
  4. GET https://[redacted].com/orchestration_1111/gdc/BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/Paris&TimeFrom=2014-09-27T09:15:21
  5. Source: https://youtu.be/Nt33m7G_42Q
  6. October 21, 2016
  7. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
  8. This topic is HUGE. The tools don't replace thinking. Doing this from my experiences...
  9. • Common terminology
     • Learn something about the threats
     • Demos of tools
     • Explain the risks to stakeholders
     • Where to go next
  10. "security, just like disaster recovery, is a lifestyle, not a checklist". This is not a black and white problem. Source: https://news.ycombinator.com/item?id=11323849
  11. https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png
  12. Source: http://www.amanhardikar.com/mindmaps/webapptest.html
  13. This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.
  14. The Tools
      • STRIDE (identification)
      • DREAD (classification)
      • OWASP Top 10 (attack vectors)
      • nmap / Wireshark / tcpdump (network analysis)
      • OWASP ZAP (vulnerability analysis)
      • sqlmap (exploitation)
      • Microsoft Threat Modeling (communication)
  15. STRIDE
      • Spoofing
      • Tampering
      • Repudiation
      • Information Disclosure
      • Denial of Service
      • Elevation of Privilege
      Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
  16. Sources: https://www.owasp.org/index.php/Application_Threat_Modeling and http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
      Type | Security Control | Examples
      Spoofing | Authentication | I am Spartacus
      Tampering | Integrity | Looks like Johnny got an A!
      Repudiation | Non-Repudiation | Didn't Johnny have a B?
      Information disclosure | Confidentiality | Johnny's SSN is…
      Denial of service | Availability | Please try again later.
      Elevation of privilege | Authorization | sudo rm -rf /home/johnny
  17. DREAD
      • Damage
      • Reproducibility
      • Exploitability
      • Affected users
      • Discoverability
      Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx
  18. Developer point of view…. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
      DREAD Parameter | Rating | Rationale
      Damage Potential | 5 | An attacker could read and alter data in the product database.
      Reproducibility | 10 | Can reproduce every time.
      Exploitability | 2 | Easily exploitable by automated tools found on the Internet.
      Affected Users | 1 | Affects critical administrative users
      Discoverability | 1 | Affected page "admin.aspx" easily guessed by an attacker.
      Overall Rating | 3.8 |
  19. Tester point of view… Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
      DREAD Parameter | Rating | Rationale
      Damage Potential | 10 | An attacker could read and alter data in the product database.
      Reproducibility | 10 | Can reproduce every time.
      Exploitability | 10 | Easily exploitable by automated tools found on the Internet.
      Affected Users | 10 | Affects critical administrative users
      Discoverability | 10 | Affected page "admin.aspx" easily guessed by an attacker.
      Overall Rating | 10 |
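The two slides above score the same rationale at 3.8 and 10. As an added example, not from the deck, here is the DREAD arithmetic in Python: each factor is scored 1..10, the overall rating is the mean of the five, and a gap between two scorers flags a threat that needs a conversation rather than a number. The second threat and its scores are constructed for the ranking.

```python
from statistics import mean

# The five DREAD factors, each scored 1..10 as on the slides.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def dread_rating(scores):
    """Overall DREAD rating: mean of the five factor scores, rounded to one decimal."""
    for factor in DREAD_FACTORS:
        value = scores[factor]
        if not 1 <= value <= 10:
            raise ValueError(f"{factor} must be scored 1..10, got {value}")
    return round(mean(scores[f] for f in DREAD_FACTORS), 1)


def rank_threats(threats):
    """Turn (name, scores) pairs into (name, rating) pairs, highest risk first."""
    rated = [(name, dread_rating(scores)) for name, scores in threats]
    return sorted(rated, key=lambda item: item[1], reverse=True)


def scoring_gap(dev_scores, tester_scores):
    """How far apart two people rate the same threat; a big gap means the
    rationale, not the number, is what the team needs to agree on."""
    return round(dread_rating(tester_scores) - dread_rating(dev_scores), 1)


# Scores from the two slides for the guessable "admin.aspx" page (same rationale, two scorers).
ADMIN_PAGE_DEVELOPER = dict(zip(DREAD_FACTORS, (5, 10, 2, 1, 1)))
ADMIN_PAGE_TESTER = dict(zip(DREAD_FACTORS, (10, 10, 10, 10, 10)))
# Constructed second threat, not from the slides, so the ranking has something to order.
VERBOSE_STACK_TRACE = dict(zip(DREAD_FACTORS, (3, 10, 6, 4, 8)))

if __name__ == "__main__":
    print(dread_rating(ADMIN_PAGE_DEVELOPER))                     # 3.8
    print(dread_rating(ADMIN_PAGE_TESTER))                        # 10.0
    print(scoring_gap(ADMIN_PAGE_DEVELOPER, ADMIN_PAGE_TESTER))   # 6.2
    print(rank_threats([("admin page guessable", ADMIN_PAGE_DEVELOPER),
                        ("stack trace exposure", VERBOSE_STACK_TRACE)]))
```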
  20. STRIDE / DREAD. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  21. OWASP Top 10. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  22. OWASP TOP 10 (Source: https://www.owasp.org/index.php/Top_10_2013-Top_10)
      • A1: Injection. http://example.com/app/accountView?id='
      • A2: Broken Authentication and Session Management. http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii
      • A3: Cross Site Scripting (XSS). <script>alert('test');</script>
      • A4: Insecure Direct Object References. http://example.com/app/accountInfo?acct=notmyacct
      • A5: Security Misconfiguration. Default admin account enabled; directories shown on site; stack traces shown to users.
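The A1 and A4 entries above, as an added Python example that is not from the deck: the same account lookup written the A1 way (the id pasted into the SQL text) and the hardened way (a parameterised query that is also scoped to the requester's own rows, which closes the A4 "notmyacct" case). The accounts table and its rows are constructed for the demo.

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory accounts table standing in for the product database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 50), ("1002", "bob", 75)])
    return conn


def account_view_vulnerable(conn, acct_id):
    """A1 pattern: the id parameter becomes part of the SQL text, so a quote in it
    changes the grammar of the statement instead of being compared as data."""
    sql = "SELECT owner, balance FROM accounts WHERE id = '" + acct_id + "'"
    return conn.execute(sql).fetchall()


def account_view_safe(conn, requester, acct_id):
    """Parameterised query (the A1 fix) that only returns rows the caller owns (the A4 fix)."""
    sql = "SELECT owner, balance FROM accounts WHERE id = ? AND owner = ?"
    return conn.execute(sql, (acct_id, requester)).fetchall()


def probe(conn, handler, *args):
    """Run a handler and report whether it answered normally or the database errored.
    A database error on a stray quote is what a scanner keys on; combined with the A5
    habit of showing stack traces, that error text ends up in the user's browser."""
    try:
        return ("ok", handler(conn, *args))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_demo_db()
    print(probe(db, account_view_vulnerable, "'"))        # ('error', ...): the quote broke the SQL
    print(probe(db, account_view_safe, "alice", "'"))     # ('ok', []): the quote is just data
    print(probe(db, account_view_safe, "bob", "1001"))    # ('ok', []): not bob's account
```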
  23. OWASP TOP 10 (Source: https://www.owasp.org/index.php/Top_10_2013-Top_10)
      • A6: Sensitive Data Exposure. SSL not being used; Heartbleed; bad programming.
      • A7: Missing Function Level Access Control. Access areas where you shouldn't be able to access.
      • A8: Cross-Site Request Forgery. <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" />
      • A9: Using Components with known vulnerabilities. Not patching your 3rd party sh*t.
      • A10: Unvalidated redirects and forwards. http://www.example.com/redirect.jsp?url=evil.com
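The A8 hidden image above, together with the SameSite cookie article in the references, as an added Python example that is not from the deck: the checks a transferFunds handler can apply so that an image load from another site cannot move money. SITE_ORIGIN, the attacker.example host and the header/form dictionaries are assumptions made for the demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "http://example.com"          # assumed origin the app is served from
STATE_CHANGING = {"POST", "PUT", "DELETE"}  # verbs allowed to change state


def new_session_token():
    """Per-session secret that must be echoed back in every state-changing request."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id):
    """Set-Cookie value with SameSite=Lax: the browser then leaves the cookie off
    cross-site loads such as an <img>, so the forged request arrives unauthenticated."""
    return f"sessionid={session_id}; HttpOnly; Secure; SameSite=Lax"


def request_origin(headers):
    """Origin header if present, else the scheme://host part of Referer, else None."""
    if headers.get("Origin"):
        return headers["Origin"]
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(method, headers, form, session_token):
    """Return (allowed, reason) for a request to a state-changing action."""
    if method not in STATE_CHANGING:
        # An <img src=...> can only ever issue a GET; money must not move on a GET.
        return (False, "state change must not be reachable via GET")
    if request_origin(headers) != SITE_ORIGIN:
        return (False, "request did not originate from our site")
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session_token):
        return (False, "missing or wrong anti-CSRF token")
    return (True, "ok")


if __name__ == "__main__":
    tok = new_session_token()
    # The forged <img> from slide 23: a GET with no token, loaded from a constructed third-party page.
    print(csrf_check("GET", {"Referer": "http://attacker.example/"}, {}, tok))
    # A legitimate transfer submitted from our own form.
    print(csrf_check("POST", {"Origin": SITE_ORIGIN}, {"csrf_token": tok, "amount": "1500"}, tok))
```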
  24. Vulnerability | Tool
      A1: Injection | SQLMap or ZAP
      A2: Broken Authentication and Session Management | ZAP
      A3: Cross Site Scripting (XSS) | ZAP
      A4: Insecure Direct Object References | ZAP
      A5: Security Misconfiguration | OpenVAS
      A6: Sensitive Data Exposure | Your brain…
      A7: Missing Function Level Access Control | OpenVAS
      A8: Cross-Site Request Forgery | ZAP
      A9: Using Components with known vulnerabilities | OpenVAS, nmap
      A10: Unvalidated redirects and forwards | ZAP
  25. Demos: Setup
      • Docker running "Ticket magpie" (https://github.com/dhatanian/ticketmagpie)
      • docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie"
      • This container has LOTS of vulnerabilities, designed for learning about web security
  26. The target
  27. nmap: what ports are open? Where can you attack? Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  28. What is Wireshark? Network packet / protocol analysis tool. Allows users to capture network traffic from any interface, like Ethernet, Wifi, Bluetooth, USB, etc.
  29. Source: http://www.aboutdebian.com/mailfram.gif
  30. Why use Wireshark? It is a great tool to debug your environment. Helps to examine potential security problems.
  31. Wireshark: Look at red/yellow lines between systems. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  32. Wireshark Demo
  33. tcpdump: Look at red/yellow lines between systems. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  34. Why use tcpdump? Use this when you can't use Wireshark. Great for servers.
  35. Example: tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80
  36. TCPDump Demo
  37. What is OWASP ZAP? Finds security vulnerabilities in your web applications. Can be used both manually and in an automated manner.
  38. Why use ZAP? Can be used to find many of the Top 10 exploits. Can be quickly integrated into your manual or automated workflow. Can be used in active or passive mode.
  39. OWASP ZAP. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  40. OWASP ZAP Demo
  41. What is SQLMap? SQL injection tool. Takes a lot of the exploits available and automates them.
  42. SQLMap. Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  43. SQLMap Demo
  44. Threat Modeling - What is it? A way to analyze and communicate security related problems. This is a much larger topic than we have time for… but I'll give you the basics.
  45. Threat Modeling - Why do this? To explain to management, to customers, and to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model.
  46. Threat Modeling: Communicating it… Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
  47. Threat Modeling Step 1: Enumerate
      • Product functionality
      • Technologies used
      • Processes
      • Listening ports
      • Process to port mappings
      • User processes that are running
      • 3rd party applications / installations
  48. Threat Modeling Step 2: Data flow with boundaries. Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-modeling-you-apps.aspx
  49. MS Threat Risk Modeling Tool Demo
  50. Threat Modeling
  51. Threat Modeling can be done at various stages of the SDLC. https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png
  52. Other really good tools
      • netstat
      • nslookup
      • ps
      • browser dev tools
  53. All these tools help to answer the question: Is your application secure?
  54. Where to go next?
  55. Read! https://seclist.org
  56. Read!
  57. Read!
  58. Bug bounties
  59. shodan.io
  60. Practice https://thetestdoctor.wordpress.com/2016/10/11/introducing-ticket-magpie/
  61. Practice https://xss-game.appspot.com
  62. To conclude…
  63. Be aware and prepare yourself for the worst. Coming up with a plan is important. Understanding vectors is important.
  64. Thanks!
  65. References
      • Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
      • Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
      • Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
      • Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
      • Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
      • Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
      • The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
      • Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
