This document provides an overview of common web application security vulnerabilities and how to test for them. It covers:
1. Never trusting user input and how HTTP works.
2. Testing for misconfiguration issues, hidden options, forced navigation, mass parameter assignment, CSRF, injection flaws like XSS and SQLi, open redirect, path traversal, and DoS vulnerabilities.
3. Recommending automation tools like Dirbuster and BurpSuite to help find issues, but noting that context is important and automated scanners have limitations. More manual testing is needed.
2. About me
- Python programming background
- Current job: Team lead @ SoftSeq (web app audits & certification, embedding Secure SDLC)
- Successfully hacked banking, trading, insurance, security, mailing providers, etc.
3. Plan
1. Basic knowledge to start
2. Never trust user input. How HTTP works.
3. Misconfiguration
4. Hidden options && forced navigation && mass parameter assignment
5. CSRF
6. Injection
a. XSS
b. SQLi
c. OS Command injection
7. open redirect
8. path traversal
9. DoS due to application logic errors
10. Basic HOWTO
11. Links
12. Questions
4. What?
- Understanding common bugs that allow doing something evil =)
- Web app vulnerabilities live inside the app itself (web appsec != pentest)
How?
- There's a lot of info. I've tried to explain the vulnerabilities that QA can find during the testing routine. See the links for more HOWTO.
5. Baseline
- How a web app, a browser and HTTP work; basic HTML
- Any programming language, including (very) basic JS
Tools
- Browser + FoxyProxy + BurpSuite
- Google =)
7. Misconfiguration
- Opened ports
- Default or no passwords (e.g. RabbitMQ)
- Backup, .git and other sensitive folders accessible
- Default or unnecessary features enabled
- No pre-authorization to staging/testing environment
- Security headers missing (e.g. iframe is allowed: UI redress aka Clickjacking)
- Bad pseudorandom used for password/key/pin generation
- Cookies without the "Secure" and "HttpOnly" flags, cookies shared with subdomains, insecure cookie path
- Using components with known vulnerabilities
- And more…
Good news: automated scanners can find it pretty well.
8. Components with known vulnerabilities
- Remember Equifax? They forgot to update a library
- Average small app can have ~ 20-40 dependencies
- Enterprise apps can have over 200 dependencies
9. Components with known vulnerabilities
Basic rule: if there is info that a component is vulnerable, it doesn't matter whether you can show how to exploit it. UPDATE! Search for vulnerabilities at https://cve.mitre.org or https://nvd.nist.gov/
Try to find some of them automatically (not all of them can be found that way; some can be found ONLY manually, because of reasons =) )
- Dependency checker (ASP, Java)
- Retire.js (vulnerable frontend libs)
13. HTTP. Recall.
User pushes the "Save profile" button. The browser adds headers and cookies and makes the request:
POST /save HTTP/1.1
Host: bank.com
Cookie: auth=abcdi848d;
Content-length: 123
Connection: close

email=myemail@mail.com&id=123
14. The same request, modified in a proxy
User pushes the "Save profile" button. The browser adds headers and cookies and makes the request:
POST /save HTTP/1.1
Host: bank.com
Cookie: auth=abcdi848d;
Connection: close

email=myemail@mail.com&id=123

PROXY-SERVER (the request is edited before it is forwarded):
POST /save HTTP/1.1
Host: bank.com
Cookie: auth=abcdi848d;
Connection: close

email=myemail@mail.com&id=124
16. Direct object reference examples:
- Yahoo: deleting ~ 1m comments and posts
- Apple: 300k 3rd party developers accounts
- FB, VK, Instagram photos
- Some hackers who tried to f*** fortune 100 companies but totally blew it by exposing all info for scum emails
- Common anti-automation problem
17. Mass parameter assignment
User input:
email=email@email.com
DB model:
- ID
- Email
- IsBlocked
- Some app controllers process not the user input itself but a model created from the input, to ease the coding routine.
- In this case, if no additional anti-forgery measures have been implemented, it is possible to add additional parameters (e.g. IsBlocked) that the form never sends.
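The binding described above, as an added example (not code from the slides): a profile-update handler that copies every submitted parameter onto the model, beside the same handler restricted to an allow-list of writable fields. The User model, the form-encoded body and the function names are assumptions.

```python
from dataclasses import dataclass, fields
from urllib.parse import parse_qs


@dataclass
class User:
    id: int
    email: str
    is_blocked: bool = True  # assumed: new accounts stay blocked until verified


# Fields a user may change about their own profile (the allow-list).
WRITABLE_FIELDS = {"email"}


def parse_body(body: str) -> dict:
    """Turn a form-encoded body like 'email=a@b.com&is_blocked=0' into a dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def _coerce(user: User, name: str, raw: str):
    """Cast the string from the request to the type of the model field."""
    ftype = {f.name: f.type for f in fields(user)}[name]
    if ftype is bool:
        return raw.lower() in ("1", "true", "yes")
    return ftype(raw)


def update_profile_vulnerable(user: User, body: str) -> User:
    """Binds every submitted parameter that matches a model attribute.
    The form only sends 'email', but nothing stops a client from adding
    is_blocked=0 or id=1, and both land on the model."""
    for name, raw in parse_body(body).items():
        if hasattr(user, name):
            setattr(user, name, _coerce(user, name, raw))
    return user


def update_profile_safe(user: User, body: str) -> User:
    """Same binding, but only fields on the allow-list are written; extra
    parameters are ignored (a stricter variant would reject the request)."""
    for name, raw in parse_body(body).items():
        if name in WRITABLE_FIELDS:
            setattr(user, name, _coerce(user, name, raw))
    return user


if __name__ == "__main__":
    # Constructed request body: the page's form has an email field only, but
    # the submitted body carries two extra parameters.
    body = "email=new@mail.com&is_blocked=0&id=1"
    print(update_profile_vulnerable(User(123, "old@mail.com"), body))
    print(update_profile_safe(User(123, "old@mail.com"), body))
```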
18. What does it mean?
- No decision making on frontend pls
- Never trust user input. Consider any user input as harmful.
- Input validation on frontend - for UX, on backend - for decision making
19. More thinking…
- Humans make mistakes
- Developers think how to MAKE, not how to BREAK
- Parts written by several developers can be VERY different (one controller can be totally secure, another totally broken)
- Companies with TOP developers and good security teams still get hacked or reported by whitehats
20. CSRF (Cross site request forgery)
Root problem:
The browser sends cookies automatically with every URL it loads or form it submits.
Exploit:
We can craft a form on a web site we control and force a user to perform a request with the desired parameters to a desired resource.
Fix:
Unpredictable anti-CSRF token (as one of the parameters in POST requests)
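The fix from this slide, as an added example (not code from the slides): a per-session token that the server embeds in its own forms and checks on every state-changing POST. The in-memory session store and the handler names are assumptions; in the forged case the cookie still arrives because the browser attaches it, but the token does not.

```python
import hmac
import secrets

# Assumed in-memory session store: cookie value -> session data.
SESSIONS = {}


def start_session() -> str:
    """Create a session and return the cookie value the browser will send
    automatically on every request; the anti-CSRF token lives in the session."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = {"csrf_token": secrets.token_urlsafe(32)}
    return cookie


def csrf_token_for(cookie: str) -> str:
    """The unpredictable token the server renders into its own forms as a
    hidden field. A page on another origin cannot read it, so it cannot
    build a valid POST."""
    return SESSIONS[cookie]["csrf_token"]


def handle_post(cookie: str, form: dict):
    """A state-changing handler (change e-mail). Returns (status, message)."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison; a missing or wrong token is rejected.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF check failed"
    return 200, "email changed to " + form.get("email", "")


if __name__ == "__main__":
    cookie = start_session()
    # Legitimate submission: the form rendered by the site carries the token.
    print(handle_post(cookie, {"email": "me@mail.com",
                               "csrf_token": csrf_token_for(cookie)}))
    # Forged submission from a site we do not control the token of: the cookie
    # rides along with the request, the token does not.
    print(handle_post(cookie, {"email": "attacker@mail.com"}))
```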
22. XSS: (very) short info
- An ability to inject malicious JavaScript into a legitimate site
- Happens when the server sends back user-generated data without validation and sanitization
- Usually exploited by embedding HTML tags or breaking JS syntax
24. Two simple rules to prevent XSS:
1. All user input that comes back from the server should be SANITIZED by trusted functionality (e.g. the template engine).
2. NEVER write your own filters. They can probably be hacked.
WHY?
<scr<script>ipt>
<img src=x onerror='alert(1)'>
<a href="javascript:alert(1)">click me</a>
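Why rule 2 holds, as an added example (not code from the slides): a home-grown filter that deletes the string `<script>` is run against the three payloads above, next to escaping by a trusted function (`html.escape`) before the value is placed in element text. The filter and the `still_dangerous` check are assumptions for the demo; the check only knows the three patterns on this slide, a browser parser knows many more.

```python
import html
import re

# The three payloads from the slide.
PAYLOADS = [
    "<scr<script>ipt>",
    "<img src=x onerror='alert(1)'>",
    '<a href="javascript:alert(1)">click me</a>',
]


def naive_filter(value: str) -> str:
    """The kind of home-grown filter the slide warns against: it deletes the
    literal string '<script>' once and lets everything else through."""
    return value.replace("<script>", "")


def escape_trusted(value: str) -> str:
    """Escaping by a trusted, well-tested function: <, >, &, ' and " become
    entities, so the browser treats the value as text, never as markup."""
    return html.escape(value, quote=True)


def still_dangerous(filtered: str) -> bool:
    """Demo check only: is a raw tag left that can run script through a
    script element, an event-handler attribute, or a javascript: URL?"""
    return "<" in filtered and bool(
        re.search(r"<script|\son\w+\s*=|javascript:", filtered, re.I))


def render_comment(value: str) -> str:
    """How the server should embed user text in element content."""
    return "<p>" + escape_trusted(value) + "</p>"


def compare(payloads=PAYLOADS):
    """Per payload: (payload, naive output, survives naive?, survives escape?)."""
    return [(p, naive_filter(p), still_dangerous(naive_filter(p)),
             still_dangerous(escape_trusted(p))) for p in payloads]


if __name__ == "__main__":
    for row in compare():
        print(row)   # every payload survives the naive filter, none the escaping
```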
26. SQL Injection
- Happens when user input is passed into an SQL query so that the query itself can be modified.
For example, a user is trying to access some user item:
SELECT * FROM items WHERE itemname = 'secret_unique_id';
- If we have control over 'secret_unique_id', we can submit special syntax and receive all items.
Like:
SELECT * FROM items WHERE itemname = 'secret_unique_id' OR 'a'='a';
27. SQL Injection
- Not very common in new projects
- Exists because user input is not validated and, for some reason, raw SQL queries are still used.
- Easier to search for in the source code than in blackbox testing
28. SQL Injection hints
- Easily avoided if an ORM/parameterized queries are used
- Some ORM parameters can still be exploited, read the specs!
- Check stored procedures!
- Even if you think everybody is writing in a secure manner, someone has probably used raw SQL to execute a complex query
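The query from slide 26 and the parameterized form recommended on slide 28, as an added example (not code from the slides), run against a constructed in-memory SQLite table. The table rows and the function names are assumptions.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: three items belonging to three different users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (itemname TEXT, owner TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", [
        ("secret_unique_id", "alice"),
        ("other_secret_id", "bob"),
        ("third_secret_id", "carol"),
    ])
    return conn


def lookup_concat(conn: sqlite3.Connection, itemname: str) -> list:
    """The slide's query built by concatenation: the user value is parsed as
    part of the SQL, so it can change what the WHERE clause means."""
    sql = "SELECT * FROM items WHERE itemname = '" + itemname + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, itemname: str) -> list:
    """Parameterized query: the value is bound by the driver and can only ever
    be compared as data, whatever characters it contains."""
    return conn.execute(
        "SELECT * FROM items WHERE itemname = ?", (itemname,)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    normal = "secret_unique_id"
    crafted = "secret_unique_id' OR 'a'='a"   # the input from slide 26
    print(lookup_concat(conn, normal))    # the one matching row
    print(lookup_concat(conn, crafted))   # every row: the clause is always true
    print(lookup_param(conn, crafted))    # no row has that literal name
```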
29. OS Command Injection
- Accepting user input inside an OS command invocation
- Can easily be found in the source code by keywords
Cases:
- Photo and video modification (ImageMagick, ffmpeg)
- Operations with files, folders, systems (e.g. some deploy platforms)
31. DoS via application logic errors. Example 2: Modern world
www.cute-images.com/image/cute_puppy.png?width=100&height=100
www.cute-images.com/image/save/resize/cute_puppy.png?width=100&height=100
….what if?
www.cute-images.com/image/cute_puppy.png?width=2147483647&height=2147483647
www.cute-images.com/image/save/resize/cute_puppy.png?width=2147483647&height=2147483647
32. Open redirect.
Case:
1. User tries to reach a URL, but he is not logged in.
2. For better UX, the user should be redirected to the login page and afterwards back to the page he requested.
Example:
User tries to reach http://example.com/page12134
User is redirected to http://example.com/login?redirect=/page1234
But what if we make the user follow a link like this (note the capital I in place of l in the host name):
http://example.com/login?redirect=http://exampIe.com
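The login flow above with the redirect parameter validated, as an added example (not code from the slides). It goes a little beyond the slide's exampIe.com case and also rejects protocol-relative (`//host`) and backslash forms; the function names are assumptions.

```python
from urllib.parse import urlencode, urlsplit


def safe_redirect_target(redirect: str, default: str = "/") -> str:
    """Accept only a path on this site. Rejects absolute URLs such as
    http://exampIe.com, scheme-only values (javascript:...), protocol-relative
    //host, and backslashes (some browsers read /\\host as //host)."""
    if not redirect:
        return default
    parts = urlsplit(redirect)
    if parts.scheme or parts.netloc:
        return default
    if (not redirect.startswith("/") or redirect.startswith("//")
            or "\\" in redirect):
        return default
    return redirect


def login_url_for(requested_path: str) -> str:
    """Step 2 of the slide: send the anonymous user to login and remember
    the page they asked for in the redirect parameter."""
    return "/login?" + urlencode({"redirect": requested_path})


def after_login_location(query: dict) -> str:
    """Where to send the user once logged in, given the parsed query string
    of the login URL. Anything that is not a local path falls back to '/'."""
    return safe_redirect_target(query.get("redirect", ""))


if __name__ == "__main__":
    print(login_url_for("/page1234"))
    print(after_login_location({"redirect": "/page1234"}))           # /page1234
    print(after_login_location({"redirect": "http://exampIe.com"}))  # /
```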
34. Path traversal
Usually happens when user input is fed directly into a file path parameter,
e.g. f = open("FOLDER_NAME" + user_input_file, "r")
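The slide's `open(FOLDER_NAME + user_input_file)` beside a version that resolves the path and requires it to stay under the folder, as an added example (not code from the slides). The directory layout is constructed in a temporary folder; the function names are assumptions.

```python
import os
import tempfile


def make_demo_tree() -> str:
    """Constructed layout: <tmp>/uploads/notes.txt (allowed) and
    <tmp>/outside.txt (must never be reachable). Returns the uploads folder
    with a trailing separator, as FOLDER_NAME on the slide presumably is."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(uploads, "notes.txt"), "w") as f:
        f.write("hello")
    with open(os.path.join(root, "outside.txt"), "w") as f:
        f.write("secret")
    return uploads + os.sep


def read_vulnerable(folder: str, user_input_file: str) -> str:
    """The slide's pattern: user input concatenated straight into the path,
    so '../outside.txt' walks out of the folder."""
    with open(folder + user_input_file, "r") as f:
        return f.read()


def resolve_safe(folder: str, user_input_file: str) -> str:
    """Resolve the requested path ('..' and symlinks included) and require
    that it still lies inside the folder. An absolute user path makes
    os.path.join drop the folder entirely; the same check catches that."""
    base = os.path.realpath(folder)
    target = os.path.realpath(os.path.join(base, user_input_file))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes the allowed folder: " + user_input_file)
    return target


def read_safe(folder: str, user_input_file: str) -> str:
    with open(resolve_safe(folder, user_input_file), "r") as f:
        return f.read()


if __name__ == "__main__":
    folder = make_demo_tree()
    print(read_vulnerable(folder, "../outside.txt"))   # secret: escaped the folder
    print(read_safe(folder, "notes.txt"))              # hello
    try:
        read_safe(folder, "../outside.txt")
    except ValueError as e:
        print("rejected:", e)
```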
35. Basic "How to test"
BlackBox:
- Check how the application handles unexpected data (single/double quotes, <>, %0a%0d%00, etc.)
- Simple XSS test: '';!--"<XSS>=&{()}
- Simple SQLi test: 1' or '1' = '1
- Path traversal: ../../../../../../../etc/passwd (or another known file)
- Directory browsing and open folders: DIRBUSTER (careful, it can DoS the server)
- CSRF: check that the anti-CSRF token is present AND that it's required
- OS command injection: if something looks like a shell command, try to insert another one
Desired result: unpredicted behavior or errors.
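The same probe strings seen from the other side, as an added example (not code from the slides): detection logic that runs over web server access logs and flags the requests a tester (or anyone else) sends when following this slide. The log lines are constructed, and the combined-log regex and the signature names are assumptions.

```python
import re
from urllib.parse import unquote

# Assumed combined-log layout: ip ident user [time] "METHOD url proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+')

# Signatures are matched against the percent-decoded request URL.
SIGNATURES = {
    "sqli-probe": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.I),   # 1' or '1' = '1
    "xss-probe": re.compile(r"<xss>|<script|onerror\s*=", re.I),
    "traversal": re.compile(r"(\.\./){2,}|/etc/passwd"),
    "ctrl-chars": re.compile(r"[\x00\r\n]"),                   # %00 %0d %0a
    "dirbuster": re.compile(r"/(\.git|backup|admin|\.svn)(/|$)", re.I),
}

# Constructed access-log sample: one normal request per probe line.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:01 +0000] "GET /page1234 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2024:10:00:02 +0000] "GET /items?id=1%27%20or%20%271%27%20=%20%271 HTTP/1.1" 500 88
10.0.0.9 - - [01/Jun/2024:10:00:03 +0000] "GET /search?q=%27%27%3B%21--%22%3CXSS%3E%3D%26%7B%28%29%7D HTTP/1.1" 200 640
10.0.0.9 - - [01/Jun/2024:10:00:04 +0000] "GET /download?file=../../../../../../../etc/passwd HTTP/1.1" 403 12
10.0.0.9 - - [01/Jun/2024:10:00:05 +0000] "GET /users?name=admin%00 HTTP/1.1" 200 300
10.0.0.9 - - [01/Jun/2024:10:00:06 +0000] "GET /.git/HEAD HTTP/1.1" 404 0
10.0.0.7 - - [01/Jun/2024:10:00:07 +0000] "POST /save HTTP/1.1" 302 0
"""


def classify(line: str):
    """Parse one log line and return its fields plus the signatures it hits
    (None if the line does not match the log layout)."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("url"))   # decode once so %27 becomes '
    hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    return {"ip": m.group("ip"), "url": m.group("url"),
            "status": int(m.group("status")), "hits": hits}


def scan_log(text: str) -> list:
    """All records from the log that hit at least one signature."""
    findings = []
    for line in text.splitlines():
        rec = classify(line)
        if rec and rec["hits"]:
            findings.append(rec)
    return findings


def probes_per_ip(text: str) -> dict:
    """Count flagged requests per client; a burst from one address is the
    usual shape of a scan or a manual test session."""
    counts = {}
    for rec in scan_log(text):
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for rec in scan_log(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["hits"], rec["url"])
    print(probes_per_ip(SAMPLE_LOG))
```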
36. WhiteBox (access to source code)
Easy:
1. Find the OWASP Code Review Guide
2. Find the desired language and search for keywords, then review them.
3. For frontend - search for .innerHTML, eval(), $.html (there is more. Search for your framework)
37. Automation doesn't work (as well as expected) because CONTEXT MATTERS.
Automated solutions:
- produce hundreds of false positives
- can't find non-obvious vulnerabilities
But:
- Better than nothing
- Can work better for some projects
- Detects misconfiguration
- Can be tweaked and proxied to perform better for you
38. Info and literature:
1. GOOGLE
2. Our appsec knowledge checklist: link
a. Some playgrounds: p.5-10
3. OWASP ASVS (standard), OWASP Testing Guide at https://owasp.org
4. Web Application hacker’s handbook