This document discusses web application penetration testing and security. It begins with an overview of web application security standards and realities, noting that standards do not encompass all vulnerability types or attacks. It then discusses web application testing methodologies and realities of security testing. The main part of the document focuses on facets of web application penetration testing, highlighting the importance of thinking beyond surface issues to more hidden vulnerabilities. It concludes with demonstrations of different web application attacks.

1. Web Maniac Hacking TrustAditya K Sood [adi_ks [at] secniche.org] SecNiche Security

2. DisclaimerWeb Maniac - Hacking TrustPentesting web applications in a hacker’s way. Attack surface varies from application to application. How to think below the surface? That’s the aim!All contents of this presentation represent my own beliefs and views and do not, unless explicitly stated otherwise, represent the beliefs of my current, or any of my previous in that effect, employers.Screenshots have been shared from various resources. This is done to show the comparative model of various methodologies.

3. About MeFounder , SECNICHE Security Labs.http://www.secniche.org PhD Candidate at Michigan State University

4. Worked previously for Armorize as Senior Security Practitioner , COSEINC as Senior Security Researcher and Security Consultant for KPMGWritten content Author for HITB E-Zine, Hakin9 ,ELSEVIER, USENIX Journals.

5. Like to do Bug Hunting and Malware dissection.

6. Released Advisories to Forefront Companies.

7. Active Speaker at Security Conferences including RSA etc.

8. Blog: http://secniche.blogspot.com| http://zeroknock.blogspot.com Agenda Web Application Security Standards

9. Web Application Security- A view of Reality

10. Web Application – Testing and Development Methodologies

11. Facets of Web Application Pen Testing (WAPT)

12. Demonstrations – Live Targets  Web Application Security Standards – Really

13.  Web Application Security Standards - ?? ! Answers ! Standards provide specific classification of vulnerabilities

14. Do they comprise of all types of vulnerabilities ?

15. Are all types of web attacks predefined in them?

16. Do you think the design of web application matters? [to what extent ]

17. A view of web application and a website under testing.

18. Do platforms and web servers matter while web application assessment?

19. Do you think penetration testing of web applications is beyond these standards ?

20.  Web Application State and Risks© OWASP

21.  Web Application Architecture - Development

22.  Web Application Testing - Methodologies

23.  Why Security Testing ?Defacement Statistics© Zone H

24.  Web Application Security ! Reality - Broken

25.  Is that Ethical?

26.  Existence and Reality – Web Penetration Test Is this all about compliance (PCI) ?

27. Is this all about reporting generic issues and using reports for cert’s?

28. Do you think organizational teams patch all the reported issues?

29. White box or Black box – Changed definitions.

30. Security Assessment ! = Penetration Testing [ Mismatch ]

31. Time dependency – A big factor in determining the effectiveness

32. Penetration Tests – Does not provide security / That’s the Truth

33. Applied security comes out of the actions taken to remove those vulnerabilities which are exploited during the course of penetration testing. Vulnerability assessment provides a glimpse of security to some degree

34. Penetration tests emulate real world attacks to exploit the network and web infrastructure

35. Effective penetration tests provide a degree to which systems can be exploited. It can be more. Pentesting Stringency in Real World

36.  Is that True ?# Then what about Human Ignorance ? # A critical component in every sphere. Hard to beat it.

37.  Thinking in the Wild – Web Penetration Testing.Is it all about shooting what we see ?Do we need to take care of the hidden or shadowed?

38.  Web Penetration Test – The Refined Art Turning the Black Box Testing into White box Testing

39. Expertise – Hacking in a controlled manner

40. Meeting the expectations The One – Murphy’s Law (Variation) Pen Tester – The Word of Advice “Everything that goes wrong on the target host, network, or on the Internet from two weeks before you plug in to two weeks after you submit the report will be your fault.”

41.  Demonstration Attacking Web Apps through Content Rendering – 4: 15 M

42. SQLXSSI – XSS through SQL Injections : Yahoo – 5:30 M

43. Persistent Redirection Attacks and Malware - 4:00 M

44. Content Delivery Networks – Infection Behavior - 4:09 M

45. Widget Redirection Attacks – Outbrain – 3:20 M Demo 1: Document Content Rendering Attacks

46.  Demo 2 : SQLXSSI – Using SQLI to conduct XSS

47.  Demo 3 : Persistent Logout Redirection Attacks

48.  Demo 4 : Third Party Content Delivery Infections

49.  Demo 5 : Widget Redirection Attacks

50.  Questions and Queries

51.  ThanksSecNiche Security : http://www.secniche.orgHacker Halted – http://www.hackerhalted.com