SlideShare a Scribd company logo

Introduction to Web Application Penetration Testing

Download as PPTX, PDF
Rana Khalil
Rana Khalil

Intro to web application penetration testing workshop I held in Atlanta as part of the AnitaBorg Cybersecurity Weekend on Aug. 19. The link for the event can be found here: https://community.anitab.org/event/atl-cybersecurity-day-two/

1 of 56
INTRODUCTION TO WEB APPLICATION PENETRATION TESTING By: Rana Khalil
WHO AM I?  University of Ottawa student – Master of Computer Science  Thesis: Comparative Analysis of Open-source Web Application Vulnerability Scanners  Previous work experience include: Software developer, Tester, Ransomware researcher, Security Analyst.  Aspiring Ethical Hacker!  Removed my wisdom tooth a week ago  2
OUTLINE  Introduction to web application penetration testing  Software setup  Mapping and analyzing the application  Bypassing client-side controls  Attacking authentication  Attacking session management  Attacking data stores 3
THE WEB APPLICATION HACKER’S HANDBOOK 4  Bible of web application penetration testing.  Good mix of theory and practice.  Most of the examples in the slides are from this book.
TOOLS NEEDED FOR WORKSHOP 5  Burp Community Edition  OWASP ZAP  VirtualBox  OWASP BWA Project  FoxyProxy Standard  Modern browser (preferably Firefox) Note: You should have these tools already installed. An email was sent to registered participants prior to workshop.
INTRODUCTION SECTION 1
WHY THE WEB? 7  Let’s look at some statistics:  Over 3.9 billion internet users in the world  Over 1.9 billion websites online  We use websites for everything: e-commerce, online banking to social networking, social media, etc.  Web security has become a major concern for businesses.  Recent example: Equifax. The breach exposed the personal information of 143 million US users and an estimated 100,000 Canadian users.  According to Trustwave’s 2018 Global Security Report:  100% of the web applications scanned by Trustwave displayed at least one vulnerability.  Median number of 11 vulnerabilities detected per application.
HOW TO SECURE A WEB APPLICATION? 8 Combination of techniques are used:  Secure coding practices  Web application firewalls  Static code analysis  Web application penetration testing  Etc.
WHAT IS WEB APP PEN TESTING? 9  Combination of manual and automated tests to identify vulnerabilities, security flaws and/or threats in a web application.  Categorized into three types:  White box: Tester has complete access and in-depth knowledge of the system. Access to source code is usually given.  Black box: Tester is given little to no information about the system. Just the URL of the application is usually given.  Grey box: Combination of white box and black box penetration testing. Limited information and access is given to the tester.  Several methodologies and guidelines: OWASP, PTES, PCI DSS, etc.  Most important thing to keep in mind: you need permission to perform a security test!
WHAT IS OWASP? 10  Stands for Open Web Application Security Project  International open source community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted”.  Contains widely used and popular tools such as the ZAP.  OWASP TOP 10 Project
ABSTRACT PEN TESTING METHODOLOGY 11 Reconnaissance Mapping + Analyzing Discovery Exploitation
SOFTWARE SETUP SECTION 2
SOFTWARE SETUP 13 1. Download VirtualBox and OWASP BWA Project virtual machine. 2. Install OWASP BWA Project vm on VirtualBox. 3. Download Firefox and FoxyProxy add-on. 4. Download Burp Suite Community Edition and OWASP ZAP. 5. Configure Burp and ZAP in FoxyProxy.
HOW DOES A PROXY WORK? 14
SOFTWARE SETUP 15 Setup Demonstration
MAPPING AND ANALYZING THE APPLICATION SECTION 3
MAPPING THE APPLICATION 17  Explore the visible content  Review public resources  Identify any hidden content
ANALYZING THE APPLICATION 18  Identify functionality  Identify data entry points  Identify the technologies used  Map the attack surface
EXERCISE #1: WACKOPICKO 19 Web Spidering Your goal is to use ZAP spider to crawl the application. 1. Configure browser to work with ZAP 2. Load the application on configured browser 3. Include root application URL in context. 4. Right click on the root URL in the Sites tree map > select Attack > select Spider. 5. Right click on the root URL in the Sites tree map > select Attack > select Ajax Spider.
EXERCISE #1: WACKOPICKO 20 Solution demonstration using ZAP and Burp Suite.
BYPASSING CLIENT-SIDE CONTROLS SECTION 4
CLIENT-SIDE VS SERVER-SIDE VALIDATION Client-side Server-side 22 1 2 3 1 2 3
BYPASSING CLIENT-SIDE CONTROLS  Allowing clients to submit arbitrary input is a core security problem in web applications.  Users have full control of everything submitted from the client.  Can cause a range of problems including corrupting data stores, allowing unauthorized access to users and buffer overflows.  In general, there are two ways client-side controls are used to restrict user input:  Transmitting data via the client using mechanisms that “prevent” user interaction. Examples include hidden form fields, disabled elements, referrer header, URL parameters, etc.  Controlling user input using measures that “restrict” user input. Examples include HTML form features, client-side scripts, etc. 23
TRANSMITTING DATA VIA THE CLIENT  Example #1: Hidden Form Field 24 Code Request
TRANSMITTING DATA VIA THE CLIENT  Example #2: HTTP Cookies  Response: Request: 25
EXERCISE #2: WEBGOAT Exploit Hidden Fields Try to purchase the HDTV for less than the purchase price, if you have not done so already. 26
EXERCISE #2: WEBGOAT Solution Demonstration 27
RESTRICTING USER DATA  Example #3: Length Limits 28
RESTRICTING USER DATA  Example #4: Disabled Elements 29
EXERCISE #3: WEBGOAT Bypass HTML Field Restrictions You must submit invalid values for all six fields in one form submission. 30
EXERCISE #3: WEBGOAT Solution Demonstration 31
RESTRICTING USER DATA  Example #5: Script-Based Validation 32
EXERCISE #4: WEBGOAT Bypass Client Side JavaScript Validation You must break all 7 validators at the same time. 33
EXERCISE #4: WEBGOAT Solution Demonstration 34
ATTACKING AUTHENTICATION SECTION 5
AUTHENTICATION  Authentication is a mechanism for validating a user.  There are many authentication technologies:  HTML forms-based authentication  Multifactor authentication  Client SSL certificates and/or smartcards  etc  In general, there are two factors that result in insecure authentication:  Design flaws in authentication mechanisms  Implementation flaws in authentication 36
DESIGN FLAWS IN AUTHENTICATION MECHANISMS  Bad passwords*  Brute-forcible logins  Verbose Failure messages  Vulnerable transmission of credentials  Weaknesses in password change functionality  Weaknesses in forgotten password functionality*  etc. 37
BAD PASSWORDS  Very short or blank passwords  Common dictionary words or names  The same as the username  Still set to the default value  Check the strength of your password: https://password.kaspersky.com/ 38
EXERCISE #5: WEBGOAT Forgot Password The goal is to retrieve the password of another user. 39
EXERCISE #5: WEBGOAT Solution Demonstration 40
IMPLEMENTATION FLAWS IN AUTHENTICATION  Fail-open login mechanisms  Defects in multistage login mechanisms*  Assumption that access to a later stage means that the user cleared prior stages.  Trusting client side data across stages  Insecure storage of credentials  etc. 41
EXERCISE #6: WEBGOAT Multi Level Login 2 Your goal is to log in as Jane. 42
EXERCISE #6: WEBGOAT Solution Demonstration 43
ATTACKING SESSION MANAGEMENT SECTION 6
ATTACKING SESSION MANAGEMENT 45  Understand the mechanism  Test session tokens for meaning  Test session tokens for predictability  Check for session termination
EXERCISE #7: WACKOPICKO Session Management Try to determine how the session is being calculated for the admin interface. Log in as admin/admin multiple times to solve this exercise. 46
EXERCISE #7: WACKOPICKO Solution Demonstration 47
ATTACKING DATA STORES SECTION 7
ATTACKING DATA STORES 49  Most applications have a data store to manage and store data.  User accounts, credentials and personal information.  Prices of items  Orders  Privilege level of a user  We’ll test for SQL injections.  Supply unexpected syntax that might cause problems in the application.  Identify and analyze any anomalies and error messages received.  Attempt to exploit the vulnerability
EXERCISE #8: WEBGOAT String SQL Injection Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'. 50
EXERCISE #8: WEBGOAT Solution Demonstration 51
CONCLUSION SECTION 8
WHAT NEXT? 53 Concepts we learned today Remaining concepts
WHAT NEXT?  Read books  Get a mentor  So many free online resource! (Cybrary, coursera, MIT open courseware, etc.)  Practice on intentionally vulnerable web applications  Participate in CTF competitions  Attend conferences  Contribute to open-source security projects  Apply to security jobs (Even if you don’t have all the qualifications. Most people don’t!)  Take life one step at a time. You can do this! 54
GET IN TOUCH! 55 https://rkhal101.github.io/ /ranakhalil1 @rana__khalil /rkhal101
GET IN TOUCH! 56 Laptop stickers generously donated by OWASP!

Recommended

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Ethical hacking presentation
Ethical hacking presentationEthical hacking presentation
Ethical hacking presentation
Georgekutty Francis
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
Tony Bibbs
 

Recommended

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Bug Bounty - Hackers Job
Bug Bounty - Hackers JobBug Bounty - Hackers Job
Bug Bounty - Hackers JobArbin Godar
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
Adhoura Academy
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Sam Bowne
 
Ethical hacking presentation
Ethical hacking presentationEthical hacking presentation
Ethical hacking presentation
Georgekutty Francis
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
Tony Bibbs
 
OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Footprinting
FootprintingFootprinting
Footprinting
Duah John
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
n|u - The Open Security Community
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
Computer security
Computer securityComputer security
Computer security
Mahesh Singh Madai
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Aryan Saxena
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
Bharat Thakkar
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
Bassam Al-Khatib
 

More Related Content

What's hot

OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
Mohamed Talaat
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Anoop T
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Footprinting
FootprintingFootprinting
Footprinting
Duah John
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
n|u - The Open Security Community
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
Bernardo Damele A. G.
 
Computer security
Computer securityComputer security
Computer security
Mahesh Singh Madai
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
Aryan Saxena
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
Hajer alriyami
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
Bharat Thakkar
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
Priyanka Aash
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
NishaYadav177
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample ReportOctogence
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
bugcrowd
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
vishalgohel12195
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
Mikhail Egorov
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
TecsyntSolutions
 

What's hot (20)

OWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacksOWASP Top 10 - Day 1 - A1 injection attacks
OWASP Top 10 - Day 1 - A1 injection attacks
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Footprinting
FootprintingFootprinting
Footprinting
 
Bug Bounty Secrets
Bug Bounty Secrets Bug Bounty Secrets
Bug Bounty Secrets
 
Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)Advanced SQL injection to operating system full control (slides)
Advanced SQL injection to operating system full control (slides)
 
Computer security
Computer securityComputer security
Computer security
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 
Password Cracking
Password CrackingPassword Cracking
Password Cracking
 
Course on Ehtical Hacking - Introduction
Course on Ehtical Hacking - IntroductionCourse on Ehtical Hacking - Introduction
Course on Ehtical Hacking - Introduction
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Web PenTest Sample Report
Web PenTest Sample ReportWeb PenTest Sample Report
Web PenTest Sample Report
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Password cracking and brute force
Password cracking and brute forcePassword cracking and brute force
Password cracking and brute force
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017OWASP Mobile Security: Top 10 Risks for 2017
OWASP Mobile Security: Top 10 Risks for 2017
 

Similar to Introduction to Web Application Penetration Testing

AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
sk0894308
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
Bassam Al-Khatib
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
Ravikumar Paghdal
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
hearme limited company
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
Thoughtworks
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Rana Khalil
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Security Innovation
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
Ram G Athreya
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
Asep Sopyan
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
Mike Spaulding
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
HackerOne
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application Assessments
Internet Security Auditors
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
Jim Kaplan CIA CFE
 
Web security
Web securityWeb security
Web security
kareem zock
 

Similar to Introduction to Web Application Penetration Testing (20)

AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdfAnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsec
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
 
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
Develop, Test & Maintain Secure Systems (While Being PCI Compliant)
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networks
 
Security testing
Security testingSecurity testing
Security testing
 
Bank One App Sec Training
Bank One App Sec TrainingBank One App Sec Training
Bank One App Sec Training
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...2009: Securing Applications With Web Application Firewalls and Vulnerability ...
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application Assessments
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Web security
Web securityWeb security
Web security
 

Recently uploaded

CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
BhavyaRajput3
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
JosvitaDsouza2
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
Anna Sz.
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docxAcetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docx
vaibhavrinwa19
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
Jean Carlos Nunes Paixão
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
MysoreMuleSoftMeetup
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
Jisc
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
SACHIN R KONDAGURI
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
Balvir Singh
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
kaushalkr1407
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
TechSoup
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
Nguyen Thanh Tu Collection
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
CarlosHernanMontoyab2
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
RaedMohamed3
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
Jheel Barad
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
Jisc
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
Sandy Millin
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
Mohd Adib Abd Muin, Senior Lecturer at Universiti Utara Malaysia
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
beazzy04
 
Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
Atul Kumar Singh
 

Recently uploaded (20)

CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCECLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
CLASS 11 CBSE B.St Project AIDS TO TRADE - INSURANCE
 
1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx1.4 modern child centered education - mahatma gandhi-2.pptx
1.4 modern child centered education - mahatma gandhi-2.pptx
 
Polish students' mobility in the Czech Republic
Polish students' mobility in the Czech RepublicPolish students' mobility in the Czech Republic
Polish students' mobility in the Czech Republic
 
Acetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docxAcetabularia Information For Class 9 .docx
Acetabularia Information For Class 9 .docx
 
Lapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdfLapbook sobre os Regimes Totalitários.pdf
Lapbook sobre os Regimes Totalitários.pdf
 
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
Mule 4.6 & Java 17 Upgrade | MuleSoft Mysore Meetup #46
 
Supporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptxSupporting (UKRI) OA monographs at Salford.pptx
Supporting (UKRI) OA monographs at Salford.pptx
 
"Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe..."Protectable subject matters, Protection in biotechnology, Protection of othe...
"Protectable subject matters, Protection in biotechnology, Protection of othe...
 
Operation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela TaraOperation Blue Star - Saka Neela Tara
Operation Blue Star - Saka Neela Tara
 
The Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdfThe Roman Empire A Historical Colossus.pdf
The Roman Empire A Historical Colossus.pdf
 
Introduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp NetworkIntroduction to AI for Nonprofits with Tapp Network
Introduction to AI for Nonprofits with Tapp Network
 
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
BÀI TẬP BỔ TRỢ TIẾNG ANH GLOBAL SUCCESS LỚP 3 - CẢ NĂM (CÓ FILE NGHE VÀ ĐÁP Á...
 
678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf678020731-Sumas-y-Restas-Para-Colorear.pdf
678020731-Sumas-y-Restas-Para-Colorear.pdf
 
Palestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptxPalestine last event orientationfvgnh .pptx
Palestine last event orientationfvgnh .pptx
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
The approach at University of Liverpool.pptx
The approach at University of Liverpool.pptxThe approach at University of Liverpool.pptx
The approach at University of Liverpool.pptx
 
2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...2024.06.01 Introducing a competency framework for languag learning materials ...
2024.06.01 Introducing a competency framework for languag learning materials ...
 
Chapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptxChapter 3 - Islamic Banking Products and Services.pptx
Chapter 3 - Islamic Banking Products and Services.pptx
 
Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345Sha'Carri Richardson Presentation 202345
Sha'Carri Richardson Presentation 202345
 
Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.Language Across the Curriculm LAC B.Ed.
Language Across the Curriculm LAC B.Ed.
 

Introduction to Web Application Penetration Testing

  • 1. INTRODUCTION TO WEB APPLICATION PENETRATION TESTING By: Rana Khalil
  • 2. WHO AM I?  University of Ottawa student – Master of Computer Science  Thesis: Comparative Analysis of Open-source Web Application Vulnerability Scanners  Previous work experience include: Software developer, Tester, Ransomware researcher, Security Analyst.  Aspiring Ethical Hacker!  Removed my wisdom tooth a week ago  2
  • 3. OUTLINE  Introduction to web application penetration testing  Software setup  Mapping and analyzing the application  Bypassing client-side controls  Attacking authentication  Attacking session management  Attacking data stores 3
  • 4. THE WEB APPLICATION HACKER’S HANDBOOK 4  Bible of web application penetration testing.  Good mix of theory and practice.  Most of the examples in the slides are from this book.
  • 5. TOOLS NEEDED FOR WORKSHOP 5  Burp Community Edition  OWASP ZAP  VirtualBox  OWASP BWA Project  FoxyProxy Standard  Modern browser (preferably Firefox) Note: You should have these tools already installed. An email was sent to registered participants prior to workshop.
  • 7. WHY THE WEB? 7  Let’s look at some statistics:  Over 3.9 billion internet users in the world  Over 1.9 billion websites online  We use websites for everything: e-commerce, online banking to social networking, social media, etc.  Web security has become a major concern for businesses.  Recent example: Equifax. The breach exposed the personal information of 143 million US users and an estimated 100,000 Canadian users.  According to Trustwave’s 2018 Global Security Report:  100% of the web applications scanned by Trustwave displayed at least one vulnerability.  Median number of 11 vulnerabilities detected per application.
  • 8. HOW TO SECURE A WEB APPLICATION? 8 Combination of techniques are used:  Secure coding practices  Web application firewalls  Static code analysis  Web application penetration testing  Etc.
  • 9. WHAT IS WEB APP PEN TESTING? 9  Combination of manual and automated tests to identify vulnerabilities, security flaws and/or threats in a web application.  Categorized into three types:  White box: Tester has complete access and in-depth knowledge of the system. Access to source code is usually given.  Black box: Tester is given little to no information about the system. Just the URL of the application is usually given.  Grey box: Combination of white box and black box penetration testing. Limited information and access is given to the tester.  Several methodologies and guidelines: OWASP, PTES, PCI DSS, etc.  Most important thing to keep in mind: you need permission to perform a security test!
  • 10. WHAT IS OWASP? 10  Stands for Open Web Application Security Project  International open source community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted”.  Contains widely used and popular tools such as the ZAP.  OWASP TOP 10 Project
  • 11. ABSTRACT PEN TESTING METHODOLOGY 11 Reconnaissance Mapping + Analyzing Discovery Exploitation
  • 13. SOFTWARE SETUP 13 1. Download VirtualBox and OWASP BWA Project virtual machine. 2. Install OWASP BWA Project vm on VirtualBox. 3. Download Firefox and FoxyProxy add-on. 4. Download Burp Suite Community Edition and OWASP ZAP. 5. Configure Burp and ZAP in FoxyProxy.
  • 14. HOW DOES A PROXY WORK? 14
  • 16. MAPPING AND ANALYZING THE APPLICATION SECTION 3
  • 17. MAPPING THE APPLICATION 17  Explore the visible content  Review public resources  Identify any hidden content
  • 18. ANALYZING THE APPLICATION 18  Identify functionality  Identify data entry points  Identify the technologies used  Map the attack surface
  • 19. EXERCISE #1: WACKOPICKO 19 Web Spidering Your goal is to use ZAP spider to crawl the application. 1. Configure browser to work with ZAP 2. Load the application on configured browser 3. Include root application URL in context. 4. Right click on the root URL in the Sites tree map > select Attack > select Spider. 5. Right click on the root URL in the Sites tree map > select Attack > select Ajax Spider.
  • 20. EXERCISE #1: WACKOPICKO 20 Solution demonstration using ZAP and Burp Suite.
  • 22. CLIENT-SIDE VS SERVER-SIDE VALIDATION Client-side Server-side 22 1 2 3 1 2 3
  • 23. BYPASSING CLIENT-SIDE CONTROLS  Allowing clients to submit arbitrary input is a core security problem in web applications.  Users have full control of everything submitted from the client.  Can cause a range of problems including corrupting data stores, allowing unauthorized access to users and buffer overflows.  In general, there are two ways client-side controls are used to restrict user input:  Transmitting data via the client using mechanisms that “prevent” user interaction. Examples include hidden form fields, disabled elements, referrer header, URL parameters, etc.  Controlling user input using measures that “restrict” user input. Examples include HTML form features, client-side scripts, etc. 23
  • 24. TRANSMITTING DATA VIA THE CLIENT  Example #1: Hidden Form Field 24 Code Request
  • 25. TRANSMITTING DATA VIA THE CLIENT  Example #2: HTTP Cookies  Response: Request: 25
  • 26. EXERCISE #2: WEBGOAT Exploit Hidden Fields Try to purchase the HDTV for less than the purchase price, if you have not done so already. 26
  • 27. EXERCISE #2: WEBGOAT Solution Demonstration 27
  • 28. RESTRICTING USER DATA  Example #3: Length Limits 28
  • 29. RESTRICTING USER DATA  Example #4: Disabled Elements 29
  • 30. EXERCISE #3: WEBGOAT Bypass HTML Field Restrictions You must submit invalid values for all six fields in one form submission. 30
  • 31. EXERCISE #3: WEBGOAT Solution Demonstration 31
  • 32. RESTRICTING USER DATA  Example #5: Script-Based Validation 32
  • 33. EXERCISE #4: WEBGOAT Bypass Client Side JavaScript Validation You must break all 7 validators at the same time. 33
  • 34. EXERCISE #4: WEBGOAT Solution Demonstration 34
  • 36. AUTHENTICATION  Authentication is a mechanism for validating a user.  There are many authentication technologies:  HTML forms-based authentication  Multifactor authentication  Client SSL certificates and/or smartcards  etc  In general, there are two factors that result in insecure authentication:  Design flaws in authentication mechanisms  Implementation flaws in authentication 36
  • 37. DESIGN FLAWS IN AUTHENTICATION MECHANISMS  Bad passwords*  Brute-forcible logins  Verbose Failure messages  Vulnerable transmission of credentials  Weaknesses in password change functionality  Weaknesses in forgotten password functionality*  etc. 37
  • 38. BAD PASSWORDS  Very short or blank passwords  Common dictionary words or names  The same as the username  Still set to the default value  Check the strength of your password: https://password.kaspersky.com/ 38
  • 39. EXERCISE #5: WEBGOAT Forgot Password The goal is to retrieve the password of another user. 39
  • 40. EXERCISE #5: WEBGOAT Solution Demonstration 40
  • 41. IMPLEMENTATION FLAWS IN AUTHENTICATION  Fail-open login mechanisms  Defects in multistage login mechanisms*  Assumption that access to a later stage means that the user cleared prior stages.  Trusting client side data across stages  Insecure storage of credentials  etc. 41
  • 42. EXERCISE #6: WEBGOAT Multi Level Login 2 Your goal is to log in as Jane. 42
  • 43. EXERCISE #6: WEBGOAT Solution Demonstration 43
  • 45. ATTACKING SESSION MANAGEMENT 45  Understand the mechanism  Test session tokens for meaning  Test session tokens for predictability  Check for session termination
  • 46. EXERCISE #7: WACKOPICKO Session Management Try to determine how the session is being calculated for the admin interface. Log in as admin/admin multiple times to solve this exercise. 46
  • 49. ATTACKING DATA STORES 49  Most applications have a data store to manage and store data.  User accounts, credentials and personal information.  Prices of items  Orders  Privilege level of a user  We’ll test for SQL injections.  Supply unexpected syntax that might cause problems in the application.  Identify and analyze any anomalies and error messages received.  Attempt to exploit the vulnerability
  • 50. EXERCISE #8: WEBGOAT String SQL Injection Try to inject an SQL string that results in all the credit card numbers being displayed. Try the user name of 'Smith'. 50
  • 51. EXERCISE #8: WEBGOAT Solution Demonstration 51
  • 54. WHAT NEXT?  Read books  Get a mentor  So many free online resource! (Cybrary, coursera, MIT open courseware, etc.)  Practice on intentionally vulnerable web applications  Participate in CTF competitions  Attend conferences  Contribute to open-source security projects  Apply to security jobs (Even if you don’t have all the qualifications. Most people don’t!)  Take life one step at a time. You can do this! 54
  • 56. GET IN TOUCH! 56 Laptop stickers generously donated by OWASP!

Editor's Notes

  1. Pic taken from: http://caseythecollegeceliac.blogspot.com/2014/05/celiac-and-wisdom-teeth-part-1.html
  2. Download VirtualBox and OWASP BWA Project virtual machine. VirtualBox: https://www.virtualbox.org/ OWASP BWA: https://sourceforge.net/projects/owaspbwa/ Install OWASP BWA Project vm on VirtualBox. Sample installation instructions: https://www.utest.com/articles/installing-owasp-broken-web-applications-owasp-bwa-project Download Firefox and FoxyProxy add-on. Firefox: https://www.mozilla.org/en-US/firefox/new/ FoxyProxy: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ Download Burp Suite Community Edition and OWASP ZAP. Burp Suite Community Edition (the free version): https://portswigger.net/burp OWASP ZAP: https://www.zaproxy.org/ Configure Burp and ZAP in FoxyProxy. Sample configuration instructions for ZAP: https://andrewedstrom.com/zap-foxyproxy/ Sample configuration instructions for Burp: https://nvisium.com/blog/2014/01/10/setting-up-burpsuite-with-firefox-and.html
  3. Any request sent by the browser will first be intercepted by zap and then sent to the web application. Similarly, any response sent by the web application will be intercepted by zap and then sent to the browser. When a request is intercepted, ZAP can modify the request to exploit an existing vulnerability in the web application.
  4. In order to change the price value, click on Purchase button and intercept the request using Burp Proxy. In the intercepted request, you’ll see that the price field is sent to the server as a parameter when the form is submitted. Change the price value to the desired value and forward the request by clicking on the Forward button in Burp. The application will successfully process the transaction with the chosen price value.
  5. The following form has field restrictions on each input field. Our goal is to submit this form with each field containing a value that would otherwise be rejected on the client side. Similar to example 2, intercept the request and modify every value.
  6. Solution similar to example 2 and 3.
  7. Most applications
  8. The goal of this exercise is to retrieve the password of another user. We’ll try to get the admin’s password. Try the username ‘admin’, You get directed to another page that contains the secret question which means the username ‘admin’ is a valid username. Now, enter any color in the answer field and intercept the request in Burp Suite. In the Intercept sub-tab of the proxy tab, right click anywhere on the request and select ‘Send to Intruder’. In the ‘Intruder’ tab, click the ‘Clear’ button to clear all payload markers and highlight the color you entered and click the ‘Add’ button. Switch to the ‘Payloads’ sub-tab and add all the colors under ‘Payloads Options [Simple List]’. Make sure that the proxy intercept is off. Switch back to the ‘Positions’ sub-tab and click on ‘Start Attack’. The color with the different payload size is the correct answer (in this case it is green).
  9. Log in with the given username Joe and password banana. Enter a transaction number and intercept the request in Burp Suite. In the ‘Intercept’ sub-tab, change the parameter ‘hidden_user’ to ‘Jane’ and forward the request.
  10. Enter the username/password admin/admin and intercept the request in Burp Suite. In the ‘Intercept’ sub-tab under the ‘Proxy’ tab, right click anywhere on the request and select ‘Send to Sequencer’. In Sequencer tab, click the option ‘Start live capture’. This should give you an analysis of the statistical randomness of the session tokens. In our case, there is no statistical randomness, because the session cookies differ by 1.
  11. Burp sequencer
  12. To exploit the vulnerability enter the input Smith' or 'a' = 'a