How About Security Testing? 
Jouri Dufour, CTG 
www.eurostarconferences.com 
@esconfs 
#esconfs
How About Cybercrime?
Our BUSINESS LIFE is online.
“If A happens, then B must be the case, so I will do C.” 
BUT WHAT IF X OCCURS?
01 Fooling a password change function
[Diagram, shown in three steps (the functionality, the assumption, the attack): a password change request carrying Username, Existing password (* only presented to users), New password and Confirm new password reaches the password change function, which branches on "Existing password parameter?": Y → User, N → Administrator. The FLAW is marked on that decision; the ATTACK is marked on the password change request.]
RECOMMENDED HACK STEPS
- Try removing in turn each request parameter
- Be sure to delete the actual parameter name as well as its value
- Attack only one parameter at a time
- Follow a multistage process through to completion
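Added example, not code from the talk: a server-side password change handler in the flawed form the slides describe (the presence of the `existing_password` parameter decides who is asking) next to a hardened one that takes the role from the session. The user store, session dictionary and request parameters are constructed here for illustration.

```python
import hashlib
import hmac


def _hash(password):
    # sha256 keeps the example dependency-free; a real application stores
    # passwords with a slow, salted hash (bcrypt, scrypt or argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_users():
    # Constructed user store for the example: username -> role and hash.
    return {
        "alice": {"role": "user", "pw_hash": _hash("alice-current-pw")},
        "root": {"role": "administrator", "pw_hash": _hash("root-current-pw")},
    }


def _existing_password_ok(users, username, candidate):
    return hmac.compare_digest(users[username]["pw_hash"], _hash(candidate))


def _apply(users, username, params):
    if params["new_password"] != params["confirm_password"]:
        return "new passwords do not match"
    users[username]["pw_hash"] = _hash(params["new_password"])
    return "password changed"


def change_password_flawed(users, session, params):
    """Flawed handler from the talk's first case.

    The administrator form has no 'existing_password' field, so the handler
    uses the presence of that parameter to decide whether the caller is an
    ordinary user (verify the old password) or an administrator (skip it).
    The session is never consulted, so a user who deletes the parameter,
    name and value, is handled as an administrator."""
    if "existing_password" in params:
        if not _existing_password_ok(users, params["username"],
                                     params["existing_password"]):
            return "existing password incorrect"
    return _apply(users, params["username"], params)


def change_password_fixed(users, session, params):
    """Hardened handler: the role comes from the authenticated session, and
    an ordinary user must always present the correct existing password, so
    a missing parameter is treated exactly like a wrong one."""
    actor = session["user"]
    target = params["username"]
    if users[actor]["role"] != "administrator":
        if target != actor:
            return "forbidden"
        if not _existing_password_ok(users, actor,
                                     params.get("existing_password", "")):
            return "existing password incorrect"
    return _apply(users, target, params)


def parameter_removal_check(handler):
    """Replays the talk's test step: alice submits a change with the
    'existing_password' parameter removed entirely. Returns the handler's
    verdict and whether alice's stored hash actually changed."""
    users = make_users()
    before = users["alice"]["pw_hash"]
    request = {"username": "alice",
               "new_password": "new-pw", "confirm_password": "new-pw"}
    verdict = handler(users, {"user": "alice"}, request)
    return verdict, users["alice"]["pw_hash"] != before
```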
02 Proceeding to checkout
[Diagram, shown in three steps (the functionality, the assumption, the attack): retail application flow Add items to shopping basket → Enter delivery information → Enter payment information → Finalize order. The FLAW is marked on the stage sequence; the ATTACK is marked on Finalize order.]
RECOMMENDED HACK STEPS
- Attempt to submit requests out of the expected sequence
- Be sure to fully understand the access mechanisms to distinct stages
- Try to violate the developers’ assumptions
- Use any interesting error messages and debug output to fine-tune your attacks
The application may enforce strict access control only on the initial stages of the process.
03 Beating a business limit
[Diagram, shown in three steps (the functionality, the assumption, the attack): ERP application transfer from Bank account 1 to Bank account 2, guarded by the check "Less than €10.000?" (Y / N). The FLAW is marked on that check; the ATTACK shows €20.000 submitted as -€20.000.]
Many applications use numeric limits, and beating such limits may have serious business consequences.
RECOMMENDED HACK STEPS
- Try entering negative values
- Sometimes several steps need to be repeated to bring the application in a vulnerable state
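Added example, not code from the talk: the €10.000 transfer limit from the slides implemented as the single comparison the diagram shows, next to a version that validates the amount as money before comparing it. Account numbers, balances and the €10.000 threshold constant are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

LIMIT = Decimal("10000")  # the talk's €10.000 self-service threshold


def transfer_flawed(accounts, src, dst, amount):
    """Flawed: implements only the slide's question "Less than €10.000?".
    A negative amount is less than the limit, so it executes without
    approval and moves the money in the opposite direction."""
    if amount < LIMIT:
        accounts[src] -= amount
        accounts[dst] += amount
        return "executed"
    return "needs approval"


def transfer_fixed(accounts, src, dst, amount):
    """Hardened: establish that the value is a positive, finite amount of
    money with at most two decimals before it is compared with anything."""
    try:
        amount = Decimal(str(amount))
    except InvalidOperation:
        return "rejected: not a number"
    # is_finite() first: ordering comparisons against NaN raise in Decimal.
    if not amount.is_finite() or amount <= 0:
        return "rejected: amount must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return "rejected: more than two decimals"
    if src == dst or src not in accounts or dst not in accounts:
        return "rejected: invalid accounts"
    if amount >= LIMIT:
        return "needs approval"
    if accounts[src] < amount:
        return "rejected: insufficient funds"
    accounts[src] -= amount
    accounts[dst] += amount
    return "executed"


def negative_amount_check(transfer):
    """Replays the talk's test: move -€20.000 from account 1 to account 2.
    Returns the verdict and the resulting balances of both accounts."""
    accounts = {"1": Decimal("1000"), "2": Decimal("50000")}
    verdict = transfer(accounts, "1", "2", Decimal("-20000"))
    return verdict, accounts["1"], accounts["2"]
```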
04 Cheating on bulk discounts
[Diagram, shown in three steps (the functionality, the assumption, the attack): retail application where Purchase bundle puts Item 1 €..., Item 2 €... and Item 3 €... into the shopping basket with -25% applied. The FLAW and the ATTACK are both marked on the -25% adjustment.]
RECOMMENDED HACK STEPS
- Find out if adjustments are made on a one-time basis
- Try to manipulate the application’s behavior to get adjustments that don’t correspond to the original intended criteria
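Added example, not code from the talk: the bundle discount from the slides as a one-time adjustment stored on the basket, next to a total that re-evaluates the discount criterion from the basket's current contents at checkout. The catalogue, prices and bundle definition are constructed for illustration.

```python
from decimal import Decimal

# Constructed catalogue for the example; the bundle is all three items.
PRICES = {"item1": Decimal("100"), "item2": Decimal("60"), "item3": Decimal("40")}
BUNDLE = frozenset(PRICES)
BUNDLE_DISCOUNT = Decimal("0.25")  # the talk's -25%


class Basket:
    def __init__(self):
        self.items = []
        self.discount = Decimal("0")  # only the flawed path relies on this


def add_bundle_flawed(basket):
    """Flawed: the adjustment is made once, when the bundle is added, and
    remembered on the basket. Nothing later checks that the items it was
    granted for are still there."""
    basket.items.extend(sorted(BUNDLE))
    basket.discount = BUNDLE_DISCOUNT


def remove_item(basket, sku):
    basket.items.remove(sku)


def subtotal(basket):
    return sum((PRICES[s] for s in basket.items), Decimal("0"))


def total_flawed(basket):
    # Charges whatever discount happens to be stored, however it got there.
    return subtotal(basket) * (1 - basket.discount)


def bundle_discount(items):
    """The criterion the discount was meant to depend on, evaluated fresh:
    25% only while every bundle item is present."""
    return BUNDLE_DISCOUNT if BUNDLE <= set(items) else Decimal("0")


def total_fixed(basket):
    """Hardened: every adjustment is recomputed from the basket's current
    contents at the moment the customer is charged."""
    return subtotal(basket) * (1 - bundle_discount(basket.items))


def strip_bundle_check(total):
    """Replays the talk's test: add the bundle, then remove two of its three
    items and see what price the remaining item is charged at."""
    basket = Basket()
    add_bundle_flawed(basket)
    remove_item(basket, "item2")
    remove_item(basket, "item3")
    return total(basket)
```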
05 Escaping from escaping
[Diagram, shown in three steps (the functionality, the assumption, the attack): web application where user-controllable input passes through sanitization using the backslash character (for ; | & < > ` space newline) into an operating system command. The FLAW is marked on the sanitization; the ATTACK, labelled COMMAND INJECTION, shows the input Foo;ls on both sides of the sanitization, reaching the operating system command.]
RECOMMENDED HACK STEPS
- Attempt to insert relevant metacharacters into the data you control
- Always try placing a backslash immediately before each such character
This same defect can be found in some defenses against cross-site scripting attacks.
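Added example, not code from the talk: the backslash sanitizer from the slides, which escapes the listed metacharacters but not the backslash itself, next to one that escapes the backslash first, checked with `shlex` as an approximation of POSIX shell word splitting. The `cat` command and the sample inputs are constructed for illustration.

```python
import shlex

# The metacharacters the talk's sanitizer prefixes with a backslash.
META = set(";|&<>` \n")


def escape_flawed(value):
    """Flawed sanitizer: escapes every metacharacter but not the backslash,
    so a backslash already in the input absorbs the one that is added and
    the metacharacter after it is left bare."""
    return "".join("\\" + c if c in META else c for c in value)


def escape_fixed(value):
    """Hardened sanitizer: the backslash is escaped as well, in the same
    pass, so an attacker-supplied backslash can never consume the escape
    character the sanitizer adds."""
    return "".join("\\" + c if c in META or c == "\\" else c for c in value)


def shell_tokens(command_line):
    """Approximates POSIX shell word splitting: a backslash escapes the next
    character, and ; | & < > become tokens of their own."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)


def second_command_present(user_value, escaper):
    """True when, after sanitising user_value and placing it as the argument
    of 'cat', a command separator survives word splitting."""
    tokens = shell_tokens("cat " + escaper(user_value))
    return any(t in (";", "|", "&", "&&", "||") for t in tokens)


def argv_without_shell(user_value):
    """The stronger fix: build an argument vector and hand it to
    subprocess.run(argv) with shell=False, so no shell ever parses the
    value and escaping is not needed at all."""
    return ["cat", user_value]
```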
Yesterday: Dynamic Application Security Testing (DAST). Today: Static Application Security Testing (SAST). Tomorrow: Integrated Application Security Testing (IAST).
DAST + SAST = IAST
[Chart: Victims over Time]
HOW ABOUT SECURITY TESTING?
Fooling a password change function
Proceeding to checkout
Beating a business limit
Cheating on bulk discounts
Escaping from escaping
Speaker: Jouri Dufour
www.ctg.com
jouri.dufour@ctg.com

Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
LucaBarbaro3
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
flufftailshop
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
Pravash Chandra Das
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
DanBrown980551
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
saastr
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 

Recently uploaded (20)

System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdfNunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
Nunit vs XUnit vs MSTest Differences Between These Unit Testing Frameworks.pdf
 
Operating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptxOperating System Used by Users in day-to-day life.pptx
Operating System Used by Users in day-to-day life.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides5th LF Energy Power Grid Model Meet-up Slides
5th LF Energy Power Grid Model Meet-up Slides
 
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
Overcoming the PLG Trap: Lessons from Canva's Head of Sales & Head of EMEA Da...
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 

Jouri Dufour - How About Security Testing - EuroSTAR 2013

  • 1. How About Security Testing? Jouri Dufour, CTG www.eurostarconferences.com @esconfs #esconfs
  • 8. Our BUSINESS LIFE is online.
  • 10. “If A happens, then B must be the case, so I will do C.” BUT WHAT IF X OCCURS?
  • 11. 01 Fooling a password change function
  • 12. The functionality (The functionality → The assumption → The attack): a password change request carries Username, Existing password (only presented to users), New password and Confirm new password. The server branches on "Existing password parameter present?": Y → User path, where the existing password is verified; N → Administrator path, where it is not.
  • 13. FLAW: the assumption that a request without the Existing password parameter must come from an administrator, because the field is only rendered in the users' form.
  • 14. ATTACK: an ordinary user deletes the Existing password parameter from the password change request and is routed down the Administrator path; the new password is set without the existing one ever being checked.
  • 15. RECOMMENDED HACK STEPS: Try removing in turn each request parameter. Be sure to delete the actual parameter name as well as its value. Attack only one parameter at a time. Follow a multistage process through to completion.
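Added example, not code from the deck or from CTG: a password change handler that takes the shortcut of slides 12 to 14, the hardened version that decides on the session instead of on the request's shape, and the parameter removal probe of slide 15 written as a function. The field names, the user store and the session model are assumptions made for this illustration.

```python
# Added example (not from the original deck): a password change handler that
# takes the slide's shortcut, next to a hardened version, plus the parameter
# removal probe from the "recommended hack steps". Field names, the user store
# and the session model are assumptions made for this illustration.
import hmac
from typing import Callable, Dict, Optional


def make_store() -> Dict[str, dict]:
    """Constructed user store. Plaintext passwords keep the logic visible;
    a real application stores salted hashes."""
    return {
        "alice": {"role": "user", "password": "Correct-Horse-1"},
        "root": {"role": "admin", "password": "admin-only-secret"},
    }


def _password_matches(stored: str, supplied: Optional[str]) -> bool:
    """Constant-time comparison; a missing value never matches."""
    if supplied is None:
        return False
    return hmac.compare_digest(stored.encode(), supplied.encode())


def change_password_vulnerable(users: dict, params: dict) -> str:
    """The flaw from the slides: the 'existing_password' field is only rendered
    for ordinary users, so the server treats 'field absent' as 'administrator'
    and skips verification."""
    username = params["username"]
    if params["new_password"] != params["confirm_new_password"]:
        return "error: passwords do not match"
    if "existing_password" in params:  # assumed to be the user branch
        if not _password_matches(users[username]["password"],
                                 params["existing_password"]):
            return "error: existing password incorrect"
    # assumed to be the administrator branch: no check at all
    users[username]["password"] = params["new_password"]
    return "ok"


def change_password_hardened(users: dict, session_user: str, params: dict) -> str:
    """Fix: privilege comes from the authenticated session, never from which
    fields the client chose to send. Non-admins always prove the existing
    password and may only change their own account."""
    username = params["username"]
    if params["new_password"] != params["confirm_new_password"]:
        return "error: passwords do not match"
    if users[session_user]["role"] != "admin":
        if username != session_user:
            return "error: forbidden"
        if not _password_matches(users[username]["password"],
                                 params.get("existing_password")):
            return "error: existing password incorrect"
    users[username]["password"] = params["new_password"]
    return "ok"


def probe_parameter_removal(handler: Callable[[dict], str],
                            base_params: dict) -> Dict[str, str]:
    """Slide 15 as code: resend the request with one parameter removed at a
    time (name and value, not just an empty value) and record each outcome.
    A handler that still answers 'ok' without a security-relevant parameter
    has a logic flaw worth chasing."""
    results = {}
    for name in base_params:
        trimmed = {k: v for k, v in base_params.items() if k != name}
        try:
            results[name] = handler(trimmed)
        except KeyError as exc:  # the server treats the field as mandatory
            results[name] = f"error: missing {exc}"
    return results


if __name__ == "__main__":
    legit = {"username": "alice", "existing_password": "Correct-Horse-1",
             "new_password": "N3w-Pass", "confirm_new_password": "N3w-Pass"}
    for field, outcome in probe_parameter_removal(
            lambda p: change_password_vulnerable(make_store(), p), legit).items():
        print(f"without {field:>22}: {outcome}")
```

Run against the vulnerable handler, the probe reports "ok" for the request that lacks existing_password and a missing-field error for every other removal, which is exactly the signal slide 15 tells you to look for. Against a real target the handler is an HTTP client that replays the captured request; the loop stays the same.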
  • 16. 02 Proceeding to checkout
  • 17. The functionality (The functionality → The assumption → The attack): a retail application's checkout runs through four stages: Add items to shopping basket → Enter delivery information → Enter payment information → Finalize order.
  • 18. FLAW: the assumption that a request for a later stage can only arrive after the earlier stages have been completed, in that order.
  • 19. ATTACK: after adding items and delivery information, submit the Finalize order request directly, skipping Enter payment information.
  • 20. RECOMMENDED HACK STEPS: Attempt to submit requests out of the expected sequence. Be sure to fully understand the access mechanisms to distinct stages. Try to violate the developers' assumptions. Use any interesting error messages and debug output to fine-tune your attacks.
  • 21. The application may enforce strict access control only on the initial stages of the process.
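Added example, not code from the deck or from CTG: the four checkout stages of slides 17 to 19 as handlers, once trusting the browser to follow the sequence and once with the sequence tracked server-side, and the out-of-order request of slide 20 as a function. The Order record, the stage names and the handler signatures are assumptions made for this illustration.

```python
# Added example (not from the original deck): the four checkout stages as
# handlers, once trusting the client to follow the sequence and once with the
# sequence enforced server-side, plus the out-of-order request from slide 20.
# The Order record and stage names are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Order:
    items: List[str] = field(default_factory=list)
    delivery: Optional[str] = None
    payment: Optional[str] = None
    stage: str = "basket"        # server-side progress marker (hardened flow)
    finalized: bool = False


class VulnerableCheckout:
    """Each stage is its own handler. 'finalize' assumes the browser can only
    reach it from the payment page, so it checks nothing itself."""

    def add_item(self, order: Order, sku: str) -> str:
        order.items.append(sku)
        return "ok"

    def enter_delivery(self, order: Order, address: str) -> str:
        order.delivery = address
        return "ok"

    def enter_payment(self, order: Order, card: str) -> str:
        order.payment = card
        return "ok"

    def finalize(self, order: Order) -> str:
        order.finalized = True      # no check that payment was ever taken
        return "order placed"


class HardenedCheckout:
    """Every handler verifies that the order is in the stage that precedes it
    and advances the marker itself, so a client cannot skip a stage."""

    @staticmethod
    def _require(order: Order, stage: str) -> None:
        if order.stage != stage:
            raise PermissionError(f"order is at {order.stage!r}, not {stage!r}")

    def add_item(self, order: Order, sku: str) -> str:
        self._require(order, "basket")
        order.items.append(sku)
        return "ok"

    def enter_delivery(self, order: Order, address: str) -> str:
        self._require(order, "basket")
        if not order.items:
            raise ValueError("empty basket")
        order.delivery = address
        order.stage = "delivery"
        return "ok"

    def enter_payment(self, order: Order, card: str) -> str:
        self._require(order, "delivery")
        order.payment = card
        order.stage = "payment"
        return "ok"

    def finalize(self, order: Order) -> str:
        self._require(order, "payment")
        if order.payment is None:
            raise PermissionError("no payment recorded")
        order.finalized = True
        order.stage = "finalized"
        return "order placed"


def skip_payment_attack(checkout) -> Order:
    """Slide 20's step: submit the final request out of the expected sequence,
    straight after the basket and delivery stages."""
    order = Order()
    checkout.add_item(order, "SKU-1")
    checkout.enter_delivery(order, "1 Example Street")
    try:
        checkout.finalize(order)
    except PermissionError:
        pass                          # the hardened flow refuses
    return order


def honest_checkout(checkout) -> Order:
    """The intended sequence, to show the hardened flow still works."""
    order = Order()
    checkout.add_item(order, "SKU-1")
    checkout.enter_delivery(order, "1 Example Street")
    checkout.enter_payment(order, "tok_test_card")
    checkout.finalize(order)
    return order
```

The point of the hardened class is where the state lives: the order's progress is a server-side field that only the handlers advance, so the URL the browser asks for next is never evidence of what it did before. This also covers slide 21: the check is in every handler, not only in the first ones.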
  • 22. 03 Beating a business limit
  • 23. The functionality (The functionality → The assumption → The attack): an ERP application transfers money between Bank account 1 and Bank account 2. Before executing it checks "Less than €10.000?": Y → the transfer goes through; N → it does not.
  • 24. FLAW: only the upper bound is tested; nothing checks that the amount is positive.
  • 25. ATTACK: request a transfer of -€20.000 from Bank account 2 to Bank account 1. It is "less than €10.000", so it passes the check, and the result is €20.000 moved from Bank account 1 to Bank account 2, twice the limit.
  • 26. Many applications use numeric limits and beating such limits may have serious business consequences
  • 27. RECOMMENDED HACK STEPS: Try entering negative values. Sometimes several steps need to be repeated to bring the application in a vulnerable state.
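Added example, not code from the deck or from CTG: the transfer of slides 23 to 25 with its "less than €10.000" rule, once as the one-sided check on the slide and once with the full range validated, so the negative amount of slide 27 can be tried against both. Account names, balances and the approval wording are constructed for this illustration.

```python
# Added example (not from the original deck): the ERP transfer with its
# "less than €10.000" rule, once as the slide's check and once hardened, and
# the negative-amount request from slide 25. Account names and balances are
# constructed for this illustration.
from decimal import Decimal, InvalidOperation
from typing import Dict

APPROVAL_LIMIT = Decimal("10000")   # transfers at or above this need approval


def make_accounts() -> Dict[str, Decimal]:
    return {"account1": Decimal("50000"), "account2": Decimal("1000")}


def parse_amount(text: str) -> Decimal:
    """Amounts arrive as text; Decimal avoids float rounding on money. The
    sign is accepted here on purpose so the vulnerable path shows the flaw."""
    try:
        return Decimal(text)
    except InvalidOperation as exc:
        raise ValueError(f"not an amount: {text!r}") from exc


def transfer_vulnerable(accounts: Dict[str, Decimal], src: str, dst: str,
                        amount_text: str) -> str:
    """Only the upper bound is checked. A negative amount is 'less than
    10000', so -20000 from account2 to account1 sails through and actually
    moves 20000 from account1 to account2."""
    amount = parse_amount(amount_text)
    if not amount < APPROVAL_LIMIT:
        return "held: approval required"
    accounts[src] -= amount
    accounts[dst] += amount
    return "done"


def transfer_hardened(accounts: Dict[str, Decimal], src: str, dst: str,
                      amount_text: str) -> str:
    """Validate the whole range, not one edge of it: positive, cent
    precision, distinct accounts, covered by the balance, then the limit."""
    amount = parse_amount(amount_text)
    if amount <= 0:
        return "rejected: amount must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return "rejected: too many decimal places"
    if src == dst:
        return "rejected: source and destination are the same"
    if accounts[src] < amount:
        return "rejected: insufficient funds"
    if amount >= APPROVAL_LIMIT:
        return "held: approval required"
    accounts[src] -= amount
    accounts[dst] += amount
    return "done"
```

The hardened version treats the limit as one of several range checks rather than the only one; sign, precision and balance are each a separate way of "beating" a numeric limit, and the negative value on slide 27 is simply the first one to try.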
  • 28. 04 Cheating on bulk discounts
  • 29. The functionality (The functionality → The assumption → The attack): a retail application sells a Purchase bundle; ordering it puts Item 1, Item 2 and Item 3 in the shopping basket at -25%.
  • 30. FLAW: the -25% is applied to the item prices once, at the moment the bundle is added to the basket.
  • 31. ATTACK: add the bundle, then remove from the basket the items you did not want; the remaining item keeps its -25% price.
  • 32. RECOMMENDED HACK STEPS: Find out if adjustments are made on a one-time basis. Try to manipulate the application's behavior to get adjustments that don't correspond to the original intended criteria.
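Added example, not code from the deck or from CTG: a basket that bakes the -25% of slides 29 to 31 into the line prices when the bundle is added, next to one that derives the discount from the basket's current contents, and the add-then-remove manipulation of slide 32 as a function. The catalogue, prices (in cents) and the bundle definition are constructed for this illustration.

```python
# Added example (not from the original deck): a basket that bakes the bundle
# discount into the line prices when the bundle is added, next to one that
# recomputes the discount from the basket's current contents. Prices are in
# cents and the catalogue is constructed for this illustration.
from typing import Dict, Set

CATALOGUE = {"item1": 4000, "item2": 3000, "item3": 3000, "extra": 1500}
BUNDLE: Set[str] = {"item1", "item2", "item3"}
BUNDLE_DISCOUNT_PCT = 25


def discounted(price: int) -> int:
    """Integer arithmetic on cents; no float rounding in money."""
    return price * (100 - BUNDLE_DISCOUNT_PCT) // 100


class VulnerableBasket:
    """The -25% is a one-time adjustment applied to each line when the bundle
    is added; removing items afterwards leaves the others discounted."""

    def __init__(self) -> None:
        self.lines: Dict[str, int] = {}   # sku -> unit price to be charged

    def add_item(self, sku: str) -> None:
        self.lines[sku] = CATALOGUE[sku]

    def add_bundle(self) -> None:
        for sku in BUNDLE:
            self.lines[sku] = discounted(CATALOGUE[sku])

    def remove_item(self, sku: str) -> None:
        self.lines.pop(sku, None)

    def total(self) -> int:
        return sum(self.lines.values())


class HardenedBasket:
    """The basket only records what is in it; pricing is derived at the time
    it is asked for, so the discount exists only while the bundle criteria
    (all three items present) still hold."""

    def __init__(self) -> None:
        self.skus: Set[str] = set()

    def add_item(self, sku: str) -> None:
        self.skus.add(sku)

    def add_bundle(self) -> None:
        self.skus |= BUNDLE

    def remove_item(self, sku: str) -> None:
        self.skus.discard(sku)

    def total(self) -> int:
        bundle_complete = BUNDLE <= self.skus
        return sum(discounted(CATALOGUE[s]) if bundle_complete and s in BUNDLE
                   else CATALOGUE[s] for s in self.skus)


def bundle_then_strip(basket) -> int:
    """Slide 32's manipulation: claim the bundle adjustment, then remove the
    items that were only there to qualify for it, and read the total."""
    basket.add_bundle()
    basket.remove_item("item2")
    basket.remove_item("item3")
    return basket.total()
```

The difference is whether the discount is stored or computed. Storing it as a price on the line makes every later basket operation responsible for keeping it honest; computing it from the criteria at pricing time means there is nothing to keep in sync, and the same rule is applied again at checkout on whatever the basket contains then.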
  • 33. 05 Escaping from escaping
  • 34. The functionality (The functionality → The assumption → The attack): a web application passes user-controllable input into an operating system command. Sanitization: a backslash is placed in front of each of the shell metacharacters ; | & < > ` space newline.
  • 35. FLAW: the backslash itself is not on the list, so an attacker-supplied backslash is passed through untouched.
  • 36. ATTACK: put your own backslash immediately before the metacharacter you want to get past the filter.
  • 37. COMMAND INJECTION: the input Foo\;ls is sanitized to Foo\\;ls. The shell reads the first backslash as escaping the second one, so the ; is live again: Foo is passed to the command and ls runs as a second command.
  • 38. RECOMMENDED HACK STEPS: Attempt to insert relevant metacharacters into the data you control. Always try placing a backslash immediately before each such character.
  • 39. This same defect can be found in some defenses against cross-site scripting attacks
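Added example, not code from the deck or from CTG: the backslash sanitizer of slides 34 to 37, the input that defeats it, a small scanner that reports whether an unescaped metacharacter survives (the check behind the hack step of slide 38), and the same defect in a JavaScript string-escaping routine, as slide 39 says. Function names and the fixed command prefix are assumptions made for this illustration; the scanner models backslash escaping only, not quoting.

```python
# Added example (not from the original deck): the backslash-based sanitizer
# from slides 34 to 37, the input that defeats it, a scanner that tells whether
# an unescaped metacharacter survives, and the same defect in a JavaScript
# string-escaping routine (slide 39). Function names and the fixed command
# prefix are assumptions made for this illustration.
from typing import Callable, List

SHELL_META = set(';|&<>`') | {' ', '\n'}


def sanitize_shell_vulnerable(user_input: str) -> str:
    """Backslash-escapes every metacharacter on the list. The backslash itself
    is not on the list, which is the flaw."""
    return ''.join('\\' + c if c in SHELL_META else c for c in user_input)


def sanitize_shell_hardened(user_input: str) -> str:
    """Escapes the escape character as well. Escaping is still the weaker
    fix; see build_argv below."""
    return ''.join('\\' + c if c in SHELL_META or c == '\\' else c
                   for c in user_input)


def first_unescaped(text: str, target: str) -> int:
    """Index of the first `target` that is not consumed by a preceding
    backslash, i.e. one a shell or JavaScript tokenizer treats as syntax
    rather than as a literal character; -1 if there is none."""
    i = 0
    while i < len(text):
        if text[i] == '\\':
            i += 2            # a backslash consumes the next character
            continue
        if text[i] == target:
            return i
        i += 1
    return -1


def shell_metachar_survives(sanitizer: Callable[[str], str],
                            user_input: str) -> bool:
    """True when the sanitized value still carries a live shell metacharacter."""
    out = sanitizer(user_input)
    return any(first_unescaped(out, c) != -1 for c in SHELL_META)


def build_argv(user_input: str) -> List[str]:
    """The real fix: no shell at all. Hand the value over as one argv element
    (subprocess.run(build_argv(x)) with shell=False); metacharacters then
    have no meaning and nothing needs escaping."""
    return ["ping", "-c", "1", user_input]


def js_string_escape_vulnerable(user_input: str) -> str:
    """Slide 39: an XSS defense for the JavaScript string context that
    escapes the quotes but not the backslash."""
    return ''.join('\\' + c if c in '"\'' else c for c in user_input)


def js_string_escape_hardened(user_input: str) -> str:
    return ''.join('\\' + c if c in '"\'\\' else c for c in user_input)


def js_string_breaks_out(escaper: Callable[[str], str], user_input: str) -> bool:
    """True when the escaped value, placed inside "...", ends the literal early."""
    return first_unescaped(escaper(user_input), '"') != -1
```

With the vulnerable sanitizer, foo\;ls comes out as foo\\;ls and the scanner finds the ; at position 5 unescaped; with the hardened one, or with foo;ls as input, it finds nothing. The JavaScript case is the same shape: \";alert(1)// escaped to \\";alert(1)// closes the string literal. Note that escaping the backslash only repairs this one hole; for the shell, passing an argv list and never a command string removes the whole class, and for the JavaScript context a real encoder also has to deal with newlines and with </script>.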
  • 40. Yesterday: Dynamic Application Security Testing (DAST). Today: Static Application Security Testing (SAST). Tomorrow: DAST + SAST = Integrated Application Security Testing (IAST).
  • 42. HOW ABOUT SECURITY TESTING? Fooling a password change function; Proceeding to checkout; Beating a business limit; Cheating on bulk discounts; Escaping from escaping. Speaker: Jouri Dufour, www.ctg.com, jouri.dufour@ctg.com