This document provides an introduction to the Open Web Application Security Project (OWASP) and web application security testing. It discusses what OWASP is, why it is needed, and how individuals can get involved. The document then outlines common web application security testing techniques such as information gathering, configuration management testing, authentication testing, and denial of service testing. It provides examples of how to use open source tools to conduct these tests and find vulnerabilities in web applications.

1. Introduction to OWASP &
Web Application Security
Sreenath Sasikumar
Information Security Consultant

2. Information Security Consultatnt
IBM, QBurst, DBG
Technical Reviewer - 3 Books (2 security books)
Dev – 8 Mozilla Addons
Dev – World's first security testing browser
Speaker at Google DevFest, Unicom, Gtech ...
sreenath.sasikumar@gmail.com
www.sreenathsasikumar.com/about

3. OWASP
●
What is it?
●
Why do we need it?
●
How does it work?
●
Where is this?
●
Who can join?

4. OWASP Kerala
●
Founded 2006
●
Recent Activities
●
Planned Activities
●
How you can Contribute

5. Take Away
• Understanding web application security
• How to security test web applications
• Mitigating web application security risks
• Open source tools

6. How do web applications work

7. Understanding web security

8. Security testing web applications
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Denial of Service Testing

9. Information Gathering

10. www.google.com/robots.txt
Spiders Robots and Crawlers

11. Search Engine Discovery
Google Hacking
• site
• cache
• inurl
• filetype
How to:
Manual
HackSearch

12. Identify Application Entry points
• GET
• POST
• Cookies
• Server Parameters
• Files
How to:
Tamper Data, WebScarab, ZAP

13. Web Application Fingerprinting
How to:
Nikto
Vulnerability Scanners

14. Application Discovery
Different Base URL
• www.example.com/abc
Different port
• www.example.com:8000
Different sub domain ( Virtual host )
• abc.example.com
How to:
Zap, WebSlayer

15. Analysis of Error Code

16. Configuration Management

17. SSL Testing
Identify ssl ports and services
How strong is you cipher?
How to:
Nmap -sV, Nessus, OpenSSL

18. Configuration Management Testing
• Infrastructure Configuration Management
• Application Configuration Management

19. Old, Backup & Unreferenced Files
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
How to:
HackSearch, Webslayer

20. Testing for HTTP Methods
• HEAD
• GET
• POST
• PUT
• DELETE
• TRACE
• OPTIONS
• CONNECT
How to:
Netcat
Nikto

21. Authentication Testing

22. Credentials transport over an
encrypted channel
Prevent man in the middle attack

23. Testing for user enumeration
Error Messages/Notifications
"Sorry, please enter a valid password"
"Sorry, please enter a valid username"
"Sorry, this user does not exist"
"Sorry, this user is no longer active"

24. Testing for Guessable Users
& BruteForce Attacks
How to:
John the Ripper
Hydra

25. Testing for CAPTCHA

26. Testing Session & Cookies

27. Authorization Testing

28. Testing for privilege escalation
• vertical escalation
• horizontal escalation
www.example.com/?user=1&groupID=2

29. Business Logic Testing

30. Data Validation Testing

31. Injections
SQL
XSS

32. • SQL Injection
• XSS Injection
• LDAP Injection
• XML Injection
• HTML Injection
• SSI Injection
• ORM Injection
• XPath Injection
• IMAP/SMTP Injection
• Buffer Overflow

33. Testing for Denial of Service

34. Testing for SQL Wildcard Attacks
SELECT * FROM Article WHERE Content LIKE '%foo%'
SELECT TOP 10 * FROM Article WHERE Content LIKE
'%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()
$*R"_)][%](%[x])%a][$*"£$-9]_%'

35. Testing for DoS Locking Customer
Accounts

36. Open Source Tools
Nikto
Nessus
W3AF
ZAP
WebSlayer
Netcat
Nmap
Skipfish
Hydra
Mozilla Firefox addons
Lots & lots more...

37. Questions ?