This is a security workshop presented at vodQA pune. For the OWASP top 10 attacks

1. QAing the Security Way!
Amit & Null
vodQA, Pune 17th March 2018

2. “A system is secure if it behaves
precisely in the manner intended -
and does nothing more”
- Ivan Arce

3. 3
Amit Gundiyal
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
6+ years of experience (as Dev, QA & BA)
About Me

4. 4
Nalinikanth AKA Null
About Me
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
5+ years of experience

5. 5
Ground Rules
●
○
○
●
●
● MOST IMPORTANT!

6. Information Technology Act 2000
Imprisonment upto
5 years
and / or
with fine upto
₹5,00,000
http://www.itlaw.in/
https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

7. 7
What to expect?
●
●
●
●

8. 8
Agenda
●
●
●
●

9. 9
What and Why of Security Testing?
In 2017
● Verizon:
● Verifone:
● Deloitte:
● Deep Root Analytics:
● Virgin America:
● Equifax:

10. As a QA

11. 11
What a QA has?
● End to end knowledge.
● One who tests almost
everything in the system.
● Implement security thinking.
● Add security analysis to stories.
● Identify where security can
possibly go for toss.
● Test the stories if they are
vulnerable.
● Help team build more security
products
What a QA can do?

12. 12
QA could have stopped this
https://www.exploit-db.com/exploits/6421/

13. 13
Let's start with a story

14. 14
OWASP
● O W A S P
●
●
●
●

15. 15
OWASP Top 10
●
●
●
●
●

16. 16
OWASP Top 10 - 2013 vs 2017

17. 17
Tools we are using today
●
●
●

18. What causes most of the attacks?

19. 19
Surface Area

20. 20
A7: Cross-site Scripting (XSS)
●
●
●
takes untrusted data
sends without validation escaping

21. 21
A7: How XSS works?

22. 22
Types of XSS
●
○
●
○

23. XSS Hands-on!!

24. 24
Where in Mutillidae II?

25. 25
A1: Injection
Types of Injection:
●
●
●

26. Injection Hands-on!!

27. 27
Where in Mutillidae II?
For SQL Injections -

28. 28
Where in Mutillidae II?
For OS Command Injection -

29. 29
A3 : Sensitive Data Exposure

30. 30
A3 : Sensitive Data Exposure
Scenario #1:
Scenario #2:
Scenario #3:

31. 31
Where do we miss it
●
●
●

32. Sensitive Data Exposure Hands-on!!

33. 33
A2 : Broken Authentication

34. 34
A2 : Broken Authentication

35. 35
A2 : Broken Authentication

36. 36
How A2 can happen?
●
●
●
●

37. Broken Authentication Hands-on!!

38. 38
Set up Proxy on firefox!!

39. 39
Set up your burp Proxy!!

40. 40
Interceptor on burp

41. 41
A9 : Using components with known vulnerabilities

42. 42
Where
●
●
○
○
○
○
●

43. 43
A9 : Recent Times

44. 44
Where to check and how to protect?
●
●
●

45. 45
A4 : XML External Entity (XXE)

46. 46
A4 : XML External Entity (XXE)

47. 47
A8 : Insecure Deserialization

48. 48
A8 : Insecure Deserialization - Example

49. 49
A5 : Broken Access Control

50. 50
A6 : Security Misconfiguration

51. 51
A6 : Security Misconfiguration

52. 52
A6 : Security Misconfiguration

53. 53
A10 : Insufficient Logging and Monitoring

54. ●
●
●
●
●
54
A10 : Insufficient Logging and Monitoring

55. A system is secure if and only if it
starts in a secure state and cannot
enter an insecure state!!

56. 56
References
●
●
●
●
●
●
●
●
●
●
●
●

57. THANK YOU
amit.gundiyal@thoughtworks.com
nalinim@thoughtworks.com

58. 58
Slide Owners
Amit
Total
Null
Total
Count
26
Count
26
Common Slides - 1,2, 55, 56, 57