QAing the security way!

QAing the Security Way!
Amit & Null
vodQA, Pune 17th March 2018

“A system is secure if it behaves
precisely in the manner intended -
and does nothing more”
- Ivan Arce

Amit Gundiyal
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
6+ years of experience (as Dev, QA & BA)
About Me

Nalinikanth AKA Null
About Me
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
5+ years of experience

©ThoughtWorks, Inc. Do not copy. Do not distribute. 5
Ground Rules
● Follow the speaker
○ Don’t get deviated.
○ If you are stuck call any of the volunteers.
● We will share you all the material don’t bother about that.
● Ask questions whenever you have - don’t wait.
● MOST IMPORTANT!

Information Technology Act 2000
Imprisonment upto
5 years
and / or
with fine upto
₹5,00,000
http://www.itlaw.in/
https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

What to expect?
● Talk about QAing and Security.
● OWASP TOP 10
● Hands on few OWASP threats.
● We will be using tools to do an attack, but will not go in
depth on the tools.

Agenda
● What and Why of security ?
● QA role in testing security.
● OWASP TOP 10
● Hands on security vulnerabilities

What and Why of Security Testing?
In 2017
● Verizon: 14 Millions of customer records exposed in security lapse.
● Verifone: the largest maker of point-of-sale credit card terminals used across world.
● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber Intelligence
Centre, Deloitte fell victim to a cyber attack in March.
● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters. Chris
Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root Analytics
obtained–personal data for roughly 198 million American citizens.
● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had
successfully entered their corporate network gaining access to login information and passwords
used by employees to access the network.
● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect 143
million consumers.

What a QA has?
● End to end knowledge.
● One who tests almost
everything in the system.
● Implement security thinking.
● Add security analysis to stories.
● Identify where security can
possibly go for toss.
● Test the stories if they are
vulnerable.
● Help team build more security
products
What a QA can do?

QA could have stopped this
https://www.exploit-db.com/exploits/6421/

Let's start with a story

OWASP
● Open Web Application Security Project (OWASP)
● Online community, which creates freely-available articles, tools,
methodologies, documentation, and technologies in the field of
web application security.
● Not-for-profit charitable organization.
● Focussed on improving the security of software.
● Currently has over 150+ active projects

OWASP Top 10
● List the 10 most critical web application security risks.
● A powerful awareness document.
● Published at regular intervals.
● Approximately once in 3 years.
● Last published in 2017

OWASP Top 10 - 2013 vs 2017

Tools we are using today
● OWASP Mutillidae II - Application to attack
● Burp suite to intercept requests (we can use ZAP as well)
● Python to steal cookie

What causes most of the attacks?

User Input - Surface Area
I don’t like user input
and
this is why I don’t

A7: Cross-site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation or escaping.
XSS allows attackers to execute scripts in the victim’s browser which can:
● hijack user sessions
● deface web sites
● redirect the user to malicious sites.

A7: How XSS works?

Types of XSS
● Reflected XSS
○ Reflected XSS occurs when user input is immediately returned by a
web application in an error message, search result, etc. and without
permanently storing the user provided data.
● Stored XSS
○ Stored XSS generally occurs when user input is stored on the target
server, such as in a database, in a message forum, visitor log,
comment field, etc.

Where in Mutillidae II?

A1: Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
Types of Injection:
● SQL Injection - Anywhere input value is being executed as a database query.
● OS Command Injection - Anywhere input is being executed as a command.
● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and many
more

For SQL Injections -

For OS Command Injection -

A3 : Sensitive Data Exposure
Many web applications do not properly protect sensitive
data, such as credit cards, tax IDs, and authentication
credentials. Sometimes data pertaining to the configuration
of systems is also leaked by error messages or forgotten
debug pages.

A3 : Sensitive Data Exposure
Scenario #1: An application encrypts credit card numbers in a database using automatic
database encryption. However, this data is automatically decrypted when retrieved,
allowing an SQL injection flaw to retrieve credit card numbers in clear text.
Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak
encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like an
open wireless network), and steals the user's session cookie.The attacker then replays this
cookie and hijacks the user's (authenticated) session, accessing or modifying the user's
private data. Instead of the above he could alter all transported data, e.g. the recipient of a
money transfer.
Scenario #3: The password database uses unsalted hashes to store everyone's
passwords. A file upload flaw allows an attacker to retrieve the password database. All the
unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.

Where do we miss it
● Access to some unwanted files.
● Poor encryption mechanism.
● Not using HTTPS

Sensitive Data Exposure Hands-on!!

A2 : Broken Authentication

Session management is a critical piece of application
security. It is broader risk, and requires developers take care
of protecting session id, user credential secure storage,
session duration, and protecting critical session data in
transit.

How A2 can happen?
● SQL Injection.
● Weak passwords and Password retrieval mechanisms
● Not handling session ids properly which leads to privilege
escalation or elevation of privilege.
● Cookies (Unencrypted, not securing them properly)

Broken Authentication Hands-on!!

Set up Proxy on firefox!!

Set up your burp Proxy!!

Interceptor on burp

A9 : Using components with known vulnerabilities
Components such as libraries, frameworks & other modules,
almost always run with privileges. Exploitation of a
vulnerable component can cause serious data loss or server
takeover. Apps using components with known vulnerabilities
may undermine app defenses and enable a range of attacks.

Where
● Technology we use.
● Third party libraries
○ Programing languages/ frameworks
○ Node modules
○ Charting libraries
○ Many more...
● Any tools or softwares installed.

A9 : Recent Times

Where to check and how to protect?
● https://www.cvedetails.com/
Use dependency checkers..
● https://www.owasp.org/index.php/OWASP_Dependency_Check
● https://github.com/nodesecurity/nsp

A4 : XML External Entity (XXE)
Many older or poorly configured XML processors evaluate external entity
references within XML documents. External entities can be used to disclose
internal files using the file URI handler, internal SMB file shares on
unpatched Windows servers, internal port scanning, remote code execution,
and denial of service attacks, such as the Billion Laughs attack.

A4 : XML External Entity (XXE)

A8 : Insecure Deserialization
Web servers and applications can leak information and allow
attackers to take control over systems using
misconfigurations either arising out of weak defaults, hidden
applications or via enhanced functionality that causes the
app to become vulnerable.

A8 : Insecure Deserialization - Example

A5 : Broken Access Control
Restrictions on what authenticated users are allowed to do are
not properly enforced. Attackers can exploit these flaws to access
unauthorized functionality and/or data, such as access other
users' accounts, view sensitive files, modify other users’ data,
change access rights, etc.

A6 : Security Misconfiguration
Web servers and applications can leak information and allow attackers to
take control over systems using misconfigurations either arising out of
weak defaults, hidden applications or via enhanced functionality that
causes the app to become vulnerable.

A10 : Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective
integration with incident response allows attackers to further attack
systems, maintain persistence, pivot to more systems, and tamper,
extract or destroy data. Most breach studies show time to detect a
breach is over 200 days, typically detected by external parties rather
than internal processes or monitoring.

©ThoughtWorks, Inc. Do not copy. Do not distribute.
● What do you log?
● Where do you log?
● When do you log?
● Why do you log?
● Is this log sufficient?
54
A10 : Insufficient Logging and Monitoring

A system is secure if and only if it
starts in a secure state and cannot
enter an insecure state!!

©ThoughtWorks, Inc. Do not copy. Do not distribute.
References
● https://blog.sqreen.io/reflected-xss/
● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html
● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-warning
● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/
● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/
● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-century.html
● http://fortune.com/2017/06/22/cybersecurity-hacks-history/
● https://en.wikipedia.org/wiki/List_of_data_breaches
● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails

THANK YOU
For questions or suggestions mailto:
amit.gundiyal@thoughtworks.com
nalinim@thoughtworks.com

QAing the security way!

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Similar to QAing the security way!

Similar to QAing the security way! (20)

Recently uploaded

Recently uploaded (20)

QAing the security way!