Security Testing Training
With Examples
ALWIN JOSEPH THAYYIL
What is Security Testing
• Security testing is the process that determines that confidential data stays confidential and that users can perform only those tasks they are authorized to perform.
• It also helps in detecting all possible security risks in the system and helps developers fix these problems in the code.
• Security testing is vital for e-commerce websites that store sensitive customer information such as credit card numbers.
Why web application security is of high importance
• Web applications are increasing day by day.
• Most web applications are vulnerable.
• 98 % of web applications are vulnerable.
• 78 % of easily exploitable weaknesses occur in web applications.
Types of web application vulnerabilities
 Security testing is deemed successful when the application holds up in each of the following areas:
• Authentication
• Authorization
• Client side attacks
• Command Execution
• Information Disclosure
• Logical Attacks
Authentication – Stealing user account identities
 The Authentication section covers attacks that target a website's method of validating the identity of a user.
 Authentication confirms that something or someone is authentic, i.e. true to the claims made.
 The digital identity of a user is validated and verified.
 A Brute Force attack automates a process of trial and error to guess a person's username, password, credit-card number or cryptographic key.
 Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
 Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user's password.
Authorization – Illegal access to applications
 The Authorization section covers attacks that target a website's method of determining whether a user has the necessary permissions to perform a requested action.
 Is the person allowed to do this operation?
 Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
 Credential/Session Prediction is a method of hijacking or impersonating a user by guessing or deducing the value of their session identifier.
Client side attacks – Illegal execution of foreign code
 Content Spoofing tricks a user into believing that certain content appearing on a website is legitimate and not from an external source.
 Cross-site Scripting (XSS) forces a website to echo attacker-supplied executable code, which then loads in a user's browser.
Command Execution – Hijacks control of the web application
 SQL Injection constructs illegal SQL statements on a website application from user-supplied input.
 Buffer Overflow occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold.
Information Disclosure – Shows sensitive data to attackers
 The Information Disclosure section covers attacks designed to acquire system-specific information about a website.
 Information Leakage: a website reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
 Path Traversal: the Path Traversal attack technique forces access to files, directories and commands that potentially reside outside the web document root directory.
Logical Attacks – Interfere with application usage
 Abuse of Functionality uses a website's own features and functionality to consume, defraud or circumvent access control mechanisms.
 Denial of Service (DoS) attacks prevent a website from serving normal user activity.
Burp Suite
 Burp Suite is an integrated platform for performing security testing of web applications.
 Burp Suite is made up of the following tools:
Burp Suite
 Proxy: It operates as a man-in-the-middle between the end browser and the
target web server, and allows the user to intercept, inspect and modify the raw
traffic passing in both directions.
 Spider: Burp Spider is a tool for mapping web applications.
 Scanner: Burp Scanner is a tool for performing automated discovery of security
vulnerabilities in web applications.
 Intruder: For performing powerful customized attacks to find and exploit unusual
vulnerabilities.
 Repeater: Burp Repeater is a tool for manually modifying and reissuing individual
HTTP requests, and analyzing their responses.
 Comparer: Burp Comparer is a simple tool for performing a comparison (a visual
“diff”) between any two items of data.
 Limitations of tools: unrealistic expectations of the tool, and people relying on the tool too much.
Configure your browser
Brute force attack (Ex for Authentication vulnerabilities)
• Brute Force Attack
 A Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.
 The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.
Brute force attack (Ex for Authentication vulnerabilities)
This is a web application having vulnerabilities. I am going to explain the brute force attack with the help of Burp Suite.
Brute force attack
Then send the captured login request to Intruder.
Brute force attack
Brute force attack
Then select the payloads and the attack type.
Brute force attack
 Give the payload 1 data. Here in this example I have given only some values; actually you can upload username and password lists from outside.
Brute force attack
Give the payload 2 data and start the attack from Intruder.
Brute force attack
Check the request and response of the payloads whose response length differs most from the others; the successful login produces a response of a different length.
Brute force attack
Now the brute force attack is successfully launched with the username admin and password password.
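An added example (not from the slides) of the lockout control recommended at the start of this section: it counts failed logins per account, locks the account after a fixed number of failures, and returns one generic message for every failure so that an Intruder run sorted by response length shows no difference between wrong-password, locked and unknown-user cases. The policy constants, the PBKDF2 password store and the admin/password account are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed policy values for the demo.
MAX_FAILURES = 5      # wrong passwords allowed inside WINDOW before locking
WINDOW = 300          # seconds over which failures are counted
LOCKOUT = 900         # seconds an account stays locked

# One message for every failure: response length then reveals nothing about
# whether the user exists, the password was wrong, or the account is locked.
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; the storage format is assumed for this demo."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: List[float] = field(default_factory=list)  # recent failure times
    locked_until: float = 0.0


class LoginGuard:
    """Verifies passwords and enforces the lockout policy per account."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock                        # injectable for testing
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[float, str, str]] = []   # (time, user, event)

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def is_locked(self, username: str) -> bool:
        acct = self.accounts.get(username)
        return acct is not None and self.clock() < acct.locked_until

    def login(self, username: str, password: str) -> Tuple[bool, str]:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Same hashing cost for unknown users so timing does not leak them.
            hash_password(password, b"\x00" * 16)
            self.audit.append((now, username, "unknown-user"))
            return False, GENERIC_FAILURE
        if now < acct.locked_until:
            self.audit.append((now, username, "attempt-while-locked"))
            return False, GENERIC_FAILURE
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures.clear()
            self.audit.append((now, username, "login-ok"))
            return True, "Welcome"
        # Wrong password: keep only failures inside the window, then count.
        acct.failures = [t for t in acct.failures if now - t < WINDOW] + [now]
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT
            acct.failures.clear()
            self.audit.append((now, username, "locked"))
        else:
            self.audit.append((now, username, "login-failed"))
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    guard = LoginGuard()
    guard.add_user("admin", "password")          # credentials from the slides
    for i in range(MAX_FAILURES):
        print(guard.login("admin", f"wrong{i}"))
    print("correct password while locked:", guard.login("admin", "password"))
    print("locked:", guard.is_locked("admin"))
```

The audit list doubles as the log an audit trail (see the later slide) would write; a burst of "login-failed" followed by "locked" for one account is the detection signature of this attack.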
Password Passing to server (Ex for Information leakage)
• Password Passing to server
The password should be encrypted while being transmitted over the network, i.e. the form should be submitted over HTTPS rather than plain HTTP. In the example below, the password is passed in clear text between client and server during the registration process.
Session Hijacking (Ex for Session Management)
This test checks whether the session cookie can be reused on another computer after the log-in phase.
1. Log in to the application and capture the request in that valid session along with the authenticated URL:
Session Hijacking (Ex for Session Management)
Then copy the captured cookie value to a notepad.
Session Hijacking (Ex for Session Management)
2. Open a new browser and go to the authenticated URL captured in step 1. Then capture the request and replace the cookie with the earlier captured cookie value:
Session Hijacking (Ex for Session Management)
Successfully launched the session hijacking attack.
Directory Scanning (Ex for Authorization)
 This type of attack exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.
 http://demo.guru99.com/Security/SEC_V1/index.php
 A small example of directory scanning can be shown on this site.
 Here the login credentials are user id: 1303 and password: Guru99.
 This is an ordinary customer login, having the rights to view his payments, fund transfers, etc. He does not have permission to add, edit or delete other customers' data. Enter the URL below in the browser and check: now the customer can add new customers.
 http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php
 I hope you checked it and understand how to perform it.
File uploads
 Only valid files should be permitted for uploading.
 http://demo.guru99.com/Security/SEC_V1/customer/contactus.php
 In the above link, the upload file menu currently accepts any file format, including exe, php, js, etc. A malicious user can upload a virus or an executable file and using
 The file size should also be checked so that users do not upload large files, which would eat up server space.
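An added example (not the demo site's code) of the upload validation described above: an allowlist of extensions, a check that the file content starts with the magic bytes expected for that extension, the size cap, and a random server-chosen file name so the client's name never reaches the filesystem. The allowed types and the size limit are constructed policy values.

```python
import os
import secrets
from typing import Dict, List, Tuple

MAX_UPLOAD_BYTES = 2 * 1024 * 1024   # constructed policy: 2 MiB cap

# Allowlist: extension -> magic numbers the file content must start with.
ALLOWED: Dict[str, List[bytes]] = {
    ".png":  [b"\x89PNG\r\n\x1a\n"],
    ".jpg":  [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf":  [b"%PDF-"],
}


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Every rule must pass before a file is kept."""
    if not data:
        return False, "empty file"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"               # the size check from the slide
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path part
    if not base or "\x00" in base:
        return False, "invalid filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:                           # rejects .exe, .php, .js, ...
        return False, f"extension '{ext or '(none)'}' not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "content does not match extension"   # e.g. PHP named .png
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-chosen name: only the validated extension is taken from the client."""
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed PNG-like bytes
    print(validate_upload("avatar.png", png))
    print(validate_upload("tool.exe", b"MZ\x90\x00"))
    print(validate_upload("photo.png", b"<?php echo 'x'; ?>"))
    print(stored_name("avatar.png"))
```

Store accepted files outside the web root and serve them with a fixed Content-Type, so that even a file that passes these checks is never executed by the server.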
Forceful browsing
A malicious user can access the complete application from different browsers without logging in.
How to perform: Log in to an application, then copy the URL, paste it into another browser and check whether the user is logged in or redirected to the login page.
Recommendation: The application must implement proper session/cookie management on the server side to ensure strict access control. This prevents any user from directly copy-pasting a link to get unauthorized access to internal pages.
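The server-side session and access-control handling that the session hijacking test, the directory scanning case and the forceful browsing recommendation above all depend on, as an added example rather than code from the demo application: a server-side session store with random IDs, idle and absolute timeouts, invalidation on logout, Secure/HttpOnly cookie flags, and a per-page role check modelled on the customer who may view pages but not add customers. The page-to-role map and the "staff" role name are assumptions.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime, idle or not

# Assumed page -> role map, modelled on the demo bank: a customer may view
# the customer area, but only an (assumed) "staff" role may add customers.
PAGE_ROLES: Dict[str, Set[str]] = {
    "/customer/index.php": {"customer", "staff"},
    "/customer/addcustomerpage.php": {"staff"},
}
LOGIN_PAGE = "/index.php"


class Session:
    def __init__(self, user: str, role: str, now: float):
        self.user, self.role = user, role
        self.created = now
        self.last_seen = now


class SessionStore:
    """All session state lives server-side; the cookie carries only the ID."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, role: str) -> str:
        # A fresh, unguessable ID on every login defeats prediction and fixation.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user, role, self.clock())
        return sid

    def logout(self, sid: str) -> None:
        # Invalidate server-side: a copied cookie is useless after logout.
        self.sessions.pop(sid, None)

    def resolve(self, sid: str) -> Optional[Session]:
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.sessions.pop(sid)          # expired: remove so it cannot be reused
            return None
        s.last_seen = now
        return s


def set_cookie_header(sid: str) -> str:
    # Secure: never sent in clear text; HttpOnly: not readable by page scripts.
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def private_page_headers() -> Dict[str, str]:
    # Stops authenticated pages being replayed from the browser cache or back button.
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


def authorize(store: SessionStore, path: str, cookies: Dict[str, str]) -> Tuple[int, str]:
    """Check the server runs on every request before any page is served."""
    sess = store.resolve(cookies.get("SESSIONID", ""))
    if sess is None:
        return 302, LOGIN_PAGE            # no valid session: back to the login page
    if sess.role not in PAGE_ROLES.get(path, set()):
        return 403, "forbidden"           # logged in, but not allowed this function
    return 200, f"{path} served to {sess.user}"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("1303", "customer")     # customer id from the slides
    print(set_cookie_header(sid))
    print(authorize(store, "/customer/index.php", {"SESSIONID": sid}))
    print(authorize(store, "/customer/addcustomerpage.php", {"SESSIONID": sid}))
    print(authorize(store, "/customer/index.php", {}))
```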
Audit trail Implementation
 An audit trail should be incorporated in the application, where all user activities are logged.
Phishing attacks
 Phishing is a technique that uses trickery and deceit to obtain private data from users. A hacker may try to impersonate a genuine website such as Yahoo and then ask the unsuspecting user to confirm their account name and password. This technique can also be used to get credit card information or any other valuable personal data.
 http://bank.83answers.com/
 http://demo.guru99.com/Security/SEC_V1/index.php
SQL Injection
 SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.
 The target site used to perform SQL injection is DVWA.
SQL Injection
 Enter a User ID, click Submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (right-click on the request and choose "Send to Intruder").
SQL Injection
 A penetration tester can create his own list of payloads or use an existing one. Example payloads can be found, for instance, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let's use SQL.txt from this location to test the parameter id for SQL injection vulnerability.
SQL Injection
 A response whose length differs markedly from the others might suggest that more data was read from the database. Let's check the response for this payload.
SQL Injection
 As we can see, this payload can be used to extract first names and
surnames of all users from the database.
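To show why the id parameter gives away every user's first name and surname, an added example (not DVWA's code) with an in-memory SQLite table modelled on the DVWA users table: the concatenating lookup beside a parameterized one, with the classic tautology probe from SQL wordlists as the test input. The sample rows are constructed.

```python
import sqlite3
from typing import List, Tuple

# Constructed rows modelled on the DVWA users table.
SAMPLE_USERS = [
    (1, "admin", "admin"), (2, "Gordon", "Brown"), (3, "Hack", "Me"),
    (4, "Pablo", "Picasso"), (5, "Bob", "Smith"),
]

TAUTOLOGY = "1' OR '1'='1"   # the classic probe found in SQL injection wordlists


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    # Stand-in for the DVWA low-security lookup: the id value is spliced
    # straight into the SQL text, so a quote in the input rewrites the WHERE clause.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id) -> List[Tuple[str, str]]:
    # The fix: the value travels as a bound parameter and can never become SQL.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, user_id: str) -> List[Tuple[str, str]]:
    # Defence in depth: validate the expected type first, then bind the parameter.
    if not user_id.isdigit():
        raise ValueError("user id must be numeric")
    return lookup_parameterized(conn, int(user_id))


if __name__ == "__main__":
    conn = make_db()
    print("normal:", lookup_vulnerable(conn, "1"))
    print("vulnerable + tautology:", lookup_vulnerable(conn, TAUTOLOGY))
    print("parameterized + tautology:", lookup_parameterized(conn, TAUTOLOGY))
```

The same probe that returns every row from the vulnerable lookup returns nothing from the parameterized one, which is exactly the response-length difference the Intruder run above is sorted on.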
XSS
 Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.
 There are two types of injection: active and passive.
XSS
How to test XSS:
 Visit the page of the website you wish to test for XSS vulnerabilities.
 Enter some appropriate input into the web application and submit the request.
XSS
 Alternatively, return to the Proxy "Intercept" tab and right click on the
request to bring up the context menu.
 Click "Send to Repeater".
XSS
 Go to the "Repeater" tab.
 Here we can input various XSS payloads into the input field of a web application. We can test various inputs by editing the "Value" of the appropriate parameter in the "Raw" or "Params" tabs.
XSS
 The "Response" section of the "Repeater" tab shows the response from
the server.
XSS
 Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your
browser.
 Enter the payload into the input field and submit the request.
 Assess the response in the browser to check that the payload has
performed as expected.
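An added example (not part of the original slides) of the assessment step: a constructed search page that echoes the query both as text and inside an attribute, rendered three ways, and an HTML-parser check that tells whether a harmless marker probe actually became a tag or an attribute, which is what "performed as expected" means. It also shows the attribute-context case that escaping with quote=False misses.

```python
import html
from html.parser import HTMLParser
from typing import Callable, Dict

MARKER = "xsstest"
# Constructed probes: inert markers that only reveal whether user input can
# introduce a new tag (text context) or a new attribute (attribute context).
PROBES = {"text": f"<{MARKER}>", "attribute": f'" {MARKER}="'}


def render_vulnerable(q: str) -> str:
    # Reflects the parameter unchanged in both contexts.
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_half_escaped(q: str) -> str:
    # Common mistake: & < > are encoded but quotes are not, so the
    # attribute can still be closed early by a double quote.
    safe = html.escape(q, quote=False)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def render_escaped(q: str) -> str:
    # Correct for both contexts: quotes are encoded as well.
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


class MarkerFinder(HTMLParser):
    """Parses the page the way a browser would and looks for the marker."""

    def __init__(self) -> None:
        super().__init__()
        self.found = False

    def handle_starttag(self, tag, attrs) -> None:
        if tag == MARKER or any(name == MARKER for name, _ in attrs):
            self.found = True


def probe_executes(page: str) -> bool:
    parser = MarkerFinder()
    parser.feed(page)
    parser.close()
    return parser.found


def assess(render: Callable[[str], str]) -> Dict[str, bool]:
    """True for a context means the input escaped that context: XSS present."""
    return {ctx: probe_executes(render(probe)) for ctx, probe in PROBES.items()}


if __name__ == "__main__":
    for name, renderer in [("vulnerable", render_vulnerable),
                           ("half escaped", render_half_escaped),
                           ("escaped", render_escaped)]:
        print(f"{name:13s}", assess(renderer))
```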
DoS attack
A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users.
Consider a functionality (such as registration) that typically does not require authentication. An attacker can easily place a heavy load on the server by simulating multiple registration operations and by feeding arbitrarily huge input data through the registration fields, thus placing further load on the server and also consuming database connections. This could cause the server to crash or slow down to a crawl.
Other Security Checks
• Session time-out
• The session should terminate when the user is sent to an error page
• Auto-fill should be off
• Check whether the application allows an authenticated page to be viewed using the browser's back button
• Check whether it is possible to view the contents of authenticated pages by fetching the page from the browser cache or history
• The user should not have the option to remember the password, as this may give unauthorized access to malicious users
References
 https://www.owasp.org/index.php/
 DVWA (Damn Vulnerable Web Application)
 http://searchsecurity.techtarget.com/
 http://demo.guru99.com/Security/SEC_V1/index.php
THANK YOU
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 

Security Testing Training With Examples

1. Security Testing Training With Examples
ALWIN JOSEPH THAYYIL

2. What is Security Testing
• Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform.
• It also helps in detecting all possible security risks in the system and helps developers fix these problems in code.
• Security testing is vital for e-commerce websites that store sensitive customer information such as credit card numbers.

3. Why web application security is of high importance
• Web applications are increasing day by day.
• Most web applications are vulnerable.
• 98% of web applications are vulnerable.
• 78% of easily exploitable weaknesses occur in web applications.

4. Types of web application vulnerabilities
Security testing is deemed successful when the below attributes of an application are intact:
• Authentication
• Authorization
• Client side attacks
• Command Execution
• Information Disclosure
• Logical Attacks

5. Authentication – Stealing user account identities
• The Authentication section covers attacks that target a website's method of validating the identity of a user.
• To confirm that something or someone is authentic – true to the claims.
• The digital identity of a user is validated and verified.
• A Brute Force attack automates a process of trial and error to guess a person's username, password, credit-card number or cryptographic key.
• Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
• Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user's password.

6. Authorization – Illegal access to applications
• The Authorization section covers attacks that target a website's method of determining if a user has the necessary permissions to perform a requested action.
• Is the person allowed to do this operation?
• Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
• Credential / Session Prediction is a method of hijacking or impersonating a user.
7. Client side attacks – Illegal execution of foreign code
• Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
• Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user's browser.

8. Command Execution – Hijacks control of the web application
• SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
• Buffer Overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

9. Information Disclosure – Shows sensitive data to attackers
• The Information Disclosure section covers attacks designed to acquire system-specific information about a web site.
• Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.
• Path Traversal forces access to files, directories, and commands that potentially reside outside the web document root directory.

10. Logical Attacks – Interfere with application usage
• Abuse of Functionality uses a web site's own features and functionality to consume, defraud, or circumvent access control mechanisms.
• Denial of Service (DoS) attacks prevent a web site from serving normal user activity.

11. Burp Suite
• Burp Suite is an integrated platform for performing security testing of web applications.
• Burp Suite is made up of the following tools:

12. Burp Suite
• Proxy: operates as a man-in-the-middle between the browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.
• Spider: Burp Spider is a tool for mapping web applications.
• Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications.
• Intruder: for performing powerful customized attacks to find and exploit unusual vulnerabilities.
• Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.
• Comparer: Burp Comparer is a simple tool for performing a comparison (a visual "diff") between any two items of data.
• Limitations of tools: unrealistic expectations from the tool, and people depend on the tool too much.
14. Brute force attack (Example for Authentication vulnerabilities)
• A Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.
• The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.

15. Brute force attack (Example for Authentication vulnerabilities)
This is a web application having vulnerabilities. I am going to explain a brute force attack with the help of Burp Suite.

16. Brute force attack
Then send it to Intruder.

18. Brute force attack
Then select the payloads and attack type.

19. Brute force attack
• Give the payload 1 data. Here in this example I have given only some values; actually you can upload username and password lists from outside.

20. Brute force attack
Give the payload 2 data and launch the attack from Intruder.

21. Brute force attack
Check the request and response of the payloads having the maximum length variation.

22. Brute force attack
Now the brute force attack is successfully launched with the username admin and password password.
23. Password passing to server (Example for Information Leakage)
• The password should be encrypted while being transmitted over the network. In the below example the password between server and client is passed in clear text during the registration process.

24. Session Hijacking (Example for Session Management)
This test is to check whether the cookie can be reused on another computer during the log-in phase.
1. Log in to the application and capture the request in that valid session along with the authenticated URL.

25. Session Hijacking (Example for Session Management)
Then copy it to a notepad.

26. Session Hijacking (Example for Session Management)
• Open a new browser and go to the authenticated URL captured in step 1. Then capture the request and replace the cookie with the earlier captured cookie value.

27. Session Hijacking (Example for Session Management)
Successfully launched the session hijacking attack.

28. Directory Scanning (Example for Authorization)
• This type of attack exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.
• http://demo.guru99.com/Security/SEC_V1/index.php
• A small example for directory scanning can be shown from this site.
• Here the login credentials are user id: 1303 and pass: Guru99.
• This is an ordinary customer login, having the rights to view his payments, fund transfers etc. He does not have permission to add, edit or delete other customers' data. Enter the below URL in the browser and check: now the customer can add new customers.
• http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php
• I hope you checked it and understand how to perform it.
29. File uploads
• Only valid files should be permitted for uploading.
• http://demo.guru99.com/Security/SEC_V1/customer/contactus.php
• In the above link the upload file menu currently accepts any file format including exe, php, js, etc. A malicious user can upload a virus or executable file and using
• The file size should also be checked so that users do not upload large files which would eat up the server space.
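As an added example (not code from the slides or the demo application), a server-side upload check that enforces the two rules above: an allow-list of file types verified by content rather than by the client's claimed type, and a size cap, with the file stored under a server-generated name. The allow-list, magic bytes, size limit and sample files are constructed for the illustration.

```python
import os
import secrets

# Allow-list: extension -> magic bytes a genuine file of that type starts with.
# Anything else (exe, php, js, ...) is refused no matter what Content-Type the client claims.
ALLOWED_SIGNATURES = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".pdf": [b"%PDF-"],
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB cap so uploads cannot eat up server space


def validate_upload(filename, data):
    """Return (True, safe_stored_name) or (False, reason) for one uploaded file."""
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    # Keep only the final path component; "../../x.png" must never reach the filesystem.
    base = os.path.basename(filename.replace("\\", "/"))
    _root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_SIGNATURES:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return False, "content does not match extension"
    # Store under a server-generated name: the user's chosen name (and any double
    # extension hidden in it) never reaches the disk.
    return True, secrets.token_hex(8) + ext
```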
30. Forceful browsing
• A malicious user can access the complete application from different browsers without login.
• How to perform: log in to an application, then copy the URL, paste it in another browser and check whether the user is logged in or redirected to the login page.
• Recommendation: the application must implement proper session/cookie management on the server side, to ensure strict access control. This would prevent any user from directly copy-pasting a link to get unauthorized access to the internal pages.
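An added example covering slides 24 to 30 (session hijacking, directory scanning and forceful browsing), not code from the demo application: a server-side session store with unpredictable IDs, idle and absolute expiry and logout, in front of a per-page role check. The role table, timeouts and cookie name are assumptions; the two page paths are the ones the slides use.

```python
import secrets
import time

LOGIN_PAGE = "/Security/SEC_V1/index.php"
# Role allow-list per server-side page (the two demo-app paths named on the slides).
PAGE_ROLES = {
    "/Security/SEC_V1/customer/contactus.php": {"customer", "admin"},
    "/Security/SEC_V1/customer/addcustomerpage.php": {"admin"},
}
NO_CACHE = {"Cache-Control": "no-store"}  # authenticated pages must not be replayable from cache

class SessionStore:
    """Server-side sessions: random IDs, idle/absolute expiry, explicit logout."""
    def __init__(self, idle_timeout=900, absolute_timeout=8 * 3600, clock=time.monotonic):
        self.idle_timeout, self.absolute_timeout, self.clock = idle_timeout, absolute_timeout, clock
        self.sessions = {}  # session id -> {"user", "role", "created", "last_seen"}

    def login(self, user, role):
        sid = secrets.token_urlsafe(32)  # 256 random bits: cannot be predicted or enumerated
        now = self.clock()
        self.sessions[sid] = {"user": user, "role": role, "created": now, "last_seen": now}
        return sid

    def lookup(self, sid):
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.idle_timeout or now - s["created"] > self.absolute_timeout:
            self.sessions.pop(sid, None)  # an old cookie presented later is refused
            return None
        s["last_seen"] = now
        return s

    def logout(self, sid):
        self.sessions.pop(sid, None)  # a copied cookie value is useless once logged out

def set_cookie_header(sid):
    # HttpOnly keeps page scripts away from the ID, Secure keeps it off clear-text HTTP
    # (the cookie name "session" is a constructed placeholder, not the demo app's).
    return f"Set-Cookie: session={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"

def handle_request(store, path, cookie_sid):
    """Return (status, location_or_path, headers) as the server would answer a page request."""
    session = store.lookup(cookie_sid) if cookie_sid else None
    if session is None:
        return 302, LOGIN_PAGE, {}  # a pasted URL with no live session goes to the login page
    allowed = PAGE_ROLES.get(path)
    if allowed is None or session["role"] not in allowed:
        return 403, None, NO_CACHE  # customer 1303 cannot reach addcustomerpage.php
    return 200, path, NO_CACHE
```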
31. Audit trail implementation
• An audit trail should be incorporated in the application, where all user activities have to be logged.

32. Phishing attacks
• Phishing is a technique that uses trickery and deceit to obtain private data from users. A hacker may try to impersonate a genuine website such as Yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.
• http://bank.83answers.com/
• http://demo.guru99.com/Security/SEC_V1/index.php

33. SQL Injection
• SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.
• The targeted site to perform SQL injection is DVWA.

34. SQL Injection
• Enter a User ID, click Submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (right-click on the request and choose "Send to Intruder").

35. SQL Injection
• A penetration tester can create his own list of payloads or use an existing one. Example payloads can be found, for instance, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let's use SQL.txt from this location to test the parameter id for SQL injection vulnerability.

36. SQL Injection
• It might suggest that more data was read from the database. Let's check the response for this payload.

37. SQL Injection
• As we can see, this payload can be used to extract first names and surnames of all users from the database.
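An added example (not DVWA's code) contrasting the string-built lookup that slides 33 to 37 exercise with a parameterised version, on an in-memory SQLite table whose rows are constructed sample data; the quote-and-tautology input shows why the first returns every row and the second returns none.

```python
import sqlite3


def make_demo_db():
    """In-memory users table shaped like the DVWA lookup (rows are constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Alice", "Example"), (2, "Bob", "Sample"), (3, "Carol", "Demo")])
    return con


def lookup_vulnerable(con, user_id):
    # The id parameter is pasted straight into the statement, so the input can
    # change the statement's grammar instead of just supplying a value.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, user_id):
    # Placeholder binding: the value is data only and can never alter the query structure.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return con.execute(sql, (user_id,)).fetchall()
```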
38. XSS
• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users.
• There are two types of injection: active and passive.

39. XSS
How to test XSS:
• Visit the page of the website you wish to test for XSS vulnerabilities.
• Enter some appropriate input into the web application and submit the request.

40. XSS
• Alternatively, return to the Proxy "Intercept" tab and right-click on the request to bring up the context menu.
• Click "Send to Repeater".

41. XSS
• Go to the "Repeater" tab.
• Here we can input various XSS payloads into the input field of a web application. We can test various inputs by editing the "Value" of the appropriate parameter in the "Raw" or "Params" tabs.

42. XSS
• The "Response" section of the "Repeater" tab shows the response from the server.

43. XSS
• Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your browser.
• Enter the payload into the input field and submit the request.
• Assess the response in the browser to check that the payload has performed as expected.
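An added example, not from the slides, of the server-side fix for the reflection tested above and of the last step's assessment written as a check: output encoding for an HTML text node and for an attribute value, plus a function that reports whether the submitted probe came back verbatim. The probe string and the page fragments are constructed.

```python
import html


def render_greeting_unsafe(name):
    # Reflects the parameter verbatim: whatever was submitted is parsed as HTML by the browser.
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    # Output encoding for an HTML text node: < > & " ' become entities.
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_attribute_safe(name):
    # Attribute context: encode AND quote the value, so a stray quote cannot close the attribute.
    return f'<input type="text" name="name" value="{html.escape(name, quote=True)}">'


def payload_reflected_verbatim(payload, body):
    """Slide 43's assessment as a check: does the response still contain the raw payload?"""
    return payload in body


XSS_PROBE = "<script>alert(1)</script>"  # constructed, harmless probe for the check above
```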
44. DoS attack
• A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users. Consider a functionality (such as registration) which typically does not require authentication. An attacker can easily place a heavy load on the server by simulating multiple registration operations and by feeding in arbitrarily huge input data through the registration fields, thus placing further load on the server and also consuming database connections. This could cause the server to crash or slow down to a crawl.
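An added example (not from the slides) serving both slide 14's lockout rule and this slide's registration flood: one sliding-window counter behind an account lockout guard and a registration guard that caps requests per client and the size of each field. The thresholds, window lengths and the injectable clock are assumptions for the illustration.

```python
import time
from collections import defaultdict, deque


class WindowCounter:
    """Counts events per key inside a sliding time window of `window` seconds."""
    def __init__(self, window, clock=time.monotonic):
        self.window, self.clock = window, clock
        self.events = defaultdict(deque)

    def hit(self, key):
        now = self.clock()
        q = self.events[key]
        q.append(now)
        while now - q[0] > self.window:  # drop timestamps that fell out of the window
            q.popleft()
        return len(q)

    def reset(self, key):
        self.events.pop(key, None)


class LoginGuard:
    """Slide 14: lock the account after `max_failures` wrong passwords within `window` seconds."""
    def __init__(self, max_failures=5, window=300, clock=time.monotonic):
        self.max_failures, self.clock = max_failures, clock
        self.failures = WindowCounter(window, clock)
        self.locked_until = {}

    def attempt(self, username, password_ok):
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"  # even the right password is refused while the lock holds
        if password_ok:
            self.failures.reset(username)
            return "ok"
        if self.failures.hit(username) >= self.max_failures:
            self.locked_until[username] = now + self.failures.window
            return "locked"
        return "denied"


class RegistrationGuard:
    """Slide 44: cap unauthenticated registrations per client and the size of each field."""
    def __init__(self, max_per_window=10, window=60, max_field_len=256, clock=time.monotonic):
        self.max_per_window, self.max_field_len = max_per_window, max_field_len
        self.requests = WindowCounter(window, clock)

    def check(self, client_ip, fields):
        if any(len(v) > self.max_field_len for v in fields.values()):
            return "rejected: oversized field"  # huge inputs never reach the database
        if self.requests.hit(client_ip) > self.max_per_window:
            return "rejected: rate limit"
        return "accepted"
```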
45. Other Security Checks
• Session time out.
• The session should terminate when the user goes through an error page.
• Auto-fill should be off.
• Check whether the application is able to show an authenticated page using the back button of the browser.
• Check whether it is possible to view the contents of the authenticated pages by fetching the page from the browser cache memory and history.
• The user should not have the option to remember the password, as this may give unauthorized access to malicious users.

46. References
• https://www.owasp.org/index.php/
• DVWA
• http://searchsecurity.techtarget.com/
• http://demo.guru99.com/Security/SEC_V1/index.php