Maikel Ninaber
19/04/2016
How serious is Web Apps Security Testing?
Copyright © 2016 Maikel Ninaber. All Rights Reserved
Security testing | May 2016

Slide outline (slides 2 to 43; the slides themselves carry only a title in this extraction):
Known facts (slides 2-3)
Web Apps (slides 4-10)
Query strings (slides 11-14)
Routing (slides 15-17)
HTTP verbs (slides 18-21)
Browser protection (slides 22-25)
What the browser can’t defend against (slides 26-28)
OWASP top 10 (slide 29)
No SQL injection today (slide 30)
Understanding Untrusted Data (slides 31-37)
Demo (slide 38)
Defending Against Tampering (slides 39-42)
Where to practice (slide 43)
Limitations
• Computer Fraud and Abuse Act
  - Using a computer to intrude upon or steal something from another computer is illegal
• Unintended consequences, such as damaging hijacked computers belonging to innocent individuals, while the real criminals remain hidden several layers back on the Internet (e.g., Tor)
• The only kind of hacking that's considered tolerable is what you might enact defensively within your own computer or network. What’s clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.
Another Hacker goes to jail !

Sources
• http://www.telerik.com/fiddler
• https://www.troyhunt.com/
• https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
• https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
• http://www.dvwa.co.uk/
• https://hackyourselffirst.troyhunt.com/
• https://nl.linkedin.com/in/maikelninaber
• http://cookiecontroller.com/internet-cookies/secure-cookies/
• http://stackoverflow.com/questions/1442863/how-can-i-set-the-secure-flag-on-an-asp-net-session-cookie