vodQA(Pune) 2018 - QAing the security way

QAing the Security Way!
Amit & Null
vodQA, Pune 17th March 2018

“A system is secure if it behaves
precisely in the manner intended -
and does nothing more”
- Ivan Arce

Amit Gundiyal
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
6+ years of experience (as Dev, QA & BA)
About Me

Nalinikanth AKA Null
About Me
Senior Consultant - Quality Analyst at ThoughtWorks, Inc
5+ years of experience

©ThoughtWorks, Inc. Do not copy. Do not distribute. 5
Ground Rules
● Follow the speaker
○ Don’t get deviated.
○ If you are stuck call any of the volunteers.
● We will share you all the material don’t bother about
that.
● Ask questions whenever you have - don’t wait.
● MOST IMPORTANT!

Information Technology Act 2000
Imprisonment upto
5 years
and / or
with fine upto
₹5,00,000
http://www.itlaw.in/
https://en.wikipedia.org/wiki/Information_Technology_Act,_2000

What to expect?
● Talk about QAing and Security.
● OWASP TOP 10
● Hands on few OWASP threats.
● We will be using tools to do an attack, but will not go in
depth on the tools.

Agenda
● What and Why of security ?
● QA role in testing security.
● OWASP TOP 10
● Hands on security vulnerabilities

What and Why of Security Testing?
In 2017
● Verizon: 14 Millions of customer records exposed in security lapse.
● Verifone: the largest maker of point-of-sale credit card terminals used across world.
● Deloitte: Embarrassingly for the accounting firm who pride themselves on their Cyber
Intelligence Centre, Deloitte fell victim to a cyber attack in March.
● Deep Root Analytics: A data analytics firm, to gather political information about U.S. voters.
Chris Vickery, a cyber risk analyst, discovered that the sensitive information Deep Root
Analytics obtained–personal data for roughly 198 million American citizens.
● Virgin America: In a letter to employees, airline Virgin America revealed that a hacker had
successfully entered their corporate network gaining access to login information and
passwords used by employees to access the network.
● Equifax: one of the three largest credit agencies in the U.S., suffered a breach that may affect
143 million consumers.

What a QA has?
● End to end knowledge.
● One who tests almost
everything in the system.
● Implement security thinking.
● Add security analysis to stories.
● Identify where security can
possibly go for toss.
● Test the stories if they are
vulnerable.
● Help team build more security
products
What a QA can do?

QA could have stopped this
https://www.exploit-db.com/exploits/6421/

Let's start with a story

OWASP
● Open Web Application Security Project (OWASP)
● Online community, which creates freely-available articles, tools,
methodologies, documentation, and technologies in the field of
web application security.
● Not-for-profit charitable organization.
● Focussed on improving the security of software.
● Currently has over 150+ active projects

OWASP Top 10
● List the 10 most critical web application security risks.
● A powerful awareness document.
● Published at regular intervals.
● Approximately once in 3 years.
● Last published in 2017

OWASP Top 10 - 2013 vs 2017

Tools we are using today
● OWASP Mutillidae II - Application to attack
● Burp suite to intercept requests (we can use ZAP as
well)
● Python to steal cookie

What causes most of the attacks?

User Input - Surface Area
I don’t like user input
and
this is why I don’t

A7: Cross-site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and
sends it to a web browser without proper validation or escaping.
XSS allows attackers to execute scripts in the victim’s browser which
can:
● hijack user sessions
● deface web sites
● redirect the user to malicious sites.

A7: How XSS works?

Types of XSS
● Reflected XSS
○ Reflected XSS occurs when user input is immediately returned by a
web application in an error message, search result, etc. and
without permanently storing the user provided data.
● Stored XSS
○ Stored XSS generally occurs when user input is stored on the
target server, such as in a database, in a message forum, visitor
log, comment field, etc.

Where in Mutillidae II?

A1: Injection
Injection flaws occur when untrusted data is sent to an interpreter as part of a
command or query. The attacker’s hostile data can trick the interpreter into
executing unintended commands or accessing data without proper
authorization.
Types of Injection:
● SQL Injection - Anywhere input value is being executed as a database
query.
● OS Command Injection - Anywhere input is being executed as a command.
● Hibernate Query Language (HQL), LDAP, XPath, XQuery, XSLT, XML and
many more

For SQL Injections -

For OS Command Injection -

A3 : Sensitive Data Exposure
Many web applications do not properly protect sensitive
data, such as credit cards, tax IDs, and authentication
credentials. Sometimes data pertaining to the
configuration of systems is also leaked by error messages
or forgotten debug pages.

A3 : Sensitive Data Exposure
Scenario #1: An application encrypts credit card numbers in a database using
automatic database encryption. However, this data is automatically decrypted when
retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text.
Scenario #2: A site doesn't use or enforce TLS for all pages, or if it supports weak
encryption. An attacker simply monitors network traffic, strips or intercepts the TLS (like
an open wireless network), and steals the user's session cookie.The attacker then
replays this cookie and hijacks the user's (authenticated) session, accessing or
modifying the user's private data. Instead of the above he could alter all transported
data, e.g. the recipient of a money transfer.
Scenario #3: The password database uses unsalted hashes to store everyone's
passwords. A file upload flaw allows an attacker to retrieve the password database. All
the unsalted hashes can be exposed with a rainbow table of pre-calculated hashes.

Where do we miss it
● Access to some unwanted files.
● Poor encryption mechanism.
● Not using HTTPS

Sensitive Data Exposure Hands-on!!

A2 : Broken Authentication

Session management is a critical piece of application
security. It is broader risk, and requires developers take
care of protecting session id, user credential secure
storage, session duration, and protecting critical session
data in transit.

How A2 can happen?
● SQL Injection.
● Weak passwords and Password retrieval mechanisms
● Not handling session ids properly which leads to
privilege escalation or elevation of privilege.
● Cookies (Unencrypted, not securing them properly)

Broken Authentication Hands-on!!

Set up Proxy on firefox!!

Set up your burp Proxy!!

Interceptor on burp

A9 : Using components with known vulnerabilities
Components such as libraries, frameworks & other
modules, almost always run with privileges. Exploitation
of a vulnerable component can cause serious data loss or
server takeover. Apps using components with known
vulnerabilities may undermine app defenses and enable a
range of attacks.

Where
● Technology we use.
● Third party libraries
○ Programing languages/ frameworks
○ Node modules
○ Charting libraries
○ Many more...
● Any tools or softwares installed.

A9 : Recent Times

Where to check and how to protect?
● https://www.cvedetails.com/
Use dependency checkers..
● https://www.owasp.org/index.php/OWASP_Dependency_Check
● https://github.com/nodesecurity/nsp

A4 : XML External Entity (XXE)
Many older or poorly configured XML processors evaluate external entity
references within XML documents. External entities can be used to
disclose internal files using the file URI handler, internal SMB file shares
on unpatched Windows servers, internal port scanning, remote code
execution, and denial of service attacks, such as the Billion Laughs attack.

A4 : XML External Entity (XXE)

A8 : Insecure Deserialization
Web servers and applications can leak information and
allow attackers to take control over systems using
misconfigurations either arising out of weak defaults,
hidden applications or via enhanced functionality that
causes the app to become vulnerable.

A8 : Insecure Deserialization - Example

A5 : Broken Access Control
Restrictions on what authenticated users are allowed to do are
not properly enforced. Attackers can exploit these flaws to
access unauthorized functionality and/or data, such as access
other users' accounts, view sensitive files, modify other users’
data, change access rights, etc.

A6 : Security Misconfiguration
Web servers and applications can leak information and allow
attackers to take control over systems using misconfigurations either
arising out of weak defaults, hidden applications or via enhanced
functionality that causes the app to become vulnerable.

A10 : Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or
ineffective integration with incident response allows attackers to
further attack systems, maintain persistence, pivot to more systems,
and tamper, extract or destroy data. Most breach studies show time
to detect a breach is over 200 days, typically detected by external
parties rather than internal processes or monitoring.

©ThoughtWorks, Inc. Do not copy. Do not distribute.
● What do you log?
● Where do you log?
● When do you log?
● Why do you log?
● Is this log sufficient?
54
A10 : Insufficient Logging and Monitoring

A system is secure if and only if it
starts in a secure state and cannot
enter an insecure state!!

©ThoughtWorks, Inc. Do not copy. Do not distribute.
References
● https://blog.sqreen.io/reflected-xss/
● https://news.netcraft.com/archives/2008/05/16/paypal_xss_vulnerability_undermines_ev_ssl_security.html
● https://www.theregister.co.uk/2017/10/31/wordpress_security_fix_4_8_3/
● https://motherboard.vice.com/en_us/article/ne3bv7/equifax-breach-social-security-numbers-researcher-
warning
● http://www.information-age.com/10-cyber-security-trends-look-2017-123463680/
● http://www.information-age.com/10-biggest-hacks-rocked-business-world-2017-123469857/
● http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
● https://www.csoonline.com/article/2130877/data-breach/the-16-biggest-data-breaches-of-the-21st-
century.html
● http://fortune.com/2017/06/22/cybersecurity-hacks-history/
● https://en.wikipedia.org/wiki/List_of_data_breaches
● http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/
● https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-
emails

THANK YOU
For questions or suggestions mailto:
amit.gundiyal@thoughtworks.com
nalinim@thoughtworks.com

vodQA(Pune) 2018 - QAing the security way

More Related Content

What's hot

Similar to vodQA(Pune) 2018 - QAing the security way

More from vodQA

Recently uploaded

vodQA(Pune) 2018 - QAing the security way