SlideShare a Scribd company logo

Web Application Security Testing

Emstell Technology Consulting
Emstell Technology Consulting

Introduction to Web Application Security Testing

Technology
1 of 17
Ayoob Kalathingal - PMP Director - Emstell Technology Consulting Ayoob.ok@emstell.com Kuwait, India, United Kingdom, Saudi Arabia
 Understand the need for securing the application layer of web based applications.  Understand the various web application vulnerabilities, impact and Counter Measures  Security testing. www.emstell.com
 Web applications have evolved from static pages to a more interactive set up. This interaction has started exposing the technical deficiencies of web applications in the form of vulnerabilities.  Dependency on the internet to carry out critical and sensitive business transactions has increased . Hence the stake involved is very high.  “Over 50% of security attacks are targeted on web based applications” - Gartner Report”  Competition is so high that enterprises can‟t ignore the risk associated with their vulnerable application. Loss incurred could vary from monetary losses to loss of credibility. In certain cases it could mean end of business. www.emstell.com
Many Countries has come up with strict rules and regulations on Information Security of business.  IT Act 2011 in India  PIPED Act – Canada (Personal Information Protection and Electronic Documents Act)  U.S. Information Security Law,  HIPAA – 1996 - Health Insurance Portability and Accountability Act Business Customers are increasingly aware of the systems security and is demanding security and quality certifications in the systems  ISO 27001  PCI DSS - Payment Card Industry Data Security Standard www.emstell.com
Large number of applications coming to the hands of common man carrying out transactions with personal and financial data More and more applications moving to cloud where multiple user or enterprise data is stored in single server or data centers. “Application security is no more a Luxury, its Business” www.emstell.com
 Confidentiality – ensuring that information is accessible only to those authorized.  Integrity – safeguarding the accuracy and completeness of information and processing methods.  Availability – ensuring that authorized users have access to information and associated assets when required.  Accountability – ensuring that authorized users use information in appropriate ways. www.emstell.com
Web Server DBApp Server Firewall Port 80 (Open)HTTP Traffic Client www.emstell.com
SQL Query SELECT user FROM Users WHERE Username = '"& strname &"' AND Password = '"& strPassword &"„ Query with valid input SELECT user FROM Users WHERE Username = 'avis' AND Password = 'avis' www.emstell.com
Query with tampered input SELECT user FROM Users WHERE Username = 'avis';--' AND Password = '"& strPassword &"' www.emstell.com
Authorization  Credential/Session Prediction  Insufficient Session Expiration  Session Fixation  Insufficient Authorization Authentication  Brute Force  Weak Password Recovery Policy  Insufficient Authentication Client-Side Attacks  Content Spoofing  Cross Site Scripting Information Disclosure  Directory Indexing  Information Leakage  Path Traversal  Predictable Resource Location Command Execution  Buffer Overflow  Format String Attack  LDAP Injection  OS Commanding  SQL Injection  SSI Injection  X Path Injection Logical Attacks  Abuse of Functionality  Denial of Service  Insufficient Anti- Automation  Insufficient Process Validation www.emstell.com
 Non-availability (By bringing the database down)  Breach of confidentiality (By viewing other user‟s records)  Breach of integrity (By updating other user‟s records)  Impersonation (By logging into accounts without a valid password)  + Business Impacts www.emstell.com
 Strong and Secure systems, firewalls and antiviruses  Proper Input validation  Following standard coding practices  Have strong password policy in place.  Use of strong session ID generation algorithms  Disable scripting in the web browser and disable input echoing  Grant only necessary privileges for accounts that are used to connect to DB  Implement/configure proper access control mechanisms on the web server.  Application Security Testing and Fixing the vulnerabilities  Educating the users www.emstell.com
“Though the significant attacks over time where of Zero Day Attack nature, this forms much a lesser count of the total attacks” Test based on the Target Users  Vulnerability Assessments  Penetration Testing Manual - a team of security experts manually probe the application for common flaws. Automated - a tool is used for testing the application for flaws. False Positives www.emstell.com
“The cost of quality is higher in the later stages of an application” Application security should be a part of the application development and should be incorporated to the SDLC Process. Integrating security to the build. Educating the users, using the best of media and creative formats. www.emstell.com
Ref: www.owasp.org www.emstell.com
Emstell Technology Consulting, is a technology firm offering enterprise level software quality assurance and testing services and ERP Solutions in Education sector. Our Media team deliver creative animated videos for educating users on company policies, explaining business and promotion. We deliver ERP Solutions in ◦ Web Enabled School Management ◦ Library Management Solution ◦ Business Accounting and Inventory www.emstell.com
Ayoob Kalathingal - PMP Director - Emstell Technology Consulting Ayoob.ok@emstell.com Kuwait, India, United Kingdom, Saudi Arabia www.emstell.com

Recommended

Scug 1809 Take conditional access to the next level
Scug 1809 Take conditional access to the next levelScug 1809 Take conditional access to the next level
Scug 1809 Take conditional access to the next levelPer Larsen
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Proxy For employee monitoring
Proxy For employee monitoringProxy For employee monitoring
Proxy For employee monitoringProxies Rent
 
Enabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICEnabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICAmazon Web Services
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecuritySrivigneshwar R Prasad
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Modern IAM Trends and Themes by Eve Maler, Forrester
Modern IAM Trends and Themes by Eve Maler, ForresterModern IAM Trends and Themes by Eve Maler, Forrester
Modern IAM Trends and Themes by Eve Maler, ForresterForgeRock
 
Ewug 1808 take conditional access to the next level
Ewug 1808 take conditional access to the next levelEwug 1808 take conditional access to the next level
Ewug 1808 take conditional access to the next levelPer Larsen
 

Recommended

Scug 1809 Take conditional access to the next level
Scug 1809 Take conditional access to the next levelScug 1809 Take conditional access to the next level
Scug 1809 Take conditional access to the next levelPer Larsen
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Proxy For employee monitoring
Proxy For employee monitoringProxy For employee monitoring
Proxy For employee monitoringProxies Rent
 
Enabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICEnabling Cloud Smart, Zero-Trust, and TIC
Enabling Cloud Smart, Zero-Trust, and TICAmazon Web Services
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecuritySrivigneshwar R Prasad
 
Security by the numbers
Security by the numbersSecurity by the numbers
Security by the numbersEoin Keary
 
Modern IAM Trends and Themes by Eve Maler, Forrester
Modern IAM Trends and Themes by Eve Maler, ForresterModern IAM Trends and Themes by Eve Maler, Forrester
Modern IAM Trends and Themes by Eve Maler, ForresterForgeRock
 
Ewug 1808 take conditional access to the next level
Ewug 1808 take conditional access to the next levelEwug 1808 take conditional access to the next level
Ewug 1808 take conditional access to the next levelPer Larsen
 
Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Symantec Mobility Suite -Workforce apps
Symantec Mobility Suite -Workforce apps Symantec Mobility Suite -Workforce apps
Symantec Mobility Suite -Workforce appsSymantec
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...Codecamp Romania
 
C01461422
C01461422C01461422
C01461422IOSR Journals
 
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataSecuring Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataPistoia Alliance
 
Web app presentation
Web app presentationWeb app presentation
Web app presentationzahid6
 
Review Paper ( Research Articles )
Review Paper ( Research Articles )Review Paper ( Research Articles )
Review Paper ( Research Articles )SaadSaif6
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Verizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsVerizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsPaul Hobbs
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tamperingDilan Warnakulasooriya
 
4 ways to defend against internal attacks
4 ways to defend against internal attacks4 ways to defend against internal attacks
4 ways to defend against internal attacksCourion Corporation
 
Identity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyIdentity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyOkta-Inc
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tipstcellsn
 
we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonTEST Huddle
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 

More Related Content

What's hot

Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management IntroductionAidy Tificate
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Symantec Mobility Suite -Workforce apps
Symantec Mobility Suite -Workforce apps Symantec Mobility Suite -Workforce apps
Symantec Mobility Suite -Workforce appsSymantec
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksPayPalX Developer Network
 
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...Codecamp Romania
 
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataSecuring Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataPistoia Alliance
 
Web app presentation
Web app presentationWeb app presentation
Web app presentationzahid6
 
Review Paper ( Research Articles )
Review Paper ( Research Articles )Review Paper ( Research Articles )
Review Paper ( Research Articles )SaadSaif6
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationVishal Kumar
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...Amazon Web Services
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Verizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsVerizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsPaul Hobbs
 
4 ways to defend against internal attacks
4 ways to defend against internal attacks4 ways to defend against internal attacks
4 ways to defend against internal attacksCourion Corporation
 
Identity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyIdentity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyOkta-Inc
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tipstcellsn
 

What's hot (18)

Identity and Access Management Introduction
Identity and Access Management IntroductionIdentity and Access Management Introduction
Identity and Access Management Introduction
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
Symantec Mobility Suite -Workforce apps
Symantec Mobility Suite -Workforce apps Symantec Mobility Suite -Workforce apps
Symantec Mobility Suite -Workforce apps
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
Developing Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common AttacksDeveloping Secure Applications and Defending Against Common Attacks
Developing Secure Applications and Defending Against Common Attacks
 
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
Iasi code camp 12 october 2013 ana tudosa - challenges in implementing and ...
 
C01461422
C01461422C01461422
C01461422
 
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise dataSecuring Software-as-a-Service: Cover your SaaS and protect enterprise data
Securing Software-as-a-Service: Cover your SaaS and protect enterprise data
 
Web app presentation
Web app presentationWeb app presentation
Web app presentation
 
Review Paper ( Research Articles )
Review Paper ( Research Articles )Review Paper ( Research Articles )
Review Paper ( Research Articles )
 
Exploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web applicationExploiting parameter tempering attack in web application
Exploiting parameter tempering attack in web application
 
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
AWS Security Best Practices in a Zero Trust Security Model - DEM08 - Toronto ...
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Verizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul HobbsVerizon DMS' Bot Mitigation from Paul Hobbs
Verizon DMS' Bot Mitigation from Paul Hobbs
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tampering
 
4 ways to defend against internal attacks
4 ways to defend against internal attacks4 ways to defend against internal attacks
4 ways to defend against internal attacks
 
Identity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust StrategyIdentity's Role in a Zero Trust Strategy
Identity's Role in a Zero Trust Strategy
 
Web Application Security Tips
Web Application Security TipsWeb Application Security Tips
Web Application Security Tips
 

Viewers also liked

we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonTEST Huddle
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyAditya Gupta
 
Generic test cases guidelines
Generic test cases guidelinesGeneric test cases guidelines
Generic test cases guidelineskrishna kishore
 
Window Desktop Application Testing
Window Desktop Application TestingWindow Desktop Application Testing
Window Desktop Application TestingTrupti Jethva
 

Viewers also liked (6)

we45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Studywe45 - Web Application Security Testing Case Study
we45 - Web Application Security Testing Case Study
 
API Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj RollisonAPI Testing: The heart of functional testing" with Bj Rollison
API Testing: The heart of functional testing" with Bj Rollison
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
The OWASP Zed Attack Proxy
The OWASP Zed Attack ProxyThe OWASP Zed Attack Proxy
The OWASP Zed Attack Proxy
 
Generic test cases guidelines
Generic test cases guidelinesGeneric test cases guidelines
Generic test cases guidelines
 
Window Desktop Application Testing
Window Desktop Application TestingWindow Desktop Application Testing
Window Desktop Application Testing
 

Similar to Web Application Security Testing

Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalManoj Agarwal
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIOSR Journals
 
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPace IT at Edmonds Community College
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CloudIDSummit
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAmazon Web Services
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBsJyothi Satyanathan
 
Presentation Flow Part A – The Challenge
Presentation Flow Part A – The ChallengePresentation Flow Part A – The Challenge
Presentation Flow Part A – The Challengewebhostingguy
 
Presentation Flow Part A – The Challenge
Presentation Flow Part A – The ChallengePresentation Flow Part A – The Challenge
Presentation Flow Part A – The Challengewebhostingguy
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloudkairostech
 
Security&reliability
Security&reliabilitySecurity&reliability
Security&reliabilitycaca1009
 
Web Application Hacking 2004
Web Application Hacking 2004Web Application Hacking 2004
Web Application Hacking 2004Mike Spaulding
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Amazon Web Services
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAmazon Web Services
 
Ch19 E Commerce Security
Ch19 E Commerce SecurityCh19 E Commerce Security
Ch19 E Commerce Securityphanleson
 
web application security
web application security web application security
web application security ahmed sami
 
Cyber 101 for smb execs v1
Cyber 101 for smb execs v1Cyber 101 for smb execs v1
Cyber 101 for smb execs v1NetWatcher
 
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...Symantec
 
August 2007 Presentation Flow Part A – The Challenge
August 2007 Presentation Flow Part A – The ChallengeAugust 2007 Presentation Flow Part A – The Challenge
August 2007 Presentation Flow Part A – The Challengewebhostingguy
 

Similar to Web Application Security Testing (20)

Application Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 FinalApplication Security Review 5 Dec 09 Final
Application Security Review 5 Dec 09 Final
 
A017130104
A017130104A017130104
A017130104
 
Identified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud ComputingIdentified Vulnerabilitis And Threats In Cloud Computing
Identified Vulnerabilitis And Threats In Cloud Computing
 
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and TechniquesPACE-IT, Security+ 4.1: Application Security Controls and Techniques
PACE-IT, Security+ 4.1: Application Security Controls and Techniques
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
 
AWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App SecurityAWS Webcast - Top 3 Ways to Improve Web App Security
AWS Webcast - Top 3 Ways to Improve Web App Security
 
Smart security solutions for SMBs
Smart security solutions for SMBsSmart security solutions for SMBs
Smart security solutions for SMBs
 
Presentation Flow Part A – The Challenge
Presentation Flow Part A – The ChallengePresentation Flow Part A – The Challenge
Presentation Flow Part A – The Challenge
 
Presentation Flow Part A – The Challenge
Presentation Flow Part A – The ChallengePresentation Flow Part A – The Challenge
Presentation Flow Part A – The Challenge
 
9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud9 Things You Need to Know Before Moving to the Cloud
9 Things You Need to Know Before Moving to the Cloud
 
Security&reliability
Security&reliabilitySecurity&reliability
Security&reliability
 
Kx3518741881
Kx3518741881Kx3518741881
Kx3518741881
 
Web Application Hacking 2004
Web Application Hacking 2004Web Application Hacking 2004
Web Application Hacking 2004
 
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
Session Sponsored by Trend Micro: 3 Secrets to Becoming a Cloud Security Supe...
 
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend MicroAWS Summit Auckland Platinum Sponsor presentation - Trend Micro
AWS Summit Auckland Platinum Sponsor presentation - Trend Micro
 
Ch19 E Commerce Security
Ch19 E Commerce SecurityCh19 E Commerce Security
Ch19 E Commerce Security
 
web application security
web application security web application security
web application security
 
Cyber 101 for smb execs v1
Cyber 101 for smb execs v1Cyber 101 for smb execs v1
Cyber 101 for smb execs v1
 
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
IT Security at the Speed of Business: Security Provisioning with Symantec Dat...
 
August 2007 Presentation Flow Part A – The Challenge
August 2007 Presentation Flow Part A – The ChallengeAugust 2007 Presentation Flow Part A – The Challenge
August 2007 Presentation Flow Part A – The Challenge
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 

Recently uploaded (20)

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 

Web Application Security Testing

  • 1. Ayoob Kalathingal - PMP Director - Emstell Technology Consulting Ayoob.ok@emstell.com Kuwait, India, United Kingdom, Saudi Arabia
  • 2.  Understand the need for securing the application layer of web based applications.  Understand the various web application vulnerabilities, impact and Counter Measures  Security testing. www.emstell.com
  • 3.  Web applications have evolved from static pages to a more interactive set up. This interaction has started exposing the technical deficiencies of web applications in the form of vulnerabilities.  Dependency on the internet to carry out critical and sensitive business transactions has increased . Hence the stake involved is very high.  “Over 50% of security attacks are targeted on web based applications” - Gartner Report”  Competition is so high that enterprises can‟t ignore the risk associated with their vulnerable application. Loss incurred could vary from monetary losses to loss of credibility. In certain cases it could mean end of business. www.emstell.com
  • 4. Many Countries has come up with strict rules and regulations on Information Security of business.  IT Act 2011 in India  PIPED Act – Canada (Personal Information Protection and Electronic Documents Act)  U.S. Information Security Law,  HIPAA – 1996 - Health Insurance Portability and Accountability Act Business Customers are increasingly aware of the systems security and is demanding security and quality certifications in the systems  ISO 27001  PCI DSS - Payment Card Industry Data Security Standard www.emstell.com
  • 5. Large number of applications coming to the hands of common man carrying out transactions with personal and financial data More and more applications moving to cloud where multiple user or enterprise data is stored in single server or data centers. “Application security is no more a Luxury, its Business” www.emstell.com
  • 6.  Confidentiality – ensuring that information is accessible only to those authorized.  Integrity – safeguarding the accuracy and completeness of information and processing methods.  Availability – ensuring that authorized users have access to information and associated assets when required.  Accountability – ensuring that authorized users use information in appropriate ways. www.emstell.com
  • 8. SQL Query SELECT user FROM Users WHERE Username = '"& strname &"' AND Password = '"& strPassword &"„ Query with valid input SELECT user FROM Users WHERE Username = 'avis' AND Password = 'avis' www.emstell.com
  • 9. Query with tampered input SELECT user FROM Users WHERE Username = 'avis';--' AND Password = '"& strPassword &"' www.emstell.com
  • 10. Authorization  Credential/Session Prediction  Insufficient Session Expiration  Session Fixation  Insufficient Authorization Authentication  Brute Force  Weak Password Recovery Policy  Insufficient Authentication Client-Side Attacks  Content Spoofing  Cross Site Scripting Information Disclosure  Directory Indexing  Information Leakage  Path Traversal  Predictable Resource Location Command Execution  Buffer Overflow  Format String Attack  LDAP Injection  OS Commanding  SQL Injection  SSI Injection  X Path Injection Logical Attacks  Abuse of Functionality  Denial of Service  Insufficient Anti- Automation  Insufficient Process Validation www.emstell.com
  • 11.  Non-availability (By bringing the database down)  Breach of confidentiality (By viewing other user‟s records)  Breach of integrity (By updating other user‟s records)  Impersonation (By logging into accounts without a valid password)  + Business Impacts www.emstell.com
  • 12.  Strong and Secure systems, firewalls and antiviruses  Proper Input validation  Following standard coding practices  Have strong password policy in place.  Use of strong session ID generation algorithms  Disable scripting in the web browser and disable input echoing  Grant only necessary privileges for accounts that are used to connect to DB  Implement/configure proper access control mechanisms on the web server.  Application Security Testing and Fixing the vulnerabilities  Educating the users www.emstell.com
  • 13. “Though the significant attacks over time where of Zero Day Attack nature, this forms much a lesser count of the total attacks” Test based on the Target Users  Vulnerability Assessments  Penetration Testing Manual - a team of security experts manually probe the application for common flaws. Automated - a tool is used for testing the application for flaws. False Positives www.emstell.com
  • 14. “The cost of quality is higher in the later stages of an application” Application security should be a part of the application development and should be incorporated to the SDLC Process. Integrating security to the build. Educating the users, using the best of media and creative formats. www.emstell.com
  • 16. Emstell Technology Consulting, is a technology firm offering enterprise level software quality assurance and testing services and ERP Solutions in Education sector. Our Media team deliver creative animated videos for educating users on company policies, explaining business and promotion. We deliver ERP Solutions in ◦ Web Enabled School Management ◦ Library Management Solution ◦ Business Accounting and Inventory www.emstell.com
  • 17. Ayoob Kalathingal - PMP Director - Emstell Technology Consulting Ayoob.ok@emstell.com Kuwait, India, United Kingdom, Saudi Arabia www.emstell.com