This document summarizes web application security testing. It discusses understanding how web applications work and common security risks. It then outlines the main steps of a security test: information gathering, configuration management testing, authentication testing, authorization testing, business logic testing, data validation testing, and denial of service testing. Specific techniques are provided for each step like using tools like Nikto, ZAP, and Hydra or manually testing authentication, injections, error handling, and more.

1. Web Application Security
Sreenath Sasikumar
QBurst

2. Who am I ?
www.MakeMeResume.com/@sreenath

3. Take Away
• Understanding web application security
• How to security test web applications
• Mitigating web application security risks
• Open source tools

4. How web applications work

5. Understanding web security

6. Security testing web applications
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Denial of Service Testing

7. Information Gathering

8. www.google.com/robots.txt
Spiders Robots and Crawlers

9. Search Engine Discovery
Google Hacking
• site
• cache
• inurl
• filetype
How to:
Manual
HackSearch

10. Identify Application Entry points
• GET
• POST
• Cookies
• Server Parameters
• Files
How to:
Tamper Data, WebScarab, ZAP

11. Web Application Fingerprinting
How to:
Nikto
Vulnerability Scanners

12. Application Discovery
Different Base URL
• www.example.com/abc
Different port
• www.example.com:8000
Different sub domain ( Virtual host )
• abc.example.com
How to:
Zap, WebSlayer

13. Analysis of Error Code

14. Configuration Management

15. SSL Testing
Identify ssl ports and services
How strong is you cipher?
How to:
Nmap -sV, Nessus, OpenSSL

16. Configuration Management Testing
• Infrastructure Configuration Management
• Application Configuration Management

17. Old, Backup & Unreferenced Files
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
How to:
HackSearch, Webslayer

18. Testing for HTTP Methods
• HEAD
• GET
• POST
• PUT
• DELETE
• TRACE
• OPTIONS
• CONNECT
How to:
Netcat
Nikto

19. Authentication Testing

20. Credentials transport over an
encrypted channel
Prevent man in the middle attack

21. Testing for user enumeration
Error Messages/Notifications
"Sorry, please enter a valid password"
"Sorry, please enter a valid username"
"Sorry, this user does not exist"
"Sorry, this user is no longer active"

22. Testing for Guessable Users
& BruteForce Attacks
How to:
John the Ripper
Hydra

23. Testing for CAPTCHA

24. Testing Session & Cookies

25. Authorization Testing

26. Testing for privilege escalation
• vertical escalation
• horizontal escalation
www.example.com/?user=1&groupID=2

27. Business Logic Testing

28. Data Validation Testing

29. Injections
SQL
XSS

30. • SQL Injection
• XSS Injection
• LDAP Injection
• XML Injection
• HTML Injection
• SSI Injection
• ORM Injection
• XPath Injection
• IMAP/SMTP Injection
• Buffer Overflow

31. Testing for Denial of Service

32. Testing for SQL Wildcard Attacks
SELECT * FROM Article WHERE Content LIKE '%foo%'
SELECT TOP 10 * FROM Article WHERE Content LIKE
'%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()
$*R"_)][%](%[x])%a][$*"£$-9]_%'

33. Testing for DoS Locking Customer
Accounts

34. Open Source Tools
Nikto
Nessus
W3AF
ZAP
WebSlayer
Netcat
Nmap
Skipfish
Hydra
Mozilla Firefox addons
Lots & lots more...

35. PenQ - Security testing browser

36. Questions ?