The document discusses web application security testing. It defines security testing as identifying vulnerabilities in software, databases, operating systems, and organizations to protect information from hackers. Effective security practices need to be implemented through security testing to avoid losses and protect organizations' reputations from data breaches. Security testing includes vulnerability assessments to find security issues and penetration tests to simulate hacker activities and evaluate vulnerabilities' impacts. The goals of security testing are to achieve confidentiality, integrity, and availability as defined in the CIA security triad.

1. Web Application Security
Testing

2. What is Security Testing
Security Testing is to identify/uncover any Security
Loopholes (i.e., Vulnerabilities or Security Bugs) in
the given Software System (i.e., Applications,
Databases, Machines, Operating Systems,
Organizations etc.) and get them fixed, with an
intention of protecting the Information in these
Systems from Hackers.

3. Security Testing - Importance of Security
Testing with Examples
• Examples of data breaches and hacks that
happened over a period of time
• As the number of cyber-attacks are growing
with the advancements in the technology,
efficient and effective security practices needs
to be implemented by all the organization in a
timely and priority manner to avoid the losses
and protecting the reputation. Hence Security
Testing is very important to ensure the security
of the systems and there by protecting the
organizations from losing money and
reputation.

4. Security Testing
versus Vulnerability
Assessment versus
Penetration Testing
• Security Testing comprises of both Vulnerability
Assessment and Penetration Testing
• As part of Vulnerability Assessment, we simply assess the
application and identify the security loopholes (i.e.
Vulnerabilities) in the Application
• As part of Penetration Testing, we simulate the hacker
activities by hacking/breaching/utilizing the identified
security loophole (i.e. vulnerability) to check or prove
what kind of damage/risk that the vulnerability is causing
• While performing Security Testing in our Job, we should
not be doing Penetration Testing until the client insists to
do it.
• We may also have to educate the Client and take his
approval before performing Penetration Testing.

5. High Level Objectives
of Security Testing
• Basic or high level Goals and Objectives of
Security Testing or Security Program is to
achieve CIA Triad
• CIA Traid stands for - Confidentiality,
Integrity and Availability
• Confidentiality - Information is private and
secured
• Integrity - Only Authorized people should be
able to update (add,modify,delete)
Information
• Availability - Application/System is available
all the time to the intended users.

6. Security Testing (Basics) - Cookie
What is a Cookie? What a Cookie can do?
Track your Activities
Maintain Login Session
Remember Login
Remember other details for your convenience
What will happen if Cookie is
stolen?

7. Cookie versus Session ID versus Session
WHAT IS A
COOKIE?
WHAT IS A
SESSION ID?
WHAT IS A
SESSION?
COOKIE VERSUS
SESSION

8. Cryptography and different Techniques
Cryptography
1.Enables secret communication between two parties.
2.Encryption and Decryption of data during
communication between two parties.
3.Algorithm and key are used for making this
possible.
4.HTTPS = HTTP + SSL
Cryptography Techniques
Encryption
• Symmetric Encryption
• Asymmetric Encryption
Hashing
Encoding

9. Symmetric Key Encryption
Examples for Symmetric Key Encryption
AES (Advanced
Encryption Standard)
DES (Data Encryption
Standard)
IDEA (International
Data Encryption
Algorithm)
Blowfish RC4 (Rivest Cipher 4) RC5 (Rivest Cipher 5) RC6 (Rivest Cipher 6)
In Symmetric Key Encryption, the same key is used for both encryption and decryption of the data
being transferred between two parties
Symmetric Key Encryption is one of the techniques used for achieving Cryptography

10. Symmetric Key Encryption
• AES-128
• AES-192
• AES-256
Most commonly used Symmetric Key Encryption
• Key used for encryption need to be exchanged with the receiver
before decryption
Drawback

11. Asymmetric Key
Encryption
• In Asymmetric Key Encryption, the
public key of receiver is used for
encryption and the private key of
receiver is used for decryption of
the data
being transferred between two
parties
• Examples for Asymmetric Key
Encryption
• RSA - Rivest Shamir Adleman
Algorithm
• DSA - Digital Signature
Algorithm
• ELGamal
• ECC - Elliptic Curve
Cryptography
• And many more

12. Encoding and
Decoding
• Encoding and Decoding
• Encoding:
• Transforming data into other formats, so that the
data can be consumed properly by the Systems
• Example: btoa('arun motoori') in Chrome Browser
Console, for converting a string text into base64
format
• Decoding:
• Converting back to original format from the
encoded format
• Example: atob('YXJ1biBtb3Rvb3Jp') in Chrome
Browser Console, for converting the base64
encoded format to original String
• Not for converting to secret language for
transferring secretly between two parties
• Purpose is for proper consumption by the receiver

13. Encoding and Decoding
• ASCII
• base64
• Unicode
• URL Encoding
• Show examples of URL Encoding
Different Types of Encoding Formats used:
• Network > Request > Accept-Encoding
• Server uses this to send the response in the proper encoding format required by the Browser
Finding the encoding standards accepted by the Browser
• By having knowledge of different encoding formats, we can try to decode the stuff and see if the
Hacker/Attacker can view any sensitive data anywhere
• More about this will be explained in the upcoming sessions.
How Encoding plays a role in Security

14. OWASP
• OWASP stands for Open Web Application Security Project
• OWASP.org
• Non-Profit Organization
• Objective is to encourage all organizations in improving their Software
security
• OWASP is known for:
• Publishing OWASP Top 10 Vulnerabilities
• Guides
• Free Tools
• Open Application for practicing Security
• Events
• Community
• And many more

15. OWASP Top 10 Vulnerabilities
Injection
Broken
Authentication
Sensitive Data
Exposure
XML External
Entities
Broken Access
Control
Security
Misconfiguration
Cross Site Scripting
Insecure
Deserialisation
Using Components
with known
vulnerabilities
Insufficient Logging
and Monitoring