Introduction to Web Application Penetration Testing
Katherine Cancelado
Media Relations Coordinator, WIA
Agenda:
➔ Web Application Attack Surface
➔ Penetration Testing Phases
➔ OWASP Application Security Verification Standard
➔ Tips & Tools
Web Application Attack Surface
… beyond the URL
Web Application Attack Surface
“The attack surface of a software environment is the sum of the different points (the "attack vectors") where an unauthorized user (the "attacker") can try to enter data to or extract data from an environment” [1]
Web Application Attack Surface - URL
Uniform Resource Locator (URL): Also known as the “link” or address of a web resource. URLs can be used to get resources based on a series of conditions that aren’t meant to be specified manually by the user, but by the underlying application.
Web Application Attack Surface - Form Inputs
Form inputs: Text areas that are meant to enable the user to interact with the web application. This could be to submit information, to modify the user’s view, or to authenticate the user when required.
Web Application Attack Surface - HTTP Headers
HTTP Headers: Core set of fields that are sent as part of every request and response in the client-server communication. HTTP headers set the parameters of every HTTP exchange.
Web Application Attack Surface - Cookies
Cookies: Name-value pairs of data that are assigned to a user while browsing a web application. They are normally used to identify where/whom the requests belong to, by keeping users’ sessions and their preferences.
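The four attack-surface categories above (URL, form inputs, HTTP headers, cookies) are exactly what a tester maps before touching anything. The following is an added example, not code from the original slides: it parses a constructed raw HTTP request and groups every client-controlled value into those four categories, so the scope of a test (and of the application's input validation) can be written down instead of guessed. The function names and the sample request are assumptions made for this example.

```python
"""Enumerate the input points of one HTTP request by attack-surface category.

Added example, not part of the original slides. Every value a client can
choose is an entry point in the sense of the attack-surface definition
quoted above; this script lists them per category so a tester (or a
developer checking input validation coverage) sees the full surface of a
single request, not just the URL.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request (not captured traffic): a login form POST with
# a query string, several headers and two cookies.
SAMPLE_REQUEST = (
    "POST /account/login?next=%2Fdashboard&lang=en HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Referer: https://shop.example/\r\n"
    "Content-Length: 41\r\n"
    "\r\n"
    "username=alice&password=s3cret&remember=1"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    raw = raw.replace("\r\n", "\n")          # tolerate either line ending
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")  # split at the first colon only
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def attack_surface(raw: str) -> dict:
    """Map every client-controlled value in the request to a category.

    Returns {"url": [...], "form": [...], "headers": [...], "cookies": [...]},
    each entry a (name, value) tuple. Path segments are listed under "url"
    as ("path", segment) so routing parameters such as /user/<id> are not
    overlooked when only query parameters are considered.
    """
    req = parse_request(raw)
    surface = {"url": [], "form": [], "headers": [], "cookies": []}

    parts = urlsplit(req["target"])
    for segment in parts.path.split("/"):
        if segment:
            surface["url"].append(("path", segment))
    surface["url"].extend(parse_qsl(parts.query, keep_blank_values=True))

    content_type = ""
    for name, value in req["headers"]:
        if name.lower() == "cookie":
            # The Cookie header is itself an input, but each cookie is a
            # separate value the application reads, so expand it.
            jar = SimpleCookie()
            jar.load(value)
            surface["cookies"].extend((k, m.value) for k, m in jar.items())
        else:
            surface["headers"].append((name, value))
        if name.lower() == "content-type":
            content_type = value.lower()

    # Only urlencoded bodies are decoded here; JSON or multipart bodies would
    # need their own decoder but are input points all the same.
    if req["body"] and content_type.startswith("application/x-www-form-urlencoded"):
        surface["form"].extend(parse_qsl(req["body"], keep_blank_values=True))
    return surface


def summarize(surface: dict) -> dict:
    """Count input points per category, e.g. for scoping a test plan."""
    return {category: len(points) for category, points in surface.items()}


if __name__ == "__main__":
    found = attack_surface(SAMPLE_REQUEST)
    for category, points in found.items():
        print(f"{category} ({len(points)}):")
        for name, value in points:
            print(f"  {name} = {value!r}")
```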
Penetration Testing Phases
Plan - do - check - act (?)
Penetration Testing Phases
● Planning & Profiling
● Vulnerability Analysis
● Information Gathering
● Reporting
● Exploitation
A penetration test is performed in order to identify vulnerabilities and possible attack vectors in a specific system. These kinds of tests are legally covered by a contract/authorisation that allows the pen tester to attack the in-scope system. Of course, you can pen test your own systems, and that’s a good exercise when wanting to “skill up”.
OWASP Application Security Verification Standard (ASVS)
Do it once, do it right!
The ASVS Project
“The primary aim of the OWASP Application Security Verification Standard (ASVS) Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection.” [2]
ASVS Checklist
1. Architecture, design and threat modelling
2. Authentication verification requirements
3. Session management verification requirements
4. Access control verification requirements
5. Malicious input handling verification requirements
6. Cryptography at rest verification requirements
7. Error handling and logging verification requirements
8. Data protection verification requirements
9. Communications security verification requirements
10. HTTP security configuration verification requirements
11. Malicious controls verification requirements
12. Business logic verification requirements
13. Files and resources verification requirements
14. Web services verification requirements
15. Configuration
Tips & Tools
Tips
1. Know your target
2. Take notes
3. Read everything you find
4. Use search engines
5. Keep learning
Testing environments:
● bWAPP (Buggy Web Application)
● Mutillidae
● Damn Vulnerable Web App (DVWA)
Tools:
● Burp
● OWASP ZAP
● Nikto
● Browser developer tools
● Kali (OS)
Thanks!
References:
[1] https://en.wikipedia.org/wiki/Attack_surface
[2] https://github.com/OWASP/ASVS
