Introduction to web application
security testing

Alexandr Romanov
What is security testing and why is it
necessary?
Prepare your mind for
security testing
- Think like a hacker :)
- Concentrate on negative testing
- Vulnerabilities = bugs
Security testing in action - stage 1
Mapping the application
- web spidering
- user-directed spidering
- brute force scanning
Security testing in action - stage 2
Analyze the application
- application functionality
- data entry points
- application technologies
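Stage 2 is where the tester turns the pages found in stage 1 into a list of data entry points. As an added example that is not from the slides, the following Python script (standard library only) walks a constructed HTML page and records every form with its method and field names, plus every same-origin link that carries query parameters. The page content, the base URL `https://app.example/` and the helper names are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl

# Constructed sample page (not from the slides): a login form, a comment form,
# one same-origin link with query parameters and one external link.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="csrf" value="abc">
</form>
<a href="/search?q=test&page=2">search</a>
<a href="https://other.example/out?ref=1">external</a>
<form action="/comment">
  <textarea name="body"></textarea>
  <select name="rating"><option>1</option></select>
</form>
</body></html>
"""


class EntryPointParser(HTMLParser):
    """Collect forms (action, method, field names) and same-origin query parameters."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.host = urlparse(base_url).netloc
        self.forms = []
        self.params = {}  # path -> set of query parameter names seen in links
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": urljoin(self.base, a.get("action", "")),
                "method": a.get("method", "get").upper(),  # HTML default is GET
                "fields": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            name = a.get("name")
            if name:
                self._current["fields"].append(name)
        elif tag == "a" and "href" in a:
            parsed = urlparse(urljoin(self.base, a["href"]))
            # Only links back to the application under test count as entry points.
            if parsed.netloc == self.host and parsed.query:
                names = {k for k, _ in parse_qsl(parsed.query, keep_blank_values=True)}
                self.params.setdefault(parsed.path, set()).update(names)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def map_entry_points(html, base_url):
    """Return forms and per-path query parameter names found in the page."""
    parser = EntryPointParser(base_url)
    parser.feed(html)
    return {
        "forms": parser.forms,
        "query_params": {path: sorted(names) for path, names in parser.params.items()},
    }


if __name__ == "__main__":
    result = map_entry_points(SAMPLE_HTML, "https://app.example/")
    for form in result["forms"]:
        print(form["method"], form["action"], form["fields"])
    for path, names in result["query_params"].items():
        print("GET", path, names)
```

Each field name and query parameter in the output is one place where user-controlled data enters the application and therefore one candidate for the input-based tests of stage 3; the form method tells you whether the parameter arrives in the body or the URL.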
Security testing in action - stage 3
Test/break the application
Test:
- client-side controls
- authentication mechanism
- session management mechanism
- access controls
- input-based vulnerabilities
.....
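One concrete stage 3 check for the session management mechanism is to inspect the cookies a response sets and flag the ones that carry authentication state but lack the protective attributes. The script below is an added example, not from the slides: it parses constructed `Set-Cookie` headers and reports a missing `Secure`, `HttpOnly` or `SameSite` attribute, a persistent expiry on a session cookie, and a session value that is too short to be an opaque random token. The sample headers, the name-based heuristic for "looks like a session cookie" and the 16-character minimum are assumptions of the example.

```python
import re

# Constructed sample Set-Cookie headers (not from the slides): one hardened
# session cookie, one weak persistent login cookie, one harmless preference.
SAMPLE_SET_COOKIE = [
    "SESSIONID=3f9a2c7e1b4d8e6f0a1b2c3d4e5f6a7b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "remember_me=alice; Path=/; Expires=Wed, 01 Jan 2030 00:00:00 GMT",
    "theme=dark; Path=/",
]

# Name fragments that usually mark a cookie carrying authentication state (heuristic).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "remember")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute_lowercase: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes get an empty value
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return findings for one Set-Cookie header; an empty list means nothing flagged."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        return findings  # preference cookies are out of scope for session checks
    if "secure" not in attrs:
        findings.append("missing Secure: may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable from script if XSS exists")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF exposure)")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent: survives browser close")
    if len(value) < 16 or not re.fullmatch(r"[A-Za-z0-9_\-]+", value):
        findings.append("value is short or not an opaque random token")
    return findings


def audit_response(set_cookie_headers):
    """Map cookie name -> findings for every Set-Cookie header in one response."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in set_cookie_headers}


if __name__ == "__main__":
    for cookie, issues in audit_response(SAMPLE_SET_COOKIE).items():
        print(cookie, "->", issues or "ok")
```

Run against the constructed headers, `SESSIONID` and `theme` come back clean while `remember_me` collects every finding. The same function can be pointed at the headers an intercepting proxy such as BurpSuite or Zed Attack Proxy captured from the real login response; each finding maps directly to a mitigation (add the attribute, drop the expiry, issue a random token).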
Security testing in action - stage 4
Report the results
1. Executive summary
2. Detailed report
3. Raw output
Security tester tools
Firefox:
- Firebug/FirePath
- HTTPWatch
- FoxyProxy
- XSSme/SQLme
Chrome:
- XSSRays
IE:
- HTTPWatch/IEWatch
Security tester tools
Complex tools:
- BurpSuite
- WebScarab
- Zed Attack Proxy
- Fiddler
Vulnerability scanners:
- Acunetix
- Nikto
- Nessus