Web applications security conference slides
Download as PPTX, PDF2 likes202 views
The document discusses web application security testing techniques. It covers topics like the difference between web sites and applications, security definitions, vulnerabilities like SQL injection and XSS, defense mechanisms, and tools for security testing like Burp Suite. The agenda includes discussing concepts, designing test cases, and practicing security testing techniques manually and using automated tools.
![ Its one of software product attributes that bear on its ability to
prevent unauthorized access, weather accidental or deliberate
to programs and data.
[ISO 9126 – ISTQB Glossary]
2: What is security ?
9](https://image.slidesharecdn.com/webapplicationssecurity-conferenceslides-170828073416/85/Web-applications-security-conference-slides-9-320.jpg)
![ A non-functional testing type, to determine the security of the
software product.
[ISO 9126 – ISTQB Glossary]
2.1: What is security testing ?
10](https://image.slidesharecdn.com/webapplicationssecurity-conferenceslides-170828073416/85/Web-applications-security-conference-slides-10-320.jpg)
![ Spider : This is an intelligent application-aware web spider that can
crawl an application to locate its content and functionality.
Scanner : [Pro version] - This is an advanced web vulnerability
scanner, which can automatically discover numerous types of
vulnerabilities.
9.1: Burp Suite
68](https://image.slidesharecdn.com/webapplicationssecurity-conferenceslides-170828073416/85/Web-applications-security-conference-slides-68-320.jpg)
Web applications security conference slides
- 1. Technical Practices Bassam Al-Khatib Web Applications Security Testing
- 2. What You Will Learn Today? Security testing techniques Test cases design & implementation New testing tool. 2
- 3. Discussing concepts & definitions Why web applications security matters? Defense Mechanisms Tester`s role in WAST Practice Time Questions & Answers Agenda 3
- 4. Training Plan Technical Background Hybrid Examples (Manual & Auto) Practice Using Burp WAST Discussion Our Plan 4
- 5. What is the deference between web sites and web applications? 5
- 6. Web sites: Information repositories and browsers retrieve data all the time. Information flow is one way, from server to browser. No users authentication. 1: Difference between web sites & web applications? 6
- 7. Web Applications: Highly functional and rely on two-way flow of information. Support login, registration, financial transactions, search. Information is generated for each user dynamically and on the fly. 1: Difference between web sires & web applications? 7
- 8. 1.1: Examples of web applications 8
- 9. Its one of software product attributes that bear on its ability to prevent unauthorized access, weather accidental or deliberate to programs and data. [ISO 9126 – ISTQB Glossary] 2: What is security ? 9
- 10. A non-functional testing type, to determine the security of the software product. [ISO 9126 – ISTQB Glossary] 2.1: What is security testing ? 10
- 11. Security testing provides the evidence and awareness for the business to make the informed decision of how much security risk to accept. 2.2: Let`s discuss the definitions.. 11
- 12. Security vulnerabilities often have no symptoms, not like other types of failures where the error is patently obvious. 2.2: Let`s discuss the definitions.. 12
- 13. Security testing ensures that people cant see what they should not have access to. 2.2:Let`s discuss the definitions.. 13
- 14. Who should do security testing ? 14
- 15. 2.3: Security Testing Specialties 15 Web Application Penetration Tester Web Application Defenders Penetration Tester
- 16. Web Application Penetration Tester: Security personnel whose job duties involve tests web applications holes and vulnerabilities. 2.3.1: Security Testing Specialties 16
- 17. Penetration Tester : Security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities 2.3.3: Security Testing Specialties 17
- 18. Web Application Defenders: Security personnel with skills and abilities which are taken from the areas of Defensive Network Infrastructure, Packet Analysis, Penetration Testing, Incident Handling, and Malware Removal 2.3.2: Security Testing Specialties 18
- 19. What is the difference between web applications security and IT security? 19
- 20. Why firewalls and antivirus don’t protect Web applications from hacking ? 20
- 21. IT security means : Fire Walls Antivirus Email security products 3: Because its software security NOT IT security 21
- 22. Web applications security means: Software source code and business logic which written by developer and tested by QA testers. 3: Because its software security NOT IT security 22
- 23. Why web application security Matters ? 23
- 24. Every body suffer from attacks… 4: Why web application security Matters ? 24
- 25. Because… Crimes Cost World Economic Annual Loss of $1 trillion 46 Million Credit Card Numbers Stolen 99% of Tested web Applications Have Vulnerabilities 4: Why web application security Matters ? 25
- 26. 4: Why web application security Matters ? 26
- 27. 4: Why web application security matters ? 27
- 28. 4: Why web application security matters ? 28
- 29. We need to protect our web application, is there any Defense Mechanisms to use ? 29
- 30. Virtually all applications employ mechanisms that are conceptually similar, although the details of the design and the effectiveness of the implementation differ very widely indeed. 5: Defense Mechanisms 30
- 31. The defense mechanisms employed by web applications comprise the following core elements: Handling user access to the application’s data and functionality. Handling user input to the application’s functions. Handling application`s behavior against attackers. Managing the application itself, by enabling administrators to monitor its activities and configure its functionality. 5: Defense Mechanisms 31
- 33. Authentication 5.1: Defense Mechanisms 33
- 34. Session Management (Session Time out) 5.2: Defense Mechanisms 34
- 35. Access control, we have it in different levels, Users and groups, on application level, and on document level. 5.3: Defense Mechanisms 35
- 36. Tester`s Role is Security Testing As a tester what is my role? 36
- 37. Provide an evidence about the lack of vulnerabilities. Observing a potential vulnerability is enough to prompt a fix. 6: As a tester what is my role? 37
- 38. 38 How can I observe a vulnerability ?
- 39. It’s a new methodology. A new technical practice to learn. 6.1: My Observation model 39
- 40. 40 Vulnerability Exists? Submit malicious input Prompt a fix Check normal behavior Check behavior again •This is a techninal practice depends on the following: 1) Crafting inputs. 2) Observe behavior. No Yes
- 41. Since my role as a tester is known. I need to know what is a vulnerability. 6.2: How to start security testing? 41
- 42. What is vulnerability ? 42
- 43. The word "vulnerability" describes a problem (such as a programming bug or common configuration error) that allows a system to be attacked or broken into. How could that happen? , see next slide.. 7: What is vulnerability ? 43
- 44. 7: What is vulnerability ? 44
- 45. Understanding the differences between vulnerabilities type will help you in: How you should test? How to report them? How they get fixed? 7: What is vulnerability ? 45
- 46. What about these vulnerabilities?, let`s see the following list .. 46
- 47. 47
- 48. 48 Let`s have some vulnerabilities in practice..
- 49. Security Testing Practice Attendees will try SQL injection XSS URL Tampering Burp Attendees will NOT try DOM- Based XSS Malicious Files 8: Practice Plan.. 49
- 50. Enables hacker to submit crafted input to interfere with application`s interaction with back-end database. Hacker may be able to retrieve arbitrary data from application, interfere with logic or execute commands on the database server itself. 8.4: SQL Injection 50
- 51. Open http://www.testfire.net/bank/ Populate User name with admin' OR 1=1 – Populate password field with any value 8.1: Guessing User name or Password 51
- 52. admin' OR 1=1 -- SQL statement would look like SELECT * FROM users WHERE username = 'admin' OR 1=1 --'; Since validation is weak, this will either select the admin account or it will before 1=1 which will result in true. Which in SQL terms this will return the entire users table. Which the users table could contain all sorts of other additional sensitive information 8.1: What happened at the backend ? 52
- 53. Reveals a vulnerability Miss validation URL Query 8.5: URL Tampering 53
- 54. URLs consist of: 8.5: URL Tampering 54 Protocol Password Server Name Port Path http:// user:password@ www.testfire.net/ :80 /bank/account.html Makes it possible to exchange web pages in HTML format Makes it possible to specify the parameters required to access a secure server.(Optional) This is the domain name of the computer hosting the requested resource. To define type of resource is being requested.(Optional) Defines the resource location(Directory)
- 55. Open http://www.testfire.net/bank/ Add the following parameter at the end of URL :id Run the URL, No validation appers. Add the following at the end of URL ?id=1’ Run the URL, a directory page is opened 8.5: No validation 55 This proofs that malicious inputs are NOT validated
- 56. All parameters should be send from client to server via valid session / server side tokens . Prevent HTTP viewing of HTTPS accessible pages. 8.5: Solution / defense mechanism 56
- 57. File Name • Can include potential opportunity for injection attacks. • For example ‘onerror=alert(‘xss’)’ a=‘.jpg File Type • “Zip of Death” which circulated in 2001 and targeted for email virus checkers. • This file if sent by email will be unzipped for ever and bring email server to halt. File Size • 100 times larger files than normal usage will keep your application loading if they attached. • For example try files of size 500MB. 8.6: Malicious Files 57
- 58. Virus Scanners. Anti Spam Software. 8.6.1: Solution/Defense Mechanism 58
- 59. "Unbalanced Quotes `Accent Grave &qout;HTML Entities 'Escaped Quotes 8.7: Illegal Characters 59 Open Reliance Home page. User view source. Search for these characters. Are they escaped ?
- 60. These chars. Should be filtered out from user input to prevent Java script and SQL Injection. Attacker will guess which chars. Will pass the filter then will try to use. 8.7.1: Solution/Defense Mechanism 60
- 61. Tool Selection depends on the usefulness of any individual tool will depend heavily on your context—particularly the web application’s language and what you most need to protect 9: Web Apps. Security Testing Tools 61
- 62. 9: Web Apps. Security Testing Tools 62 Web Proxies • Web Scrap – Provided from OWASP. Web Scanners • cURL Inspection tools • Firefox Plugins
- 63. Why we are using burp ? 63
- 64. Burp Suite is an integrated platform for performing security testing of web applications. It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results. 9: Burp Suite 64
- 65. 9: Burp Suite 65
- 66. Burp Suite 66 Contains the following tools 1 Target 2 Proxy 3 Spider 4 Scanner 5 Sequencer 6 Decoder 7 Comparer 8 Extender
- 67. Target : This tool contains detailed information about your target applications, and lets you drive the process of testing for vulnerabilities. Proxy : This is an intercepting web proxy that operates as man-in-the- middle between the end browser and the target web application. It lets you intercept, inspect and modify the raw traffic passing in both directions. 9.1: Burp Suite 67
- 68. Spider : This is an intelligent application-aware web spider that can crawl an application to locate its content and functionality. Scanner : [Pro version] - This is an advanced web vulnerability scanner, which can automatically discover numerous types of vulnerabilities. 9.1: Burp Suite 68
- 69. Intruder : This is a powerful tool for carrying out automated customized attacks against web applications. It is highly configurable and can be used to perform a wide range of tasks to make your testing faster and more effective. Repeater : This is a simple tool for manually manipulating and reissuing individual HTTP requests, and analyzing the application's responses. 9.1: Burp Suite 69
- 70. Sequencer : This is a sophisticated tool for analyzing the quality of randomness in an application's session tokens or other important data items that are intended to be unpredictable. Decoder : This is a useful tool for performing manual or intelligent decoding and encoding of application data. 9.1: Burp Suite 70
- 71. Comparer : This is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages. Extender : This lets you load Burp extensions, to extend Burp's functionality using your own or third-party code. 9.1: Burp Suite 71
- 72. Security vulnerabilities are our shared responsibility (Developers, QA, Tech. Support). Applying new techniques for your test cases design and implementation reveals more vulnerabilities. 10: Conclusion & Recommendations 72
- 73. Security testing is a hybrid testing methodology. Running Real time periodic security tests (Using burp scanner) will help to discover new vulnerabilities. 10: Conclusion & Recommendations 73
- 74. Recommended books to read 74
- 75. Web security testing cookbook, Paco Hope, 2009. The.Web.Application.Hackers.Handbook, Dafydd Stuttard, 2007. The myths of security, John Viega, 2009. Cenzic-Application-Vulnerability-Trends-Report-2013. ISTQB – Glossery of Temss. AdvancedSoftwareTesting - Vol3, 2011 11: References - Books 75
- 76. http://portswigger.net/burp/help/ http://www.testfire.net/bank/ http://www.example.com http://www.testingsecurity.com/ http://code.google.com/p/dvwa/wiki/README 11: References – Websites 76
- 77. 77 Questions!
- 78. Thank You! 78