Security testing-What can we do - Trinh Minh Hien

Page 1: Security testing-What can we do - Trinh Minh Hien

1

Security Testing: What Can We Do?

Hien Trinh Minh

Harvey Nash Vietnam

Page 2: Security testing-What can we do - Trinh Minh Hien

Presenter : Hien Trinh Minh

Background & Work experience:

Harvey Nash Vietnam: Testing Solution Architect

• More than 2 years of experience in Web Application Security Testing, Mobile Application Security Testing and security analysis.

• More than 12 years of experience in software testing for telecom applications and networking.

• More than 7 years of experience in software testing for UMTS: Inter-Operability Test, Functional Network Element Test, field testing activities at a 3G lab with a live network.

Contact info:

[email protected]


Page 3: Security testing-What can we do - Trinh Minh Hien

Tech Agenda

• Introduction to Security Testing

• Open Web Application Security Project Top 10

• Security testing on OWASP Web Top 10

• Security Testing Tools

• Demo


Page 4: Security testing-What can we do - Trinh Minh Hien

Introduction to Security Testing


• Security Testing

– Network Security Testing

– Application Security Testing (Web App Security Testing, Mobile App Security Testing)

Page 5: Security testing-What can we do - Trinh Minh Hien

Introduction to Security Testing (cont.)


• High Risks

– Allows an attacker to read or modify confidential data belonging to other web sites. If exploited, it would compromise data security, potentially allowing access to confidential data, or could compromise processing resources on a user's computer.

• Medium Risks

– Allows an attacker to obtain limited amounts of information. The impact is limited to a significant degree by factors such as default configuration or auditing, or the issue is difficult to exploit.

• Low Risks

– Allows an attacker temporary control over non-critical browser features. Minimal impact and extremely difficult to exploit.

• Information

– Provides information only.

[Figure: severity scale with the levels High, Medium, Low and Information]

Page 6: Security testing-What can we do - Trinh Minh Hien

OWASP TOP 10


Page 7: Security testing-What can we do - Trinh Minh Hien

A1: Injection


Page 8: Security testing-What can we do - Trinh Minh Hien

A1: Injection (cont.)


Page 9: Security testing-What can we do - Trinh Minh Hien

A2 : Broken Authentication and Session Management

• Passwords not hashed/encrypted in the database

• No limit on wrong password attempts (brute-force attack)

• Session id exposed in the URL

• No session timeout

• Session id vulnerable to session fixation
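Each of the five weaknesses above has a standard server-side counter-measure. The following Python sketch, an added example and not code from the talk, shows them together in a small in-memory authentication service: salted PBKDF2 password hashing, a lockout after MAX_FAILED_LOGINS wrong passwords, a session id drawn from a CSPRNG and meant to travel in a cookie rather than the URL, regeneration of the id at login so a fixated id is never honoured, and an idle timeout. The constants, class and method names are assumptions for illustration.

```python
import hashlib, hmac, secrets, time

PBKDF2_ITERATIONS = 200_000      # work factor for password hashing
MAX_FAILED_LOGINS = 5            # lockout threshold (constructed policy value)
SESSION_IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before a session expires


def hash_password(password, salt=None):
    """Return (salt, digest); the database stores both, never the plaintext."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AuthService:
    def __init__(self):
        self.users = {}     # username -> [salt, digest, failed_attempts]
        self.sessions = {}  # session id -> {"user": ..., "last_seen": ...}

    def register(self, username, password):
        salt, digest = hash_password(password)
        self.users[username] = [salt, digest, 0]

    def login(self, username, password, presented_sid=None, now=None):
        """Return a fresh session id on success, None on bad password or lockout."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None or rec[2] >= MAX_FAILED_LOGINS:
            return None  # unknown user, or locked: brute force stops paying off
        _, candidate = hash_password(password, rec[0])
        if not hmac.compare_digest(candidate, rec[1]):
            rec[2] += 1
            return None
        rec[2] = 0
        # Session fixation defence: never adopt an id the client brought along;
        # drop it and issue a brand-new random one after authentication succeeds.
        self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def current_user(self, sid, now=None):
        """Resolve a session id (carried in a cookie, not the URL); expire idle ones."""
        now = time.time() if now is None else now
        sess = self.sessions.get(sid)
        if sess is None or now - sess["last_seen"] > SESSION_IDLE_TIMEOUT:
            self.sessions.pop(sid, None)
            return None
        sess["last_seen"] = now
        return sess["user"]
```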


Page 10: Security testing-What can we do - Trinh Minh Hien

A2 : Broken Authentication and Session Management (cont.)


Page 11: Security testing-What can we do - Trinh Minh Hien

A3 : Cross Site Scripting (XSS)


Page 12: Security testing-What can we do - Trinh Minh Hien

A3 : Cross Site Scripting (XSS) (cont.)


Page 13: Security testing-What can we do - Trinh Minh Hien

A4 : Insecure Direct Object References

• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.


Page 14: Security testing-What can we do - Trinh Minh Hien

A4 : Insecure Direct Object References (cont.)


Page 15: Security testing-What can we do - Trinh Minh Hien

A5 : Security Misconfiguration

• Directory listing is enabled and a PHPinfo page has been found in the listed directory


Page 16: Security testing-What can we do - Trinh Minh Hien

A6 : Sensitive Data Exposure


Examples:

• Transmitting data in clear text, e.g. non-SSL URLs or login forms over HTTP

• Unencrypted credit card info

• Incorrect encryption

• Logging of sensitive data

Page 17: Security testing-What can we do - Trinh Minh Hien

A7 : Missing Function Level Access Control

• Attacker notices the URL indicates his role: /user/Accounts

• He modifies it to another directory (role): /admin/Accounts or /manager/Accounts

• Attacker views more accounts than just their own
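The IDOR definition under A4 and the role-in-the-URL walkthrough above are both failures of server-side authorization. The following Python sketch, an added example rather than code from the talk, shows the fix for both in one small request handler: the caller's role is read from the authenticated session instead of the path, each function declares the minimum role it needs, and a record lookup also checks that the caller owns the record. All data, route names and function names are constructed for illustration.

```python
# Constructed in-memory data: account id -> owner, and each user's server-side role.
ACCOUNTS = {101: "alice", 102: "bob", 103: "carol"}
ROLES = {"alice": "user", "bob": "user", "carol": "admin", "dave": "manager"}
ROLE_RANK = {"user": 1, "manager": 2, "admin": 3}
# Minimum role per server-side function; the URL the client typed plays no part.
REQUIRED_ROLE = {"list_own_accounts": "user", "list_all_accounts": "manager", "view_account": "user"}

class Forbidden(Exception):
    pass

def authorize(session_user, function_name):
    """A7 check: the role comes from the authenticated session, never from the path."""
    role = ROLES.get(session_user)
    needed = REQUIRED_ROLE[function_name]
    if role is None or ROLE_RANK[role] < ROLE_RANK[needed]:
        raise Forbidden(f"{session_user!r} may not call {function_name}")

def list_accounts(session_user, scope):
    """scope 'own' lists the caller's records; scope 'all' is a manager/admin function."""
    authorize(session_user, "list_all_accounts" if scope == "all" else "list_own_accounts")
    return sorted(a for a, o in ACCOUNTS.items() if scope == "all" or o == session_user)

def view_account(session_user, account_id):
    """A4 check: being logged in is not enough; the caller must own the referenced
    record (admins excepted), so guessing another id in the URL yields Forbidden."""
    authorize(session_user, "view_account")
    owner = ACCOUNTS.get(account_id)
    if owner is None or (owner != session_user and ROLES[session_user] != "admin"):
        raise Forbidden(f"{session_user!r} may not view account {account_id}")
    return {"id": account_id, "owner": owner}

def handle(path, session_user):
    """Dispatch /user/Accounts, /admin/Accounts, /manager/Accounts and /accounts/<id>.
    Rewriting 'user' to 'admin' in the path (the trick on the slide) only names a
    different function; whether the caller may run it is decided from session_user."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[1] == "Accounts" and parts[0] == "user":
        return list_accounts(session_user, "own")
    if len(parts) == 2 and parts[1] == "Accounts" and parts[0] in ("admin", "manager"):
        return list_accounts(session_user, "all")
    if len(parts) == 2 and parts[0] == "accounts" and parts[1].isdigit():
        return view_account(session_user, int(parts[1]))
    raise LookupError(f"no route for {path}")

def attempt(path, session_user):
    # Convenience wrapper: the handler's result, or the string 'denied' when refused.
    try:
        return handle(path, session_user)
    except Forbidden:
        return "denied"
```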


Page 18: Security testing-What can we do - Trinh Minh Hien

A8 : Cross-Site Request Forgery (CSRF)


Page 19: Security testing-What can we do - Trinh Minh Hien

A9 : Using Components with Known Vulnerabilities


Page 20: Security testing-What can we do - Trinh Minh Hien

A10 : Unvalidated Redirects and Forwards


Page 21: Security testing-What can we do - Trinh Minh Hien

Security Testing Tools


Page 22: Security testing-What can we do - Trinh Minh Hien

Demo


Page 23: Security testing-What can we do - Trinh Minh Hien

References

• https://www.owasp.org

• http://projects.webappsec.org

• http://code.google.com/p/owaspbwa

• https://www.hacking-lab.com/

• http://www.acunetix.com/

• https://portswigger.net/burp/

• https://www.mavensecurity.com/resources/web-security-dojo/

• https://sourceforge.net/projects/samurai/files/

• http://www.bonsai-sec.com/en/research/moth.php

• Books:

– The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy

– The Web Application Hacker's Handbook

– How to Break

– Hacking Attacks and Examples Test


Page 24: Security testing-What can we do - Trinh Minh Hien

Q & A

Page 25: Security testing-What can we do - Trinh Minh Hien

© 2014 HCMC Software Testing Club

THANK YOU