Copyright © 2012 Aware Corporation Ltd.
“Quality is the link to Success”
Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
Testing Security in Web Applications
Case Studies
Web Application Security Testing
Different Security Standards
OWASP Top 10
OWASP (Open Web Application Security Project) is an organization that provides unbiased and
practical, cost-effective information about computer and Internet applications. Project members
include a variety of security experts from around the world who share their knowledge of
vulnerabilities, threats, attacks and countermeasures.
http://www.owasp.org
OWASP Top 10 Testing
Divided into 9 sub-categories and 66 controls:
• Information Gathering
• Configuration Management
• Authentication
• Session Management
• Authorization
• Business Logic
• Data Validation
• Denial of Service
• Web Services
Top Attacks
• SQL Injection
– SQL injection is a technique that exploits unvalidated input to pass SQL commands through a Web application for execution by the backend database.
• Cross Site Scripting
– Cross-site scripting (XSS) is a type of vulnerability typically found in Web applications (or in web browsers themselves, through breaches of browser security) that enables attackers to inject client-side script into Web pages viewed by other users.
• Authentication
– Authentication and session management cover all aspects of handling user authentication and managing active sessions. Authentication is a critical part of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.
SQL Injection
[Figure: an HTTP request passes through the firewall, hardened OS, web server and app server (network layer) to the custom code (application layer), which issues a SQL query against a DB table and returns an HTTP response. Behind the custom code sit the business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce) and the backend systems (databases, legacy systems, web services, directories, human resources, billing). Form fields: Account, SKU.]
Query sent to the database: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Result shown to the attacker (Account Summary):
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
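The string concatenation behind step 3 and its fix, as an added example that is not from the slides: Python's sqlite3 in-memory database stands in for the backend, and the account rows are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the "accounts" table on the slide.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]

# The form value from the slide: it closes the quoted literal, ORs in a
# tautology, and comments out the rest of the statement.
INJECTED_ACCT = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory accounts table (assumed schema: acct, owner)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """Step 3 on the slide: the form value is pasted into the SQL text, so
    the resulting statement is
    SELECT acct FROM accounts WHERE acct='' OR 1=1--'
    and every row comes back."""
    sql = "SELECT acct FROM accounts WHERE acct='" + acct + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> list:
    """Fix: the value is bound as a parameter. The database receives the
    statement and the data separately, so the input can only ever be
    compared against the acct column, never parsed as SQL."""
    rows = conn.execute("SELECT acct FROM accounts WHERE acct=?", (acct,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTED_ACCT))
    print("parameterized:", lookup_parameterized(db, INJECTED_ACCT))
```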
Cross Site Scripting
[Figure: application with a stored XSS vulnerability; the custom code fronts the business functions (accounts, finance, administration, transactions, communication, knowledge management, e-commerce).]
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie
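The output-encoding fix for step 2 and the cookie check that blunts step 3, as an added example that is not from the slides; the stored profile value is a constructed placeholder and the header helpers are assumed names.

```python
import html

# Constructed stored-profile record of the kind step 1 describes. The script
# body is a placeholder comment rather than working exfiltration code.
STORED_PROFILE = {
    "name": "Attacker <script>/* would read document.cookie here */</script>",
}


def render_profile_unsafe(profile: dict) -> str:
    """Vulnerable rendering: the stored value is interpolated into HTML
    verbatim, so the browser of every viewer executes the script (step 2)."""
    return "<h1>Profile</h1><p>" + profile["name"] + "</p>"


def render_profile_safe(profile: dict) -> str:
    """Fix: HTML-escape untrusted data at output time so the browser treats
    '<', '>', '&' and quotes as text, not markup."""
    return "<h1>Profile</h1><p>" + html.escape(profile["name"], quote=True) + "</p>"


def session_cookie_header(token: str) -> str:
    """Defence in depth for step 3: HttpOnly keeps the session cookie out of
    document.cookie; Secure and SameSite limit where it is sent (assumed
    attribute choice)."""
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax"


def cookie_is_script_readable(set_cookie: str) -> bool:
    """Check a Set-Cookie header: without the HttpOnly attribute a script
    running in the page can read the cookie, which is what step 3 relies on."""
    attrs = [part.strip().lower() for part in set_cookie.split(";")[1:]]
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_profile_unsafe(STORED_PROFILE))
    print(render_profile_safe(STORED_PROFILE))
    print(cookie_is_script_readable("Set-Cookie: session=abc; Path=/"))
    print(cookie_is_script_readable(session_cookie_header("abc")))
```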
Authentication
Tools Overview
Tools
• Proxies
– Burp Suite
– Paros
– WebScarab
– Fiddler
• FoxyProxy plugin
• Open source scanners
– Skipfish
Burp Suite
http://portswigger.net/proxy/
FoxyProxy
https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish
http://code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool.
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS.
* Directory listing bypass vectors.
* External untrusted embedded content.
Cheat Sheet
Tools Demonstration
RISK
• Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business.
Risk = Likelihood * Impact
Prioritizing RISK
Threat Risk: DREAD
• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability