Web Applications Security Testing: Technical Practices (slide 1)
Bassam Al-Khatib

What You Will Learn Today (slide 2)
• Security testing techniques
• Test case design & implementation
• A new testing tool

Agenda (slide 3)
• Discussing concepts & definitions
• Why web application security matters
• Defense mechanisms
• The tester's role in WAST (web application security testing)
• Practice time
• Questions & answers

Our Plan (slide 4)
• Training plan: technical background, hybrid examples (manual & automated), practice using Burp, WAST discussion
What is the difference between web sites and web applications? (slide 5)

1: Difference between web sites & web applications (slide 6)
• Web sites: information repositories; browsers retrieve data all the time.
• Information flow is one way, from server to browser.
• No user authentication.

1: Difference between web sites & web applications (slide 7)
• Web applications: highly functional and rely on a two-way flow of information.
• Support login, registration, financial transactions, search.
• Information is generated for each user dynamically and on the fly.

1.1: Examples of web applications (slide 8; image-only slide)
2: What is security? (slide 9)
• One of the software product attributes that bear on its ability to prevent unauthorized access, whether accidental or deliberate, to programs and data. [ISO 9126 – ISTQB Glossary]

2.1: What is security testing? (slide 10)
• A non-functional testing type used to determine the security of the software product. [ISO 9126 – ISTQB Glossary]

2.2: Let's discuss the definitions.. (slide 11)
• Security testing provides the evidence and awareness the business needs to make an informed decision about how much security risk to accept.

2.2: Let's discuss the definitions.. (slide 12)
• Security vulnerabilities often have no symptoms, unlike other types of failures where the error is patently obvious.

2.2: Let's discuss the definitions.. (slide 13)
• Security testing ensures that people can't see what they should not have access to.
Who should do security testing? (slide 14)

2.3: Security Testing Specialties (slide 15)
• Web Application Penetration Tester
• Web Application Defenders
• Penetration Tester

2.3.1: Security Testing Specialties (slide 16)
• Web Application Penetration Tester: security personnel whose job duties involve testing web applications for holes and vulnerabilities.

2.3.3: Security Testing Specialties (slide 17)
• Penetration Tester: security personnel whose job duties involve assessing target networks and systems to find security vulnerabilities.

2.3.2: Security Testing Specialties (slide 18)
• Web Application Defenders: security personnel with skills and abilities drawn from the areas of defensive network infrastructure, packet analysis, penetration testing, incident handling, and malware removal.
What is the difference between web application security and IT security? (slide 19)

Why don't firewalls and antivirus protect web applications from hacking? (slide 20)

3: Because it's software security, NOT IT security (slide 21)
• IT security means: firewalls, antivirus, email security products.

3: Because it's software security, NOT IT security (slide 22)
• Web application security means: the software source code and business logic written by developers and tested by QA testers.
Why does web application security matter? (slide 23)

4: Why web application security matters (slide 24)
• Everybody suffers from attacks…

4: Why web application security matters (slide 25)
Because…
• Crimes cost the world economy an annual loss of $1 trillion.
• 46 million credit card numbers stolen.
• 99% of tested web applications have vulnerabilities.

4: Why web application security matters (slides 26 to 28; image-only slides)
We need to protect our web application. Are there any defense mechanisms to use? (slide 29)

5: Defense Mechanisms (slide 30)
• Virtually all applications employ mechanisms that are conceptually similar, although the details of the design and the effectiveness of the implementation differ very widely indeed.

5: Defense Mechanisms (slide 31)
• The defense mechanisms employed by web applications comprise the following core elements:
• Handling user access to the application's data and functionality.
• Handling user input to the application's functions.
• Handling the application's behavior against attackers.
• Managing the application itself, by enabling administrators to monitor its activities and configure its functionality.

5: Defense Mechanisms (slide 32)
Handling user access: authentication, session management, access control.

5.1: Defense Mechanisms (slide 33)
• Authentication

5.2: Defense Mechanisms (slide 34)
• Session management (session timeout)

5.3: Defense Mechanisms (slide 35)
• Access control: we have it at different levels, users and groups, at application level, and at document level.
Tester's Role in Security Testing: as a tester, what is my role? (slide 36)

6: As a tester, what is my role? (slide 37)
• Provide evidence about the lack of vulnerabilities.
• Observing a potential vulnerability is enough to prompt a fix.

How can I observe a vulnerability? (slide 38)

6.1: My Observation Model (slide 39)
• It's a new methodology.
• A new technical practice to learn.

6.1: My Observation Model (slide 40)
Flowchart: check normal behavior → submit malicious input → check behavior again → does a vulnerability exist? If yes, prompt a fix; if no, continue.
• This is a technical practice that depends on the following: 1) crafting inputs; 2) observing behavior.

6.2: How to start security testing? (slide 41)
• Since my role as a tester is known, I need to know what a vulnerability is.
What is a vulnerability? (slide 42)

7: What is a vulnerability? (slide 43)
• The word "vulnerability" describes a problem (such as a programming bug or common configuration error) that allows a system to be attacked or broken into.
• How could that happen? See the next slide..

7: What is a vulnerability? (slide 44; image-only slide)

7: What is a vulnerability? (slide 45)
• Understanding the differences between vulnerability types will help you with: how you should test, how to report them, and how they get fixed.

What about these vulnerabilities? Let's see the following list.. (slide 46)

(slide 47; image-only slide)

Let's have some vulnerabilities in practice.. (slide 48)
8: Practice Plan.. (slide 49)
Security testing practice
• Attendees will try: SQL injection, XSS, URL tampering, Burp.
• Attendees will NOT try: DOM-based XSS, malicious files.

8.4: SQL Injection (slide 50)
• Enables a hacker to submit crafted input that interferes with the application's interaction with the back-end database.
• The hacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.

8.1: Guessing User Name or Password (slide 51)
• Open http://www.testfire.net/bank/
• Populate the user name field with: admin' OR 1=1 --
• Populate the password field with any value.

8.1: What happened at the backend? (slide 52)
With the input admin' OR 1=1 -- the SQL statement would look like:
SELECT * FROM users WHERE username = 'admin' OR 1=1 --';
Since validation is weak, this will either select the admin account or fall through to 1=1, which evaluates to true. In SQL terms this returns the entire users table, which could contain all sorts of other sensitive information.
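The observation model of slide 40 applied to the back end of slide 52, as an added example that is not part of the original deck: a constructed SQLite users table, the weakly validated query beside its parameterized fix, and a check that compares normal behavior with behavior on slide 51's input. The table contents and the function names are assumptions.

```python
import sqlite3

# Constructed sample users table (assumption; not data from the deck's testfire.net site).
SAMPLE_USERS = [("admin", "s3cret-admin"), ("jsmith", "password1"), ("alice", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    # Weak validation: the input is concatenated straight into the SQL text, so
    # the quote in admin' ends the string literal, OR 1=1 becomes part of the
    # WHERE clause, and -- comments out the password check entirely.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    # Fix: bound parameters are handed to the driver as data, so the quote and
    # the comment marker never reach the SQL parser as syntax.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def observe(login):
    """Slide 40's loop: check normal behavior, submit the crafted input,
    check behavior again, and decide whether a vulnerability exists."""
    conn = make_db()
    normal = login(conn, "admin", "wrong-password")        # a failed login: no rows
    crafted = login(conn, "admin' OR 1=1 --", "anything")  # slide 51's input
    return {
        "normal": normal,
        "crafted": crafted,
        # More rows for the crafted input than for a failed login means the
        # input changed the query's logic: prompt a fix.
        "vulnerable": len(crafted) > len(normal),
    }


if __name__ == "__main__":
    for name, fn in (("concatenated", login_vulnerable), ("parameterized", login_parameterized)):
        print(name, observe(fn))
```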
8.5: URL Tampering (slide 53)
Missing validation of the URL query reveals a vulnerability.

8.5: URL Tampering (slide 54)
• URLs consist of:
  Protocol: http:// (makes it possible to exchange web pages in HTML format)
  Password: user:password@ (makes it possible to specify the parameters required to access a secure server; optional)
  Server name: www.testfire.net/ (the domain name of the computer hosting the requested resource)
  Port: :80 (defines the type of resource being requested; optional)
  Path: /bank/account.html (defines the resource location, i.e. the directory)

8.5: No validation (slide 55)
• Open http://www.testfire.net/bank/
• Add the following parameter at the end of the URL: :id
• Run the URL; no validation appears.
• Add the following at the end of the URL: ?id=1'
• Run the URL; a directory page is opened.
This proves that malicious inputs are NOT validated.

8.5: Solution / defense mechanism (slide 56)
• All parameters should be sent from client to server via a valid session / server-side tokens.
• Prevent HTTP viewing of HTTPS-accessible pages.
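One way to implement slide 56's defense for the id parameter of slide 55, as an added example that is not the deck's or testfire.net's code: strict allowlist validation of the id (a malformed value such as 1' gets a plain 400, never an error or directory page), and an indirect per-session reference so the real identifier never travels in the URL. The account data, URL shapes and function names are constructed assumptions.

```python
import re
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed sample account store (assumption, not testfire.net data).
ACCOUNTS = {1: "checking", 2: "savings", 3: "brokerage"}

# Allowlist: a plain positive integer and nothing else.
ID_PATTERN = re.compile(r"^[1-9][0-9]{0,9}$")


def parse_account_id(url):
    """Return the id as an int, or None for anything that is not exactly
    one positive-integer id parameter (e.g. 1', 1;x, a repeated id)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("id", [])
    if len(values) != 1 or not ID_PATTERN.match(values[0]):
        return None
    return int(values[0])


def handle_request(url):
    """Direct-reference handler: reject malformed ids with a generic 400 so the
    response leaks nothing about how the back end is built."""
    account_id = parse_account_id(url)
    if account_id is None:
        return 400, "bad request"
    if account_id not in ACCOUNTS:
        return 404, "not found"
    return 200, ACCOUNTS[account_id]


class SessionReferences:
    """Indirect references: the client only ever sees a random per-session
    token, the real id stays server side, so editing the URL cannot address
    a record the session does not own."""

    def __init__(self, owned_ids):
        self._by_token = {secrets.token_urlsafe(16): i for i in owned_ids}

    def tokens(self):
        return list(self._by_token)

    def resolve(self, url):
        values = parse_qs(urlsplit(url).query).get("ref", [])
        if len(values) != 1:
            return 400, "bad request"
        account_id = self._by_token.get(values[0])
        if account_id is None:
            return 403, "forbidden"   # unknown or tampered token
        return 200, ACCOUNTS[account_id]
```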
8.6: Malicious Files (slide 57)
File name
• Can include a potential opportunity for injection attacks.
• For example: 'onerror=alert('xss')' a='.jpg
File type
• The "Zip of Death", which circulated in 2001 and targeted email virus checkers.
• If sent by email, this file will be unzipped for ever and bring the email server to a halt.
File size
• Files 100 times larger than normal usage will keep your application loading if they are attached.
• For example, try files of size 500MB.

8.6.1: Solution / Defense Mechanism (slide 58)
• Virus scanners.
• Anti-spam software.
8.7: Illegal Characters (slide 59)
• " unbalanced quotes
• ` accent grave
• &quot; HTML entities
• ' escaped quotes
Exercise:
• Open the Reliance home page.
• Use view source.
• Search for these characters.
• Are they escaped?

8.7.1: Solution / Defense Mechanism (slide 60)
• These characters should be filtered out of user input to prevent JavaScript and SQL injection.
• An attacker will guess which characters pass the filter and then try to use them.
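The view-source check of slide 59 together with the escaping advice of slide 60, as an added example that is not part of the deck: a probe string carrying each listed character between markers, a constructed template with and without output escaping, and a scanner over the returned page source that reports which characters came back unescaped. The template, marker and function names are assumptions.

```python
import html

# The characters slide 59 lists, with the entity each should become in HTML output.
ILLEGAL = {'"': "&quot;", "'": "&#x27;", "`": "&#x60;", "&": "&amp;"}


def render_unsafe(name):
    # Constructed template that drops user input straight into an attribute value.
    return '<input name="user" value="%s">' % name


def render_safe(name):
    # html.escape(quote=True) turns & " ' into entities; the backtick is handled
    # separately because html.escape leaves it alone and some browsers treated it
    # as an attribute delimiter.
    escaped = html.escape(name, quote=True).replace("`", "&#x60;")
    return '<input name="user" value="%s">' % escaped


def probe_string(marker="zq7"):
    """Input to submit: every illegal character, each fenced by a marker so it
    can be found again in the page source."""
    return marker + marker.join(ILLEGAL) + marker


def reflected_unescaped(source, marker="zq7"):
    """Slide 59's view-source step, automated: which probe characters appear
    verbatim (marker, raw character, marker) in the returned source? An empty
    set means every one of them was escaped."""
    return {c for c in ILLEGAL if marker + c + marker in source}


if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(name, sorted(reflected_unescaped(render(probe_string()))))
```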
9: Web Apps. Security Testing Tools (slide 61)
• Tool selection: the usefulness of any individual tool depends heavily on your context, particularly the web application's language and what you most need to protect.

9: Web Apps. Security Testing Tools (slide 62)
• Web proxies: WebScarab, provided by OWASP.
• Web scanners: cURL
• Inspection tools: Firefox plugins

Why are we using Burp? (slide 63)

9: Burp Suite (slide 64)
• Burp Suite is an integrated platform for performing security testing of web applications.
• It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results.

9: Burp Suite (slide 65; image-only slide)

Burp Suite (slide 66)
Contains the following tools: 1 Target, 2 Proxy, 3 Spider, 4 Scanner, 5 Sequencer, 6 Decoder, 7 Comparer, 8 Extender
9.1: Burp Suite (slide 67)
• Target: this tool contains detailed information about your target applications, and lets you drive the process of testing for vulnerabilities.
• Proxy: this is an intercepting web proxy that operates as a man-in-the-middle between the end browser and the target web application. It lets you intercept, inspect and modify the raw traffic passing in both directions.

9.1: Burp Suite (slide 68)
• Spider: this is an intelligent application-aware web spider that can crawl an application to locate its content and functionality.
• Scanner [Pro version]: this is an advanced web vulnerability scanner, which can automatically discover numerous types of vulnerabilities.

9.1: Burp Suite (slide 69)
• Intruder: this is a powerful tool for carrying out automated customized attacks against web applications. It is highly configurable and can be used to perform a wide range of tasks to make your testing faster and more effective.
• Repeater: this is a simple tool for manually manipulating and reissuing individual HTTP requests, and analyzing the application's responses.

9.1: Burp Suite (slide 70)
• Sequencer: this is a sophisticated tool for analyzing the quality of randomness in an application's session tokens or other important data items that are intended to be unpredictable.
• Decoder: this is a useful tool for performing manual or intelligent decoding and encoding of application data.

9.1: Burp Suite (slide 71)
• Comparer: this is a handy utility for performing a visual "diff" between any two items of data, such as pairs of similar HTTP messages.
• Extender: this lets you load Burp extensions, to extend Burp's functionality using your own or third-party code.
10: Conclusion & Recommendations (slide 72)
• Security vulnerabilities are our shared responsibility (developers, QA, technical support).
• Applying new techniques to your test case design and implementation reveals more vulnerabilities.

10: Conclusion & Recommendations (slide 73)
• Security testing is a hybrid testing methodology.
• Running periodic real-time security tests (using the Burp scanner) will help to discover new vulnerabilities.

Recommended books to read (slide 74)

11: References - Books (slide 75)
• Web Security Testing Cookbook, Paco Hope, 2009.
• The Web Application Hacker's Handbook, Dafydd Stuttard, 2007.
• The Myths of Security, John Viega, 2009.
• Cenzic Application Vulnerability Trends Report, 2013.
• ISTQB Glossary of Terms.
• Advanced Software Testing, Vol. 3, 2011.

11: References - Websites (slide 76)
• http://portswigger.net/burp/help/
• http://www.testfire.net/bank/
• http://www.example.com
• http://www.testingsecurity.com/
• http://code.google.com/p/dvwa/wiki/README

Questions! (slide 77)

Thank You! (slide 78)

Web applications security conference slides
