Web Application Penetration Testing

Presentation transcript:

Web Application Penetration Testing: Frugal Web Application Penetration Testing, BSides 2017

Who are we?
- Information Security Consultants
- Web Application Penetration Testers
- Padawan Hackers
Harshal Chandorkar, Natalia Wadden

How did we get here? Take a ride with us…

Lone Soldier
Penetration tests executed by vendors include:
- Severity ratings
- Risk ratings
- Scope
- False positives
- Quality and POC
- Cost
Let's see if we can go head to head:
- Execute pentest
- Adjust ratings/risks
- Capture full scope
- Eliminate false positives
- Provide POCs

Readying the Army on a Shoestring Budget
- Interest
- Desire to learn
- Perseverance
- Technical skills assessment
- Training: open-source, free (e.g. DVWA, Mutillidae, Metasploitable, Security Shepherd)
- Day-to-day technical challenges (e.g. incident handling)
- Hand holding

Maturing the Program
- Inventory of your web applications
- Planning
- Information gathering
- Execution of pentests
- Reporting
- Artifacts
- Metrics for Sr. Management

The Dirty Talk About Time & Money

Security Testing Methodology Life Cycle: Planning, Gathering Information, Discovering Vulnerabilities, Reporting Findings, Walkthrough

Planning
- Working with the project team/support team to clearly define scope and rules of engagement
- Obtain written approval
- Confirm timing and agree on a schedule

Gathering Information
- Collecting and examining key information
- Environment walkthrough
- Review prior test results if available
- Obtain credentials if required

Discovering Vulnerabilities
- Finding existing vulnerabilities using manual and automated techniques
- OWASP Top 10
- Company-specific business logic

Reporting Findings
- Providing high-level findings, a detailed report and POC evidence
- Portswigger Burp logs, SQLMap, XSSer

Walkthrough
- Walk through where findings were found
- Demonstrate how bad it can be

Webapp Pentesting Tools
Frequently used: Portswigger BurpSuite Professional, SQLMap
Supplemental: XSSer, Nikto, OWASP ZAP

A Few Burp Extenders That We Use
- CO2
- Active Scan++
- CSRF Scanner
- Code DX
- Logger++
- Software Vulnerability Scanner
- Software Version Reporter

Webapp Pentest Report

Webapp Pentest Report

Sample: Webapp Pentest Framework based on OWASP Top 10

Web Methods
- Did the tester note that the site allows basic web methods (e.g. PUT, GET, POST, HEAD, OPTIONS, DELETE)?

Reflected Cross-site Scripting
- Did the tester input a payload? What was the result? Was it reflected?
- Did the tester view the source?

Clickjacking/Cross Site Framing (XSF)
- X-Frame-Options: set to DENY or SAMEORIGIN?
- HTML iframe POC created? Did it successfully load the site?

CSRF
- Is the token randomly generated?
- Did the tester note whether CSRF is present on a GET request?
- Did the tester create a POC HTML file to execute against the site? Was the file successfully loaded on the site?
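As an added example (not from the talk), a small Python script that applies four of these checklist items to captured responses so the report evidence can be scored consistently; the sample responses, the probe string and the csrf_token field name are constructed for illustration.

```python
"""Score captured HTTP responses against the checklist items above.
Added example; sample responses and field names are constructed assumptions."""
import html
import re

SAFE_XFO = {"DENY", "SAMEORIGIN"}          # X-Frame-Options values the checklist accepts
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}  # methods worth noting in the report
MARKER = "<bsides17>"                       # harmless probe string for the reflection test

def parse_response(raw):
    """Split a raw HTTP/1.1 response into a lower-cased header dict and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def framing_protected(headers):
    """Clickjacking item: X-Frame-Options must be present and DENY or SAMEORIGIN."""
    return headers.get("x-frame-options", "").upper() in SAFE_XFO

def risky_methods(headers):
    """Web Methods item: methods from the Allow header (OPTIONS reply) to flag."""
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return sorted(allowed & RISKY_METHODS)

def reflection(body, marker=MARKER):
    """Reflected XSS item: did the probe come back raw, HTML-encoded, or not at all?"""
    if marker in body:
        return "raw"        # angle brackets survived output encoding: follow up manually
    if html.escape(marker) in body:
        return "encoded"
    return "absent"

def csrf_tokens_differ(bodies, field="csrf_token"):
    """CSRF item: tokens from separate sessions must all differ to count as random."""
    pat = re.compile(r'name="%s"\s+value="([^"]*)"' % re.escape(field))
    tokens = []
    for b in bodies:
        m = pat.search(b)
        if m:
            tokens.append(m.group(1))
    return len(tokens) == len(bodies) and len(set(tokens)) == len(tokens)

# Constructed samples: one OPTIONS reply and the same form page fetched in two sessions
OPTIONS_REPLY = ("HTTP/1.1 200 OK\r\nAllow: GET, POST, PUT, DELETE, OPTIONS\r\n"
                 "X-Frame-Options: ALLOWALL\r\n\r\n")
PAGE_A = ('HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n<form>'
          '<input type="hidden" name="csrf_token" value="a1b2c3"></form>'
          'q=&lt;bsides17&gt;')
PAGE_B = PAGE_A   # the second session returned the identical token: not random
```

Run `framing_protected`, `risky_methods`, `reflection` and `csrf_tokens_differ` on `parse_response` output and paste the results next to the checklist item as the POC evidence.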

Leveraging Burp Extenders With Other Free Tools

Incidents happen, but is it fair to blame us?
- Understand the incident
- Review all evidence presented
- Obtain the tester's logs
- Provide proof
- Understand impact

Webapp Pentest Tracking

Log Extraction

Questions and Takeaways
- Burp History Converter -> https://github.com/mrts/burp-suite-http-proxy-history-converter
- Payloads (xss | passwords | directory busters | and more...) -> https://github.com/foospidy/payloads
- CORS -> https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains
- Pentest Resources (web report tracking | database | checklists) -> http://harshdevx.com/codex/ptest.zip
- General reading -> http://www.adeptus-mechanicus.com/learn/nwadden.php
- General reading -> http://www.adeptus-mechanicus.com/learn/harshalc.php
- General reading and download resources -> http://harshdevx.com
- OWASP Top Ten -> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Burp Suite Support Centre -> https://support.portswigger.net/
- DVWA -> https://github.com/ethicalhack3r/DVWA
- Mutillidae -> https://sourceforge.net/projects/mutillidae/
- Metasploitable -> https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
- SANS -> https://sans.org
- Other security resources -> https://www.cisecurity.org/cis-benchmarks/

Thank You
Harshal Chandorkar: business.harshal@gmail.com, @harshdevx, ca.linkedin.com/in/harshalchandorkar
Natalia Wadden: wadden.natalia@gmail.com, @nataliawadden, ca.linkedin.com/in/nataliawadden
Additional resources:
- DVWA -> http://www.dvwa.co.uk/
- CORS -> https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-cross-origin-resource-sharing/