Application Security Testing A practitioner’s rambling advice & musings.

Slides:



Advertisements
Similar presentations
Webgoat.
Advertisements

Web Security Never, ever, trust user inputs Supankar.
Hands on Demonstration for Testing Security in Web Applications
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 4 Application Security Knowledge and Test Prep
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Introduction to Application Penetration Testing
PHP Security.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Penetration Testing James Walden Northern Kentucky University.
A Security Review Process for Existing Software Applications
Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Web 2.0 Security James Walden Northern Kentucky University.
Attacking Applications: SQL Injection & Buffer Overflows.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
AppSec USA 2014 Denver, Colorado CMS Hacking 101 Hacking and Securing Popular Open Source Content Management Systems.
The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.
Hands-On with RailsGoat WEB APPLICATION SECURITY TESTING.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
A Tale of Two Bugs. This Fall has been bad Let’s look at two CVE AKA “Shellshock” CVE AKA “Drupalgeddon”
CSCE 548 Secure Software Development Taxonomy of Coding Errors.
Web Applications Testing By Jamie Rougvie Supported by.
Security (Keep your site secure at extension level) Sergey Gorstka Fastw3b.
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
TESTING FOR VULNERABILITIES AND APPLICATION SECURITY REVIEW George-Alexandru Andrei CTO BIT SENTINEL.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.
EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Introduction of XSS:-- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Web Applications on the battlefield Alain Abou Tass.
Ken De Souza KWSQA, April 2016 V. 1.0
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
“Why is my blog selling boner pills?” An introduction to common web application attacks such as SQLi, XSS and command injection.
Group 18: Chris Hood Brett Poche
WEB APPLICATION TESTING
World Wide Web policy.
Cross-Site Scripting Travis Deyarmin.
WordPress Development Company It is open source content management (CMS) system based on PHP and MySQL. Wordpress have highly competition in the website.
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
A Security Review Process for Existing Software Applications
What is a CMS. CMS is content management system CMS is a software that stores content.
Web Hacking: Beginners
Zach Garcia Keith Reiter
CS5123 Software Validation and Quality Assurance
Lecture 27 Security I April 4, 2018 Open news web sites.
Enterprise Class Security Scanner
Presentation transcript:

Application Security Testing A practitioner’s rambling advice & musings

Who am I? Security testing and software development for 13 years Manage a large FIs penetration testing team Blah blah blah

APPLICATION SECURITY TESTING The basics of…

Types of Testing Black box White box Grey box

Step Zero – Reconnaissance What does the app do? What are some assumptions that are made? Platform? Language? Identify the attack surface Etc…

User Inputs Ports Pipes Form inputs Cookies Headers Web Services Etc….

Step One - Test Cases Security testing What if…? – What if I put in a -1 in the transfer amount field? How does it…? – Does the server handle a 10 mb file being uploaded? Will it handle…? Etc…

Step Two - Attacks- aka the fun part Confirmation and refinement of test cases Your first attack is often wrong Tools are great for the low-hanging fruit

Most Useful Tools Your brain Attack proxy (ZAP, Burp, Fiddler, etc…) IDE / Editor Google is your friend Your brain

CODE READING 101

Many different ways Some approaches – User-interface down – Grep – Functional points – Etc…

Some hints Look at APIs being used, and are they correct. – HINT: esc_sql in Wordpress It should be noted that this function will only escape values to be used in strings in the query, as shown in the above example. That is, it only provides escaping for values that will be within quotes (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}.

Hints Continued… ” />  XSS – No encoding – Make sure encoding is correct for the context

Common Vulnerabilities Cross-site Scripting SQL injection Cross-site request forgery File upload

IN THE ENTERPRISE Testing

Types of Environments Large enterprises Consultancies Technology companies Government

What Your Work Looks Like…

Common Drivers Compliance Risk Nation states Business

What does testing look like? Short duration Very little depth (usually) Way too many targets… way too little time – Looked at a different way lots of fun could be had

HOW TO IMPROVE

Obligatory Disclaimer Read the rules Don’t be a Donkey Education purposes

Resources Vulnerable apps Bug bounties CVEs Code check-ins Write your own code!

Questions?

THE LAB

WordPress Background PHP and MySQL Plugins – stored in /wp-content/plugins Themes – stored in /wp-content/themes

VM Has four vulnerable plugins installed – Gravity forms – blind SQLi – Ab-google-map-travel – persistent XSS – Wordpress SEO – blind SQLi – Inboundio-marketing – remote shell upload Read the code Test cases Admin login: – user – bitnami

Useful Links Bug Bounties – – – CVE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.