1
Hands on Demonstration for Testing Security in Web Applications
Aaron Weaver August 2010
2
Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
3
In the news...
4
the Solution?
5
AND NO Not in the Cloud!
6
Web Application Security Testing
7
OWASP Top 10 list
8
Top attacks
• SQL Injection
• Cross Site Scripting
• Authentication
9
SQL Injection

"SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data (form fields: Account, SKU)
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user (HTTP response: Account Summary)

(Diagram: the HTTP request crosses the network layer (firewall, hardened OS), the web server and app server, then the application layer's custom code and business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce) before reaching the databases, legacy systems, web services, directories, human resources and billing back ends.)
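The five steps above come down to one defect: the form value is spliced into the SQL text, so the database cannot tell data from query. The following added example (not code from the presentation) reproduces that with Python's built-in sqlite3 module on a constructed in-memory `accounts` table, showing the concatenated query from the slide beside the parameterised form that fixes it. Table contents and the helper names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data standing in for the slide's "accounts" table.
SAMPLE_ACCOUNTS = [("alice", 100), ("bob", 250), ("carol", 75)]

# The input a tester types into the Account field; it yields the query shown on the slide.
SLIDE_PAYLOAD = "' OR 1=1--"


def make_db():
    """Create an in-memory database with a few accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 on the slide: the form value becomes part of the SQL text.

    With acct = "' OR 1=1--" the statement sent to the database is
    SELECT * FROM accounts WHERE acct='' OR 1=1--'
    and the WHERE clause is true for every row.
    """
    query = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, acct):
    """Parameterised query: the driver binds acct as a value, never as SQL.

    The same payload is now compared literally against the acct column and
    matches nothing.
    """
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", lookup_vulnerable(db, SLIDE_PAYLOAD))   # every account
    print("parameterised:", lookup_safe(db, SLIDE_PAYLOAD))        # []
    print("normal lookup:", lookup_safe(db, "alice"))              # [('alice', 100)]
```

When testing, compare the two responses: a lookup for a nonsense account that returns every row is the signature of the concatenated form.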
10
Cross-Site Scripting (stored XSS)

1. Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server (application with stored XSS vulnerability)
2. Victim views page – sees attacker profile: the script runs inside the victim's browser with full access to the DOM and cookies
3. Script silently sends the attacker the victim's session cookie

(Diagram: the stored script sits in the application's custom code and business functions tier: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce.)
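The slide's three steps rely on the profile text being stored and later written into HTML unchanged. This added example (not the presentation's code) models that with a constructed in-memory profile store: an unsafe renderer that pastes the stored bio into the page, a hardened renderer that HTML-encodes it with Python's `html.escape`, and an HttpOnly session cookie as the defence-in-depth control for step 3. The store, the renderer names and the sample bio are assumptions; the attacker input is a harmless alert rather than a cookie-stealing script.

```python
import html

# Constructed in-memory profile store standing in for the application's database.
PROFILES = {}


def save_profile(user, bio):
    """Step 1: the server stores whatever the user submitted, unchanged."""
    PROFILES[user] = bio


def render_profile_unsafe(user):
    """Vulnerable rendering: the stored bio is written straight into the HTML.

    A <script> tag saved in step 1 is therefore executed in every viewer's
    browser (step 2), with the page's DOM and cookies in reach.
    """
    return '<h1>Profile</h1><div class="bio">' + PROFILES[user] + "</div>"


def render_profile_safe(user):
    """Hardened rendering: HTML-encode the stored text before it reaches the page.

    The browser now shows the tag as literal text instead of executing it.
    """
    return '<h1>Profile</h1><div class="bio">' + html.escape(PROFILES[user], quote=True) + "</div>"


def session_cookie_header(session_id):
    """Defence in depth for step 3: an HttpOnly cookie is not exposed through
    document.cookie, so a script that does run cannot read the session id."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure; SameSite=Lax"


# Constructed attacker input for the demonstration.
ATTACKER_BIO = "<script>alert('stored xss')</script>"


if __name__ == "__main__":
    save_profile("mallory", ATTACKER_BIO)
    print(render_profile_unsafe("mallory"))   # script tag intact
    print(render_profile_safe("mallory"))     # &lt;script&gt;...&lt;/script&gt;
    print(session_cookie_header("example-session-id"))
```

Output encoding has to match the context the data lands in; `html.escape` covers element content and quoted attribute values, which is the case here.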
11
Authentication
12
Tools Overview
13
Tools
• Proxies: Burp Suite, Paros, WebScarab, Fiddler, FoxyProxy plugin
• Open source scanners: Skipfish
14
Burp Suite
15
FoxyProxy Browser Plugin
16
Skipfish: a fully automated, active web application security reconnaissance tool
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS
* Directory listing bypass vectors.
* External untrusted embedded content.
17
Cheat Sheet
18
Quick Cheat Sheet
19
Cheat Sheet
20
AppSec Tools Demonstration
21
Prioritizing
22
Threat Risk: DREAD (Damage potential, Reproducibility, Exploitability, Affected users, Discoverability)

Damage potential
• If a threat exploit occurs, how much damage will be caused?
◦ 0 = Nothing
◦ 5 = Individual user data is compromised or affected.
◦ 10 = Complete system or data destruction
Reproducibility
• How easy is it to reproduce the threat exploit?
◦ 0 = Very hard or impossible, even for administrators of the application.
◦ 5 = One or two steps required, may need to be an authorized user.
◦ 10 = Just a web browser and the address bar is sufficient, without authentication.
Exploitability
• What is needed to exploit this threat?
◦ 0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
◦ 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
◦ 10 = Just a web browser
Affected Users
• How many users will be affected?
◦ 0 = None
◦ 5 = Some users, but not all
◦ 10 = All users
Discoverability
• How easy is it to discover this threat?
◦ 0 = Very hard to impossible; requires source code or administrative access.
◦ 5 = Can figure it out by guessing or by monitoring network traces.
◦ 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
◦ 10 = The information is visible in the web browser address bar or in a form.
23
Scoring: D + R + E + A + D, each factor rated 0-3 = Total (0-15)
24
Severity Rating
• Low: 1-7
• Medium: 8-10
• High: 11-14
• Critical: 15
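The scoring and severity slides together give a small prioritisation procedure: rate each DREAD factor 0-3, sum to a 0-15 total, and read the rating off the Low/Medium/High/Critical bands. This added example (not part of the presentation) implements that procedure in Python and ranks a constructed list of findings so the highest-risk defect is triaged first. It uses the 0-3 per-factor scale from the Scoring slide, since that is the scale whose totals match the severity bands; the finding titles, their ratings and the "Unrated" label for a total of 0 (which the slide's table does not cover) are assumptions.

```python
from dataclasses import dataclass

# Per-factor scale from the Scoring slide: each of D, R, E, A, D is rated 0-3.
FACTOR_MIN, FACTOR_MAX = 0, 3
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

# Severity bands from the Severity Rating slide (inclusive total-score ranges).
SEVERITY_BANDS = (
    (15, 15, "Critical"),
    (11, 14, "High"),
    (8, 10, "Medium"),
    (1, 7, "Low"),
)


@dataclass
class Finding:
    title: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def ratings(self):
        return [getattr(self, name) for name in FACTORS]


def dread_total(finding):
    """Sum the five factor ratings after checking each one is an integer in 0-3."""
    for name, value in zip(FACTORS, finding.ratings()):
        if not isinstance(value, int) or not FACTOR_MIN <= value <= FACTOR_MAX:
            raise ValueError(f"{name} must be an integer in {FACTOR_MIN}-{FACTOR_MAX}, got {value!r}")
    return sum(finding.ratings())


def severity(total):
    """Map a 0-15 total to the deck's severity rating."""
    for low, high, label in SEVERITY_BANDS:
        if low <= total <= high:
            return label
    # A total of 0 falls outside the slide's table; labelled explicitly (assumption).
    return "Unrated"


def rank_findings(findings):
    """Return (title, total, severity) rows, highest-risk first, for triage."""
    scored = []
    for finding in findings:
        total = dread_total(finding)
        scored.append((finding.title, total, severity(total)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample findings (not from the presentation) to show the ranking.
SAMPLE_FINDINGS = [
    Finding("Session timeout longer than policy", 1, 1, 1, 2, 1),
    Finding("SQL injection in account lookup", 3, 3, 3, 3, 3),
    Finding("Verbose error page leaks stack trace", 1, 3, 1, 1, 3),
    Finding("Stored XSS in profile bio", 3, 3, 2, 3, 2),
]


if __name__ == "__main__":
    for title, total, rating in rank_findings(SAMPLE_FINDINGS):
        print(f"{total:2d}  {rating:8s}  {title}")
```

Keeping the bands and factor range as data rather than inline comparisons makes it straightforward to swap in another scheme from the next slide (OWASP Risk Ranking, CVSS) without touching the ranking logic.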
25
Threat Risk Modeling
• STRIDE (Microsoft)
• OWASP Risk Ranking
• Trike
• CVSS
26
Questions?
27
Thanks!