Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Security Testing A practitioner’s rambling advice & musings.

Published byLawrence Cummings Modified over 9 years ago

Similar presentations

Presentation on theme: "Application Security Testing A practitioner’s rambling advice & musings."— Presentation transcript:

1 Application Security Testing A practitioner’s rambling advice & musings

2 Who am I? Security testing and software development for 13 years Manage a large FIs penetration testing team Blah blah blah

3 APPLICATION SECURITY TESTING The basics of…

4 Types of Testing Black box White box Grey box

5 Step Zero – Reconnaissance What does the app do? What are some assumptions that are made? Platform? Language? Identify the attack surface Etc…

6 User Inputs Ports Pipes Form inputs Cookies Headers Web Services Etc….

7 Step One - Test Cases Security testing What if…? – What if I put in a -1 in the transfer amount field? How does it…? – Does the server handle a 10 mb file being uploaded? Will it handle…? Etc…

8 Step Two - Attacks- aka the fun part Confirmation and refinement of test cases Your first attack is often wrong Tools are great for the low-hanging fruit

9 Most Useful Tools Your brain Attack proxy (ZAP, Burp, Fiddler, etc…) IDE / Editor Google is your friend Your brain

10 CODE READING 101

11 Many different ways Some approaches – User-interface down – Grep – Functional points – Etc…

12 Some hints Look at APIs being used, and are they correct. – HINT: esc_sql in Wordpress It should be noted that this function will only escape values to be used in strings in the query, as shown in the above example. That is, it only provides escaping for values that will be within quotes (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}.

13 Hints Continued… ” />  XSS – No encoding – Make sure encoding is correct for the context

14 Common Vulnerabilities Cross-site Scripting SQL injection Cross-site request forgery File upload

15 IN THE ENTERPRISE Testing

16 Types of Environments Large enterprises Consultancies Technology companies Government

17 What Your Work Looks Like…

18 Common Drivers Compliance Risk Nation states Business

19 What does testing look like? Short duration Very little depth (usually) Way too many targets… way too little time – Looked at a different way lots of fun could be had

20 HOW TO IMPROVE

21 Obligatory Disclaimer Read the rules Don’t be a Donkey Education purposes

22 Resources Vulnerable apps Bug bounties CVEs Code check-ins Write your own code!

23 Questions?

24 THE LAB

25 WordPress Background PHP and MySQL Plugins – stored in /wp-content/plugins Themes – stored in /wp-content/themes

26 VM Has four vulnerable plugins installed – Gravity forms – blind SQLi – Ab-google-map-travel – persistent XSS – Wordpress SEO – blind SQLi – Inboundio-marketing – remote shell upload Read the code Test cases Admin login: – user – bitnami

27 Useful Links Bug Bounties – https://www.facebook.com/BugBounty https://www.facebook.com/BugBounty – http://www.google.com/about/appsecurity/reward-program/ http://www.google.com/about/appsecurity/reward-program/ – https://hackerone.com/programs https://hackerone.com/programs CVE - https://cve.mitre.org/ https://cve.mitre.org/ https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Download ppt "Application Security Testing A practitioner’s rambling advice & musings."

Similar presentations

Webgoat.

Webgoat.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.

W3af LUCA ALEXANDRA ADELA – MISS 1. w3af  Web Application Attack and Audit Framework  Secures web applications by finding and exploiting web application.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
PHP Security.

PHP Security.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.

Twin Cities Java User Group Introduction to Writing Secure Web Applications March 9th, 2009 Jason Dean Minnesota Department of Health.

Similar presentations

Ads by Google