Web Application Security Testing - Aware in BugDay Bangkok 2012
1. "Quality is the link to Success"
Copyright © 2012 Aware Corporation Ltd.
2. Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
7. OWASP Top 10
OWASP (Open Web Application Security Project) is an organization that provides unbiased and
practical, cost-effective information about computer and Internet applications. Project members
include a variety of security experts from around the world who share their knowledge of
vulnerabilities, threats, attacks and countermeasures.
http://www.owasp.org
8. OWASP Top 10 Testing
Divided into 9 sub categories, 66 controls:
• Information Gathering
• Configuration Management
• Authentication
• Session Management
• Authorization
• Business Logic
• Data Validation
• Denial of Service
• Web Services
9. Top Attacks
• SQL Injection
– SQL injection is a technique that takes advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database.
• Cross Site Scripting
– Cross-site scripting (XSS) is a type of vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users.
• Authentication
– Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.
10. SQL Injection
1. Application presents a form to the attacker.
2. Attacker sends an attack in the form data.
3. Application forwards the attack to the database in a SQL query:
   "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
4. Database runs the query containing the attack and sends the encrypted results back to the application.
5. Application decrypts the data as normal and sends the results to the user.
(Diagram: the request passes from the attacker through firewall, hardened OS, web server, app server and custom code to the DB table of accounts; the returned account summary lists every account number in the table.)
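As an added example that is not part of the slides, the query from step 3 rebuilt in Python against an in-memory SQLite table: the version that concatenates the form value into the SQL text returns every account when fed the slide's `' OR 1=1--` input, while the parameterized version treats the same input as an account name and returns nothing. The table, column names and account owners are constructed sample data; the account numbers are the ones shown on the slide's diagram.

```python
import sqlite3

# Constructed sample table; the card numbers are the ones on the slide's diagram.
ACCOUNTS = [
    ("alice", "5424-6066-2134-4334"),
    ("bob", "4128-7574-3921-0192"),
    ("carol", "5424-9383-2039-4029"),
]

# The input the slide shows being sent in the form data (step 2).
SLIDE_PAYLOAD = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """Step 3 on the slide: the form value is concatenated straight into the
    SQL text, so a quote in the input becomes part of the query grammar."""
    sql = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, acct: str) -> list:
    """The fix: a bound parameter is always data, never SQL."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def demo() -> dict:
    """Row counts each version yields for a normal value and for the slide's payload."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_payload": len(lookup_vulnerable(conn, SLIDE_PAYLOAD)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_payload": len(lookup_parameterized(conn, SLIDE_PAYLOAD)),
    }


if __name__ == "__main__":
    # prints {'vulnerable_normal': 1, 'vulnerable_payload': 3,
    #         'parameterized_normal': 1, 'parameterized_payload': 0}
    print(demo())
```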
11. Cross Site Scripting
1. Attacker sets the trap – "update my profile": the attacker enters a malicious script into a web page that stores the data on the server (an application with a stored XSS vulnerability).
2. Victim views the page – sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the attacker the victim's session cookie.
14. Tools
• Proxies
– Burp Suite
– Paros
– WebScarab
– Fiddler
• FoxyProxy plugin
• Open source scanners
– Skipfish
15. Burp Suite
http://portswigger.net/proxy/
16. Foxy Proxy
https://addons.mozilla.org/en-US/firefox/addon/2464/
17. Skipfish
A fully automated, active web application security reconnaissance tool. It detects, among others:
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS.
* Directory listing bypass vectors.
* External untrusted embedded content.
http://code.google.com/p/skipfish/
18. Cheat Sheet
19. Cheat Sheet
21. RISK
• Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business.
Risk = Likelihood * Impact
23. Threat Risk
DREAD:
• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability