“Quality is the link to Success”
Copyright © 2012 Aware Corporation Ltd.
Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
Testing Security in Web Applications
Case Studies
Web Application Security Testing
Different Security Standards
OWASP Top 10
OWASP (Open Web Application Security Project) is an organization that provides unbiased, practical and cost-effective information about computer and Internet applications. Project members include a variety of security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures.

http://www.owasp.org
OWASP Top 10 Testing

Divided in 9 sub categories and 66 controls:
• Information Gathering
• Configuration Management
• Authentication
• Session Management
• Authorization
• Business Logic
• Data Validation
• Denial of Service
• Web Services
Top Attacks

• SQL Injection
  – SQL injection is a technique that takes advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database.

• Cross Site Scripting
  – Cross-site scripting (XSS) is a type of security vulnerability typically found in Web applications (and, through breaches of browser security, in web browsers themselves) that enables attackers to inject client-side script into Web pages viewed by other users.

• Authentication
  – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions.
SQL Injection

[Figure: the OWASP SQL injection illustration. The attack travels from the attacker's browser over HTTP through the Application Layer (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions; Custom Code on an App Server, Web Server and Hardened OS), across the Network Layer (Firewall), into the DB Table (Legacy Systems, Web Services, Directories, Human Resrcs, Billing, Databases), and the SQL response flows back the same way.]

1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query:
   "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user (the figure shows an Account Summary listing every account number in the table)
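The five steps above, replayed against an in-memory SQLite table. This is an added example, not code from the slides: the vulnerable lookup pastes the form value into the SQL text exactly as step 3 describes, so the slide's payload `' OR 1=1--` returns every row, while a parameterised lookup treats the same input as data and matches nothing. The account rows are constructed.

```python
"""Added example (not code from the original slides): the five-step SQL injection
walk-through above, replayed against an in-memory SQLite table of constructed
sample accounts. The vulnerable lookup builds the query text by string
formatting exactly as step 3 describes, so the slide's payload  ' OR 1=1--
turns a single-account lookup into a dump of every row; the parameterised
lookup sends the same input as a bound value and matches nothing."""
import sqlite3

# Constructed sample rows; the account numbers are made up for this example.
SAMPLE_ACCOUNTS = [
    ("1001-0001", "alice", 1000.00),
    ("1001-0002", "bob", 250.50),
    ("1001-0003", "carol", 99999.00),
]

# The attack string shown on the slide (step 2, "attacker sends an attack in the form data").
SLIDE_PAYLOAD = "' OR 1=1--"


def make_db() -> sqlite3.Connection:
    """Create the 'accounts' table from the slide's query and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def build_vulnerable_query(acct: str) -> str:
    """Step 3 as the slide shows it: the form value is pasted into the SQL text.
    With SLIDE_PAYLOAD this yields the slide's query, where '' OR 1=1 is always
    true and -- comments out the trailing quote."""
    return f"SELECT * FROM accounts WHERE acct='{acct}'"


def lookup_vulnerable(conn: sqlite3.Connection, acct: str) -> list:
    """Run the concatenated query (step 4); every row comes back for the payload."""
    return conn.execute(build_vulnerable_query(acct)).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, acct: str) -> list:
    """The fix: a bound parameter is never parsed as SQL, so the payload is just
    a (non-existent) account number and no row matches."""
    return conn.execute("SELECT * FROM accounts WHERE acct = ?", (acct,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(SLIDE_PAYLOAD))
    print("vulnerable   :", len(lookup_vulnerable(db, SLIDE_PAYLOAD)), "rows")
    print("parameterised:", len(lookup_parameterised(db, SLIDE_PAYLOAD)), "rows")
```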
Cross Site Scripting

[Figure: the OWASP stored XSS illustration, an application with a stored XSS vulnerability (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Custom Code).]

1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie
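The three steps above modelled as a profile page, as an added example rather than code from the slides. The naive renderer emits the stored bio unchanged, so the script saved in step 1 reaches every viewer in step 2; the hardened renderer HTML-encodes it on output, and the session cookie is issued HttpOnly so a script that does run cannot read it (step 3). The bio text, template and cookie name are this example's own assumptions.

```python
"""Added example (not code from the original slides): the three-step stored XSS
sequence above, modelled as a profile page. The naive renderer places the
stored bio into the HTML unchanged, so a script tag the attacker saved in step 1
reaches every viewer's browser in step 2; the hardened renderer HTML-encodes
the bio on output, and the session cookie is issued HttpOnly so that a script
which does run cannot read it (step 3). Names below are this example's own."""
import html

# Constructed attacker bio standing in for the slide's step 1. The script here
# only shows the cookie in an alert; any script in this position runs with the
# same access to the DOM and cookies as the page itself.
STORED_PROFILE = "Hi, I am <b>new</b> here. <script>alert(document.cookie)</script>"

PAGE_TEMPLATE = '<html><body><h1>Profile</h1><div class="bio">{bio}</div></body></html>'


def render_vulnerable(bio: str) -> str:
    """Step 2 as the slide shows it: whatever was stored is emitted as markup."""
    return PAGE_TEMPLATE.format(bio=bio)


def render_hardened(bio: str) -> str:
    """Output-encode the stored text: <, >, &, and quotes become entities, so the
    browser displays the script tag as text instead of executing it."""
    return PAGE_TEMPLATE.format(bio=html.escape(bio, quote=True))


def contains_script_tag(page: str) -> bool:
    """Simple check used by this example: does a raw <script tag survive in the page?"""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Issue the session cookie with HttpOnly so document.cookie never exposes it
    to script, plus Secure and SameSite as defence in depth."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_vulnerable(STORED_PROFILE))
    print(render_hardened(STORED_PROFILE))
    print(session_cookie_header("example-session-id"))
```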
Authentication
Tools Overview

Tools
• Proxies
  – Burp Suite
  – Paros
  – WebScarab
  – Fiddler
• FoxyProxy plugin
• Open source scanners
  – Skipfish
Burp Suite
http://portswigger.net/proxy/
FoxyProxy
https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish

A fully automated, active web application security reconnaissance tool. Among the issues it detects:
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS.
* Directory listing bypass vectors.
* External untrusted embedded content.

http://code.google.com/p/skipfish/
Cheat Sheet

Tools Demonstration
RISK

• Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business.

Risk = Likelihood * Impact
Prioritizing RISK
Threat Risk

DREAD:
• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability
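One way to turn the two slides above into a priority order, as an added example and not the deck's own method: each finding is rated on the five DREAD factors, three of them feed the Likelihood side and two the Impact side of Risk = Likelihood * Impact, and findings are sorted by the result. The grouping of factors, the 1-10 scale and the sample findings are this example's own assumptions.

```python
"""Added example (not code from the original slides): ranking findings with the
two formulas on the slides, Risk = Likelihood * Impact and the DREAD factors.
The grouping of the five factors into a likelihood side (Reproducibility,
Exploitability, Discoverability) and an impact side (Damage potential,
Affected users), the 1-10 scale and the findings are this example's own
assumptions, not the deck's."""
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class Finding:
    name: str
    damage: int           # D: Damage potential
    reproducibility: int  # R: Reproducibility
    exploitability: int   # E: Exploitability
    affected_users: int   # A: Affected users
    discoverability: int  # D: Discoverability

    def __post_init__(self) -> None:
        # Every DREAD factor is rated on the 1..10 scale assumed by this example.
        for f in fields(self):
            if f.type is int and not 1 <= getattr(self, f.name) <= 10:
                raise ValueError(f"{f.name} must be between 1 and 10")


def likelihood(f: Finding) -> float:
    """How likely the attack is: easy to reproduce, exploit and discover."""
    return (f.reproducibility + f.exploitability + f.discoverability) / 3


def impact(f: Finding) -> float:
    """How bad it is when it happens: damage done and users affected."""
    return (f.damage + f.affected_users) / 2


def risk(f: Finding) -> float:
    """The slide's formula, Risk = Likelihood * Impact (1..100 on this scale)."""
    return likelihood(f) * impact(f)


def dread_average(f: Finding) -> float:
    """Plain DREAD score (mean of the five factors), kept for comparison."""
    return (f.damage + f.reproducibility + f.exploitability
            + f.affected_users + f.discoverability) / 5


def prioritise(findings: list) -> list:
    """Order findings so the highest Risk is fixed first."""
    return sorted(findings, key=risk, reverse=True)


# Constructed findings of the kinds the deck discusses.
SAMPLE_FINDINGS = [
    Finding("Verbose server banner", damage=2, reproducibility=10,
            exploitability=3, affected_users=1, discoverability=10),
    Finding("Stored XSS in profile bio", damage=7, reproducibility=10,
            exploitability=7, affected_users=8, discoverability=9),
    Finding("SQL injection in account lookup", damage=10, reproducibility=10,
            exploitability=8, affected_users=10, discoverability=8),
]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk(f):6.1f}  {f.name}")
```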

HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 

Web Application Security Testing - Aware in BugDay Bangkok 2012

  • 1. “Quality is the link to Success” Copyright © 2012 Aware Corporation Ltd.
  • 2. Agenda • What kind of application security vulnerabilities should be tested? • Methodology for testing • Open source tools available • Prioritizing application security defects Copyright © 2012 Aware Corporation Ltd.
  • 3. Testing Security in Web Applications Copyright © 2012 Aware Corporation Ltd.
  • 4. Case Studies Copyright © 2012 Aware Corporation Ltd.
  • 5. Web Application Security Testing Copyright © 2012 Aware Corporation Ltd.
  • 6. Different Security Standards Copyright © 2012 Aware Corporation Ltd.
  • 7. OWASP Top 10 OWASP (Open Web Application Security Project) is an organization that provides unbiased and practical, cost-effective information about computer and Internet applications. Project members include a variety of security experts from around the world who share their knowledge of vulnerabilities, threats, attacks and countermeasures. http://www.owasp.org Copyright © 2012 Aware Corporation Ltd.
  • 8. OWASP Top 10 Testing – divided in 9 sub categories and 66 controls: Information Gathering, Configuration Management, Authentication, Session Management, Authorization, Business Logic, Data Validation, Denial of Service, Web Services. Copyright © 2012 Aware Corporation Ltd.
  • 9. Top Attacks • SQL Injection – SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. • Cross Site Scripting – Cross-site scripting (XSS) is a vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. • Authentication – Authentication and session management includes all aspects of handling user authentication and managing active sessions. Authentication is a critical aspect of this process, but even solid authentication mechanisms can be undermined by flawed credential management functions. Copyright © 2012 Aware Corporation Ltd.
  • 10. SQL Injection (diagram: the HTTP request passes the firewall, hardened OS, web server and app server into custom code, which issues the SQL query against the DB table) 1. Application presents a form to the attacker. 2. Attacker sends an attack in the form data. 3. Application forwards attack to the database in a SQL query: "SELECT * FROM accounts WHERE acct='' OR 1=1--'". 4. Database runs query containing attack and sends encrypted results back to application (Account Summary listing every account number). 5. Application decrypts data as normal and sends results to the user. Copyright © 2012 Aware Corporation Ltd.
  • 11. Cross Site Scripting (diagram: application with stored XSS vulnerability) 1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server. 2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies. 3. Script silently sends attacker victim’s session cookie. Copyright © 2012 Aware Corporation Ltd.
  • 12. Authentication Copyright © 2012 Aware Corporation Ltd.
  • 13. Tools Overview Copyright © 2012 Aware Corporation Ltd.
  • 14. Tools • Proxies – Burp Suite – Paros – WebScarab – Fiddler • FoxyProxy plugin • Open source scanners – Skipfish Copyright © 2012 Aware Corporation Ltd.
  • 15. Burp Suite http://portswigger.net/proxy/ Copyright © 2012 Aware Corporation Ltd.
  • 16. Foxy Proxy https://addons.mozilla.org/en-US/firefox/addon/2464/ Copyright © 2012 Aware Corporation Ltd.
  • 17. Skipfish A fully automated, active web application security reconnaissance tool * Server-side SQL injection (including blind vectors, numerical parameters). * Stored and reflected XSS. * Directory listing bypass vectors. * External untrusted embedded content. http://code.google.com/p/skipfish/ Copyright © 2012 Aware Corporation Ltd.
  • 18. Cheat Sheet Copyright © 2012 Aware Corporation Ltd.
  • 19. Cheat Sheet Copyright © 2012 Aware Corporation Ltd.
  • 20. Tools Demonstration Copyright © 2012 Aware Corporation Ltd.
  • 21. RISK • Discovering vulnerabilities is important, but just as important is being able to estimate the associated risk to the business. Risk = Likelihood * Impact Copyright © 2012 Aware Corporation Ltd.
  • 22. Prioritizing RISK Copyright © 2012 Aware Corporation Ltd.
  • 23. Threat Risk – DREAD: Damage potential, Reproducibility, Exploitability, Affected users, Discoverability Copyright © 2012 Aware Corporation Ltd.
  • 24. Copyright © 2012 Aware Corporation Ltd.
  • 25. Copyright © 2012 Aware Corporation Ltd.
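The SQL injection flow on slide 10 (the `' OR 1=1--` account lookup) in running form, as an added example that is not part of the original deck: a vulnerable lookup that concatenates the form value into the SQL text next to the parameterized version a tester should expect to find. The `accounts` table contents, the `make_db` helper and the function names are constructed for this example; the query text is the one shown on the slide.

```python
import sqlite3

# Constructed sample accounts (not taken from the slides).
SAMPLE_ACCOUNTS = [
    ("alice", "5424-0000-0000-0001"),
    ("bob", "4128-0000-0000-0002"),
    ("carol", "5424-0000-0000-0003"),
]

# The value the attacker puts into the account field on slide 10.
INJECTION_INPUT = "' OR 1=1--"


def make_db():
    """In-memory accounts table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, card TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def build_vulnerable_sql(acct):
    """Step 3 of the slide: untrusted input pasted straight into the SQL text."""
    return "SELECT * FROM accounts WHERE acct='" + acct + "'"


def lookup_vulnerable(conn, acct):
    """Runs the concatenated query. With INJECTION_INPUT the WHERE clause
    becomes acct='' OR 1=1 and the trailing quote is commented out by --,
    so every row comes back (the Account Summary on the slide)."""
    return conn.execute(build_vulnerable_sql(acct)).fetchall()


def lookup_safe(conn, acct):
    """Parameterized query: the value travels separately from the SQL and
    cannot change the statement's structure, so the same input matches nothing."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql(INJECTION_INPUT))
    print("vulnerable:", lookup_vulnerable(db, INJECTION_INPUT))
    print("safe:      ", lookup_safe(db, INJECTION_INPUT))
```

The tell-tale sign during testing is the difference in row counts: a value that names no real account returns the whole table from the concatenated query and nothing from the parameterized one.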
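The stored XSS scenario on slide 11 (attacker saves a script in a profile, victim's browser runs it with access to the DOM and cookies) as an added example, not code from the deck: the profile page rendered without output encoding beside the encoded version, plus the HttpOnly session cookie that keeps step 3 of the slide from working even when a script does run. The profile template, the `MALICIOUS_BIO` marker script and the function names are constructed for this example.

```python
import html

# Page template the application uses to show a profile. Constructed for this
# example; the slide does not show the real markup.
PROFILE_TEMPLATE = '<div class="profile"><h2>{name}</h2><p>{bio}</p></div>'

# Constructed attacker profile text: an inert marker script standing in for
# the cookie-sending script described on slide 11.
MALICIOUS_BIO = "<script>alert('xss')</script>"


def render_profile_vulnerable(name, bio):
    """Stored data is placed into the page as-is, so a <script> in the bio
    runs in every visitor's browser (step 2 of the slide)."""
    return PROFILE_TEMPLATE.format(name=name, bio=bio)


def render_profile_safe(name, bio):
    """Output encoding: every character that could open a tag or attribute is
    turned into an entity, so the browser shows the text instead of running it."""
    return PROFILE_TEMPLATE.format(
        name=html.escape(name, quote=True),
        bio=html.escape(bio, quote=True),
    )


def session_cookie_header(value):
    """Set-Cookie line for the session id. HttpOnly keeps the cookie out of
    document.cookie, so a script that does run cannot read it (step 3);
    Secure and SameSite limit where the browser will send it."""
    return f"Set-Cookie: session={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    print(render_profile_vulnerable("attacker", MALICIOUS_BIO))
    print(render_profile_safe("attacker", MALICIOUS_BIO))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))
```

Encoding at output time (rather than filtering at input time) is the fix that holds regardless of which form the data entered through; the cookie flag is defence in depth for the case an encoding is missed.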
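Slides 21 to 23 give the prioritization rule (Risk = Likelihood * Impact) and the DREAD factors. The following is an added example, not the deck's own method, of ranking findings with those two ideas. The mapping of DREAD factors onto the formula is an assumption made here: Reproducibility, Exploitability and Discoverability are averaged into Likelihood, Damage potential and Affected users into Impact, each on a 0 to 10 scale, so Risk ranges 0 to 100. The findings list is constructed.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    damage: int           # D: how bad is it if exploited (0-10)
    reproducibility: int  # R: how reliably can it be triggered (0-10)
    exploitability: int   # E: how little skill or effort is needed (0-10)
    affected_users: int   # A: how many users are hit (0-10)
    discoverability: int  # D: how easy is it to find (0-10)


def _score(value):
    """DREAD factors are rated 0-10; anything else is a data entry error."""
    if not 0 <= value <= 10:
        raise ValueError(f"DREAD rating out of range: {value}")
    return value


def likelihood(f):
    """Assumption: the factors describing the attack itself drive likelihood."""
    return (_score(f.reproducibility) + _score(f.exploitability) + _score(f.discoverability)) / 3


def impact(f):
    """Assumption: the factors describing the consequences drive impact."""
    return (_score(f.damage) + _score(f.affected_users)) / 2


def risk(f):
    """Slide 21: Risk = Likelihood * Impact (0-100 here)."""
    return likelihood(f) * impact(f)


def prioritize(findings):
    """Highest business risk first, which is the order to fix them in."""
    return sorted(findings, key=risk, reverse=True)


# Constructed findings with illustrative ratings.
SAMPLE_FINDINGS = [
    Finding("SQL injection in login form", 10, 10, 8, 10, 8),
    Finding("Stored XSS in profile bio", 7, 10, 8, 8, 9),
    Finding("Verbose server banner", 2, 10, 10, 3, 10),
    Finding("Weak password lockout", 6, 6, 5, 6, 3),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk(f):6.1f}  L={likelihood(f):4.1f} I={impact(f):4.1f}  {f.name}")
```

The point the ranking makes is that an easy-to-find, trivially reproducible issue (the banner) still lands at the bottom because its impact is small, while the lockout weakness outranks it despite being harder to exploit.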