3. Introduction
• Testing a partial verification process of a system.
• Its main objective is to identify a maximum number of problematic behavior
of the software in order to increase the quality
5. Security flaws
SQL Injection
Vulnerabilities:
• Poor input validation in your Web applications
• Unsafe, dynamically constructed SQL commands
• Over-privileged application logins to the database
• Weak permissions that fail to restrict the application's login to the database
Countermeasures:
• Constrain and sanitize input data.
• Use type safe SQL parameters for data access..
• Use an account that has restricted permissions in the database.
7. Security flaws
Unauthorized Access
Vulnerabilities:
• Lack of authorization in data access code providing unrestricted access
• Over-privileged database accounts
Countermeasures:
• Use principal permission demands to authorize the calling user.
• Use code access security permission demands to authorize the calling code.
• Use limited permissions to restrict the application's login to the database and to prevent
direct table access.
9. Security flaws
Disclosure of sensitive data
Vulnerabilities:
• Clear text credentials passed over the network during SQL authentication
• Unencrypted sensitive application data sent to and from the database server
Countermeasures:
• Install a server certificate on the database server.
• Use an SSL connection between the Web server and database server to protect sensitive
application data.
• Use an IPSec encrypted channel between Web and database server.
10. 4010 3190 9662 53594010 3190 9662 5359
Security flaws
Disclosure of sensitive data - example
11. Security testing involves testing a software in order to identify any flaws and gaps
from security and vulnerability point of view.
Testing
SecurityTesting
12. Security Testing
Security Testing in the coding phase : Unit Tests
₪ Test isolation
₪ Operate at the method d and class level
₪ Written by developers
₪ Executed the most frequently
Tests are run very quickly : issues are identified quickly
High test coverage
Not many security vulnerabilities can be tested
13. Security Testing
Security Testing during the integration and validation phase :
Integrated system Test & Operation Test
₪ Test integration between classes and modules
₪ Test integration between tiers
₪ Written by developers
₪ Executed often, but not as often as unit tests
• Can test in the application server
• Many security vulnerabilities can be tested : Injections, authentification flaws
and authorization flaws
• Some vulnerabilities may not easily tested : XSS, URL filtering performed by
A web server or application firewall
• Not executable as often as unit tests
• Overhead of starting an application server
Integrated system Test
14. Security Testing
Security Testing during the integration and validation phase :
Integrated system Test & Functional acceptance Test
₪ Performed on the external API
₪ Low test coverage
₪ Performed by quality assurance testers
₪ Executed the least frequently
• Full testing of external API
• Security consultants can use tools to script vulnerabilities :
documents vulnerabilities
easy retesting
• Low test coverage
• Developers aren’t include in testing
Functional acceptance Test
16. Security Testing
Methods
Fuzzing Test
Fuzzing is about injecting invalid or random inputs in order
- to reveal unexpected behaviour
- to identify errors and expose potential vulnerabilities.
17. Security Testing
Methods
Fuzzing Test - Process
Input data preparation
Definition of input data
Program preparation
Environment
Preparation
Setup
Data transfer to
application
Reporting
Monitoring
18. Observation of program behavior
Logs
Debuggers (!exploitable...)
Files, processes and network monitors
Virtualization (VMWare)
Source code modifications (breakpoints)
Additional techniques (Valgrind, GuardMalloc)
Combined techniques
Security Testing
Types
Fuzzing Test - Monitoring
21. Security Testing
Types
Fuzzing Test – advantages and disadvantages
Full automatization (in most cases)
Fuzzers find real vulnerabilities
Ability to identify bugs which are hard to find by manual testing
Ability to quickly obtain satisfactory results (first bug)
Inability to find logical bugs
Inability to find complex bugs
Time required for performing test is very hard to specify
22. Security test cases checklist
Security Testing
Input validation
Buffer overflaws
Injection attacks
Disclosure of sensitive data
….
Conduct all data validation on a trusted system (e.g., The server)
Identify all data sources and classify them into trusted and untrusted. Validate all data from
untrusted sources (e.g., Databases, file streams, etc.)
There should be a centralized input validation routine for the application
Specify proper character sets, such as UTF-8, for all sources of input
Encode data to a common character set before validating
All validation failures should result in input rejection
Validate for expected data types
Validate data range
Validate data length
Validate all input against a "white" list of allowed characters, whenever possible
….
23. Security test cases checklist
Security Testing
Access Control
Unauthorized access
Disclosure of sensitive data
Tampering
DOS & DDOS Attacks
…
Restrict access to protected functions to only authorized users
Restrict direct object references to only authorized users
Restrict access to services to only authorized users
Restrict access to application data to only authorized users
Restrict access to user and data attributes and policy information used by access controls
Access controls should fail securely
Deny all access if the application cannot access its security configuration information
Use only trusted system objects, e.g. server side session objects, for making access
authorization decisions
If state data must be stored on the client, use encryption and integrity checking on the server
side to catch state tampering.
….
24. Security test cases checklist
Security Testing
Cryptography practices
Network eavesdropping
Disclosure of sensitive data
…..
All cryptographic functions used to protect secrets from the application user must be
implemented on a trusted system (e.g., The server)
Protect master secrets from unauthorized access
Cryptographic modules should fail securely
All random numbers, random file names, random GUIDs, and random strings should be
generated using the cryptographic module’s approved random number generator when these
random values are intended to be un-guessable
Cryptographic modules used by the application should be compliant to FIPS 140-2 or an
equivalent standard.
Establish and utilize a policy and process for how cryptographic keys will be managed
25. Security test cases checklist
Security Testing
Authentification and Password management
Network eavesdropping
Disclosure of sensitive data
Unauthorized access
….
Require authentication for all pages and resources, except those specifically intended to be
public
All authentication controls must be enforced on a trusted system (e.g., The server)
Establish and utilize standard, tested, authentication services whenever possible
Use a centralized implementation for all authentication controls, including libraries that call
external authentication services
Segregate authentication logic from the resource being requested and use redirection to and
from the centralized authentication control
All authentication controls should fail securely
All administrative and account management functions must be at least as secure as the primary
authentication mechanism
…
26. Security test cases checklist
Security Testing
Data protection
Network eavesdropping
Disclosure of sensitive data
Tampering
Unauthorized access
….
Implement least privilege, restrict users to only the functionality, data and system information
that is required to perform their tasks
Encrypt highly sensitive stored information, like authentication verification data, even on the
server side. Always use well vetted algorithms, see "Cryptographic Practices" for additional
guidance
Protect server-side source-code from being downloaded by a user
Do not store passwords, connection strings or other sensitive information in clear text or in
any non-cryptographically secure manner on the client side
Remove comments in user accessible production code that may reveal backend system or
other sensitive information
Do not include sensitive information in HTTP GET request parameters
…
27. Security test cases checklist
Security Testing
Communication Security
Network eavesdropping
Disclosure of sensitive data
Buffer overflow
DOS attack
Implement encryption for the transmission of all sensitive information
TLS certificates should be valid and have the correct domain name, not be expired, and be
installed with intermediate certificates when required
Failed TLS connections should not fall back to an insecure connection
Utilize TLS connections for all content requiring authenticated access and for all other
sensitive information
Utilize TLS for connections to external systems that involve sensitive information or functions
Utilize a single standard TLS implementation that is configured appropriately
Specify character encodings for all connections
Filter parameters containing sensitive information from the HTTP referer, when linking
to external sites
30. Conclusion
Security testing is an important and integral part of the software developmental process.
You will need to conduct this test to find security loopholes and later close them with
appropriate security measures and techniques
Good morning, the pupose of this presentation is to introduce security testing
We will begin our presentation by an introduction, then we will present some security flaws as well as types and methods to test these flaws and we will finish by a conclusion
Testing is an important part of software development and it is vital to start it as early as possible, its objectives is to find flaws and vulnerabilities of a system
The database is a prime target for application level attacks. The top threats to data access code are:
SQL injection
Disclosure of configuration data
Disclosure of sensitive application data
Disclosure of database schema and connection details
Unauthorized access
Network eavesdropping
An SQL injection attack consists of insertion of either a partial or complete SQL query via the data input or transmitted from the client to the web application.
Common vulnerabilities that make your data access code susceptible to SQL injection attacks include:
To counter SQL injection attacks, be sure to:
For example, Let's say that the original purpose of the code was to create an SQL statement to select information about a user’s credit card,
The SQL above is valid. It will return all rows from the table CreditCard, since WHERE 1equal1 is always true
With inadequate authorization, users may be able to see another user's data and may be able to access other restricted data.
Practices that can allow unauthorized access include:
To prevent unauthorized access:
This example has four users. The users select from a set of resources such as Public Share, Time Card Entry and Account Manager.
Larry should not be allowed to access the Account Manager resource because Larry is not assigned to the required role. However in this example, Larry’s access is allowed in the application.
The main issue is that the application does not implement the access control correctly to verify whether the user Larry is authorized to access Account Manager resource.
The deployment architecture of most applications includes a physical separation of the data access code from the database server. As a result, sensitive data such as application-specific data or database login credentials must be protected from network eavesdroppers.
The following practices increase vulnerability to network eavesdropping:
To limit vulnerability to network eavesdropping:
As shown above, while transmitting a sensitive data through the network , attackers could steal that information,
Therefore we must secure our software, so how to test security software
Security testing is basically a type of software testing that’s done to check whether the application or the product is secured or not. It checks to see if the application is vulnerable to attacks, if anyone hack the system or login to the application without any authorization.
Unit test : test logic in classes by programmers to show code level correctness. They should be fast and not dependend on other parts of the system that you don't intend to test
Integration test : Test communication paths between different parts of the module done by the test department or by developers to show that all modules work correctly together.
Functional acceptance test : test use case scenario's on a limited (specially created) data set done by the test department to show that every specified scenario works as specified.
We can find also other types of security testing such as static, dynamic
Static test : it verifies the security of the software by analyzing either the source code or the compiled application without running the project
Dynamic test : it tests the software in the running mode
We can also find others method for testing software such as fuzzing test
Fuzzing is a method of testing software to find security holes and unexpected behavior of an application, using semirandom data.
The fuzzing process is defined as shown here, First, a generator produces test inputs. Second, the test inputs are delivered to the system under test. The delivery mechanism depends on the type of input that the system processes. Third, the system under test is monitored for crashes and other basic undesirable behavior. Also Reports describes the results of the test could be generated automatically
One can monitor the target application in many ways. Such as monitor for event logs, monitor application crashes using debuggers, monitor using tools of virtualization like vmware etc ,,,
application is tested by a previously prepared fuzzer. Test results are verified by testers. Next, they are sent to programmers. If any errors occur, programmers must fix the application. New build once again must pass the fuzzing process.
Some frameworks are used the fuzzing test such as Peach and sulley, peach can test virtually any system for unknown vulnerabilities. From common test targets to complex proprietary systems, Peach is the fuzzer for the job. The goal of the framework sulley is to simplify not only data representation but to simplify data transmission and target monitoring as well. There are some tools specialized fuzzers such as …
security test cases cheat list or check-list”, for example, can provide simple test cases and attack vectors that can be used by testers to validate exposure to common vulnerabilities,
Input validation is the correct testing of any input; we should verify the data is strongly typed, correct syntax, within length boundaries, contains only permitted characters, or that numbers are correctly signed and within range boundaries
Problems resulting from incorrect input validation :
Access control policies can be specified in programming languages or policy specification languages and implemented in a particular access control implementation. Policies need to be carefully designed and implemented to prevent data from unauthorized access, diclosure of sensitive data dos and ddos attacks etc
The Cryptography Policy sets out when and how encryption should (or should not) be used. It includes protection of personal, confidential and commercially sensitive information and communications, key management, and procedures to ensure encrypted information can be recovered by the organisation if necessary.
Authentication is the process of verification that an individual, entity or website is who it claims to be, Session Management is a process by which a server maintains the state of an entity interacting with it. Sessions are maintained on the server by a session identifier which can be passed back and forward between the client and server when transmitting and receiving requests. Sessions should be unique per user and computationally very difficult to predict
Limit access to data based on the least privilege principal. Encrypt sensitive data and information like stored passwords, connection strings and properly protect decryption keys. We should Make sure all cached or temporary copies of sensitive data are protected from unauthorized access and get purged as soon as they are no longer required,
When transmitting sensitive information, at any tier of the application or network architecture, encryption-in-transit should be used. We should Use a trusted certificate authority to generate public and private keys whenever possible. Moreover, proper security controls must be in place to protect the private keys from unauthorized access.
is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help to automatically find security vulnerabilities in web applications while developing and testing the applications. Its also a great tool for experienced pentesters to use for manual security testing
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc
Secure applications can ensure system safety and security. It can impede attacks by hackers. Security testing is one of the most important tests that you should conduct before introducing it to the commercial domain