SlideShare une entreprise Scribd logo

The 3 Top Techniques for Web Security Testing Using a Proxy

TEST Huddle
TEST Huddle

View on-demand webinar - https://testhuddle.com/the-3-top-techniques-for-web-security-testing-using-a-proxy/

Logiciels
1  sur  34
Télécharger pour lire hors ligne
Three Techniques for Web Security Testing Using a Proxy Paco Hope, Cigital paco@cigital.com Twitter: @pacohope
About Me • Consultant 13 years • Software security: code, design, risk • Financial, gaming, retail • Source code, architecture, security testing • (ISC)² European Advisory Council • CISSP and CSSLP exam item author • Author: 2 books + 1 chapter • OWASP Mobile Top Ten contributor • BS and MS in Computer Science • Passionate about software testers as an untapped resource in software security
Goals • Understand the proxy • HTTP and HTTPS • How to configure and run it • Intercept some requests and modify them • Intercept some replies and modify them
Functional Testing vs. Security Testing Testing against the design/requirements is not enough: Stories, Requirements, Features, Design Actual implementation Missing features (found in functional testing) Potential security vulnerabilities (not found in functional tests) Boundary condition analysis (edge and corner cases) Security testers must think “outside the box”
HTTP IN A NUTSHELL
Requests and Responses GET / HTTP/1.1 Host: www.cigital.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,applicati on/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 03 Jul 2014 10:24:38 GMT Server: Apache X-Powered-By: PHP/5.5.10 X-Pingback: http://www.cigital.com/xmlrpc.php Link: <http://www.cigital.com/>; rel=shortlink Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 27893 [HTML document] Client¹ Sends Server Responds ¹ ”client” can be a browser, mobile device, or anything making HTTP requests
HTTP Requests GET /training/ HTTP/1.1 Host: www.cigital.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,applicat ion/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.cigital.com/ Cookie: __utma=269626595.872944553.1402325345.14 02909557.1404383087.3; [truncated...] Connection: keep-alive Structure o Method/path/protocol version o Headers • User-agent and referrer may not always be there • Browser includes all the cookies it has for the site to which it connects
HTTP/1.1 200 OK Date: Thu, 20 Mar 2014 17:05:51 GMT Server: Apache/1.2.34 (Debian) X-Powered-By: PHP/1.2.3-4+deb7u7 X-Pingback: http://www.cigital.com/xmlrpc.php Link: <http://www.cigital.com/?p=4370>; rel=shortlink Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Set-Cookie: name=value Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT Connection: Keep-Alive [HTML document] Structure: • Headers first • Blank line • Content Response codes: • 200 OK • 404 Not Found HTTP Responses
URL Encoding http://example.com/test?url=http://www.cigital.com/ à http://example.com/test?url=http%3A%2F%2Fwww.cigital.com %2F Important to consider when modifying requests in web security tests: http://www.example.com/request.php?param1=abc+123&param2=A&B param1 = param2 = URL encoding is applied in HTTP messages to URL parameters and HTML form data. “abc 123” “A”
RESTful Web Services • Parameters are usually a part of the path: http://example.com/customers/1234 • HTTP methods used: RESTful web services use HTTP in a slightly different way to normal web pages: Method Resource collection Resource item GET List items in collection Get representation of item PUT Replace collection Update/replace item POST Create item in collection Create sub-item under current item DELETE Delete entire collection Delete item Resource  collection Resource  item
Cookies • Are sent back with all requests to the domain from which they were set • Are stored by client (mobile phone, browser, etc.) and used until they expire • Survive browser/computer/device restart • Session cookies have no expiration and live as long as the browser process is running
Server  response HTTP/1.1 200 OK … Set-Cookie: session=id; secure; httpOnly Set-Cookie: cookie2=persistent; Expires=Wed, 09 Jun 2021 10:18:14 GMT Subsequent  client  request GET /index.html HTTP/1.1 … Cookie: session=id; cookie2=persistent Cookies
Detour into HTTPS (TLS/SSL) • Simply protects the channel from eavesdroppers • Modest authenticity check on web server • If the app is buggy/vulnerable, then TLS just makes connections opaque • Example: • 4 people in a coffee shoppe/at the office on the same wifi • One goes to a web site • What can the others see?
Standard HTTP GET /office/document.html GET /office/docu ment.html HTTP
With HTTPS GET /office/document.html VG9wIDMg V2ViIFNlY3V yaXR5IFRlc 3Rpbmcg HTTPS
Vulnerabilities and HTTPS GET /vulnerable/thing HTTP GET /vulnerable/thing HTTPS
PROXIES
HTTP Proxies • Speed up Internet access • Filter undesirable or malicious content • Prevent data leakage • Provide anonymity Intermediaries between clients and servers and may be used for several good reasons:
HTTP Proxy Types Three main types of HTTP proxies: Forward proxy Reverse proxy Open proxy
What We’re Doing: Local Proxy Your Browser Proxy The Network / Internet Web Site to Test Inside Your Computer / Laptop
Another Possibility Your Browser Proxy The Network / Internet Web Site to Test Inside Your Computer / Laptop Mobile Device
ROADMAP • INSTALL • CONFIGURE • PITFALLS • RUN
Installing • Two proxies worth considering • ZAP (“Zed Attack Proxy”) from OWASP • 100% Free • https://www.owasp.org/index.php/OWASP_Zed_Atta ck_Proxy_Project • Burp Suite: commercial • Free Version (lacks advanced security tools) • £239 / $349 / €329 per user per year • https://www.portswigger.net/ We’ll look at Burp today
BUILDING SECURITY IN Demo 1 WebGoat and Burp Config 1. Start WebGoat 2. Start Burp 3. Disable Intercept 4. Change Burp Port 5. Configure Firefox 6. Do a couple requests 7. Examine them
• Most software uses your operating system proxy settings • You might not have rights to change it • It’s a pain to test when EVERYTHING YOU DO goes through the proxy Why I Use Firefox for Proxy-Based Testing
• Lots of apps use port 8080 • Tomcat • WebGoat • Specialist software • Proxy (Burp/ZAP) is often easier to change • Setting the OS proxy is disruptive • Might need to set “upstream proxy” to use your corporate proxy Other Possible Pitfalls
What Is Proxying Good For? • Bypassing client-side protections • Exploring client-side behaviour • Examining data in transit
BUILDING SECURITY IN Demo 2 Intercept and Tamper With a Request 1. Improper Error Handling Lesson 2. Intercept the Login Request 3. Remove the Password Parameter
BUILDING SECURITY IN Demo 3 Intercept a Response 1. WebGoat AJAX -> XML 2. Load Lesson 3. Turn on Intercept 4. Submit Account Number 5. Intercept Request 6. Intercept Response 7. Edit Response 8. Forward Edited Response
CONCLUSIONS • INSTALL • CONFIGURE • PITFALLS • RUN
• This is way off the “happy path” • Allows better coverage of errors, edge cases, etc. • Bypasses client-side checks The Value of A Proxy
• Manual testing • Can spend a lot of time for few (spectac- ular) results • May require deep insight into the app Disadvantages
Resources in This Webinar Resource URL Burp Suite https://portswigger.net/ OWASP WebGoat https://github.com/WebGoat OWASP Zed AttackProxy (ZAP) https://www.owasp.org/index.php/OWASP_Zed_ Attack_Proxy_Project Firefox Web Browser https://mozilla.com/
The best time to plant an oak tree was twenty years ago. The next best time is now. —Ancient Proverb Paco Hope, CISSP, CSSLP paco@cigital.com Twitter: @pacohope

Recommandé

Continuous everything
Continuous everythingContinuous everything
Continuous everythingTEST Huddle
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Automated Testing Using Selenium
Automated Testing Using SeleniumAutomated Testing Using Selenium
Automated Testing Using SeleniumTechWell
 
Nonfunctional Testing: Examine the Other Side of the Coin
Nonfunctional Testing: Examine the Other Side of the CoinNonfunctional Testing: Examine the Other Side of the Coin
Nonfunctional Testing: Examine the Other Side of the CoinTechWell
 
Become a Performance Diagnostics Hero
Become a Performance Diagnostics HeroBecome a Performance Diagnostics Hero
Become a Performance Diagnostics HeroTechWell
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentTechWell
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 

Recommandé

Continuous everything
Continuous everythingContinuous everything
Continuous everythingTEST Huddle
 
Zen and the art of Security Testing
Zen and the art of Security TestingZen and the art of Security Testing
Zen and the art of Security TestingTEST Huddle
 
Automated Testing Using Selenium
Automated Testing Using SeleniumAutomated Testing Using Selenium
Automated Testing Using SeleniumTechWell
 
Nonfunctional Testing: Examine the Other Side of the Coin
Nonfunctional Testing: Examine the Other Side of the CoinNonfunctional Testing: Examine the Other Side of the Coin
Nonfunctional Testing: Examine the Other Side of the CoinTechWell
 
Become a Performance Diagnostics Hero
Become a Performance Diagnostics HeroBecome a Performance Diagnostics Hero
Become a Performance Diagnostics HeroTechWell
 
IoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentIoT Software Testing Challenges: The IoT World Is Really Different
IoT Software Testing Challenges: The IoT World Is Really DifferentTechWell
 
AppSec is Eating Security
AppSec is Eating SecurityAppSec is Eating Security
AppSec is Eating SecurityAlex Stamos
 
AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015AppSec Pipeline - Velcocity NY 2015
AppSec Pipeline - Velcocity NY 2015Matt Tesauro
 
AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
30 of the best free software test tools in 60 minutes by Jess Lancaster
30 of the best free software test tools in 60 minutes by Jess Lancaster30 of the best free software test tools in 60 minutes by Jess Lancaster
30 of the best free software test tools in 60 minutes by Jess LancasterQA or the Highway
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsMike Brittain
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Real Devices or Emulators: Wen to use What for Automated Testing
Real Devices or Emulators: Wen to use What for Automated TestingReal Devices or Emulators: Wen to use What for Automated Testing
Real Devices or Emulators: Wen to use What for Automated TestingSauce Labs
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
Peer Code Review: In a Nutshell
Peer Code Review: In a NutshellPeer Code Review: In a Nutshell
Peer Code Review: In a NutshellAtlassian
 
Continuous Integration, the minimum viable product
Continuous Integration, the minimum viable productContinuous Integration, the minimum viable product
Continuous Integration, the minimum viable productJulian Simpson
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
Colorful world-of-visual-automation-testing-latest
Colorful world-of-visual-automation-testing-latestColorful world-of-visual-automation-testing-latest
Colorful world-of-visual-automation-testing-latestOnur Baskirt
 
From Sage 500 to 1000 ... Performance Testing myths exposed
From Sage 500 to 1000 ... Performance Testing myths exposedFrom Sage 500 to 1000 ... Performance Testing myths exposed
From Sage 500 to 1000 ... Performance Testing myths exposedTrust IV Ltd
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
Mobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDMobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDGlobalLogic Ukraine
 
Ciprian balea automated performance-testing
Ciprian balea automated performance-testingCiprian balea automated performance-testing
Ciprian balea automated performance-testingRomania Testing
 
SDLC. QA Role
SDLC. QA RoleSDLC. QA Role
SDLC. QA Roleeleksdev
 
Mob Testing: Better Products Through Diversity
Mob Testing: Better Products Through DiversityMob Testing: Better Products Through Diversity
Mob Testing: Better Products Through DiversityTEST Huddle
 
Can virtualization transform your API lifecycle?
Can virtualization transform your API lifecycle?Can virtualization transform your API lifecycle?
Can virtualization transform your API lifecycle?TEST Huddle
 

Contenu connexe

Tendances

AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityMatt Tesauro
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Matt Tesauro
 
30 of the best free software test tools in 60 minutes by Jess Lancaster
30 of the best free software test tools in 60 minutes by Jess Lancaster30 of the best free software test tools in 60 minutes by Jess Lancaster
30 of the best free software test tools in 60 minutes by Jess LancasterQA or the Highway
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Dinis Cruz
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsMike Brittain
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestMatt Tesauro
 
Real Devices or Emulators: Wen to use What for Automated Testing
Real Devices or Emulators: Wen to use What for Automated TestingReal Devices or Emulators: Wen to use What for Automated Testing
Real Devices or Emulators: Wen to use What for Automated TestingSauce Labs
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterMatt Tesauro
 
Peer Code Review: In a Nutshell
Peer Code Review: In a NutshellPeer Code Review: In a Nutshell
Peer Code Review: In a NutshellAtlassian
 
Continuous Integration, the minimum viable product
Continuous Integration, the minimum viable productContinuous Integration, the minimum viable product
Continuous Integration, the minimum viable productJulian Simpson
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityMatt Tesauro
 
Colorful world-of-visual-automation-testing-latest
Colorful world-of-visual-automation-testing-latestColorful world-of-visual-automation-testing-latest
Colorful world-of-visual-automation-testing-latestOnur Baskirt
 
From Sage 500 to 1000 ... Performance Testing myths exposed
From Sage 500 to 1000 ... Performance Testing myths exposedFrom Sage 500 to 1000 ... Performance Testing myths exposed
From Sage 500 to 1000 ... Performance Testing myths exposedTrust IV Ltd
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0Dinis Cruz
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.Matt Tesauro
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0Dinis Cruz
 
Mobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDMobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDGlobalLogic Ukraine
 
Ciprian balea automated performance-testing
Ciprian balea automated performance-testingCiprian balea automated performance-testing
Ciprian balea automated performance-testingRomania Testing
 
SDLC. QA Role
SDLC. QA RoleSDLC. QA Role
SDLC. QA Roleeleksdev
 

Tendances (20)

AppSec Pipelines and Event based Security
AppSec Pipelines and Event based SecurityAppSec Pipelines and Event based Security
AppSec Pipelines and Event based Security
 
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
Making Continuous Security a Reality with OWASP’s AppSec Pipeline - Matt Tesa...
 
30 of the best free software test tools in 60 minutes by Jess Lancaster
30 of the best free software test tools in 60 minutes by Jess Lancaster30 of the best free software test tools in 60 minutes by Jess Lancaster
30 of the best free software test tools in 60 minutes by Jess Lancaster
 
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
Start with passing tests (tdd for bugs) v0.5 (22 sep 2016)
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
Continuous Deployment: The Dirty Details
Continuous Deployment: The Dirty DetailsContinuous Deployment: The Dirty Details
Continuous Deployment: The Dirty Details
 
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux FestBuilding an Open Source AppSec Pipeline - 2015 Texas Linux Fest
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest
 
Real Devices or Emulators: Wen to use What for Automated Testing
Real Devices or Emulators: Wen to use What for Automated TestingReal Devices or Emulators: Wen to use What for Automated Testing
Real Devices or Emulators: Wen to use What for Automated Testing
 
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things BetterTaking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
Taking AppSec to 11: AppSec Pipeline, DevOps and Making Things Better
 
Peer Code Review: In a Nutshell
Peer Code Review: In a NutshellPeer Code Review: In a Nutshell
Peer Code Review: In a Nutshell
 
Continuous Integration, the minimum viable product
Continuous Integration, the minimum viable productContinuous Integration, the minimum viable product
Continuous Integration, the minimum viable product
 
Taking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into securityTaking the Best of Agile, DevOps and CI/CD into security
Taking the Best of Agile, DevOps and CI/CD into security
 
Colorful world-of-visual-automation-testing-latest
Colorful world-of-visual-automation-testing-latestColorful world-of-visual-automation-testing-latest
Colorful world-of-visual-automation-testing-latest
 
From Sage 500 to 1000 ... Performance Testing myths exposed
From Sage 500 to 1000 ... Performance Testing myths exposedFrom Sage 500 to 1000 ... Performance Testing myths exposed
From Sage 500 to 1000 ... Performance Testing myths exposed
 
New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0New Era of Software with modern Application Security v1.0
New Era of Software with modern Application Security v1.0
 
DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.DevSecOps Fundamentals and the Scars to Prove it.
DevSecOps Fundamentals and the Scars to Prove it.
 
NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0NodeJS security - still unsafe at most speeds - v1.0
NodeJS security - still unsafe at most speeds - v1.0
 
Mobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CDMobile Apps development best practices. TDD, CI, CD
Mobile Apps development best practices. TDD, CI, CD
 
Ciprian balea automated performance-testing
Ciprian balea automated performance-testingCiprian balea automated performance-testing
Ciprian balea automated performance-testing
 
SDLC. QA Role
SDLC. QA RoleSDLC. QA Role
SDLC. QA Role
 

En vedette

Mob Testing: Better Products Through Diversity
Mob Testing: Better Products Through DiversityMob Testing: Better Products Through Diversity
Mob Testing: Better Products Through DiversityTEST Huddle
 
Can virtualization transform your API lifecycle?
Can virtualization transform your API lifecycle?Can virtualization transform your API lifecycle?
Can virtualization transform your API lifecycle?TEST Huddle
 
Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...
Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...
Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...TEST Huddle
 
Thinking Through Your Role
Thinking Through Your RoleThinking Through Your Role
Thinking Through Your RoleTEST Huddle
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012DefCamp
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceMasoud Kalali
 
ANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTING
ANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTINGANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTING
ANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTINGEditor IJMTER
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computingPrince Chandu
 

En vedette (11)

Mob Testing: Better Products Through Diversity
Mob Testing: Better Products Through DiversityMob Testing: Better Products Through Diversity
Mob Testing: Better Products Through Diversity
 
Can virtualization transform your API lifecycle?
Can virtualization transform your API lifecycle?Can virtualization transform your API lifecycle?
Can virtualization transform your API lifecycle?
 
Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...
Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...
Isabel Evans - Working Ourselves out of a Job: A Passion For Improvement - Eu...
 
Thinking Through Your Role
Thinking Through Your RoleThinking Through Your Role
Thinking Through Your Role
 
OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012OWASP Overview of Projects You Can Use Today - DefCamp 2012
OWASP Overview of Projects You Can Use Today - DefCamp 2012
 
Confess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practiceConfess 2013: OWASP Top 10 and Java EE security in practice
Confess 2013: OWASP Top 10 and Java EE security in practice
 
ANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTING
ANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTINGANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTING
ANALYSIS OF SOFTWARE SECURITY TESTING TECHNIQUES IN CLOUD COMPUTING
 
Security Development Lifecycle Tools
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
 
Basic Server PPT (THDC)
Basic Server PPT (THDC)Basic Server PPT (THDC)
Basic Server PPT (THDC)
 
Data security in cloud computing
Data security in cloud computingData security in cloud computing
Data security in cloud computing
 

Similaire à The 3 Top Techniques for Web Security Testing Using a Proxy

Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Denim Group
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionCASCouncil
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Mohammed Adam
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumSteven Miller
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCAlexandre Gouaillard
 
Building SharePoint Single Page Applications Using AngularJS
Building SharePoint Single Page Applications Using AngularJSBuilding SharePoint Single Page Applications Using AngularJS
Building SharePoint Single Page Applications Using AngularJSSharePointInstitute
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Zack Meyers
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...Amazon Web Services
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software DeploymentGong Haibing
 
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...Stamo Petkov
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsAnthony D Hendricks
 
Performance management
Performance managementPerformance management
Performance managementAlan Lok
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseNetSPI
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 

Similaire à The 3 Top Techniques for Web Security Testing Using a Proxy (20)

Burpsuite yara
Burpsuite yaraBurpsuite yara
Burpsuite yara
 
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
Threat Modeling the CI/CD Pipeline to Improve Software Supply Chain Security ...
 
OTG-Recon
OTG-ReconOTG-Recon
OTG-Recon
 
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and SolutionHeartbleed Bug Vulnerability: Discovery, Impact and Solution
Heartbleed Bug Vulnerability: Discovery, Impact and Solution
 
Android Penetration Testing - Day 3
Android Penetration Testing - Day 3Android Penetration Testing - Day 3
Android Penetration Testing - Day 3
 
Cloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming CurriculumCloud Computing in Systems Programming Curriculum
Cloud Computing in Systems Programming Curriculum
 
Real-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTCReal-Time Communication Testing Evolution with WebRTC
Real-Time Communication Testing Evolution with WebRTC
 
Building SharePoint Single Page Applications Using AngularJS
Building SharePoint Single Page Applications Using AngularJSBuilding SharePoint Single Page Applications Using AngularJS
Building SharePoint Single Page Applications Using AngularJS
 
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshopDevSecCon Singapore 2019: Workshop - Burp extension writing workshop
DevSecCon Singapore 2019: Workshop - Burp extension writing workshop
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
AWS re:Invent 2016: Amazon CloudFront Flash Talks: Best Practices on Configur...
 
Web security
Web securityWeb security
Web security
 
A Byte of Software Deployment
A Byte of Software DeploymentA Byte of Software Deployment
A Byte of Software Deployment
 
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...Deploy secure, scalable, and highly available web apps with Azure Front Door ...
Deploy secure, scalable, and highly available web apps with Azure Front Door ...
 
Splunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shellsSplunk: Forward me the REST of those shells
Splunk: Forward me the REST of those shells
 
Performance management
Performance managementPerformance management
Performance management
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
Security for devs
Security for devsSecurity for devs
Security for devs
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 

Plus de TEST Huddle

Why We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- AccentureWhy We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- AccentureTEST Huddle
 
Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar TEST Huddle
 
Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway TEST Huddle
 
Being a Tester in Scrum
Being a Tester in ScrumBeing a Tester in Scrum
Being a Tester in ScrumTEST Huddle
 
Leveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional TestsLeveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional TestsTEST Huddle
 
Using Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test WorkUsing Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test WorkTEST Huddle
 
Big Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New HeightsBig Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New HeightsTEST Huddle
 
Will Robots Replace Testers?
Will Robots Replace Testers?Will Robots Replace Testers?
Will Robots Replace Testers?TEST Huddle
 
TDD For The Rest Of Us
TDD For The Rest Of UsTDD For The Rest Of Us
TDD For The Rest Of UsTEST Huddle
 
Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)TEST Huddle
 
Creating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger EnterprisesCreating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger EnterprisesTEST Huddle
 
Is There A Risk?
Is There A Risk?Is There A Risk?
Is There A Risk?TEST Huddle
 
Are Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test CoverageAre Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test CoverageTEST Huddle
 
Growing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for TestersGrowing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for TestersTEST Huddle
 
Do we need testers on agile teams?
Do we need testers on agile teams?Do we need testers on agile teams?
Do we need testers on agile teams?TEST Huddle
 
How to use selenium successfully
How to use selenium successfullyHow to use selenium successfully
How to use selenium successfullyTEST Huddle
 
Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey TEST Huddle
 
Practical Test Strategy Using Heuristics
Practical Test Strategy Using HeuristicsPractical Test Strategy Using Heuristics
Practical Test Strategy Using HeuristicsTEST Huddle
 
Using Selenium 3 0
Using Selenium 3 0Using Selenium 3 0
Using Selenium 3 0TEST Huddle
 
New Model Testing: A New Test Process and Tool
New Model Testing: A New Test Process and ToolNew Model Testing: A New Test Process and Tool
New Model Testing: A New Test Process and ToolTEST Huddle
 

Plus de TEST Huddle (20)

Why We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- AccentureWhy We Need Diversity in Testing- Accenture
Why We Need Diversity in Testing- Accenture
 
Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar Keys to continuous testing for faster delivery euro star webinar
Keys to continuous testing for faster delivery euro star webinar
 
Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway Why you Shouldnt Automated But You Will Anyway
Why you Shouldnt Automated But You Will Anyway
 
Being a Tester in Scrum
Being a Tester in ScrumBeing a Tester in Scrum
Being a Tester in Scrum
 
Leveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional TestsLeveraging Visual Testing with Your Functional Tests
Leveraging Visual Testing with Your Functional Tests
 
Using Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test WorkUsing Test Trees to get an Overview of Test Work
Using Test Trees to get an Overview of Test Work
 
Big Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New HeightsBig Data: The Magic to Attain New Heights
Big Data: The Magic to Attain New Heights
 
Will Robots Replace Testers?
Will Robots Replace Testers?Will Robots Replace Testers?
Will Robots Replace Testers?
 
TDD For The Rest Of Us
TDD For The Rest Of UsTDD For The Rest Of Us
TDD For The Rest Of Us
 
Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)Scaling Agile with LeSS (Large Scale Scrum)
Scaling Agile with LeSS (Large Scale Scrum)
 
Creating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger EnterprisesCreating Agile Test Strategies for Larger Enterprises
Creating Agile Test Strategies for Larger Enterprises
 
Is There A Risk?
Is There A Risk?Is There A Risk?
Is There A Risk?
 
Are Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test CoverageAre Your Tests Well-Travelled? Thoughts About Test Coverage
Are Your Tests Well-Travelled? Thoughts About Test Coverage
 
Growing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for TestersGrowing a Company Test Community: Roles and Paths for Testers
Growing a Company Test Community: Roles and Paths for Testers
 
Do we need testers on agile teams?
Do we need testers on agile teams?Do we need testers on agile teams?
Do we need testers on agile teams?
 
How to use selenium successfully
How to use selenium successfullyHow to use selenium successfully
How to use selenium successfully
 
Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey Testers & Teams on the Agile Fluency™ Journey
Testers & Teams on the Agile Fluency™ Journey
 
Practical Test Strategy Using Heuristics
Practical Test Strategy Using HeuristicsPractical Test Strategy Using Heuristics
Practical Test Strategy Using Heuristics
 
Using Selenium 3 0
Using Selenium 3 0Using Selenium 3 0
Using Selenium 3 0
 
New Model Testing: A New Test Process and Tool
New Model Testing: A New Test Process and ToolNew Model Testing: A New Test Process and Tool
New Model Testing: A New Test Process and Tool
 

Dernier

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 

Dernier (20)

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 

The 3 Top Techniques for Web Security Testing Using a Proxy

  • 1. Three Techniques for Web Security Testing Using a Proxy Paco Hope, Cigital paco@cigital.com Twitter: @pacohope
  • 2. About Me • Consultant 13 years • Software security: code, design, risk • Financial, gaming, retail • Source code, architecture, security testing • (ISC)² European Advisory Council • CISSP and CSSLP exam item author • Author: 2 books + 1 chapter • OWASP Mobile Top Ten contributor • BS and MS in Computer Science • Passionate about software testers as an untapped resource in software security
  • 3. Goals • Understand the proxy • HTTP and HTTPS • How to configure and run it • Intercept some requests and modify them • Intercept some replies and modify them
  • 4. Functional Testing vs. Security Testing Testing against the design/requirements is not enough: Stories, Requirements, Features, Design Actual implementation Missing features (found in functional testing) Potential security vulnerabilities (not found in functional tests) Boundary condition analysis (edge and corner cases) Security testers must think “outside the box”
  • 6. Requests and Responses GET / HTTP/1.1 Host: www.cigital.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,applicati on/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive HTTP/1.1 200 OK Date: Thu, 03 Jul 2014 10:24:38 GMT Server: Apache X-Powered-By: PHP/5.5.10 X-Pingback: http://www.cigital.com/xmlrpc.php Link: <http://www.cigital.com/>; rel=shortlink Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Content-Length: 27893 [HTML document] Client¹ Sends Server Responds ¹ ”client” can be a browser, mobile device, or anything making HTTP requests
  • 7. HTTP Requests GET /training/ HTTP/1.1 Host: www.cigital.com User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 Accept: text/html,application/xhtml+xml,applicat ion/xml;q=0.9,*/*;q=0.8 Accept-Language: en-gb,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://www.cigital.com/ Cookie: __utma=269626595.872944553.1402325345.14 02909557.1404383087.3; [truncated...] Connection: keep-alive Structure o Method/path/protocol version o Headers • User-agent and referrer may not always be there • Browser includes all the cookies it has for the site to which it connects
  • 8. HTTP/1.1 200 OK Date: Thu, 20 Mar 2014 17:05:51 GMT Server: Apache/1.2.34 (Debian) X-Powered-By: PHP/1.2.3-4+deb7u7 X-Pingback: http://www.cigital.com/xmlrpc.php Link: <http://www.cigital.com/?p=4370>; rel=shortlink Vary: Accept-Encoding Content-Type: text/html; charset=UTF-8 Set-Cookie: name=value Set-Cookie: name2=value2; Expires=Wed, 09 Jun 2021 10:18:14 GMT Connection: Keep-Alive [HTML document] Structure: • Headers first • Blank line • Content Response codes: • 200 OK • 404 Not Found HTTP Responses
  • 9. URL Encoding http://example.com/test?url=http://www.cigital.com/ à http://example.com/test?url=http%3A%2F%2Fwww.cigital.com %2F Important to consider when modifying requests in web security tests: http://www.example.com/request.php?param1=abc+123&param2=A&B param1 = param2 = URL encoding is applied in HTTP messages to URL parameters and HTML form data. “abc 123” “A”
  • 10. RESTful Web Services • Parameters are usually a part of the path: http://example.com/customers/1234 • HTTP methods used: RESTful web services use HTTP in a slightly different way to normal web pages: Method Resource collection Resource item GET List items in collection Get representation of item PUT Replace collection Update/replace item POST Create item in collection Create sub-item under current item DELETE Delete entire collection Delete item Resource  collection Resource  item
  • 11. Cookies • Are sent back with all requests to the domain from which they were set • Are stored by client (mobile phone, browser, etc.) and used until they expire • Survive browser/computer/device restart • Session cookies have no expiration and live as long as the browser process is running
  • 12. Server  response HTTP/1.1 200 OK … Set-Cookie: session=id; secure; httpOnly Set-Cookie: cookie2=persistent; Expires=Wed, 09 Jun 2021 10:18:14 GMT Subsequent  client  request GET /index.html HTTP/1.1 … Cookie: session=id; cookie2=persistent Cookies
  • 13. Detour into HTTPS (TLS/SSL) • Simply protects the channel from eavesdroppers • Modest authenticity check on web server • If the app is buggy/vulnerable, then TLS just makes connections opaque • Example: • 4 people in a coffee shoppe/at the office on the same wifi • One goes to a web site • What can the others see?
  • 16. Vulnerabilities and HTTPS GET /vulnerable/thing HTTP GET /vulnerable/thing HTTPS
  • 18. HTTP Proxies • Speed up Internet access • Filter undesirable or malicious content • Prevent data leakage • Provide anonymity Intermediaries between clients and servers and may be used for several good reasons:
  • 19. HTTP Proxy Types Three main types of HTTP proxies: Forward proxy Reverse proxy Open proxy
  • 20. What We’re Doing: Local Proxy Your Browser Proxy The Network / Internet Web Site to Test Inside Your Computer / Laptop
  • 21. Another Possibility Your Browser Proxy The Network / Internet Web Site to Test Inside Your Computer / Laptop Mobile Device
  • 23. Installing • Two proxies worth considering • ZAP (“Zed Attack Proxy”) from OWASP • 100% Free • https://www.owasp.org/index.php/OWASP_Zed_Atta ck_Proxy_Project • Burp Suite: commercial • Free Version (lacks advanced security tools) • £239 / $349 / €329 per user per year • https://www.portswigger.net/ We’ll look at Burp today
  • 24. BUILDING SECURITY IN Demo 1 WebGoat and Burp Config 1. Start WebGoat 2. Start Burp 3. Disable Intercept 4. Change Burp Port 5. Configure Firefox 6. Do a couple requests 7. Examine them
  • 25. • Most software uses your operating system proxy settings • You might not have rights to change it • It’s a pain to test when EVERYTHING YOU DO goes through the proxy Why I Use Firefox for Proxy-Based Testing
  • 26. • Lots of apps use port 8080 • Tomcat • WebGoat • Specialist software • Proxy (Burp/ZAP) is often easier to change • Setting the OS proxy is disruptive • Might need to set “upstream proxy” to use your corporate proxy Other Possible Pitfalls
  • 27. What Is Proxying Good For? • Bypassing client-side protections • Exploring client-side behaviour • Examining data in transit
  • 28. BUILDING SECURITY IN Demo 2 Intercept and Tamper With a Request 1. Improper Error Handling Lesson 2. Intercept the Login Request 3. Remove the Password Parameter
  • 29. BUILDING SECURITY IN Demo 3 Intercept a Response 1. WebGoat AJAX -> XML 2. Load Lesson 3. Turn on Intercept 4. Submit Account Number 5. Intercept Request 6. Intercept Response 7. Edit Response 8. Forward Edited Response
  • 31. • This is way off the “happy path” • Allows better coverage of errors, edge cases, etc. • Bypasses client-side checks The Value of A Proxy
  • 32. • Manual testing • Can spend a lot of time for few (spectac- ular) results • May require deep insight into the app Disadvantages
  • 33. Resources in This Webinar Resource URL Burp Suite https://portswigger.net/ OWASP WebGoat https://github.com/WebGoat OWASP Zed AttackProxy (ZAP) https://www.owasp.org/index.php/OWASP_Zed_ Attack_Proxy_Project Firefox Web Browser https://mozilla.com/
  • 34. The best time to plant an oak tree was twenty years ago. The next best time is now. —Ancient Proverb Paco Hope, CISSP, CSSLP paco@cigital.com Twitter: @pacohope