1. Security testing
prepared by Tatiana
Semenchenko
Minsk 2013

2. Why invest in testing now
instead of just responding to an
attack after it happens?

3. Negatively impacts by an attack:
Loss of customer confidence
Harm to your brand
Disturbance to your online means of revenue
collection
Web-site downtime, time loss and expenditures in
repairing damage done (reinstalling services,
restoring from backups)
Cost associated with securing web applications
against future attacks
Related legal fees and implications for having such
lax security measures in place

4. Security testing
Security testing is a process to
determine that an information system
protects data and maintains functionality
as intended.

5. Purposes of security testing
Finding out loopholes that can cause loss
of important information and allow any
intruder enter into the system.
Improving the current system and also
ensuring that the system will work for
longer time.
Ensuring that people in your organization
understand and obey security policies.

6. Security Concepts
Confidentiality – not public access
Authentication
– passwords
Authorization – permissions
Integrity
– no unwilled changes
Availability – any time as need
Non-repudiation –
recipient cannot deny
having received the message

7. Main definitions:
Threat: "A potential violation of security" - ISO 7498-2
Impact: consequences for an organization or
environment when an attack is realized, or weakness is
present.
Attack: a well-defined set of actions that, if
successful, would result in either damage to an asset, or
undesirable operation.
Vulnerability: is a weakness which allows an
attacker to reduce a system's information assurance.
Weakness: a type of mistake in software that, in
proper conditions, could contribute to the introduction of
vulnerabilities within that software.

8. National Vulnerabilities Database
CVE (Common Vulnerabilities and Exposures)
http://nvd.nist.gov
/

9. Vulnerabilities Classification
by SDLC Phase
SDLC (Software Development Life Cycle)
Phase of SDLC
Categories of
Vulnerabilities
Example
Designing
Design vulnerabilities
TCP/IP vulnerabilities
Implementation
Implementation
vulnerabilities
buffer overflow
Operation
Configuration
vulnerabilities
Password less then 6
symbols

10. SQL Injection
SQL injection is a code injection technique,
mostly known as an attack vector for websites
but can be used to attack any type of SQL
database.

11. SQL Injection (continuance)
Attacker can login without entering ‘password’.

12. Сross Site Sсriрting
Cross-site scripting (XSS) enables attackers to
inject client-side script into Web pages viewed by
other users.
Non-Persistent XSS Attack
Attack requires a user to visit the specially crafted
link by the attacker. When the user visit the link, the
crafted code will get executed by the user’s browser.
Persistent XSS Attack
Code injected by the attacker will be stored in a
secondary storage device (mostly on a database).
The damage caused by Persistent attack is more
than the non-persistent attack.

13. Example 1 of CSS
<html>
<body>
<h1>New Job Posting</h1>
<h2> Job Description</h2>
<hr/>
Secure Web Developer Needed
<body>
<html>
--------------------------------------------<html>
<body>
<h1>New Job Posting</h1>
<h2> Job Description</h2>
<hr/>
Secure Web Developer Needed
<script>/*something evil*/</script>
<body>
<html>

14. Example 2 of CSS
<script>alert()</script>
Overlay the Login screen with their own, allowing attacks to harvest
Usernames and Passwords.

15. Social Engineering
Social Engineering is a psychological manipulation of
people into performing actions or divulging confidential
information.
Phishing is a social engineering technique of fraudulently
obtaining private information.
What to look for in a phishing email
Generic greeting
Forged link (for ex. http instead of https)
Requests personal information
Sense of urgency

16. Vulnerabilities 2011-2012

17. Specific vulnerabilities for websites
on different programming languages
2011-2012
PHP
ASP.NET
JAVA
Cross-Site Request Forgery
73 %
35 %
35 %
SQL Injection
61 %
22 %
-
Cross-Site Scripting
43 %
39 %
-
Insufficient Anti-Automation
42 %
35 %
-
Path Traversal
42%
-
Application Misconfiguration
-
17 %
29 %
Insufficient Authorization
-
-
41 %
Insufficient Authentication
-
-
29 %
OS Commanding
-
-
29 %

18. Vulnerabilities 2011-2012

19. Security testing cycle
Risk assessment - creating a threat model
Security auditing - using the threat model to
probe the system design
Vulnerability scanning - using software to
probe the system implementation.
Penetration testing - trying to hack into the
system, either externally or internally.
Operational testing - some or all of the above
after the system is in production.

20. Vulnerability scanning
Network Scanning Software identifies weak
networking device settings (e.g., vulnerable ports left open,
default passwords)
Web Application Scanning software identifies weak
web application settings, failure to implement patches to
known web application vulnerabilities etc.
Database Scanning Software
identifies similar
weaknesses in database management systems and
database applications.
One list of Scanning Software and Vendors can be found at:
http://www.timberlinetechnologies.com/products/vulnerability.html

21. Penetration testing
Network
Outside (Internet) / Inside (Intranet)
Information for tester
Black-box / White-box
Information for Staff
Black Hat / White Hat
Cпециальное ПО — программы, реализующие
обнаруженные уязвимости, т. н. «эксплойты».
Metasploit Framework - распространенный программный
продукт c открытым исходным кодом.
http://www.metasploit.com/

22. Fuzzing
Fuzz testing or fuzzing is a software
testing technique, often automated or semiautomated, that involves providing invalid,
unexpected, or random data to the inputs of a
computer program.
Can be useful in generating data for Code-Injections.

23. ‘Security Test Plan’
A security evaluation should be performed for the
software.
Security requirements should be established for the
software development and/or operations and
maintenance (O&M) processes.
Each software review, or audit should include an
evaluation of the security requirements.
A configuration management and corrective
action process is in place to provide security for the
existing software.
Any proposed changes should do not inadvertently
create security violations or vulnerabilities.
Physical security for the software should be adequate.

24. Check List for Security testing
•
•
•
1. Try to directly access bookmarked web page without login to the system.
2. Verify that system should restrict you to download the file without sign in on the system.
3. Verify that previous accessed pages should not accessible after log out i.e. Sign out and then press the Back
button to access the page accessed before.
•
4. Check the valid and invalid passwords, password rules say cannot be less than 6 characters, user id and password
cannot be the same etc.
•
5. Verified that important i.e. sensitive information such as passwords, ID numbers, credit card numbers, etc should
not get displayed in the input box when typing. They should be encrypted and in asterix format.
•
6 .Check Is bookmarking disabled on secure pages? Bookmarking Should be disabled on secure pages.
•
7. Check Is Right Click, View, Source disabled? Source code should not be visible to user.
•
8. Is there an alternative way to access secure pages for browsers under version 3.0, since SSL is not compatible
with those browsers?
•
9. Check does your server lock out an individual who has tried to access your site multiple times with invalid
login/password information?
•
10. Verify the timeout condition, after timeout user should not able to navigate through the site.
•
11. Check Are you prevented from doing direct searches by editing content in the URL?
•
12. Verify that relevant information should be written to the log files and that information should be traceable.
•
13. In SSL verify that the encryption is done correctly and check the integrity of the information.
•
14. Verify that restricted page should not be accessible by user after session time out.
•
15. ID / password authentication, the same account on different machines cannot log on at the same time. So at a
time only one user can login to the system with a user id.
•
16. ID / password authentication methods entered the wrong password several times and check if the account gets
locked.
•
17. Add or modify important information (passwords, ID numbers, credit card number, etc.). Check if it gets
reflected immediately or caching the old values.
•
18. Verify that Error Message does not contain malicious info so that hacker will use this information to hack web
site.
http://tfortesting.wordpress.com/category/scecurity-testing/

25. Security testing
Security testing
is a process to determine that an information system
protects data and maintains functionality as intended.
Main security concepts:
Confidentiality
Integrity
Availability
Main security testing methods:
Vulnerability scanning
Penetration testing

26. Links:
1. http://www.securitylab.ru/blog/personal/evteev/30927.php
2. http://www.fiddlerontheroot.com/why-its-important
3. http://en.wikipedia.org/wiki/Software_security_assurance
4. http://www.phishtank.com/what_is_phishing.php
5. http://www.youtube.com/watch?v=1eQd7GCOpp4
6. http://www.altoros.com/security_and_load_testing.html
7. http://cwe.mitre.org/documents/glossary/index.html#Weakness