SlideShare une entreprise Scribd logo

Web Security Testing Training With Examples

Télécharger en tant que PPTX, PDF
Alwin Thayyil
Alwin Thayyil

This slide is for people who are new to security testing. This shows the basic examples to perform web application attacks.

Technologie
1  sur  47
Security Testing Training With Examples ALWIN JOSEPH THAYYIL
What is Security Testing • Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform. • It also helps in detecting all possible security risks in the system and help developers in fixing these problems through coding • Security testing is vital for e-commerce website that store sensitive customer information like credit cards.
Why web application security is of high importance • Web applications are increasing day by day • Most web applications are vulnerable. • 98 % of the web applications are vulnerable . • 78 % of easily exploitable weakness occur in web applications.
Types of web application vulnerabilities  Security Testing is deemed successful when the below attributes of an application are intact • Authentication • Authorization • Client side attacks • Command Execution • Information Disclosure • Logical Attacks
Authentication – Stealing user account identities  The Authentication section covers attacks that target a websites method of validating the identity of a user.  To confirm that something or someone is authentic – true to the claims.  The digital identity of a user is validated and verified.  Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.  Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.  Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.
Authorization – illegal access to applications  The Authorization section covers attacks that target a web sites method of determining if a user has the necessary permissions to perform a requested action.  Is the Person allowed to do this operation  Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.  Credential / Session Prediction is a method of hijacking or impersonating a user .
Client side attacks – illegal execution of foreign code • Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.  Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.
Command Execution – hijacks control of web application  SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.  Buffer Overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Information Disclosure – shows sensitive data to attackers  The Information Disclosure section covers attacks designed to acquire system specific information about a web site.  Information leakage : Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.  Path traversal : The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
Logical Attacks – interfere with application usage  Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent access control mechanisms.  Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
Burp Suite  Burp Suite is an integrated platform for performing security testing of web applications.  The Burp Suite is made up of tools
Burp Suite  Proxy: It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.  Spider: Burp Spider is a tool for mapping web applications.  Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications.  Intruder: For performing powerful customized attacks to find and exploit unusual vulnerabilities.  Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.  Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data.  Limitations of tools: Unrealistic expectations from the tool & People depend on the tool a lot.
Configure your browser
Brute force attack (Ex For Authentication vulnerabilities) • Brute Force Attack  Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.  The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.
Brute force attack (Ex For Authentication vulnerabilities) This is a web application having vulnerabilities. I am going to explain brute force attack with the help of burp suite.
Brute force attack Then send it to intruder
Brute force attack
Brute force attack Then select the payloads and attack type.
Brute force attack  Give the payload 1 datas. Here in this example I had given only some values actually you can upload username and password lists from outside.
Brute force attack Give the payload 2 datas and from intruder give the attack.
Brute force attack Check the request and response of payloads having maximum length variation
Brute force attack Now the brute force attack is successfully launched with the username admin and password password.
Password Passing to server( Ex for Information leakage ) • Password Passing to server The password should be encrypted while being transmitted over the network. In the below example password between server and client is being passed in clear text during the registration process.
Session Hijacking (Ex for Session Management) This test is to check whether the cookie can be reused in another computer during the log-in phase. 1. Login in the application and capture the request in that valid session along with the authenticated URL:
Session Hijacking (Ex for Session Management) Then copy it to a notepad
Session Hijacking (Ex for Session Management) • Open the new browser and go to the authenticated URL captured in step 1. Then, capture the request and replace the cookie with earlier captured cookie value:
Session Hijacking (Ex for Session Management) Successfully launched the session hijacking attack.
Directory Scanning (Ex for Authorization)  This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.  http://demo.guru99.com/Security/SEC_V1/index.php  A small example for directory scanning can be shown from this site  Here the login credentials are user id: 1303 and pass:Guru99.  This is an ordinary customer login, having the rights to view his payments fund transfer etc. he is not having the permission to add, edit or delete other customers data. Enter the below url in the browser and check Now customer can add new customers.  http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php  I hope you checked it and understand how to perform it.
File uploads  Only valid files should be permitted for uploading.  http://demo.guru99.com/Security/SEC_V1/customer/contactus.php  In the above link the upload file menu, currently accepts any file format including exe,php, js, etc. A malicious user can upload a virus or executable file and using  The file size should also be checked so that users do not upload large files which would eat up the server space.
Forceful browsing A malicious user can access the complete application from different browsers without login. How to perform: Log in to an application then copy the url now paste it in another browser and check whether user is logging in or redirected to the login page. Recommendation: The application must implement proper session/cookie management on the server side, to ensure strict access control. This would avoid any user in directly copy-pasting of the link to get unauthorized access into the internal pages.
Audi trail Implementation  An Audit trail should be incorporated in the application, where all user activities have to be logged.
Phishing attacks  Phishing. It is a technique that uses trickery and deceit to obtain private data from users. A hacker may try to impersonate a genuine website such as yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.  http://bank.83answers.com/  http://demo.guru99.com/Security/SEC_V1/index.php
SQL Injection  SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.  The targeted site to perform sql injection is dvwa
SQL Injection  Enter User ID, click submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (click right on the request and choose “Send to Intruder”).
SQL Injection  A penetration tester can create his own list of payloads or use an existing one. Exemplary payloads can be found, for example, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let’s use SQL.txt from this location to test the parameter id for SQL injection vulnerability.
SQL Injection  It might suggest that more data was read from the database. Let’s check the response for this payload.
SQL Injection  As we can see, this payload can be used to extract first names and surnames of all users from the database.
XSS  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.  There are two types of injection active and passive.
XSS How to test XSS:  Visit the page of the website you wish to test for XSS vulnerabilities  Enter some appropriate input in to the web application and submit the request.
XSS  Alternatively, return to the Proxy "Intercept" tab and right click on the request to bring up the context menu.  Click "Send to Repeater".
XSS  Go to the "Repeater" tab.  Here we can input various XSS payloads in to the input field of a web application. We can test various inputs by editing the "Value" of the appropriate parameter in the "Raw" or "Params" tabs.
XSS  The "Response" section of the "Repeater" tab shows the response from the server.
XSS  Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your browser.  Enter the payload into the input field and submit the request.  Assess the response in the browser to check that the payload has performed as expected.
Dos attack A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, Consider a functionality (such as registration) which typically does not require authentication. An attacker can easily place a heavy load on the server by simulate multiple registration operations and by feeding in arbitrarily huge input data through the registration fields, thus placing further load on the server and also consuming database connections. This could cause the server to crash or slow down to a crawl.
Other Security Checks • Session Time out • Session should terminate when user is gone through an error page • Auto fill should be off • Check whether application is able to view the authenticated page using back button of the browser • Check whether It is possible to view the contents of the authenticated pages by fetching the page from the browser cache memory and history. • User should not have the option to remember password as this may give unauthorized access to malicious users.
References  https://www.owasp.org/index.php/  dvwa  http://searchsecurity.techtarget.com/  http://demo.guru99.com/Security/SEC_V1/index.php
THANK YOU

Recommandé

Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 

Recommandé

Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical HackingS.E. CTS CERT-GOV-MD
 
Burp suite
Burp suiteBurp suite
Burp suiteSOURABH DESHMUKH
 
Penetration testing
Penetration testingPenetration testing
Penetration testingAmmar WK
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationshipn|u - The Open Security Community
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
Command injection
Command injectionCommand injection
Command injectionpenetration Tester
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Security testing
Security testingSecurity testing
Security testingRihab Chebbah
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Owasp zap
Owasp zapOwasp zap
Owasp zappenetration Tester
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 

Contenu connexe

Tendances

What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?ONE BCG
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testingEngr Md Yusuf Miah
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Security testing
Security testingSecurity testing
Security testingbaskar p
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing RomSoft SRL
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Shubham Gupta
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 

Tendances (20)

What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
Analysis of web application penetration testing
Analysis of web application penetration testingAnalysis of web application penetration testing
Analysis of web application penetration testing
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Security testing
Security testingSecurity testing
Security testing
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Command injection
Command injectionCommand injection
Command injection
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
Security testing
Security testingSecurity testing
Security testing
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Owasp zap
Owasp zapOwasp zap
Owasp zap
 
Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016Bug Bounty #Defconlucknow2016
Bug Bounty #Defconlucknow2016
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Security Testing
Security TestingSecurity Testing
Security Testing
 

Similaire à Web Security Testing Training With Examples

Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Domain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptxDomain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptxInfosectrain3
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptxVIRAJDEY1
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfDigital Auxilio Technologies
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...appsec
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET Journal
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Manjyot Singh
 

Similaire à Web Security Testing Training With Examples (20)

Security Testing
Security TestingSecurity Testing
Security Testing
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
C01461422
C01461422C01461422
C01461422
 
Domain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptxDomain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptx
 
T04505103106
T04505103106T04505103106
T04505103106
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
 
05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application Vulnerabilities
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approach
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!
 

Dernier

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 

Dernier (20)

Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 

Web Security Testing Training With Examples

  • 1. Security Testing Training With Examples ALWIN JOSEPH THAYYIL
  • 2. What is Security Testing • Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform. • It also helps in detecting all possible security risks in the system and help developers in fixing these problems through coding • Security testing is vital for e-commerce website that store sensitive customer information like credit cards.
  • 3. Why web application security is of high importance • Web applications are increasing day by day • Most web applications are vulnerable. • 98 % of the web applications are vulnerable . • 78 % of easily exploitable weakness occur in web applications.
  • 4. Types of web application vulnerabilities  Security Testing is deemed successful when the below attributes of an application are intact • Authentication • Authorization • Client side attacks • Command Execution • Information Disclosure • Logical Attacks
  • 5. Authentication – Stealing user account identities  The Authentication section covers attacks that target a websites method of validating the identity of a user.  To confirm that something or someone is authentic – true to the claims.  The digital identity of a user is validated and verified.  Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.  Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.  Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.
  • 6. Authorization – illegal access to applications  The Authorization section covers attacks that target a web sites method of determining if a user has the necessary permissions to perform a requested action.  Is the Person allowed to do this operation  Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.  Credential / Session Prediction is a method of hijacking or impersonating a user .
  • 7. Client side attacks – illegal execution of foreign code • Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.  Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.
  • 8. Command Execution – hijacks control of web application  SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.  Buffer Overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
  • 9. Information Disclosure – shows sensitive data to attackers  The Information Disclosure section covers attacks designed to acquire system specific information about a web site.  Information leakage : Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.  Path traversal : The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
  • 10. Logical Attacks – interfere with application usage  Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent access control mechanisms.  Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
  • 11. Burp Suite  Burp Suite is an integrated platform for performing security testing of web applications.  The Burp Suite is made up of tools
  • 12. Burp Suite  Proxy: It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.  Spider: Burp Spider is a tool for mapping web applications.  Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications.  Intruder: For performing powerful customized attacks to find and exploit unusual vulnerabilities.  Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.  Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data.  Limitations of tools: Unrealistic expectations from the tool & People depend on the tool a lot.
  • 14. Brute force attack (Ex For Authentication vulnerabilities) • Brute Force Attack  Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.  The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.
  • 15. Brute force attack (Ex For Authentication vulnerabilities) This is a web application having vulnerabilities. I am going to explain brute force attack with the help of burp suite.
  • 16. Brute force attack Then send it to intruder
  • 18. Brute force attack Then select the payloads and attack type.
  • 19. Brute force attack  Give the payload 1 datas. Here in this example I had given only some values actually you can upload username and password lists from outside.
  • 20. Brute force attack Give the payload 2 datas and from intruder give the attack.
  • 21. Brute force attack Check the request and response of payloads having maximum length variation
  • 22. Brute force attack Now the brute force attack is successfully launched with the username admin and password password.
  • 23. Password Passing to server( Ex for Information leakage ) • Password Passing to server The password should be encrypted while being transmitted over the network. In the below example password between server and client is being passed in clear text during the registration process.
  • 24. Session Hijacking (Ex for Session Management) This test is to check whether the cookie can be reused in another computer during the log-in phase. 1. Login in the application and capture the request in that valid session along with the authenticated URL:
  • 25. Session Hijacking (Ex for Session Management) Then copy it to a notepad
  • 26. Session Hijacking (Ex for Session Management) • Open the new browser and go to the authenticated URL captured in step 1. Then, capture the request and replace the cookie with earlier captured cookie value:
  • 27. Session Hijacking (Ex for Session Management) Successfully launched the session hijacking attack.
  • 28. Directory Scanning (Ex for Authorization)  This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.  http://demo.guru99.com/Security/SEC_V1/index.php  A small example for directory scanning can be shown from this site  Here the login credentials are user id: 1303 and pass:Guru99.  This is an ordinary customer login, having the rights to view his payments fund transfer etc. he is not having the permission to add, edit or delete other customers data. Enter the below url in the browser and check Now customer can add new customers.  http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php  I hope you checked it and understand how to perform it.
  • 29. File uploads  Only valid files should be permitted for uploading.  http://demo.guru99.com/Security/SEC_V1/customer/contactus.php  In the above link the upload file menu, currently accepts any file format including exe,php, js, etc. A malicious user can upload a virus or executable file and using  The file size should also be checked so that users do not upload large files which would eat up the server space.
  • 30. Forceful browsing A malicious user can access the complete application from different browsers without login. How to perform: Log in to an application then copy the url now paste it in another browser and check whether user is logging in or redirected to the login page. Recommendation: The application must implement proper session/cookie management on the server side, to ensure strict access control. This would avoid any user in directly copy-pasting of the link to get unauthorized access into the internal pages.
  • 31. Audi trail Implementation  An Audit trail should be incorporated in the application, where all user activities have to be logged.
  • 32. Phishing attacks  Phishing. It is a technique that uses trickery and deceit to obtain private data from users. A hacker may try to impersonate a genuine website such as yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.  http://bank.83answers.com/  http://demo.guru99.com/Security/SEC_V1/index.php
  • 33. SQL Injection  SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.  The targeted site to perform sql injection is dvwa
  • 34. SQL Injection  Enter User ID, click submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (click right on the request and choose “Send to Intruder”).
  • 35. SQL Injection  A penetration tester can create his own list of payloads or use an existing one. Exemplary payloads can be found, for example, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let’s use SQL.txt from this location to test the parameter id for SQL injection vulnerability.
  • 36. SQL Injection  It might suggest that more data was read from the database. Let’s check the response for this payload.
  • 37. SQL Injection  As we can see, this payload can be used to extract first names and surnames of all users from the database.
  • 38. XSS  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.  There are two types of injection active and passive.
  • 39. XSS How to test XSS:  Visit the page of the website you wish to test for XSS vulnerabilities  Enter some appropriate input in to the web application and submit the request.
  • 40. XSS  Alternatively, return to the Proxy "Intercept" tab and right click on the request to bring up the context menu.  Click "Send to Repeater".
  • 41. XSS  Go to the "Repeater" tab.  Here we can input various XSS payloads in to the input field of a web application. We can test various inputs by editing the "Value" of the appropriate parameter in the "Raw" or "Params" tabs.
  • 42. XSS  The "Response" section of the "Repeater" tab shows the response from the server.
  • 43. XSS  Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your browser.  Enter the payload into the input field and submit the request.  Assess the response in the browser to check that the payload has performed as expected.
  • 44. Dos attack A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, Consider a functionality (such as registration) which typically does not require authentication. An attacker can easily place a heavy load on the server by simulate multiple registration operations and by feeding in arbitrarily huge input data through the registration fields, thus placing further load on the server and also consuming database connections. This could cause the server to crash or slow down to a crawl.
  • 45. Other Security Checks • Session Time out • Session should terminate when user is gone through an error page • Auto fill should be off • Check whether application is able to view the authenticated page using back button of the browser • Check whether It is possible to view the contents of the authenticated pages by fetching the page from the browser cache memory and history. • User should not have the option to remember password as this may give unauthorized access to malicious users.
  • 46. References  https://www.owasp.org/index.php/  dvwa  http://searchsecurity.techtarget.com/  http://demo.guru99.com/Security/SEC_V1/index.php