how to do security testing

2. How To Do Security Testing ?

3. Process
Threat model / Testing / Filtering
& Reporting / Automation
Standard
Testing guide / Testing category
Test
Testing type / Testing strategy /
Open source tools

4. Before we start a security test ...
Reporting
● Filter issues
● Assess vulnerabilities
● Report and tracking
Threat Modeling
● Identify business objectives
● Understand your application
● Define threat models
Security Testing
● OWASP Testing Guide V4
● OWASP Application Security
Verification Standard (ASVS) 3.0
● (OWASP Top 10)
● Choose testing scope
● Choose testing strategy

5. Threat Modeling
Business
Impact
Asset-centric
Software-centricAttacker-centric

6. OWASP Testing Guide V4
https://www.owasp.org/index.php/Testing_Checklist

7. Testing Strategies
SAST
Static Application
Security Testing
IAST
Interactive Application
Security Testing
DAST
Dynamic Application
Security Testing

8. OWASP Testing Guide V4

9. OWASP Testing Guide V4
● Information Gathering
● Configuration and Deploy Management Testing
● Identity Management Testing
● Authentication Testing
● Authorization Testing
● Session Management Testing
● Data Validation Testing
● Error Handling
● Cryptography
● Business Logic Testing
● Client Side Testing

10. Network information
Domain / Subdomain / IP
Server information
Service / Framework / Version /
Language
Architecture
API service / Database / Cache
/ Cluster
Information Gathering

11. Information Gathering
Tools
dig / curl / whois
Nmap / Sn1per / Burp
Fingerprint /
Information leakage
OSINT
Google hacking (https://www.exploit-db.com/google-hacking-database)
Shodan (https://www.shodan.io/) / Censys (https://censys.io/)

13. ● Configuration
○ Cloud config
○ Web server config
○ Infrastructure config
○ …
● Deployment
○ Logging
○ File extensions handling
■ .git/ / .env / .DS_Store /
index.php.swp
○ Backup files
■ backup.zip / /uploads, …
○ Admin panel
Configuration and Deploy Management Testing

14. AWS S3 Information Leak
https://github.com/nagwww/s3-leaks

15. ● Config - SAST
○ Nginx configuration static analyzer:
https://github.com/yandex/gixy
○ kube-hunter:
https://github.com/aquasecurity/kube
-hunter
○ DAST: S3 scanner
● Deployment - DAST
○ Nikto2, ZAP, …
○ Self design
Configuration and Deploy Management Testing

16. ID & Auth & Auz & Session Management Testing

17. ID & Auth & Auz & Session Management Testing
Role definitions /
Account enumeration
Password policy /
Authentication schema Brute forcing
(Rate limit / Captcha)
Directory traversal
getUserProfile.jsp?item=../../../etc/passwd
Bypassing Authorization
X-Forwarded-For: 127.0.0.1Session lifecycle /
Cookie flags / CSRF

18. ID & Auth & Auz & Session Management Testing
● Tools
○ DirBuster
○ Burp, ZAP
○ Behave, Custom tools
● Roles and permission list
● API ACL testing
● Session lifecycle

19. Data Validation Testing
Cross Site Scripting (XSS)
HTTP Parameter pollution
SQL Injection /
NoSQL Injection /
Code Injection /
Command Injection /
XML Injection /
CRLF Injection / …

20. ● DAST Tools
○ sqlmap
○ Xsser
○ Nikto 2, Arachni
○ Burp, ZAP
○ ...
○ https://github.com/infobyte/faraday/w
iki/Plugin-List#list
● Too heavy
○ Know your tools
○ Split testing items
○ Choose target scope
○ Tool configuration
● Your Brain
Data Validation Testing

21. https://example.com/index.php?p=123

22. Data Validation Testing
● ?p=123’
● ?p=“><script>alert(1)</script>
● ?p=123&p=456
● ?p[]=123
● POST p=123
● ?p=string
● ?p=../../../../etc/passwd%00
● ?p=123|ls
● ?p=%0d%0a
● ?token=123
● …
https://example.com/index.php?p=123

23. Observe
Parameter name / Path name /
Response code, text
SAST
Coding Style / Source code
analysis
Graybox
SAST + DAST
Data Validation Testing

24. Error Handling & Cryptography & Client Side Testing
● Response code, Error message, DEBUG message
● Transport Layer Protection
○ https://www.ssllabs.com/ssltest/
● Client Side
○ XSS
○ JS execution
○ CORS
○ Clickjacking
● React Framework

25. Business Logic Testing
● Business logic data validation
● Race condition
● Timing attack
○ Response time of correct username & invalid username
● Tools
○ Behave

26. Software Composition Analysis (SCA)
● Do you trust 3rd party libraries ?
● Tools
○ JS libraries: https://retirejs.github.io/retire.js/
○ 3rd party libraries: https://snyk.io/
○ Container analysis: https://github.com/coreos/clair
○ Vuls: https://github.com/future-architect/vuls

27. After security testing ...

28. Vulnerability Assessment, Filtering and Report
● Filter
○ False positive, duplicate issues
● Risk Assessment
○ Common Vulnerability Scoring System (CVSS) 3.0
● Report
○ Severity, Priority, Description, Impact
○ Fix suggestion
● Integrated tools
○ DefectDojo:
https://github.com/DefectDojo/django-DefectDojo
○ JackHammer:
https://github.com/olacabs/jackhammer
○ Faraday: https://github.com/infobyte/faraday
Report
Assess
Filter

29. Golden Pipeline

30. Summary
Reporting
● Filter issues
● Assess vulnerabilities
● Report and tracking
Threat Modeling
● Identify business objectives
● Understand your application
● Define threat models
Security Testing
● OWASP Testing Guide V4
● OWASP Application Security
Verification Standard (ASVS) 3.0
● (OWASP Top 10)
● Choose testing scope
● Choose testing strategy