See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)

1. WhatYou Need to Know About Web
App Security Testing in 2018
Ken De Souza
STP Community Webinar, January 2018
V. 1.4
Twitter: @kgdesouz
blog.tkee.org

2. Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html

4. GET https://[redacted].com/orchestration_1111/gdc/
BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-
NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/
Paris&TimeFrom=2014-09-27T09:15:21

6. GET https://[redacted].com/orchestration_1111/gdc/
BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-
NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/
Paris&TimeFrom=2014-09-27T09:15:21

7. Source: https://youtu.be/Nt33m7G_42Q

8. CVE-2017-5638
March 2017
CVE-2017-9805
4 September 2017

9. Source: https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security, https://
nakedsecurity.sophos.com/2017/09/08/equifax-data-breach-what-you-need-to-know/

10. Source: https://github.com/mazen160/struts-pwn_CVE-2017-9805

11. Source: ‪https://news.ycombinator.com/item?id=15233399

12. Source: https://krebsonsecurity.com/
2017/09/ayuda-help-equifax-has-my-data/

13. This is a practical / experience talk.
These are the tools I use on a daily(ish)
basis when I'm testing software.
Your mileage may vary.

14. This topic is HUGE
The tools don’t replace thinking.

15. Common terminology
Learn something about the threats
Demos of tools
Explain the risks to stake holders
Where to go next

16. "security, just like disaster recovery, is a
lifestyle, not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849

17. STRIDE(identification)
DREAD(classification)
OWASP Top 10 (attack vectors)

18. OWASP ZAP
(Web application vulnerability analysis)
Dependency Check
(3rd party vulnerability analysis)

19. nmap / Wireshark / tcpdump
(network analysis)
Microsoft Threat
Modeling
(communication)

20. Application
Security
Risks
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

21. STRIDE
Spoofing Tampering Repudiation
Information
Disclosure
Denial of
Service
Elevation of
Privilege
Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx

22. Sources: https://www.owasp.org/index.php/Application_Threat_Modeling
http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
Type Security Control Examples
Spoofing Authentication I am Spartacus
Tampering Integrity Looks like Johnny got an A!
Repudiation
Non-
Repudiation
Didn’t Johnny have a B?
Information
disclosure
Confidentiality Johnny’s SSN is…
Denial of
service
Availability Please try again later.
Elevation of
privilege
Authorization sudo rm –rf /home/johnny

23. DREAD
Damage Reproducibility Exploitability
Affected
users
Discoverability
Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx

24. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Developer point of view….
DREAD
Parameter
Rating Rationale
Damage
Potential
5
An attacker could read and alter data in the
product database.
Reproducibility 10 Can reproduce every time.
Exploitability 2
Easily exploitable by automated tools found on
the Internet.
Affected Users 1 Affects critical administrative users
Discoverability 1
Affected page “admin.aspx” easily guessed by
an attacker.
Overall Rating 3.8

25. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Tester point of view…
DREAD
Parameter
Rating Rationale
Damage
Potential
10
An attacker could read and alter data in the
product database.
Reproducibility 10 Can reproduce every time.
Exploitability 10
Easily exploitable by automated tools found on
the Internet.
Affected Users 10 Affects critical administrative users
Discoverability 10
Affected page “admin.aspx” easily guessed by
an attacker.
Overall Rating 10

26. STRIDE /
DREAD
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

27. OWASP Top 10,
2017
Source: https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf

28. OWASP Top 10
Open Web Application Security Project

29. A1: Injection
http://example.com/app/accountView?
id='
A2: Broken Authentication
Using known passwords (from various
public lists)
Allowing insecure (not strong)
passworrd (e.g.: Password1)
A3: Sensitive Data Exposure
SSL not being used
Meltdown
Bad programming
A4: XML External Entities
(new)
<node attrib='foo''/>
A5: Broken Access Control http://example.com/app/accountInfo?
acct=notmyacct
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

30. A6: Security
Misconfiguration
Default admin account enabled;
directories shown on site;
Stack traces shown to users;
A7: Cross Site Scripting
(XSS)
<script>alert('test');</script>
A8: Insecure Deserialization
(new)
Typical data tampering attacks, such
as access-control-related attacks,
where existing data structures are
used but the content is changed.
A9: Using Components with
known vulnerability
Not patching your 3rd party sh*t
A10: Insufficient Logging &
Monitoring (new)
Monitoring unauthorized access;
Alerting on potential breaches;
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

31. nmap
crt.sh
dig

32. nmap
what ports are open? Where can you attack?
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

34. Source: crt.sh

35. Source: dig -f shopify-urls.txt +noall +answer

36. Source: shodan.io

37. Wireshark
tcpdump

38. Network packet / protocol analysis tool
Allows users to capture network traffic
from any interface, like Ethernet,Wifi,
Bluetooth, USB, etc

39. Why use Wireshark?
It is a great tool to debug your
environment
Help to examine potential security
problems

41. docker run -e
"SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080
"dhatanian/ticketmagpie"
This container has LOTS of vulnerabilities,
designed for learning about web security
Source: Docker running “Ticket magpie” (https://github.com/dhatanian/ticketmagpie)

42. Wireshark
Look at red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

43. Demo

46. tcpdump:
Look at red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

47. Why use tcpdump?
Use this when you can’t use
Wireshark
Great for servers

48. tcpdump -lnni eth0
-w dump -s 65535 host web01
and port 80

49. OWASP ZAP

50. Why use OWASP ZAP?
Can be used to find many of the top 10
exploits
Can be quick integrated into you manual
or automated workflow
Can be used in active or passive mode

51. OWASP ZAP
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

55. Demo

56. Dependency Check

57. What is it?
Checks your application for 3rd party
software
Looks to see if there are any known
vulnerabilities and gives you suggestions
on how to fix them

60. Threat Modeling

61. What is it?
A way to analyze and communicate
security related problems
This is a much larger topic than we have
time for
… but I’ll give you the basics

62. Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now
have the basics to be able to build a model

63. Threat Modeling:
Communicating it…
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.

64. Threat Modeling
Step 1: Enumerate
– Product functionality
– Technologies used
– Processes
– Listening ports
– Process to port mappings
– Users processes that running
– 3rd party applications / installations

65. Threat Modeling
Step 2: Data flow with boundaries
Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat-
modeling-you-apps.aspx

66. Demo

67. Threat Modeling
Can be done at various stages of the SDLC
https://www.checkmarx.com/wp-content/uploads/2014/10/SecurityintheSDLC.png

68. netstat
nslookup
ps
browser dev tools
BurpSuite

69. All these tools, help to answer the question
Is your application secure?

70. Where to go next?

74. Bug bounties

75. Practice
https://thetestdoctor.wordpress.com/2016/10/11/introducing-ticket-magpie/

76. Practice
https://xss-game.appspot.com

77. To conclude…

78. Be aware and prepare yourself for the
worst.
Coming up with a plan is important
Understanding attack vectors is
important

79. Thanks!

81. References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/
preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/
security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-
web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://
www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-
vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-
application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
• Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
• Struts Bug Explained: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-
what-you-need-to-know/