See the associated webinar via https://www.softwaretestpro.com/what-you-need-to-know-about-web-app-security-testing-in-2018/ (there is a youtube link here)
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
What You Need to Know About Web App Security Testing in 2018
1. WhatYou Need to Know About Web
App Security Testing in 2018
Ken De Souza
STP Community Webinar, January 2018
V. 1.4
Twitter: @kgdesouz
blog.tkee.org
16. "security, just like disaster recovery, is a
lifestyle, not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849
24. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Developer point of view….
DREAD
Parameter
Rating Rationale
Damage
Potential
5
An attacker could read and alter data in the
product database.
Reproducibility 10 Can reproduce every time.
Exploitability 2
Easily exploitable by automated tools found on
the Internet.
Affected Users 1 Affects critical administrative users
Discoverability 1
Affected page “admin.aspx” easily guessed by
an attacker.
Overall Rating 3.8
25. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Tester point of view…
DREAD
Parameter
Rating Rationale
Damage
Potential
10
An attacker could read and alter data in the
product database.
Reproducibility 10 Can reproduce every time.
Exploitability 10
Easily exploitable by automated tools found on
the Internet.
Affected Users 10 Affects critical administrative users
Discoverability 10
Affected page “admin.aspx” easily guessed by
an attacker.
Overall Rating 10
29. A1: Injection
http://example.com/app/accountView?
id='
A2: Broken Authentication
Using known passwords (from various
public lists)
Allowing insecure (not strong)
passworrd (e.g.: Password1)
A3: Sensitive Data Exposure
SSL not being used
Meltdown
Bad programming
A4: XML External Entities
(new)
<node attrib='foo''/>
A5: Broken Access Control http://example.com/app/accountInfo?
acct=notmyacct
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
30. A6: Security
Misconfiguration
Default admin account enabled;
directories shown on site;
Stack traces shown to users;
A7: Cross Site Scripting
(XSS)
<script>alert('test');</script>
A8: Insecure Deserialization
(new)
Typical data tampering attacks, such
as access-control-related attacks,
where existing data structures are
used but the content is changed.
A9: Using Components with
known vulnerability
Not patching your 3rd party sh*t
A10: Insufficient Logging &
Monitoring (new)
Monitoring unauthorized access;
Alerting on potential breaches;
Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
38. Network packet / protocol analysis tool
Allows users to capture network traffic
from any interface, like Ethernet,Wifi,
Bluetooth, USB, etc
39. Why use Wireshark?
It is a great tool to debug your
environment
Help to examine potential security
problems
40.
41. docker run -e
"SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080
"dhatanian/ticketmagpie"
This container has LOTS of vulnerabilities,
designed for learning about web security
Source: Docker running “Ticket magpie” (https://github.com/dhatanian/ticketmagpie)
42. Wireshark
Look at red/yellow lines between systems
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
50. Why use OWASP ZAP?
Can be used to find many of the top 10
exploits
Can be quick integrated into you manual
or automated workflow
Can be used in active or passive mode
57. What is it?
Checks your application for 3rd party
software
Looks to see if there are any known
vulnerabilities and gives you suggestions
on how to fix them
61. What is it?
A way to analyze and communicate
security related problems
This is a much larger topic than we have
time for
… but I’ll give you the basics
62. Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now
have the basics to be able to build a model
81. References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/
preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/
security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-
web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://
www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-
vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-
application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
• Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
• Struts Bug Explained: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-
what-you-need-to-know/