Advisory Services. Web Application Assessment


Advisory Services. Web Application Assessment. March 2009

Agenda
- Definitions
- Landscape of current web applications
- Required skills
- Attack surface
- Scope
- Methodology
- Soft skills

Definitions
- Black box testing
- White box testing
- Grey box testing
- What about code reviews?

Landscape: Typical Application
- Client: JavaScript, VB, ActionScript; AJAX/JSON user experience
- Server: C#, VB, PHP, Java, ColdFusion, Perl, Ruby
- Web services: SOAP, WSDL, UDDI
- Database: Oracle, MySQL, MS SQL, Postgres
- LDAP: AD, Novell, Sun
- Does this list scare you?

All this and more
- RegEx
- URL, Hex, Base64, Unicode encoding
- HTML encoding
- SQL syntax
- XML
- LDAP
- All of this in addition to the basics like HTML, CSS, HTTP, HTTPS, IIS/Apache, SSL

RegEx Examples
- ^SELECT
- S%65L%65CT
- ^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$
- '[0-9]\{1,3\}\.[0-9]\{1,3\}.[0-9]\{1,3\}.[0-9]\{1,3\}'

Encoding Examples
- URL encoding: 'or 1=1-- becomes %27%6f%72%20%31%3d%31%2d%2d
- Base64: password becomes cGFzc3dvcmQ=
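The two slides above are the point of the "required skills" section: a signature such as ^SELECT applied to raw request bytes misses S%65L%65CT, and the same goes for double encoding, so a reviewer (or a WAF) has to decode before matching. The block below is an added example, not material from the deck: it carries the slide's patterns into Python (the '|' alternations in the SSN regex, lost in extraction, are restored; every dot in the IP pattern is escaped, unlike the slide's grep form), decodes the slide's URL-encoded and base64 samples, and the function names `normalize`, `matches_select`, `looks_like_ssn`, `first_ipv4` and `decode_base64_token` are chosen here.

```python
import base64
import re
from urllib.parse import unquote

# The slide's patterns. The SSN regex here has its '|' alternations restored;
# the IP pattern escapes every dot so that '.' cannot match any character,
# which it does in the slide's grep form where two dots are unescaped.
SELECT_SIG = re.compile(r"^SELECT", re.IGNORECASE)
SSN_RE = re.compile(r"^(?!000)([0-6]\d{2}|7([0-6]\d|7[012]))([ -]?)(?!00)\d\d\3(?!0000)\d{4}$")
IPV4_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")

def normalize(value, max_rounds=3):
    """Percent-decode until the value stops changing, so double encoding
    (%2527 -> %27 -> ') is undone before any signature is applied."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def matches_select(value):
    """(raw_hit, normalized_hit): the raw check misses S%65L%65CT,
    the check on the normalized value does not."""
    return bool(SELECT_SIG.search(value)), bool(SELECT_SIG.search(normalize(value)))

def looks_like_ssn(value):
    """True if the value has the shape the slide's SSN regex accepts."""
    return SSN_RE.match(value) is not None

def first_ipv4(text):
    """First dotted-quad-looking token in the text, or None."""
    hit = IPV4_RE.search(text)
    return hit.group(0) if hit else None

def decode_base64_token(token):
    """Decode a base64-looking cookie or hidden-field value; None if it is not base64."""
    padded = token + "=" * (-len(token) % 4)   # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
```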

Attack Surface
- Client: Browser, AJAX, Flash, Plugins
- Server: Web server (Apache, IIS, Sun One)
- Web Application: Forms; Cookies; Query parameters; File upload/download; "Contact Us" functionality; Business logic; Concurrency; Web services

Start with the Scope
- Take a monumental task, and confine it
- URL or IP address
- Client-side, or just server/application?
- What to test for?
- How to perform those tests?

Methodology
Reconnaissance -> Document -> Mapping -> Document -> Plan -> Document -> Test -> Document -> Exploit -> Document

Reconnaissance
- External (e.g. Google)
- From the site: Platform (e.g. Windows/IIS); Development technology(ies) (e.g. .NET with JavaScript); SSL and weak ciphers; robots.txt and crossdomain.xml
- Map the application (spider): Enumerate directories/files; Determine functionality; Locate entry points; Look for comments and hidden fields

Tools Landscape
- Gooscan, Fierce, Maltego
- Web scanners: Nikto, Burp, AppScan, Hailstorm
- General web assessment tools: Burp Suite, WebScarab
- Firefox add-ons: Firebug & Firecookie, TamperData, JSView
- OWASP LiveCD, Samurai
- Focused tools: HTTPrint, Wmap, DirBuster, SSLDigger

Post Information Gathering
- Analyze accumulated results from all tools
- Document the application
- Look for areas of vulnerability: Authentication/Authorization; Cookie attributes (Expires, Path, Domain, and Secure); Traversal; Injection; XSS; CSRF; Application logic; Concurrency and race conditions
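The cookie attributes listed on the slide (Expires, Path, Domain, Secure) are the ones a reviewer reads off each Set-Cookie header in the proxy log. As an added example that is not part of the deck, the block below audits such headers with the standard library's SimpleCookie and reports the usual concerns; the sample headers are constructed, HttpOnly is included because it is the other flag a reviewer checks alongside Secure, and `audit_set_cookie` and `audit_all` are names chosen here.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, standing in for what a proxy log would show.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly",
    "remember=xyz; Expires=Wed, 21 Oct 2015 07:28:00 GMT; Domain=.example.com; Path=/",
    "prefs=blue; Path=/app",
]

def audit_set_cookie(header, site_is_https=True):
    """Findings (strings) for one Set-Cookie header; an empty list means no concerns."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, m in jar.items():
        # Without Secure the browser also sends the cookie over plain HTTP.
        if site_is_https and not m["secure"]:
            findings.append(f"{name}: no Secure flag")
        # Without HttpOnly any injected script can read the cookie value.
        if not m["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by script")
        # A leading-dot Domain shares the cookie with every subdomain.
        if m["domain"].startswith("."):
            findings.append(f"{name}: Domain={m['domain']} covers all subdomains")
        # Expires or Max-Age makes the cookie persist across browser restarts.
        if m["expires"] or m["max-age"]:
            findings.append(f"{name}: persistent cookie")
        # Path narrows where it is sent, but is not a security boundary
        # between applications on the same origin.
        if m["path"] not in ("", "/"):
            findings.append(f"{name}: scoped to Path={m['path']}")
    return findings

def audit_all(headers, site_is_https=True):
    """Map each cookie name to its findings, for the assessment write-up."""
    return {h.split("=", 1)[0]: audit_set_cookie(h, site_is_https) for h in headers}
```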

Post Information Gathering (2)
- Determine how users are authenticated, and look for user contexts to reverse engineer the authorization scheme
- Document the important web functions, associated pages, and parameters
- Document the application and logic flow
- Use all of this information to create a plan of exploit, to seek out vulnerabilities

Finding the Cool Stuff
- Automated vs. manual: let's avoid the flame wars!
- This is where the methodology helps
- Let the automated tools do some of the digging and heavy lifting for you
- That still leaves plenty for you to manually test

What is the cool stuff?
- Injection
- XSS
- CSRF

SQLi
- Assumptions: you know the basics of SQL; you know the basics of SQLi
- 3 classes: In-band, Out-of-band, Inferential
- How do you test for it?
- How do you validate?

SQLi Starts at Home
Source: http://xkcd.com/327/

SQL Injection Types
- Error: ask the DB a question that will produce an error, and examine the error to glean information.
- Union: use the SQL UNION statement to combine two SELECT statements. Useful for data extraction.
- Blind: ask the DB only true/false questions, and measure the response based on the type of page returned, or the time it took to respond.

SQLi Tools
- Mieliekoek.pl: uses the output from HTTrack for its target list; looks for ODBC in the output; configurable SQLi syntax
- SQLMap: Python command line tool; blind and union SQLi; can use Burp or WebScarab logs for the target list
- Wapiti: set of Python scripts for testing SQLi, CRLF, XSS, and others
- Absinthe: GUI tool that can aid in the download of the schema and contents of a database; does not find SQL injection points; uses blind injection techniques, or error-based for SQL Server
- SQL Inject Me: Firefox add-on to test for error-based SQLi
- SQLiX: OWASP Perl command line tool to test for error-based and blind SQL injection; it can run exploits as well
- SQL Power Injector: .NET based tool to find and exploit SQLi; focuses on blind injection, but does not try to locate the vulnerability

Mitigating and Preventing SQLi
- Validating input: ' or 1=1--; ' or 2=2--; ' or 1 in (select @@version)--
- Parameterized queries
- Stored procedures: really?
- Web application firewalls: really?
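The slides on injection types and on mitigation come together in one small experiment: the same lookup written with string concatenation and with a parameterized query, fed the tautology probes from the mitigation slide. This is an added example, not code from the deck; it uses an in-memory SQLite table constructed here (the SQL Server @@version probe is left out because SQLite has no such variable), and `make_db`, `lookup_vulnerable`, `lookup_parameterized` and `probe_differs` are names chosen for it. It also shows how a tester validates a finding, and how a developer validates the fix: a tautology probe returning more rows than an exact-match baseline.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """The pattern the deck warns about: input concatenated into the SQL text,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    """The fix: a placeholder. The driver binds the input as a value,
    so it can never change the structure of the query."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

# Validation probes from the mitigation slide (tautologies: both always true).
PROBES = ["' or 1=1--", "' or 2=2--"]

def probe_differs(lookup, conn):
    """True if any tautology probe returns more rows than a baseline lookup of a
    name that does not exist: the signal that input is reaching the SQL parser."""
    baseline = lookup(conn, "nobody")
    return any(len(lookup(conn, p)) > len(baseline) for p in PROBES)
```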

Other Injection Types
- LDAP
- XPath
- OS
- Tools?
- How do you test for it?

Cross Site Scripting (XSS)
- Reflected vs. stored: which is more dangerous?
- DOM-based XSS
- How do you test for these?
- Automated tools?

Cross Site Request Forgery
- How does this differ from XSS?
- Subtle
- Preventable
- How do you test for it?

XSS and CSRF
- Understand the Same-Origin Policy
- Understand Adobe's recent cross-domain policy
- Understand the nuances of these policies, and how different browsers interpret those nuances

Soft Skills
- Documentation
- Understand risk, business risk
- Communication
- Scope: testing windows, methodology, etc.
- Expectations
- Time management

References
- Advanced SQL Injection In SQL Server Applications, Chris Anley (NGS Software)
- Advanced SQL Injection, Joe McCray
- Web Application Disassembly with ODBC Error Messages, David Litchfield
- Cross Site Scripting Explained, Amit Klein
- Cross Site Request Forgeries: Exploitation and Prevention, Zeller and Felten
- OWASP web site
- OWASP Testing Guide v3