Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Similar documents
Web Application Security. Philippe Bogaerts

Aguascalientes Local Chapter. Kickoff

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Application Penetration Testing

Your Turn to Hack the OWASP Top 10!

Web Application Threats and Remediation. Terry Labach, IST Security Team

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

OWASP Top 10 The Ten Most Critical Web Application Security Risks

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Certified Secure Web Application Engineer

C1: Define Security Requirements

Sichere Software vom Java-Entwickler

Copyright

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Welcome to the OWASP TOP 10

CSWAE Certified Secure Web Application Engineer

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

F5 Application Security. Radovan Gibala Field Systems Engineer

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

1 About Web Security. What is application security? So what can happen? see [?]

Solutions Business Manager Web Application Security Assessment

Securing Your Company s Web Presence

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Application vulnerabilities and defences

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

EasyCrypt passes an independent security audit

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

TIBCO Cloud Integration Security Overview

OWASP TOP 10. By: Ilia

Introduction to Ethical Hacking

Security Course. WebGoat Lab sessions

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Applications Security

Application Layer Security

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

COMP9321 Web Application Engineering


OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Security. Thierry Sans

CIS 4360 Secure Computer Systems XSS

WebGoat& WebScarab. What is computer security for $1000 Alex?

COMP9321 Web Application Engineering

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

Bank Infrastructure - Video - 1

Exploiting and Defending: Common Web Application Vulnerabilities

GOING WHERE NO WAFS HAVE GONE BEFORE

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Curso: Ethical Hacking and Countermeasures

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Application Security Approach

SECURITY TESTING. Towards a safer web world

Web Application Vulnerabilities: OWASP Top 10 Revisited

WEB SECURITY: XSS & CSRF

Web Application Security GVSAGE Theater

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

WebGoat Lab session overview

OpenID Security Analysis and Evaluation

eb Security Software Studio

COMP9321 Web Application Engineering

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

HP 2012 Cyber Security Risk Report Overview

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Web Security. Web Programming.

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

CSCD 303 Essential Computer Security Fall 2017

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Simplifying Application Security and Compliance with the OWASP Top 10

16th Annual Karnataka Conference

CSCE 813 Internet Security Case Study II: XSS

Secure Development Guide

Application. Security. on line training. Academy. by Appsec Labs

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

A D V I S O R Y S E R V I C E S. Web Application Assessment

Information Security. Gabriel Lawrence Director, IT Security UCSD

Web Applications Penetration Testing

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

6-Points Strategy to Get Your Application in Security Shape

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Certified Secure Web Application Security Test Checklist

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Transcription:

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1

Who is this guy? Andrew Muller (Ionize) IT Security consultant to the stars Chapter Leader of Canberra OWASP Project Leader of OWASP Testing Guide Member of IT 012 04 Security Techniques Member of IT 015 26 What s he talking about? Background Issues Methodologies Tools Common vulnerabilities Canberra, Australia 2

Why security testing? Why security testing? Canberra, Australia 3

Why security testing? Why is this happening? Functional requirements are KING Security is a non functional requirement and diminishes usability Some of the dysfunction is cultural Canberra, Australia 4

How do we fix it? Where does security fit? Canberra, Australia 5

Perception of Security Perception of Developers Canberra, Australia 6

Perception of Business Security testing methodologies Most of us have a robust test cycle System and integration testing is methodical Security testing hasn t been so rigourous Security is just another set of test cases Canberra, Australia 7

Security testing methodologies What do we want from a methodology? Accountability What was tested? Where are the results? Repeatability Will the next test be the same as this one? Thoroughness How do I know everything has been tested? Canberra, Australia 8

Tools Several HTTP intercepting proxies Webscarab Paros BurpSuite Tamperdata (Firefox plugin) Test Automation There are bunch of commercial tools IBM AppScan HP s WebInspect Aspect s Acunetix And free tools Burp Suite (also offers commercial version) Paros Nikto So which one is the best? Canberra, Australia 9

Test Automation SAMATE Software Assurance Metrics And Tool Evaluation (http://samate.nist.gov) Found that the best tools find 33% of software vulnerabilities. All of the tools together could detect 50% of software vulnerabilities. Sorry, how much? Canberra, Australia 10

OWASP Top 10 2010 Injection Flaws Cross Site Scripting (XSS) Broken Authentication and Session Management Insecure Direct Object Reference Cross Site Request Forgery (CSRF) Security Misconfiguration Insecure Cryptographic Storage Failure to Restrict URL Access Insufficient Transport Layer Protection Unvalidated Redirects and Forwards Injection occurs when user supplied data is sent to an interpreter as part of a command or query. XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. Account credentials and session tokens are often not properly protected. A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. A CSRF attack forces a logged on victim's browser to send a pre authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Web applications rarely use cryptographic functions properly to protect data and credentials. Frequently, an application only protects sensitive functionality by preventing the display of links or URLs to unauthorized users. Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications. Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages Reflected Cross Site Scripting An attack needs user interaction Identify parameter inputs that are reflected to the browser <SCRIPT SRC=http://www.kimjong-un.com/ronery.js></SCRIPT> <SCRIPT>alert( xss )</SCRIPT> <IMG SRC= javascript:alert( xss ); > Canberra, Australia 11

Cross Site Scripting detection Stored Cross Site Scripting Same as reflected but persistent Watering hole attack Visit website and browser is compromised Usual suspects are guestbooks and user comments Canberra, Australia 12

SQL injection Identify probable inputs to database queries Login pages Search pages SQL injection detection Canberra, Australia 13

SQL injection detection Detection is as simple as The inclusion of this query delimiter throws an exception Standard SQL injection Consider a typical authentication database query SELECT * FROM Users WHERE Username='$username' AND Password='$password Username input is ' or 1=1-- Query becomes SELECT * FROM Users WHERE Username='' or 1=1-- ' AND Password='$password Query is always true, usually authenticating as the first record in the Users table Canberra, Australia 14

User enumeration Common/default usernames admin, test, guest Guessable username structure Developer/tester accounts in production Error responses from login application Invalid user Invalid password Bypass authentication schema Forced browsing Only the login page verifies login status Parameter modification http://server/login.asp?authenticated=no Session identifier prediction SQL injection Canberra, Australia 15

Bypass session management schema Session is typically implemented using cookies Cookie collection What generates and consumes cookies? Cookie analysis Session token structure and predictability Cookie structure and lifetime Cookie manipulation Session fixation Session cookie set upon accessing application New session cookie not set upon successful authentication Session cookie can be fixed using other vulnerabilities Canberra, Australia 16

Cross Site Request Forgery Trick an authenticated to execute a malicious action Login as a valid user Have user execute pregenerated request to perform function Canberra, Australia 17

Canberra, Australia 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback