Getting started with security testing of web applications

Transcript

1. Getting started with Security Testing Of Web applications! - Abinaya

   and Sravanthi

2. Why is security even important?

3. Few Hacks and Breaches of 2016 - Union Bank was

   hacked - Millions of google accounts hit with Gooligan malware - LinkedIn

4. OWASP

5. None

6. 1. INJECTION - Any source of data can be an

   injection Vector - Often found in SQL,XPATH or NoSQL queries - It occurs when application sends untrusted data to the interpreter, - For example, Attacker can execute malicious SQL statements that control a web application’s database server.

7. Example

8. Select * from accounts where userId = ‘10’ OR ‘1’=’1’

   --’ and password = ‘something’ Executed query: Select * from accounts where userId = ‘10’ OR ‘1’=’1’ URL: http://example.com/app/accountView?id=10' or '1'='1

9. How to prevent? - Use parameterised queries - Escaping inputs

   before adding them to the query - Whitelist input validations

10. 2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT - Authentication details are

    not protected - Easily guessable credentials - Session IDs in URL - Session IDs don’t time out - Passwords, Session IDs and credentials are sent over unencrypted connections

11. Example http://onlinepurchase.com/products/discount/jsessionid=82ASDFASDFASDASDF2/ product=pendrive

12. How to prevent ? - Enforce strong password policies -

    Restricted number of attempts to login - Session IDs should be random and complicated - Add no cache tags for authentication pages

13. 3. CROSS SITE SCRIPTING - Injects client-side scripts into web

    pages - Primarily used Javascript

14. Example <script>alert(“I am hacking!”)</script> <script>alert(document.cookie)</script>

15. How to prevent? - Sanitisation or validation of user input

    - Use HttpOnly flag in the HTTP response header

16. 4. BROKEN ACCESS CONTROL - Grant access to functions and

    contents for specific users - Administrative interfaces that allow site administrators to manage a site over the Internet

17. Example http://www.brokenaccess.com/users/john/product/1/edit http://www.brokenaccess.com/users/john/product/1/delete

18. How to prevent? - Check access - Get access control

    matrix - File permissions - Insecure IDs Function 1 Function 2 Function 3 User 1 Yes No Yes User 2 Yes Yes No

19. 5. SECURITY MISCONFIGURATION - It arises when security settings are

    defined, implemented and maintained as defaults/ not set to secure values - Can happen at any level - Platform - Webserver - Application server - Database - Framework

20. Example - Directory listing is not disabled on server -

    Returning error stack trace to the user from app server - Removing sample applications that come with app servers - Provide proper access permissions on all web folders

21. How to prevent? - Disable default accounts and change passwords

    - Disable/Remove unnecessary files/features - Avoid display of stack-trace to users - Keep software up-to-date

22. 6. SENSITIVE DATA EXPOSURE - When the sensitive information is

    not adequately protected - Ex: passwords, session tokens, credit card data - Exposing sensitive token in public source code - Old/ weak cryptographic algorithm used

23. Example 100 millions user records of Russia’s social networking site

    “VK.com”

24. How to prevent? - Don’t store sensitive data - Use

    strong encryption algorithm - Use of HTTPS on authenticated pages - Set nocache headers to browsers

25. 7. INSUFFICIENT ATTACK PROTECTION (NEW) - No protection against brute

    force password attacks - No logging of login attempts - No logging of session initiation or completion - Provide quick fixes

26. Example Attacker uses automated tool like OWASP ZAP to detect

    vulnerabilities and possibly exploit them

27. 8. CROSS SITE REQUEST FORGERY (CSRF) - Forcing the authenticated

    user to execute unwanted actions on web application

28. How to prevent? - Use proper CSRF tokens - Avoid

    simultaneous browsing while logged into an application

29. 9. USING COMPONENTS WITH KNOWN VULNERABILITIES - Component can be

    OS, CMS, web server, plug-ins or library

30. Example - OpenSSL cryptographic software library has a memory leak

    bug - Reuters, one of the biggest news agency got hacked because of vulnerable version of WordPress

31. How to prevent? - Identify vulnerability in the components that

    are being used - Upgrade the components to newer versions

32. 10. UNDERPROTECTED APIS - Use of API’s has exploded in

    modern software to the point that even browser web applications are often written in JS and use API’S to get data. - Client software is easily reversed and communications interpreted. - Testing API’s is similar to testing other web applications

33. Example - A banking domain app that connects to an

    XML API for account information and performing transactions

34. How to prevent - Ensure that you have secured communications

    between the client and your API - Strong authentication schemes - Implement access control scheme - Protect against injection of all forms

35. Security Testing Tools

36. DEMO ON ZED ATTACK PROXY

37. Questions? Concerns? Ideas?