
Demystifying_Application_Security.pdf


Harsh Bothra

July 29, 2023


Transcript

1. Agenda
   • AppSec 101
   • Web vs API vs Mobile
   • The Pentesters' Approach
   • The Bug Hunters' Approach
   • 7 Golden Rules
   • Vulnerability Cases
   • Wrap-Up

2. What does AppSec include?
   • Web Application Security
   • Mobile Application Security
   • API Security
   • Thick Client / Desktop Application Security
   • Infrastructure Security
   • Cloud Application Security
   • IoT/IoE Application Security, etc.

3. Components of AppSec
   • Scoping the Target
   • Performing the Security Assessment
   • Automated Assessment with Tools
   • Manual Assessment
     ◦ Initial Recon and Enumeration
     ◦ Unauthenticated Testing
     ◦ Authenticated Testing
     ◦ Functionality-Specific Testing
   • Compliance Testing
   • Reporting
   • Wrap-up and Read-Out

4. The Pentesters' Approach
   Housekeeping Items:
   - Scoping Call
   - Compliance Checks
   - Reporting with Executive Summary and Risk Profiling
   - Read-Out Call
   - Post-Pentest Support
   Approach:
   - Time-Boxed Approach (you have to cover hundreds of test cases in the given pentest timeline and cannot focus on just one or two categories)
   - Recon → Unauthenticated Testing → Authenticated Testing → Test Case Coverage → Compliance Check Coverage → Final Reporting

5. The Bug Hunters' Approach
   Housekeeping Items:
   - Selecting a Scope
     - Good at Recon? → Wide Scope
     - Good at Access Controls? → Multi-Tenant / Multi-Role Applications
     - Good at Business Logic? → Go for Complex Applications
     - Good at Server-Side Attacks? → Choose SaaS Products
     Similarly, know what you are good at and approach accordingly.
   Approach:
   - No Time Boxing: if you think you found a potential issue, keep trying to exploit it; this often results in fruitful vulns.
   - Approach the test cases that you are most comfortable with.
   - Report & Reward
   - Re-testing

6. Rule 2: Value your time. Hunt where you get some reward or a new skill.