Slide 1

Demystifying Application Security
Harsh Bothra

Slide 2

Who am I?

Slide 3

Agenda
● AppSec 101
● Web vs API vs Mobile
● The Pentesters’ Approach
● The Bug Hunters’ Approach
● 7 Golden Rules
● Vulnerability Cases
● Wrap-Up

Slide 4

AppSec 101

Slide 5

What does AppSec include?
● Web Application Security
● Mobile Application Security
● API Security
● Thick Client / Desktop Application Security
● Infrastructure Security
● Cloud Application Security
● IoT/IoE Application Security, etc.

Slide 7

Components of AppSec
● Scoping the Target
● Performing the Security Assessment
● Automated Assessment with Tools
● Manual Assessment
  ○ Initial Recon and Enumeration
  ○ Unauthenticated Testing
  ○ Authenticated Testing
  ○ Functionality-Specific Testing
● Compliance Testing
● Reporting
● Wrap-up and Read-Out

Slide 8

The Pentesters’ Approach

Slide 9

The Pentesters’ Approach

Housekeeping Items:
- Scoping Call
- Compliance Checks
- Reporting with Executive Summary and Risk Profiling
- Read-Out Call
- Post-Pentest Support

Approach:
- Time-Boxed Approach (you have to cover hundreds of test cases in the given pentest timeline, so you cannot focus on just one or two categories)
- Recon → Unauthenticated Testing → Authenticated Testing → Test Case Coverage → Compliance Check Coverage → Final Reporting

Slide 10

The Bug Hunters’ Approach

Slide 11

The Bug Hunters’ Approach

Housekeeping Items:
- Selecting a Scope:
  - Good at recon? Choose a wide scope.
  - Good at access controls? Choose multi-tenant / multi-role applications.
  - Good at business logic? Go for complex applications.
  - Good at server-side attacks? Choose SaaS products.
  Similarly, know what you are good at and approach accordingly.

Approach:
- No time boxing: if you think you found a potential issue, keep trying to exploit it; this often results in fruitful vulns.
- Approach the test cases you are most comfortable with.
- Report & Reward
- Re-testing

Slide 12

7 Golden Rules

Slide 13

Rule 1: Don’t hunt blindly.

Slide 14

Rule 2: Value your time. Hunt where you get some reward or a new skill.

Slide 15

Rule 3: Know your strengths and approach accordingly.

Slide 16

Rule 4: Look out for chaining vulnerabilities to maximize the impact.

Slide 17

Rule 5: Explore the target, understand the business logic and try breaking it.

Slide 18

Rule 6: Learn, practice and start implementing. Don’t get stuck in a lab mind-set.

Slide 19

Rule 7: Seek help, collaborate and enjoy the process.

Slide 20

3 Vulnerability Cases

Slide 21

Privilege Escalation via Response Manipulation using Burp Match & Replace

Slide 22

Mass Assignment Attacks

Slide 23

Race Condition Attacks

Slide 24

Bonus: Why you should evaluate every single vulnerability request: the story of an easy account takeover.

Slide 25

Questions?

Slide 26

Thank you! :D