Slide 1

Slide 1 text

Getting started with Security Testing Of Web applications! - Abinaya and Sravanthi

Slide 2

Slide 2 text

Why is security even important?

Slide 3

Slide 3 text

A few hacks and breaches of 2016:
- Union Bank was hacked
- Millions of Google accounts were hit by the Gooligan malware
- LinkedIn (credentials from its 2012 breach resurfaced for sale)

Slide 4

Slide 4 text

OWASP (Open Web Application Security Project) and its Top 10 list of web application risks. The ten categories that follow are those of the OWASP Top 10 2017 release candidate.

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

1. INJECTION
- Any source of data can be an injection vector
- Often found in SQL, XPath or NoSQL queries
- It occurs when the application sends untrusted data to an interpreter as part of a command or query, so that the data is parsed as code
- For example, an attacker can execute malicious SQL statements that control the web application's database server

Slide 7

Slide 7 text

Example

Slide 8

Slide 8 text

URL: http://example.com/app/accountView?id=10' or '1'='1

Query as built by the application (the id parameter concatenated into the SQL string):
SELECT * FROM accounts WHERE userId = '10' OR '1'='1' --' AND password = 'something'

Query as executed (the -- comments out the password check, and '1'='1' is true for every row):
SELECT * FROM accounts WHERE userId = '10' OR '1'='1'

(In MySQL the comment marker must be followed by a space, i.e. "-- ".)

Slide 9

Slide 9 text

How to prevent?
- Use parameterised queries (prepared statements): data is bound to placeholders and can never change the structure of the statement; this is the primary defence
- Escape inputs before adding them to a query only where parameterisation is not possible, using the escaping routine of the specific database
- Whitelist (allowlist) input validation: accept only the characters and formats a field legitimately needs, e.g. a numeric id must match [0-9]+
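The slide's injection and its two main fixes, side by side, as an added example (not code from the slides). It assumes a constructed in-memory SQLite "accounts" table; passwords are stored in plain text only to mirror the slide's query, a real application stores a salted, slow hash.

```python
import re
import sqlite3

# Constructed sample data standing in for the "accounts" table on the slide.
SAMPLE_ACCOUNTS = [
    ("10", "alice", "s3cret"),
    ("11", "bob", "hunter2"),
    ("12", "carol", "correct-horse"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (userId TEXT, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id, password):
    """Builds the query by string concatenation: untrusted data becomes SQL."""
    sql = (
        "SELECT username FROM accounts "
        f"WHERE userId = '{user_id}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, user_id, password):
    """Same query with bound parameters: the driver passes the values separately,
    so the input can never change the structure of the statement."""
    sql = "SELECT username FROM accounts WHERE userId = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (user_id, password))]


USER_ID_RE = re.compile(r"[0-9]{1,10}")


def is_valid_user_id(value):
    """Allowlist validation: a user id is only ever a short decimal number."""
    return USER_ID_RE.fullmatch(value) is not None


def demo():
    conn = make_db()
    # The attacker-controlled id from the slide: '1'='1' is true for every row
    # and "--" comments out the password check that follows.
    injected = "10' OR '1'='1' --"
    return {
        "vulnerable": lookup_vulnerable(conn, injected, "something"),
        "parameterised": lookup_parameterised(conn, injected, "something"),
        "validation_rejects": not is_valid_user_id(injected),
    }


if __name__ == "__main__":
    print(demo())
```

With the injected id the concatenated query returns every account, the parameterised query returns nothing (the id is compared as a literal string), and the allowlist check rejects the input before it reaches the database at all.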

Slide 10

Slide 10 text

2. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
- Authentication details (credentials) are not protected, e.g. passwords stored in plaintext or with a weak hash
- Easily guessable credentials
- Session IDs in the URL
- Session IDs don't time out
- Passwords, session IDs and credentials are sent over unencrypted connections

Slide 11

Slide 11 text

Example
http://onlinepurchase.com/products/discount/jsessionid=82ASDFASDFASDASDF2/product=pendrive

The session ID is part of the URL, so it ends up in browser history, bookmarks, proxy and server logs, and in the Referer header sent to any third-party site the page links to; anyone who obtains the URL can take over the session.

Slide 12

Slide 12 text

How to prevent?
- Enforce strong password policies and store passwords with a salted, slow hash
- Restrict the number of login attempts (lockout or rate limiting)
- Session IDs should be long, random and unpredictable (generated by a cryptographic RNG), carried in a cookie rather than the URL, issued afresh on login and expired after a timeout
- Add no-cache headers for authentication pages
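The prevention list above as working code, added here as an example rather than code from the slides: salted PBKDF2 password storage, a login-attempt lockout, random session IDs from the OS CSPRNG, idle expiry, a cookie (not URL) carrier for the ID, and no-cache headers for the login page. The class name, constants and the injected clock are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

SESSION_IDLE_TIMEOUT = 15 * 60   # seconds before an idle session is discarded
MAX_FAILED_ATTEMPTS = 5          # failures before the account is locked
LOCKOUT_SECONDS = 10 * 60


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


class AuthService:
    """Minimal login/session service; 'clock' is injected so tests can advance time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._users = {}      # username -> (salt, digest)
        self._sessions = {}   # session id -> {"user": ..., "last_seen": ...}
        self._failures = {}   # username -> (failed_count, locked_until)

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Returns a fresh random session id, or None on failure or lockout."""
        now = self._clock()
        failed, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return None
        stored = self._users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, digest = stored if stored else (b"\x00" * 16, b"")
        _, candidate = hash_password(password, salt)
        if not stored or not hmac.compare_digest(candidate, digest):
            failed += 1
            if failed >= MAX_FAILED_ATTEMPTS:
                failed, locked_until = 0, now + LOCKOUT_SECONDS
            self._failures[username] = (failed, locked_until)
            return None
        self._failures.pop(username, None)
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": username, "last_seen": now}
        return sid

    def resolve(self, session_id):
        """Maps a session id to a username, discarding idle sessions."""
        now = self._clock()
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[session_id]
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, session_id):
        self._sessions.pop(session_id, None)

    def is_locked(self, username):
        return self._clock() < self._failures.get(username, (0, 0.0))[1]


def session_cookie(session_id):
    """Set-Cookie value: the id travels in a cookie, never in the URL."""
    return f"SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


AUTH_PAGE_HEADERS = {
    # Stop browsers and proxies from caching the login page or its responses.
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Pragma": "no-cache",
}
```

The lockout is per account; a per-source-IP limit is the usual companion, since an attacker who spreads guesses across many accounts never trips a per-account counter.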

Slide 13

Slide 13 text

3. CROSS SITE SCRIPTING (XSS)
- The attacker injects client-side scripts into web pages viewed by other users
- The injected script is almost always JavaScript, and it runs with the privileges of the page: it can read document.cookie, send requests as the victim and rewrite the page

Slide 14

Slide 14 text

Example payloads (delivered inside a <script> tag or an event handler attribute):
alert("I am hacking!")
alert(document.cookie)

Slide 15

Slide 15 text

How to prevent?
- Validate user input against an allowlist, and encode output for the context it is placed in (HTML body, attribute, JavaScript, URL) so that data is never parsed as markup or script
- Set the HttpOnly flag on the session cookie (in the Set-Cookie response header) so that script cannot read it via document.cookie; this limits cookie theft but does not stop the injected script from running
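Context-aware output encoding for the slide's payload, added here as an example (not code from the slides). It goes slightly beyond the slide by showing three output contexts, HTML body, attribute and inline script, because the encoding that is correct for one is wrong for another. The payload strings and function names are constructed for the example.

```python
import html
import json
import re

# Constructed attacker inputs: the slide's cookie-stealing payload, plus one that
# breaks out of an HTML attribute without using a <script> tag at all.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" onfocus="alert(document.cookie)" autofocus="'


def render_vulnerable(comment):
    """Reflects the input unchanged into the HTML body."""
    return f'<p class="comment">{comment}</p>'


def render_escaped(comment):
    """HTML body context: < > & and quotes become entities, so the browser
    shows the payload as text instead of executing it."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value):
    """Attribute context: always quote the attribute and encode quotes inside it."""
    return f'<input type="text" name="q" value="{html.escape(value, quote=True)}">'


def render_into_script(value):
    """JavaScript context: JSON-encode the value and neutralise '</' so the
    data cannot close the surrounding <script> element early."""
    encoded = json.dumps(value).replace("</", "<\\/")
    return f"<script>var userValue = {encoded};</script>"


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value):
    """Allowlist validation for fields that have a simple legal format."""
    return USERNAME_RE.fullmatch(value) is not None
```

Validation belongs at the input boundary and encoding at the output boundary; doing only one of them leaves gaps (free-text fields cannot be validated down to a safe alphabet, and encoded data can still be stored and re-emitted unencoded elsewhere).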

Slide 16

Slide 16 text

4. BROKEN ACCESS CONTROL
- Access control restricts which users may reach which functions and content; it is broken when the application fails to enforce those restrictions on every request, e.g. by trusting a user name or object id taken from the URL
- A typical target is an administrative interface that allows site administrators to manage a site over the Internet but is also reachable by ordinary users

Slide 17

Slide 17 text

Example
http://www.brokenaccess.com/users/john/product/1/edit
http://www.brokenaccess.com/users/john/product/1/delete

If the server trusts the "john" and the "1" in the path, any other logged-in user can edit or delete John's product simply by changing them.

Slide 18

Slide 18 text

How to prevent?
- Check access on the server for every request, based on the authenticated session, not on values the client sends
- Draw up an access control matrix of users (or roles) against functions and enforce it in code
- File permissions: protect static files and directories so that they cannot be fetched by users who are not permitted to see them
- Avoid insecure IDs: do not expose predictable object identifiers (insecure direct object references) without checking that the caller is entitled to that object

Access control matrix:

           Function 1   Function 2   Function 3
User 1     Yes          No           Yes
User 2     Yes          Yes          No
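An access control matrix enforced on the slide's /users/john/product/1/edit URLs, added as an example (not code from the slides). The roles, owners and users are constructed; the decision combines the matrix (may this role call this function?) with ownership (is this the caller's object?) and never trusts the name in the path.

```python
# Constructed access control matrix in the shape of the slide's table:
# role -> set of permitted functions.
ROLE_PERMISSIONS = {
    "user":  {"product.view", "product.edit"},
    "admin": {"product.view", "product.edit", "product.delete", "admin.panel"},
}

# Constructed data: who owns which product, and each user's role.
PRODUCT_OWNERS = {1: "john", 2: "jane"}
USERS = {"john": "user", "jane": "user", "root": "admin"}

# Only these URL actions map to a function; anything else is denied.
PRODUCT_FUNCTIONS = {"view": "product.view", "edit": "product.edit", "delete": "product.delete"}


def authorize(actor, action, product_id):
    """Server-side decision: the role must permit the function AND a non-admin
    must own the object. The actor comes from the session, not the URL."""
    role = USERS.get(actor)
    if role is None:
        return False
    function = PRODUCT_FUNCTIONS.get(action)
    if function is None or function not in ROLE_PERMISSIONS[role]:
        return False
    owner = PRODUCT_OWNERS.get(product_id)
    if owner is None:
        return False
    return role == "admin" or owner == actor


def handle_request(session_user, path):
    """Parses '/users/<name>/product/<id>/<action>' and enforces access for the
    authenticated session user; <name> in the path is deliberately ignored."""
    parts = path.strip("/").split("/")
    if len(parts) != 5 or parts[0] != "users" or parts[2] != "product":
        return 404
    try:
        product_id = int(parts[3])
    except ValueError:
        return 404
    if session_user is None:
        return 401
    return 200 if authorize(session_user, parts[4], product_id) else 403
```

The returned codes distinguish "not logged in" (401) from "logged in but not allowed" (403); the important property is that the "jane" a caller types into the path changes nothing about the decision.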

Slide 19

Slide 19 text

5. SECURITY MISCONFIGURATION
- Arises when security settings are left at their defaults, or are not set to secure values, as they are defined, implemented and maintained
- Can happen at any level:
  - Platform
  - Web server
  - Application server
  - Database
  - Framework

Slide 20

Slide 20 text

Examples
- Directory listing is not disabled on the server
- Error stack traces are returned to the user from the application server
- Sample applications shipped with the application server are left installed
- Web folders have overly permissive access permissions

Slide 21

Slide 21 text

How to prevent?
- Disable default accounts and change default passwords
- Disable or remove unnecessary files and features
- Avoid displaying stack traces to users
- Keep software up to date
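A small response checker for the misconfigurations listed above, added as an example (not from the slides). It runs over constructed HTTP responses, the kind a crawler or proxy would record, and flags directory listings, stack traces, default sample applications and version disclosure in the Server header. The URLs, patterns and response bodies are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def directory_listing(r):
    # Apache and nginx autoindex pages carry this title.
    return r.status == 200 and re.search(r"<title>\s*Index of /", r.body, re.I) is not None


def stack_trace(r):
    # Python and Java stack-trace signatures on an error page.
    return r.status >= 500 and re.search(
        r"Traceback \(most recent call last\)|\bat [\w.$]+\(\w+\.java:\d+\)", r.body
    ) is not None


def sample_app(r):
    # Default applications that ship with common application servers.
    return r.status == 200 and re.match(
        r"^/(examples|docs|manager/html|sample)(/|$)", urlparse(r.url).path
    ) is not None


def version_disclosure(r):
    return re.search(r"\d+\.\d+", r.headers.get("Server", "")) is not None


CHECKS = [
    ("directory listing enabled", directory_listing),
    ("stack trace returned to user", stack_trace),
    ("sample application reachable", sample_app),
    ("server version disclosed", version_disclosure),
]


def audit(responses):
    """Returns (url, finding) pairs for every check that fires."""
    return [(r.url, name) for r in responses for name, check in CHECKS if check(r)]


# Constructed responses, modelled on what a crawler would see.
SAMPLE_RESPONSES = [
    Response("http://shop.example/uploads/", 200, {"Server": "Apache/2.4.18 (Ubuntu)"},
             "<html><head><title>Index of /uploads</title></head><body>...</body></html>"),
    Response("http://shop.example/checkout", 500, {"Server": "Apache"},
             "Traceback (most recent call last):\n  File \"app.py\", line 42, in checkout\nKeyError: 'card'"),
    Response("http://shop.example/examples/servlets/", 200, {"Server": "Apache-Coyote/1.1"},
             "<html><body><h1>Servlet examples</h1></body></html>"),
    Response("http://shop.example/", 200, {"Server": "Apache"},
             "<html><body>Welcome</body></html>"),
]
```

Checks like these are cheap to run on every deployment; the point is that a misconfiguration is usually visible from the outside long before an attacker needs any exploit.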

Slide 22

Slide 22 text

6. SENSITIVE DATA EXPOSURE
- Occurs when sensitive information is not adequately protected, at rest or in transit
- Examples: passwords, session tokens, credit card data
- Sensitive tokens exposed in public source code
- Old or weak cryptographic algorithms used (or strong algorithms used badly, e.g. unsalted hashes)

Slide 23

Slide 23 text

Example: roughly 100 million user records from Russia's social networking site VK.com were offered for sale in 2016

Slide 24

Slide 24 text

How to prevent?
- Don't store sensitive data you don't need; data that is not kept cannot be stolen
- Use strong, current encryption algorithms with properly managed keys, and store passwords with a salted, slow hash rather than a fast general-purpose hash
- Use HTTPS on authenticated pages (preferably on every page, with HSTS)
- Set no-cache headers (Cache-Control: no-store) on responses that carry sensitive data so browsers and proxies do not keep copies
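Two of the exposure paths above, secrets committed to source and weak cryptography, can be caught with a simple static scan; the scanner below is an added example (not from the slides) run over a constructed source fragment. The rules, the sample token and the header set are assumptions made for the example.

```python
import re

# Constructed source snippet standing in for a file pushed to a public repository.
# The token and password are made up for the example.
SAMPLE_SOURCE = """\
import hashlib
API_TOKEN = "tok_EXAMPLE_0123456789abcdef"
db_password = 'Summer2016!'
def check(pw, stored):
    return hashlib.md5(pw.encode()).hexdigest() == stored
cipher = DES.new(key, DES.MODE_ECB)
SALT = os.urandom(16)
"""

RULES = [
    ("hardcoded credential",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"][^'\"]{6,}['\"]")),
    ("weak hash used for passwords", re.compile(r"\b(md5|sha1)\s*\(")),
    ("weak or legacy cipher", re.compile(r"\b(DES|RC4|Blowfish)\b")),
    ("ECB mode", re.compile(r"MODE_ECB\b")),
]


def scan(source):
    """Returns (line number, rule name) for every rule that matches a line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rule in RULES:
            if rule.search(line):
                findings.append((lineno, name))
    return findings


# Response headers for pages that carry sensitive data: force HTTPS for future
# requests and keep browsers and proxies from storing the response.
SENSITIVE_RESPONSE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Cache-Control": "no-store",
}
```

A scan like this belongs in a pre-commit hook or CI job; once a token has reached a public repository the only remedy is to revoke it, because clones and forks keep the history.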

Slide 25

Slide 25 text

7. INSUFFICIENT ATTACK PROTECTION (NEW)
- Proposed as a new category in the OWASP Top 10 2017 release candidate (it did not survive into the final 2017 list)
- No protection against brute-force password attacks
- No logging of login attempts
- No logging of session initiation or completion
- No ability to deploy a fix quickly once an attack or vulnerability is detected

Slide 26

Slide 26 text

Example
An attacker runs an automated tool such as OWASP ZAP against the application to find vulnerabilities and possibly exploit them; an application that does not log or rate-limit never notices the thousands of probe requests this generates.
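The logging the category asks for is only useful if something reads it; the example below, added here and not part of the slides, parses constructed login log lines and raises an alert when one source IP accumulates too many failures inside a sliding window, and again when that IP later succeeds. The log format, thresholds and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed application log: one login attempt per line. 203.0.113.7 sprays
# guesses across many accounts, then gets in; 198.51.100.9 is a normal user.
SAMPLE_LOG = """\
2016-11-03T10:00:01Z login user=alice ip=203.0.113.7 result=FAIL
2016-11-03T10:00:02Z login user=alice ip=203.0.113.7 result=FAIL
2016-11-03T10:00:03Z login user=bob ip=203.0.113.7 result=FAIL
2016-11-03T10:00:04Z login user=carol ip=203.0.113.7 result=FAIL
2016-11-03T10:00:05Z login user=dave ip=203.0.113.7 result=FAIL
2016-11-03T10:00:06Z login user=erin ip=203.0.113.7 result=FAIL
2016-11-03T10:00:30Z login user=frank ip=198.51.100.9 result=FAIL
2016-11-03T10:00:45Z login user=frank ip=198.51.100.9 result=OK
2016-11-03T10:01:00Z login user=alice ip=203.0.113.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>OK|FAIL)$"
)
WINDOW_SECONDS = 60
FAIL_THRESHOLD = 5


def parse(log_text):
    """Turns log lines into (timestamp, user, ip, result) tuples; skips unparseable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["ip"], m["result"]))
    return events


def detect_bruteforce(events):
    """Sliding window per source IP: FAIL_THRESHOLD failures within WINDOW_SECONDS
    raises an alert; a later success from an alerting IP is reported as a likely hit."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for ts, user, ip, result in events:
        window = recent[ip]
        if result == "FAIL":
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ip not in alerted:
                alerted.add(ip)
                alerts.append((ts.isoformat(), ip, f"{len(window)} failed logins in {WINDOW_SECONDS}s"))
        elif ip in alerted:
            alerts.append((ts.isoformat(), ip, f"successful login for {user} after brute force"))
    return alerts
```

Counting per source IP rather than per account is what catches the password-spraying pattern in the sample, where no single account sees more than two failures.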

Slide 27

Slide 27 text

8. CROSS SITE REQUEST FORGERY (CSRF)
- Forces an authenticated user's browser to execute unwanted actions on the web application: the browser attaches the session cookie automatically, so a request forged from another site looks legitimate unless the application checks for something the attacker cannot supply

Slide 28

Slide 28 text

How to prevent?
- Use proper CSRF tokens: unpredictable, tied to the user's session, required on every state-changing request and verified on the server
- Set the SameSite attribute on session cookies as defence in depth
- Avoid browsing other sites while logged into a sensitive application, and log out when finished
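Session-bound CSRF tokens as described above, added as an example (not from the slides): the token is a random nonce plus an HMAC over the session ID, so a token from one session does not verify for another, and a cross-site form post, which carries the cookie but cannot carry the token, is rejected. The server key, request shape and handler name are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key; in practice loaded from configuration, never committed.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session: nonce + HMAC(key, session_id:nonce).
    Embedded in the form as a hidden field (or sent in a header by script)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recomputes the MAC for this session and compares in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_transfer(request):
    """A state-changing POST. 'request' is a constructed dict with the cookies
    and form fields the browser sent. 401: no session; 403: missing/invalid token."""
    session_id = request["cookies"].get("SESSIONID")
    if session_id is None:
        return 401
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403
    return 200
```

The attacker's page can make the victim's browser submit the form with the cookie attached, but the same-origin policy keeps it from reading the token out of the real page, which is exactly the gap the check relies on; SameSite=Lax on the session cookie stops the cookie from being attached to most cross-site POSTs in the first place.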

Slide 29

Slide 29 text

9. USING COMPONENTS WITH KNOWN VULNERABILITIES
- A component can be the OS, a CMS, the web server, plug-ins or a library; it runs with the same privileges as the application, so its vulnerabilities are the application's vulnerabilities

Slide 30

Slide 30 text

Examples
- OpenSSL's Heartbleed bug (2014): a buffer over-read in the TLS heartbeat extension that disclosed server memory, including private keys; every service linking a vulnerable version of the library was exposed
- Reuters, one of the biggest news agencies, was hacked because it ran a vulnerable version of WordPress

Slide 31

Slide 31 text

How to prevent?
- Keep an inventory of the components (and their versions) that are being used, and monitor vulnerability databases and vendor advisories for them
- Upgrade vulnerable components to fixed versions promptly, or apply a vendor patch or mitigation when upgrading is not yet possible
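The inventory check described above, added as an example (not from the slides). The inventory and the advisory feed are constructed: the component names are real projects but the version ranges are fictional, chosen only to exercise the comparison logic, including the boundary where the running version is exactly the fixed one.

```python
import re

# Constructed inventory of the components the application runs on.
INVENTORY = {"wordpress": "3.1.1", "openssl": "1.0.2", "jquery": "1.12.4", "nginx": "1.10.3"}

# Constructed advisory feed; the version ranges are fictional.
ADVISORIES = [
    {"component": "wordpress", "affected_from": "3.0",   "fixed_in": "3.1.4"},
    {"component": "openssl",   "affected_from": "1.0.1", "fixed_in": "1.0.2"},
    {"component": "jquery",    "affected_from": "1.0",   "fixed_in": "3.0.0"},
]


def parse_version(text, width=4):
    """'1.2.10' -> (1, 2, 10, 0): numeric, zero-padded tuples compare correctly
    ('1.2.10' > '1.2.9'), which plain string comparison gets wrong."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))[:width]
    return parts + (0,) * (width - len(parts))


def is_affected(version, advisory):
    """Affected range is [affected_from, fixed_in): the fixed version itself is safe."""
    v = parse_version(version)
    low = parse_version(advisory.get("affected_from", "0"))
    high = parse_version(advisory["fixed_in"])
    return low <= v < high


def check_inventory(inventory, advisories):
    """Returns (component, running version, fixed version) for every match."""
    return [
        (component, version, advisory["fixed_in"])
        for component, version in inventory.items()
        for advisory in advisories
        if advisory["component"] == component and is_affected(version, advisory)
    ]
```

Real feeds use richer version semantics (pre-release tags, distribution backports that fix a bug without changing the upstream version), so a check like this is a first filter, not a final verdict.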

Slide 32

Slide 32 text

10. UNDERPROTECTED APIs
- The use of APIs has exploded in modern software, to the point that even browser web applications are often written in JavaScript and call APIs to get their data
- Client software is easily reverse engineered and its communications intercepted, so an API cannot rely on the client to enforce anything
- Testing APIs is similar to testing other web applications; every vulnerability class above applies to them
- Like category 7, this was proposed in the OWASP Top 10 2017 release candidate and dropped from the final list

Slide 33

Slide 33 text

Example
A banking app that connects to an XML API to fetch account information and perform transactions; the API must enforce authentication, authorisation and input validation itself, because the mobile or browser client can be bypassed entirely

Slide 34

Slide 34 text

How to prevent?
- Ensure that communications between the client and your API are secured (TLS)
- Use strong authentication schemes
- Implement an access control scheme and enforce it on every API call
- Protect against injection of all forms
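Two of the items above in working form, added as an example (not from the slides): a client that signs each request with a shared secret (HMAC over method, path, timestamp and body hash) and a server that checks the signature, rejects stale timestamps and replays, and allowlist-validates the JSON body before it goes anywhere near a query. TLS is assumed underneath; the client IDs, secret, endpoint and field names are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed client credentials; a real deployment keeps these in a secret store.
CLIENTS = {"mobile-app-1": b"constructed-shared-secret-do-not-reuse"}
MAX_CLOCK_SKEW = 300  # seconds; bounds how long a captured signature stays usable


def canonical(method, path, timestamp, body):
    """What gets signed: method, path, timestamp and a hash of the body."""
    return f"{method}\n{path}\n{timestamp}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign_request(client_id, secret, method, path, body, now=None):
    """Client side: HMAC-SHA256 over the canonical request; the secret never travels."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": ts, "X-Signature": mac}


class ApiServer:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._seen = set()  # (client, timestamp, signature); a real server expires these

    def verify(self, method, path, headers, body):
        """HTTP status: 200 accepted, 401 missing/bad/stale signature, 409 replay."""
        client = headers.get("X-Client-Id")
        secret = CLIENTS.get(client)
        ts = headers.get("X-Timestamp", "")
        sig = headers.get("X-Signature", "")
        if secret is None or not ts.isdigit():
            return 401
        if abs(self._clock() - int(ts)) > MAX_CLOCK_SKEW:
            return 401
        expected = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return 401
        key = (client, ts, sig)
        if key in self._seen:
            return 409
        self._seen.add(key)
        return 200


def validate_transfer(body):
    """Allowlist validation of the JSON body before any of it reaches a query."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or set(data) != {"from", "to", "amount"}:
        return None
    if not all(isinstance(data[k], str) and data[k].isdigit() for k in ("from", "to")):
        return None
    amount = data["amount"]
    if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
        return None
    return data
```

Signing covers the body hash, so a proxy that rewrites the destination account breaks the signature; the timestamp and replay set stop a captured valid request from being submitted again. Authorisation (may this client move money from this account?) is a separate check that still has to run after the signature verifies.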

Slide 35

Slide 35 text

Security Testing Tools

Slide 36

Slide 36 text

DEMO ON ZED ATTACK PROXY

Slide 37

Slide 37 text

Questions? Concerns? Ideas?