web application security & testing
Post on 28-Nov-2014
Web Application Security
Sreenath Sasikumar, QBurst
Who am I?
www.MakeMeResume.com/@sreenath
Take Away
• Understanding web application security
• How to security test web applications
• Mitigating web application security risks
• Open source tools
How web applications work
Understanding web security
Security testing web applications
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Denial of Service Testing
Information Gathering
www.google.com/robots.txt
Spiders, Robots and Crawlers
Search Engine Discovery
Google Hacking
• site:
• cache:
• inurl:
• filetype:
How to: manual searches, HackSearch
Identify Application Entry points
• GET parameters
• POST parameters
• Cookies
• Server parameters (headers)
• Files
How to: Tamper Data, WebScarab, ZAP
Web Application Fingerprinting
How to: Nikto, vulnerability scanners
Application Discovery
Different Base URL • www.example.com/abc
Different port • www.example.com:8000
Different sub domain ( Virtual host ) • abc.example.com
How to: ZAP, WebSlayer
Analysis of Error Code
Configuration Management
SSL Testing
Identify SSL ports and services. How strong is your cipher?
How to: Nmap -sV, Nessus, OpenSSL
Configuration Management Testing
• Infrastructure Configuration Management
• Application Configuration Management
Old, Backup & Unreferenced Files
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
How to: HackSearch, WebSlayer
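The robots.txt on the slide is itself a map of what the site owner wants hidden. The script below, an added example in Python rather than the talk's own material, parses the Disallow entries and expands each into the backup-copy names a tester would probe next. The robots.txt body is a constructed copy of the one above and the host name is hypothetical.

```python
"""Added example, not from the original talk: turn robots.txt Disallow
entries into a probe list for old, backup and unreferenced files.
SAMPLE_ROBOTS is a constructed copy of the slide's file; the hostname in
main() is hypothetical."""
from urllib.parse import urljoin
import urllib.request
import urllib.error

SAMPLE_ROBOTS = """User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
"""

# Suffixes that editors, deploy scripts and manual copies tend to leave behind.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".zip", ".tar.gz")


def parse_disallow(robots_txt: str) -> list:
    """Return Disallow paths in order of appearance, without duplicates."""
    seen, paths = set(), []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line.lower().startswith("disallow:"):
            continue
        path = line.split(":", 1)[1].strip()
        if path and path not in seen:                # an empty Disallow means "allow all"
            seen.add(path)
            paths.append(path)
    return paths


def backup_candidates(path: str) -> list:
    """Guess where a copy of `path` may have been left: /backup -> /backup.bak ..."""
    base = path.rstrip("/")
    return [base + suffix for suffix in BACKUP_SUFFIXES]


def probe_list(base_url: str, robots_txt: str) -> list:
    """Every Disallow path plus its backup variants, as absolute URLs."""
    urls = []
    for path in parse_disallow(robots_txt):
        urls.append(urljoin(base_url, path))
        urls.extend(urljoin(base_url, c) for c in backup_candidates(path))
    return urls


def head_status(url: str, timeout: float = 5.0) -> int:
    """Fetch one candidate with HEAD; a 200 (or a 403 on a directory) is worth a closer look."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    for url in probe_list("http://www.example.com", SAMPLE_ROBOTS):
        print(url)          # on a live target, pass each of these to head_status()
```

Only the list generation runs offline; head_status() is there for use against a target you are authorised to test. Compare the status codes and response sizes, not just a 200: many applications answer every path with a 200 and a custom "not found" page.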
Testing for HTTP Methods
• HEAD
• GET
• POST
• PUT
• DELETE
• TRACE
• OPTIONS
• CONNECT
How to: Netcat, Nikto
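What the netcat check on this slide does by hand is: send OPTIONS, read the Allow header, then try any method that should not be there. The Python below is an added example (not the talk's code) that does the same over a raw socket and additionally confirms whether TRACE echoes request headers back, which is what makes it usable for cross-site tracing. The local server in main() is a constructed stand-in for a misconfigured host; the X-Probe header name is an arbitrary canary.

```python
"""Added example, not from the original talk: OPTIONS/TRACE method check of
the kind done with netcat or Nikto.  LeakyHandler is a constructed stand-in
for a misconfigured server so the script runs against loopback."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that normally have no business being enabled on a production web app.
RISKY = {"PUT", "DELETE", "TRACE", "CONNECT"}


def raw_request(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Send a raw request (as netcat would) and return everything the server sends back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def parse_allow(response: bytes) -> set:
    """Method names listed in the Allow header of a raw HTTP response."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:              # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def risky_methods(allowed: set) -> set:
    return allowed & RISKY


def trace_reflected(response: bytes, marker: bytes) -> bool:
    """TRACE enables cross-site tracing when the server echoes our headers in a 200 body."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n")[0]
    return status_line.startswith(b"HTTP/") and b" 200" in status_line and marker in body


def check_host(host: str, port: int) -> dict:
    """OPTIONS first, then a TRACE with a canary header if TRACE is advertised."""
    opts = raw_request(host, port, f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    allowed = parse_allow(opts)
    findings = {"allowed": allowed, "risky": risky_methods(allowed), "xst": False}
    if "TRACE" in allowed:
        marker = b"X-Probe: xst-canary-7c1"        # arbitrary canary, assumed not used by the app
        req = b"TRACE / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n" + marker + b"\r\nConnection: close\r\n\r\n"
        findings["xst"] = trace_reflected(raw_request(host, port, req), marker)
    return findings


class LeakyHandler(BaseHTTPRequestHandler):
    """Constructed misconfigured server: advertises PUT/DELETE and echoes TRACE."""
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, PUT, DELETE, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


if __name__ == "__main__":
    srv = HTTPServer(("127.0.0.1", 0), LeakyHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    print(check_host("127.0.0.1", srv.server_address[1]))
    srv.shutdown()
    srv.server_close()
```

An Allow header is only what the server claims; a method missing from it may still be handled, so a thorough check also sends each RISKY method directly and records the status code. Against the constructed server the result is risky = {PUT, DELETE, TRACE} and xst = True.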
Authentication Testing
Are credentials transported over an encrypted channel?
Prevents man-in-the-middle attacks
Testing for user enumeration
Error Messages/Notifications
"Sorry, please enter a valid password"
"Sorry, please enter a valid username"
"Sorry, this user does not exist"
"Sorry, this user is no longer active"
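Each of those messages maps a login failure to a different account state, so an attacker can tell which usernames exist and which are disabled without ever knowing a password. The Python below is an added example, not the talk's code: a leaky login handler using the slide's messages, the fixed handler beside it, and the test a pentester runs to spot the oracle (group usernames by the response they get; more than one group means the form leaks). The accounts, passwords and salt are constructed.

```python
"""Added example, not from the original talk: detecting a username
enumeration oracle in login responses, with a leaky handler beside a fixed
one.  Accounts, passwords and the salt are constructed; the messages in
LEAKY are the ones quoted on the slide."""
import hashlib
import hmac
from collections import defaultdict

SALT = b"constructed-demo-salt"          # a real app stores a random salt per user
LEAKY = {
    "unknown":  "Sorry, this user does not exist",
    "inactive": "Sorry, this user is no longer active",
    "badpass":  "Sorry, please enter a valid password",
}
GENERIC = "Sorry, the username or password is incorrect"


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {                                  # constructed account table
    "alice": {"active": True,  "hash": pw_hash("correct horse battery")},
    "bob":   {"active": False, "hash": pw_hash("hunter2")},
}
# Used for unknown users so the slow hash runs on every attempt (no timing oracle either).
DUMMY = {"active": False, "hash": pw_hash("placeholder")}


def leaky_login(username: str, password: str):
    """Vulnerable: every branch tells the attacker something different."""
    rec = USERS.get(username)
    if rec is None:
        return 200, LEAKY["unknown"]
    if not rec["active"]:
        return 403, LEAKY["inactive"]
    if not hmac.compare_digest(rec["hash"], pw_hash(password)):
        return 401, LEAKY["badpass"]
    return 302, "ok"


def safe_login(username: str, password: str):
    """Fixed: one status and one message for every failure, same work on every path."""
    rec = USERS.get(username, DUMMY)
    ok = hmac.compare_digest(rec["hash"], pw_hash(password)) and rec["active"]
    return (302, "ok") if ok else (401, GENERIC)


def response_groups(login, candidates, password="not-the-password") -> dict:
    """Group usernames by (status, message).  A single group means no enumeration oracle."""
    groups = defaultdict(list)
    for user in candidates:
        groups[login(user, password)].append(user)
    return dict(groups)


def leaks_usernames(login, candidates) -> bool:
    return len(response_groups(login, candidates)) > 1


if __name__ == "__main__":
    names = ["alice", "bob", "mallory"]
    print("leaky:", response_groups(leaky_login, names))
    print("safe: ", response_groups(safe_login, names))
```

On a real form the grouping key should also include response length and time taken, since applications that have fixed the wording often still differ in those. The "forgotten password" and registration forms need the same treatment; they are the usual places an enumeration oracle survives after login has been fixed.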
Testing for Guessable Users & BruteForce Attacks
How to: John the Ripper, Hydra
Testing for CAPTCHA
Testing Session & Cookies
Authorization Testing
Testing for privilege escalation
• vertical escalation (a user gains a higher role)
• horizontal escalation (a user reaches another user's data at the same role)
www.example.com/?user=1&groupID=2
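A URL like the one above is the classic test case: change user= to another ID for horizontal escalation, change groupID= to the admin group for vertical. The Python below is an added example, not the talk's code, with a handler that trusts those parameters next to one that takes identity and role from the server-side session record only, plus the two checks a tester would run against each. The profile table, group numbers and handler interface are constructed.

```python
"""Added example, not from the original talk: horizontal and vertical
privilege-escalation checks for a ?user=1&groupID=2 style endpoint.
PROFILES, ADMIN_GROUP and the (session_user, params) handler interface are
constructed stand-ins for a real application."""

ADMIN_GROUP = 1
PROFILES = {                               # constructed: user id -> record
    1: {"name": "alice", "group": 2},
    2: {"name": "bob",   "group": 2},
    3: {"name": "root",  "group": ADMIN_GROUP},
}


def handler_vulnerable(session_user: int, params: dict):
    """Trusts user= and groupID= from the query string (the slide's URL)."""
    uid = int(params.get("user", session_user))
    gid = int(params.get("groupID", PROFILES[session_user]["group"]))
    if gid == ADMIN_GROUP:
        return 200, {"admin_view": True, "profiles": PROFILES}
    if uid not in PROFILES:
        return 404, {"error": "no such user"}
    return 200, {"admin_view": False, "profile": PROFILES[uid]}


def handler_fixed(session_user: int, params: dict):
    """Identity and role come from the authenticated session, never from the request."""
    me = PROFILES[session_user]
    is_admin = me["group"] == ADMIN_GROUP
    requested = int(params.get("user", session_user))
    if is_admin:
        return 200, {"admin_view": True, "profiles": PROFILES}
    if requested != session_user:
        return 403, {"error": "forbidden"}
    return 200, {"admin_view": False, "profile": me}


def horizontal_leaks(handler, session_user: int, victim_ids) -> list:
    """IDs of other users whose profile this session can read via ?user=<id>."""
    return [v for v in victim_ids
            if v != session_user and handler(session_user, {"user": str(v)})[0] == 200]


def vertical_leak(handler, session_user: int) -> bool:
    """True if a non-admin session gets the admin view by sending groupID=<admin>."""
    status, body = handler(session_user, {"user": str(session_user), "groupID": str(ADMIN_GROUP)})
    return status == 200 and bool(body.get("admin_view"))


if __name__ == "__main__":
    for name, h in (("vulnerable", handler_vulnerable), ("fixed", handler_fixed)):
        print(name, "horizontal:", horizontal_leaks(h, 1, PROFILES), "vertical:", vertical_leak(h, 1))
```

The check needs two real accounts at the same privilege level so that a 200 on someone else's ID is unambiguous; a 200 on a non-existent ID only tells you the application does not validate input. Run the same pair of requests against every endpoint that takes an object identifier, not just the profile page.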
Business Logic Testing
Data Validation Testing
Injections
SQL
XSS
• SQL Injection
• XSS Injection
• LDAP Injection
• XML Injection
• HTML Injection
• SSI Injection
• ORM Injection
• XPath Injection
• IMAP/SMTP Injection
• Buffer Overflow
Testing for Denial of Service
Testing for SQL Wildcard Attacks
SELECT * FROM Article WHERE Content LIKE '%foo%'
SELECT TOP 10 * FROM Article WHERE Content LIKE '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_%'
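The second query is a SQL Server pattern built from user input: the nested %, _ and [^...] groups force the LIKE matcher to backtrack through every row, so one search ties up the database. The usual fix is to escape the wildcard characters in the search term and cap its length. The Python below is an added example, not the talk's code, using an in-memory sqlite3 table as a stand-in; the escaping also covers the [ ] class syntax that only SQL Server interprets, and the article rows and length limit are constructed.

```python
"""Added example, not from the original talk: escaping LIKE wildcards so a
search term matches literally, with the vulnerable query beside the fixed
one.  sqlite3 stands in for the slide's SQL Server; ROWS and MAX_TERM_LEN are
constructed."""
import sqlite3

MAX_TERM_LEN = 64
ROWS = ["Learn 100% of SQL", "foo bar", "under_score", "plain text"]


def escape_like(term: str, escape: str = "\\") -> str:
    """Prefix every LIKE metacharacter with the escape character.
    '[' and ']' only matter on SQL Server, where they open character classes;
    escaping them elsewhere is harmless."""
    out = []
    for ch in term:
        if ch in ("%", "_", "[", "]", escape):
            out.append(escape)
        out.append(ch)
    return "".join(out)


def term_ok(term: str) -> bool:
    """Length cap: the cost of a pathological pattern grows with its length."""
    return 0 < len(term) <= MAX_TERM_LEN


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Article (Content TEXT)")
    con.executemany("INSERT INTO Article VALUES (?)", [(r,) for r in ROWS])
    return con


def search_raw(con, term: str) -> list:
    """Vulnerable: the user's text becomes part of the pattern, wildcards included."""
    rows = con.execute("SELECT Content FROM Article WHERE Content LIKE ?", ("%" + term + "%",))
    return [r[0] for r in rows]


def search_safe(con, term: str) -> list:
    """Fixed: escaped term, declared ESCAPE character, bounded length."""
    if not term_ok(term):
        raise ValueError("search term rejected")
    pattern = "%" + escape_like(term) + "%"
    rows = con.execute("SELECT Content FROM Article WHERE Content LIKE ? ESCAPE '\\'", (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    con = setup()
    for term in ("%", "_", "foo"):
        print(repr(term), "raw:", search_raw(con, term), "safe:", search_safe(con, term))
```

The parameterised query is not what stops this: the pattern is passed as a bound parameter in both versions, and the raw one still matches every row for a term of "%". Wildcard handling is a separate control from injection prevention. If the application genuinely wants to offer users wildcards, translate a single user-facing syntax (say "*") into "%" after escaping, and count how many it allows rather than passing them through.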
Testing for DoS: Locking Customer Accounts
Open Source Tools
Nikto, Nessus, W3AF, ZAP, WebSlayer, Netcat, Nmap, Skipfish, Hydra, Mozilla Firefox add-ons, lots & lots more...
PenQ - Security testing browser
Questions?