web application security & testing

Post on 28-Nov-2014


Web Application Security

Sreenath Sasikumar

QBurst

Who am I ?

www.MakeMeResume.com/@sreenath

Take Away

•  Understanding web application security

•  How to security test web applications

•  Mitigating web application security risks

•  Open source tools

How web applications work

Understanding web security

Security testing web applications

•  Information Gathering
•  Configuration Management Testing
•  Authentication Testing
•  Session Management Testing
•  Authorization Testing
•  Business Logic Testing
•  Data Validation Testing
•  Denial of Service Testing

Information Gathering

www.google.com/robots.txt

Spiders Robots and Crawlers

Search Engine Discovery

Google Hacking

•  site
•  cache
•  inurl
•  filetype

How to: Manual HackSearch

Identify Application Entry points

•  GET
•  POST
•  Cookies
•  Server Parameters
•  Files

How to: Tamper Data, WebScarab, ZAP

Web Application Fingerprinting

How to: Nikto Vulnerability Scanners

Application Discovery

Different Base URL •  www.example.com/abc

Different port •  www.example.com:8000

Different sub domain ( Virtual host ) •  abc.example.com

How to: ZAP, WebSlayer

Analysis of Error Code

Configuration Management

SSL Testing

Identify SSL ports and services

How strong is your cipher?

How to: Nmap -sV, Nessus, OpenSSL

Configuration Management Testing

•  Infrastructure Configuration Management

•  Application Configuration Management

Old, Backup & Unreferenced Files

User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs

How to: HackSearch, WebSlayer
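The robots.txt above hands an attacker a list of paths the owner did not want indexed. The following is an added example, not code from the slides: it parses a constructed robots.txt (modelled on the one shown) into its Disallow paths and, for the "Old, Backup & Unreferenced Files" check, derives the leftover-copy names a fuzzer such as WebSlayer would be pointed at. The base URL and the suffix list are assumptions.

```python
# Added example (not from the slides): turn the Disallow entries of a
# robots.txt into a list of candidate paths, plus the backup-file variants
# ("Old, Backup & Unreferenced Files") worth probing by hand or with a fuzzer.
from urllib.parse import urljoin

# Constructed sample, modelled on the robots.txt shown in the slide.
ROBOTS_TXT = """\
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup          # comment after the value
Disallow: /~jbloggs
Disallow:                  # empty value means "allow everything", not a path
Allow: /uploads/public
Sitemap: https://www.example.com/sitemap.xml
"""

# Assumed list of suffixes editors and deploy scripts leave behind; extend as needed.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".zip", ".tar.gz")


def disallowed_paths(robots_txt: str) -> list[str]:
    """Unique Disallow values in file order, ignoring comments and blank values."""
    paths: list[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "disallow" and value and value not in paths:
            paths.append(value)
    return paths


def backup_variants(path: str) -> list[str]:
    """Names a forgotten copy of `path` might have (e.g. /Admin.bak, /Admin~)."""
    base = path.rstrip("/")
    return [base + suffix for suffix in BACKUP_SUFFIXES]


def candidate_urls(base_url: str, robots_txt: str) -> list[str]:
    """Absolute URLs to try: each disallowed path followed by its backup variants."""
    urls: list[str] = []
    for path in disallowed_paths(robots_txt):
        urls.append(urljoin(base_url, path))
        urls.extend(urljoin(base_url, v) for v in backup_variants(path))
    return urls


if __name__ == "__main__":
    for url in candidate_urls("https://www.example.com", ROBOTS_TXT):
        print(url)
```

Feed the printed list to a request tool and compare status codes; a 200 or 403 on a `.bak` or `~` variant is the finding, a 404 is noise. Comments after a value are stripped because some sites carry them, and an empty `Disallow:` is skipped because it grants access rather than naming a path.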

Testing for HTTP Methods

•  HEAD
•  GET
•  POST
•  PUT
•  DELETE
•  TRACE
•  OPTIONS
•  CONNECT

How to: Netcat, Nikto
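What you do with the Netcat output is the interesting part: read the `Allow` header of an OPTIONS reply for methods that should not be enabled, and check whether a TRACE reply echoes the request (cross-site tracing, which lets a script read the Cookie header). The code below is an added example, not from the slides; the replies are constructed to look like what a permissive server returns, and `probe_live` is a hypothetical helper for sending one method to a real host.

```python
# Added example (not from the slides): check an OPTIONS reply for risky
# methods and a TRACE reply for request reflection (cross-site tracing).
import http.client

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}

# Constructed replies, shaped like what netcat would show for a permissive server.
SAMPLE_OPTIONS_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE, PUT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_TRACE_REQUEST = (
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: sessionid=abc123\r\n"
    "\r\n"
)
SAMPLE_TRACE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: message/http\r\n"
    "\r\n" + SAMPLE_TRACE_REQUEST
)


def _split_reply(raw: str) -> tuple[list[str], str]:
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:], body  # drop the status line


def allowed_methods(raw_reply: str) -> set[str]:
    """Methods advertised in the Allow header of an OPTIONS reply."""
    headers, _ = _split_reply(raw_reply)
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() == "allow":
            return {m.strip().upper() for m in value.split(",") if m.strip()}
    return set()


def risky_methods(raw_reply: str) -> set[str]:
    """The advertised methods a tester should follow up on individually."""
    return allowed_methods(raw_reply) & RISKY_METHODS


def trace_reflected(raw_request: str, raw_reply: str) -> bool:
    """True if the TRACE reply body echoes the request's Cookie header(s) (XST)."""
    _, body = _split_reply(raw_reply)
    cookies = [l for l in raw_request.split("\r\n") if l.lower().startswith("cookie:")]
    return bool(cookies) and all(c in body for c in cookies)


def probe_live(host: str, method: str, path: str = "/", port: int = 80) -> tuple[int, dict]:
    """Hypothetical helper: send one method to a real server (not run offline)
    and return the status code and headers for the checks above."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()
```

`Allow` is advisory: a server may omit TRACE or PUT from it and still honour them, so send each method in the slide's list and judge by the status code, not by the header alone.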

Authentication Testing

Credentials transport over an encrypted channel

Prevent man in the middle attack

Testing for user enumeration

Error Messages/Notifications

"Sorry, please enter a valid password"
"Sorry, please enter a valid username"
"Sorry, this user does not exist"
"Sorry, this user is no longer active"
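Each of those messages answers a different question about the account, so an attacker can confirm usernames before ever guessing a password. The following is an added example, not code from the slides: a login that returns the slide's messages beside one that answers every failure the same way, plus the comparison a tester makes to tell them apart. The user table, salt and iteration count are constructed for the demo.

```python
# Added example (not from the slides): a login that leaks whether a username
# exists through its error text, beside one that answers uniformly, and a
# check that tells them apart the way a tester would.
import hashlib
import hmac

SALT = b"constructed-salt"      # assumption for the demo; real code: random salt per user
ITERATIONS = 20_000             # kept low for the demo; use far more in production


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)


# Constructed user table.
USERS = {
    "alice": {"hash": _hash("correct horse"), "active": True},
    "bob": {"hash": _hash("hunter2"), "active": False},
}
DUMMY_HASH = _hash("no-such-user")   # compared against when the user is unknown


def login_vulnerable(username: str, password: str) -> str:
    """Distinct messages: each branch tells the attacker something."""
    user = USERS.get(username)
    if user is None:
        return "Sorry, this user does not exist"
    if not user["active"]:
        return "Sorry, this user is no longer active"
    if user["hash"] != _hash(password):
        return "Sorry, please enter a valid password"
    return "OK"


GENERIC = "Sorry, the username or password is incorrect"


def login_hardened(username: str, password: str) -> str:
    """One message for every failure; the password is hashed even for unknown
    users so response time does not reveal what the text hides."""
    user = USERS.get(username)
    stored = user["hash"] if user else DUMMY_HASH
    password_ok = hmac.compare_digest(stored, _hash(password))
    if user is None or not user["active"] or not password_ok:
        return GENERIC
    return "OK"


def enumerates_users(login, known: str = "alice", unknown: str = "zz-nobody") -> bool:
    """Tester's check: does a wrong password give different answers for a real
    account and a made-up one?"""
    return login(known, "wrong") != login(unknown, "wrong")
```

When testing, compare more than the message text: response length, status code, a redirect target or a noticeably different response time for a known versus unknown user all count as enumeration. The same rule applies to registration and password-reset forms.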

Testing for Guessable Users & BruteForce Attacks

How to: John the Ripper, Hydra

Testing for CAPTCHA

Testing Session & Cookies

Authorization Testing

Testing for privilege escalation

•  vertical escalation
•  horizontal escalation

www.example.com/?user=1&groupID=2
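Changing `user=1` to `user=2` in that URL tests horizontal escalation; changing `groupID=2` to the admin group's id tests vertical escalation. The code below is an added example, not from the slides: a handler that trusts both parameters beside one that takes the caller's identity and role from the server-side session. The profile table, the session object and the convention that group 1 is the admin group are assumptions.

```python
# Added example (not from the slides): the slide's URL served by a handler that
# trusts its query parameters (horizontal and vertical escalation) beside one
# that decides from the server-side session.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

ADMIN_GROUP = 1   # assumption: group 1 is the admin group

# Constructed profile table keyed by user id.
PROFILES = {
    1: {"name": "alice", "email": "alice@example.com", "groupID": 2},
    2: {"name": "bob", "email": "bob@example.com", "groupID": 2},
    3: {"name": "root", "email": "root@example.com", "groupID": ADMIN_GROUP},
}


@dataclass
class Session:
    """What the server knows about the authenticated caller (hypothetical)."""
    user_id: int
    group_id: int


def _query(url: str) -> dict[str, str]:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def profile_vulnerable(session: Session, url: str) -> dict:
    """Both decisions come from the URL, so alice can read bob (user=2) and
    get the admin view (groupID=1) without being either."""
    q = _query(url)
    target = PROFILES[int(q["user"])]
    return {**target, "admin_view": int(q["groupID"]) == ADMIN_GROUP}


def profile_hardened(session: Session, url: str) -> dict:
    """The target may still be named in the URL, but the right to see it and
    the admin flag come from the authenticated session only."""
    q = _query(url)
    target_id = int(q.get("user", session.user_id))
    is_admin = session.group_id == ADMIN_GROUP
    if target_id != session.user_id and not is_admin:
        raise PermissionError(f"user {session.user_id} may not read user {target_id}")
    target = PROFILES[target_id]
    return {**target, "admin_view": is_admin}
```

When testing, log in as two ordinary users and replay each user's requests with the other's session cookie; every object id in a URL, hidden field or JSON body is a candidate. A 403 is the expected answer; a 200 with the other user's data is the finding.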

Business Logic Testing

Data Validation Testing

Injections

SQL

XSS

•  SQL Injection
•  XSS Injection
•  LDAP Injection
•  XML Injection
•  HTML Injection
•  SSI Injection
•  ORM Injection
•  XPath Injection
•  IMAP/SMTP Injection
•  Buffer Overflow

Testing for Denial of Service

Testing for SQL Wildcard Attacks

SELECT * FROM Article WHERE Content LIKE '%foo%'

SELECT TOP 10 * FROM Article WHERE Content LIKE '%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()$*R"_)][%](%[x])%a][$*"£$-9]_%'

Testing for DoS Locking Customer Accounts

Open Source Tools

•  Nikto
•  Nessus
•  W3AF
•  ZAP
•  WebSlayer
•  Netcat
•  Nmap
•  Skipfish
•  Hydra
•  Mozilla Firefox addons
•  Lots & lots more...

PenQ - Security testing browser

Questions ?
