Hands on Demonstration for Testing Security in Web Applications
Aaron Weaver August 2010
Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
In the news...
The Solution?
AND NO
Not in the Cloud!
Web Application Security Testing
OWASP Top 10 list
Top attacks
• SQL Injection
• Cross Site Scripting
• Authentication
SQL Injection
[Figure: SQL injection attack path. Infrastructure layers: Firewall, Hardened OS, Web Server, App Server, Firewall. Back ends: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing. Custom Code sits in the Application Layer; the application attack passes through the Network Layer into it. Business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions. Flow: HTTP request -> SQL query -> DB Table -> HTTP response. Form fields shown: Account, SKU.]
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary returned to the attacker: Acct: 5424-6066-2134-4334, Acct: 4128-7574-3921-0192, Acct: 5424-9383-2039-4029, Acct: 4128-0004-1234-0293
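The five steps above hinge on step 3, where form data becomes part of the SQL text. The added example below (not from the slides) shows that lookup in its vulnerable form next to a parameterized one, run against a constructed in-memory SQLite table, plus an input-format check as a second line of defence; the table name and account-number format are assumptions.

```python
import re
import sqlite3

# Constructed sample data standing in for the "accounts" table on the slide.
SAMPLE_ROWS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
]

# Assumed account-number shape used for the allow-list check below.
ACCT_FORMAT = re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}")


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 on the slide: form data is spliced straight into the SQL text,
    so the input  ' OR 1=1--  turns a one-row lookup into a dump of the table."""
    sql = "SELECT * FROM accounts WHERE acct='" + acct + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, acct):
    """Hardened form: the value is bound as a parameter and never parsed as
    SQL, so the same input simply matches no row."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def is_valid_acct(acct):
    """Defence in depth: reject anything not shaped like an account number
    before it reaches the database at all."""
    return ACCT_FORMAT.fullmatch(acct) is not None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"  # the attack value quoted on the slide
    print("vulnerable:", lookup_vulnerable(db, payload))        # all 3 rows
    print("parameterized:", lookup_parameterized(db, payload))  # []
    print("valid input?", is_valid_acct(payload))               # False
```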
Cross-Site Scripting
[Figure: stored XSS attack path through Custom Code and the business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions.]
Application with stored XSS vulnerability
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker victim’s session cookie
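To make the three steps concrete, here is an added example (not from the slides) of the profile page in its vulnerable and hardened forms, with a crude check a tester can run over rendered output and the cookie flags that blunt step 3. The profile fields, the placeholder script body and the cookie name are assumptions.

```python
import html
import re

# Constructed sample: what the attacker saves via "update my profile" (step 1).
# The script body is a harmless placeholder; the point is the tag is stored verbatim.
STORED_PROFILE = {
    "name": "Mallory",
    "bio": "Hi there <script>alert('xss')</script>",
}

# Things that should never survive from stored data into rendered HTML.
ACTIVE_CONTENT = re.compile(r"<\s*script|\bon\w+\s*=|javascript:", re.IGNORECASE)


def render_profile_unsafe(profile):
    """The vulnerable page: stored fields are pasted into HTML unchanged, so
    the saved script runs in every viewer's browser (step 2)."""
    return "<h1>%s</h1><p>%s</p>" % (profile["name"], profile["bio"])


def render_profile_safe(profile):
    """Hardened page: every stored field is HTML-escaped at output time, so
    the browser shows the attacker's text instead of executing it."""
    return "<h1>%s</h1><p>%s</p>" % (
        html.escape(profile["name"], quote=True),
        html.escape(profile["bio"], quote=True),
    )


def contains_active_content(rendered_html):
    """Does a script tag, inline event handler or javascript: URL survive?"""
    return ACTIVE_CONTENT.search(rendered_html) is not None


def session_cookie_header(session_id):
    """Limits step 3: with HttpOnly, document.cookie does not expose the
    session id to script; Secure keeps it off plain HTTP."""
    return "Set-Cookie: session=%s; HttpOnly; Secure; Path=/" % session_id


if __name__ == "__main__":
    print(render_profile_unsafe(STORED_PROFILE))  # script tag intact
    print(render_profile_safe(STORED_PROFILE))    # shown as &lt;script&gt; text
    print(session_cookie_header("constructed-session-id"))
```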
Authentication
Tools Overview
Tools
• Proxies
  • Burp Suite
  • Paros
  • WebScarab
  • Fiddler
  • FoxyProxy plugin
• Open source scanners
  • Skipfish
FoxyProxy Browser Plugin
https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish
http://code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool. Checks include:
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS.
* Directory listing bypass vectors.
* External untrusted embedded content.
Cheat Sheet
Quick Cheat Sheet
Cheat Sheet
AppSec Tools Demonstration
Prioritizing
DREAD
• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability
Threat Risk
Scoring
• Each DREAD category is scored 0-3
• Total: 0-15
Severity Rating
• Low: 1-7
• Medium: 8-10
• High: 11-14
• Critical: 15
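The scoring and severity bands above are enough to rank a set of findings. The added example below (not from the slides) applies that rubric: it validates the five 0-3 scores, sums them, maps the total to the deck's bands and sorts the findings into a fix queue. The findings and their scores are constructed, and a total of 0, which the deck's table does not cover, is labelled "None" as an assumption.

```python
# DREAD rubric from the slides: each category scored 0-3, total 0-15.
DREAD = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


def dread_total(scores):
    """Sum the five category scores, rejecting anything outside 0-3."""
    total = 0
    for category in DREAD:
        value = scores[category]
        if not 0 <= value <= 3:
            raise ValueError("%s must be 0-3, got %r" % (category, value))
        total += value
    return total


def severity(total):
    """Deck's bands: Low 1-7, Medium 8-10, High 11-14, Critical 15.
    A total of 0 is below the table and labelled 'None' (assumption)."""
    if total == 15:
        return "Critical"
    if total >= 11:
        return "High"
    if total >= 8:
        return "Medium"
    if total >= 1:
        return "Low"
    return "None"


def prioritize(findings):
    """Return (total, severity, name) tuples, highest score first, ties by name."""
    ranked = []
    for name, scores in findings.items():
        total = dread_total(scores)
        ranked.append((total, severity(total), name))
    ranked.sort(key=lambda item: (-item[0], item[2]))
    return ranked


# Constructed findings with illustrative scores (not from the slides).
SAMPLE_FINDINGS = {
    "SQL injection in account lookup": dict(zip(DREAD, (3, 3, 3, 3, 3))),
    "Stored XSS in profile bio": dict(zip(DREAD, (3, 3, 2, 3, 2))),
    "Verbose stack trace on error": dict(zip(DREAD, (1, 3, 1, 1, 3))),
    "Missing cache-control header": dict(zip(DREAD, (1, 1, 1, 1, 1))),
}

if __name__ == "__main__":
    for total, rating, name in prioritize(SAMPLE_FINDINGS):
        print("%2d  %-8s %s" % (total, rating, name))
```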
Threat Risk Modeling
• STRIDE (Microsoft)
• OWASP Risk Ranking
• Trike
• CVSS
Questions?
Thanks!