Hands on Demonstration for Testing Security in Web Applications Aaron Weaver August 2010.

1 Hands on Demonstration for Testing Security in Web Applications Aaron Weaver August 2010

2 Agenda
* What kind of application security vulnerabilities should be tested?
* Methodology for testing
* Open source tools available
* Prioritizing application security defects

3 In the news...

4 the Solution?

5 AND NO Not in the Cloud!

6 Web Application Security Testing

7 OWASP Top 10 list

8 Top attacks: SQL Injection, Cross Site Scripting, Authentication

9 SQL Injection
(Diagram: an application attack passes through the firewall, hardened OS, web server and app server at the network and application layers, into the custom code, and on to the databases and back-end systems behind the business functions.)
Query carrying the attack: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Result: the Account Summary returned to the attacker lists every account (5424-6066-2134-4334, 4128-7574-3921-0192, 5424-9383-2039-4029, 4128-0004-1234-0293).
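The slide's query is the textbook case of step 3: form input spliced into SQL text. The following is an added example, not code from the presentation; it builds a constructed in-memory SQLite "accounts" table, shows the concatenated query returning every row for the slide's input, and places the parameterized form beside it, where the same input matches nothing. Table layout, account owners and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample rows standing in for the "accounts" table on the slide.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]

# The form value from the slide's step 2; the application adds the surrounding quotes itself.
SLIDE_PAYLOAD = "' OR 1=1--"


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 on the slide: the form value is spliced into the SQL text.

    With SLIDE_PAYLOAD the statement sent to the database becomes
    SELECT acct, owner FROM accounts WHERE acct='' OR 1=1--'
    and the WHERE clause is true for every row.
    """
    query = f"SELECT acct, owner FROM accounts WHERE acct='{acct}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, acct):
    """Hardened form: acct is bound as a parameter, so quotes and comment
    markers inside it are compared as data, never parsed as SQL syntax."""
    query = "SELECT acct, owner FROM accounts WHERE acct=?"
    return conn.execute(query, (acct,)).fetchall()


def compare(conn, acct):
    """Return (rows from the vulnerable lookup, rows from the parameterized lookup)."""
    return lookup_vulnerable(conn, acct), lookup_parameterized(conn, acct)


if __name__ == "__main__":
    db = make_db()
    for label, rows in zip(("vulnerable", "parameterized"), compare(db, SLIDE_PAYLOAD)):
        print(f"{label:>13}: {len(rows)} row(s) for input {SLIDE_PAYLOAD!r}")
```

A legitimate account number returns the same single row from both functions; only the hostile input behaves differently, which is what a tester should expect to see when re-checking a fix.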

10 Cross-Site Scripting
(Diagram: application with a stored XSS vulnerability in the custom code, in front of the business functions.)
1. Attacker sets the trap ("update my profile"): attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page, sees attacker profile
3. Script runs inside victim's browser with full access to the DOM and cookies; script silently sends attacker the victim's session cookie
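The stored profile on the slide is dangerous because the server echoes it back unencoded. As an added example, not from the presentation, the block below renders a constructed attacker profile both ways: unchanged, so the stored tag survives into the page, and HTML-encoded at output time, so it is displayed as text. It also builds the Set-Cookie line with HttpOnly, which keeps a script that does run from reading the session cookie in step 3. The script body is a harmless marker rather than the slide's cookie-sending script; profile fields, cookie name and function names are assumptions.

```python
import html

# Constructed profile values standing in for the slide's "update my profile" step.
# The script body is only a visible marker, not the cookie-sending script on the slide.
ATTACKER_BIO = "<script>alert('stored xss')</script>"
HONEST_BIO = "Security tester & coffee drinker"


def render_profile_vulnerable(name, bio):
    """Stored value echoed into the page unchanged (the slide's vulnerable application)."""
    return f'<h1>{name}</h1>\n<p class="bio">{bio}</p>'


def render_profile_safe(name, bio):
    """Hardened form: HTML-encode stored text at output time so the browser shows
    the stored script as literal characters instead of executing it."""
    return f'<h1>{html.escape(name)}</h1>\n<p class="bio">{html.escape(bio)}</p>'


def contains_script_tag(markup):
    """Crude check to run over a rendered page: does a live <script> tag remain?"""
    return "<script" in markup.lower()


def session_cookie_header(session_id):
    """Set-Cookie line for the session. HttpOnly hides the value from document.cookie,
    so even a script that runs cannot read it; Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure"


if __name__ == "__main__":
    print(render_profile_vulnerable("attacker", ATTACKER_BIO))
    print(render_profile_safe("attacker", ATTACKER_BIO))
    print(session_cookie_header("constructed-session-id"))
```

Output encoding is context-specific: html.escape is correct for element text and quoted attributes, which is all this template uses; values placed into JavaScript or URLs need their own encoding.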

11 Authentication

12 Tools Overview

13 Tools
Proxies:
* Burp Suite
* Paros
* WebScarab
* Fiddler
* FoxyProxy plugin
Open source scanners:
* Skipfish

14 Burp Suite http://portswigger.net/proxy/

15 FoxyProxy Browser Plugin https://addons.mozilla.org/en-US/firefox/addon/2464/

16 Skipfish http://code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS
* Directory listing bypass vectors.
* External untrusted embedded content.

17 Cheat Sheet

18 Quick Cheat Sheet

19 Cheat Sheet

20 AppSec Tools Demonstration

21 Prioritizing

22 DREAD (Threat Risk)
* Damage potential
* Reproducibility
* Exploitability
* Affected users
* Discoverability

23 Scoring: each of the five DREAD factors is scored 0-3, giving a total of 0-15

24 Severity Rating
Low: 1-7
Medium: 8-10
High: 11-14
Critical: 15
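Slides 22 to 24 define a complete scoring procedure: five factors rated 0-3, summed to 0-15, then banded. The block below is an added example, not from the presentation, that carries the procedure through with validation and ranks a set of constructed findings highest risk first. The finding names and their ratings are invented for illustration; the deck's bands start at 1, so treating a total of 0 as Low is an assumption noted in the code.

```python
# Factor order follows the letters of the acronym on slide 22.
DREAD_FACTORS = (
    "damage_potential",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)

# Severity bands from slide 24 as (upper bound, label). A total of 0 lies below the
# slide's lowest band (1-7); this example treats it as Low (an assumption, not from the deck).
SEVERITY_BANDS = (
    (7, "Low"),
    (10, "Medium"),
    (14, "High"),
    (15, "Critical"),
)


def dread_score(ratings):
    """Sum the five factor ratings; each must be an integer 0-3 (slide 23), total 0-15."""
    missing = [f for f in DREAD_FACTORS if f not in ratings]
    if missing:
        raise ValueError(f"missing factors: {missing}")
    total = 0
    for factor in DREAD_FACTORS:
        value = ratings[factor]
        if not isinstance(value, int) or not 0 <= value <= 3:
            raise ValueError(f"{factor} must be an integer 0-3, got {value!r}")
        total += value
    return total


def severity(total):
    """Map a 0-15 DREAD total onto the slide's Low/Medium/High/Critical bands."""
    if not 0 <= total <= 15:
        raise ValueError(f"DREAD total out of range: {total}")
    for upper, label in SEVERITY_BANDS:
        if total <= upper:
            return label
    raise AssertionError("unreachable: bands cover 0-15")


def prioritize(findings):
    """Return [(name, total, severity)] sorted highest risk first."""
    scored = []
    for name, ratings in findings.items():
        total = dread_score(ratings)
        scored.append((name, total, severity(total)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed findings for illustration; the ratings are invented, not from the deck.
SAMPLE_FINDINGS = {
    "SQL injection in account lookup": dict(zip(DREAD_FACTORS, (3, 3, 3, 3, 3))),
    "Stored XSS in profile bio": dict(zip(DREAD_FACTORS, (2, 3, 2, 2, 3))),
    "Verbose stack trace on error page": dict(zip(DREAD_FACTORS, (1, 3, 1, 1, 3))),
    "Missing cache headers on static asset": dict(zip(DREAD_FACTORS, (0, 3, 1, 0, 2))),
}

if __name__ == "__main__":
    for name, total, label in prioritize(SAMPLE_FINDINGS):
        print(f"{total:>2}/15 {label:<8} {name}")
```

Rejecting out-of-range ratings matters in practice: a single factor entered as 5 would push a Medium finding into Critical and silently distort the whole ranking.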

25 Threat Risk Modeling
* STRIDE (Microsoft)
* OWASP Risk Ranking
* Trike
* CVSS

26 Questions?

27 Thanks!

