Hands on Demonstration for Testing Security in Web Applications

1 Hands on Demonstration for Testing Security in Web Applications
Aaron Weaver August 2010

2 Agenda
What kind of application security vulnerabilities should be tested?
Methodology for testing
Open source tools available
Prioritizing application security defects

3 In the news...

4 the Solution?

5 AND NO Not in the Cloud!

6 Web Application Security Testing

7 OWASP Top 10 list

8 Top attacks
SQL Injection
Cross Site Scripting
Authentication

9 SQL Injection
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker (Account: / SKU: fields)
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user (Account Summary, Acct: rows)
(Diagram: HTTP request and response passing through the network layer with firewalls, a hardened OS, web server, app server and custom code in the application layer, out to databases, legacy systems, web services and directories; business functions shown: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Human Resrcs, Billing.)
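To make slide 9 concrete, here is an added example (not part of the presentation) in Python against an in-memory SQLite table with constructed rows: the unsafe lookup assembles the query by string formatting exactly as the slide shows, so the input `' OR 1=1--` matches every account, while the parameterized lookup binds the same input as a plain value and matches nothing.

```python
import sqlite3

# Constructed sample data standing in for the "accounts" DB table on the slide.
SAMPLE_ACCOUNTS = [
    ("1001", "alice", 500),
    ("1002", "bob", 1200),
    ("1003", "carol", 75),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory accounts table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def build_query_unsafe(acct: str) -> str:
    """Step 3 on the slide: the form value is pasted straight into the SQL text."""
    return f"SELECT * FROM accounts WHERE acct='{acct}'"


def lookup_unsafe(conn: sqlite3.Connection, acct: str) -> list:
    """Vulnerable lookup: whatever the user typed becomes part of the SQL syntax."""
    return conn.execute(build_query_unsafe(acct)).fetchall()


def lookup_safe(conn: sqlite3.Connection, acct: str) -> list:
    """Hardened lookup: the driver binds acct as a value, never as SQL syntax."""
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def compare(acct: str) -> dict:
    """Run both lookups on the same input and report the query and row counts."""
    conn = setup_db()
    return {
        "query": build_query_unsafe(acct),
        "unsafe_rows": len(lookup_unsafe(conn, acct)),
        "safe_rows": len(lookup_safe(conn, acct)),
    }


if __name__ == "__main__":
    # Normal use: both paths return the single matching account.
    print(compare("1002"))
    # The slide's input: "OR 1=1" makes the WHERE clause true for every row and
    # the "--" comment marker swallows the closing quote the code appended.
    print(compare("' OR 1=1--"))
```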

10 Cross-Site Scripting
Application with stored XSS vulnerability
1. Attacker sets the trap: "update my profile". Attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views page and sees attacker profile. Script runs inside victim's browser with full access to the DOM and cookies.
3. Script silently sends attacker victim's session cookie.
(Diagram: custom code in front of the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce.)

11 Authentication

12 Tools Overview

13 Tools
Proxies: Burp Suite, Paros, WebScarab, Fiddler, FoxyProxy plugin
Open source scanners: Skipfish

14 Burp Suite

15 FoxyProxy Browser Plugin
https://addons.mozilla.org/en-US/firefox/addon/2464/

16 Skipfish
A fully automated, active web application security reconnaissance tool
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS
* Directory listing bypass vectors.
* External untrusted embedded content.

17 Cheat Sheet

18 Quick Cheat Sheet

19 Cheat Sheet

20 AppSec Tools Demonstration

21 Prioritizing

22 Threat Risk: DREAD
Damage potential
• If a threat exploit occurs, how much damage will be caused?
◦ 0 = Nothing
◦ 5 = Individual user data is compromised or affected.
◦ 10 = Complete system or data destruction
Reproducibility
• How easy is it to reproduce the threat exploit?
◦ 0 = Very hard or impossible, even for administrators of the application.
◦ 5 = One or two steps required, may need to be an authorized user.
◦ 10 = Just a web browser and the address bar is sufficient, without authentication.
Exploitability
• What is needed to exploit this threat?
◦ 0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
◦ 5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
◦ 10 = Just a web browser
Affected Users
• How many users will be affected?
◦ 0 = None
◦ 5 = Some users, but not all
◦ 10 = All users
Discoverability
• How easy is it to discover this threat?
◦ 0 = Very hard to impossible; requires source code or administrative access.
◦ 5 = Can figure it out by guessing or by monitoring network traces.
◦ 9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
◦ 10 = The information is visible in the web browser address bar or in a form.

23 Scoring: D, R, E, A, D (each 0-3) } = Total (0-15)

24 Severity Rating
Low: 1-7
Medium: 8-10
High: 11-14
Critical: 15

25 Threat Risk Modeling
STRIDE (Microsoft)
OWASP Risk Ranking
Trike
CVSS

26 Questions?

27 Thanks!
