Security testing of study information system. Security team: Matis Alliksoo, Alo Konno, Urmo Lihten, Taavi Podzuks, Sander Saarm.


Current situation
- Our study information system is developed in-house.
- It is used by 10 applied universities.
- There are more than active users and more than can log in.

Current situation (2)
- Technical information:
  - PHP 5, Zend Framework
  - MySQL database
  - Linux operating system
- There are 3 servers:
  - Live system web frontend
  - Live system database
  - Development server (web frontend and database)

Problem
- The study information system's security has been tested only by its developers, which is not good practice. It should be tested by external testers.

Goals
1. Study what web vulnerabilities are and how they are used, because we did not have any experience in pen-testing.
2. Learn about web testing framework environments and how to use them.
3. Find the best tools to work with, test them on Damn Vulnerable Web Application, and later on the study information system.
4. Find vulnerabilities in the study information system.
5. Document our work.

Top 10 Web Vulnerabilities
- A1: Injection (SQL, PHP, ….)
- A2: Cross-Site Scripting (XSS)
- A3: Broken Authentication and Session Management
- A4: Insecure Direct Object References
- A5: Cross-Site Request Forgery (CSRF)
- A6: Security Misconfiguration
- A7: Insecure Cryptographic Storage
- A8: Failure to Restrict URL Access
- A9: Insufficient Transport Layer Protection
- A10: Unvalidated Redirects and Forwards

Used/tested web testing frameworks
Samurai Web Testing Framework:
1. BurpSuite
2. Fireforce
3. Cookie editor
4. DVWA (redirected to BackTrack 5 R2)
BackTrack 5 R2:
1. BurpSuite
2. Subgraph Vega
3. Wapiti
4. W3af
5. Nessus
6. OWASP ZAP

Windows tools
- Acunetix Web Vulnerability Scanner

Cross Site Request Forgery
We started by generating an HTML POST request that changes the authenticated user's language.

Cross Site Request Forgery (2)
Next we made an HTML POST request that uses USER_ID to change the authenticated user's password.

Changing Administrator password
1. Found out the USER_ID of the administrator by checking the administrator's picture URL in the study information system.
2. We created the HTML request and uploaded it to a trusted web server as a .jpg, to fool the administrator.
3. Tricked the administrator into logging into the study information system by telling him something was wrong in it.
4. To explain the problem we told him to check the fake screenshot (sent him the infected URL).
5. As he opened it his password was changed automatically and he was kicked out of the system.
6. The issue was obviously fixed very quickly.
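The password-change request above succeeds because the server accepts any POST that carries the victim's session cookie and takes the target account from a USER_ID field. The added example below (written for this page, not the study information system's code) shows the two fixes that close it in a PHP 5/Zend-style application: a per-session synchronizer token checked with hash_equals(), and a handler that takes the account from the session and re-verifies the current password. It assumes PHP sessions and PHP 7+ for random_bytes(); the function and field names are hypothetical, and Zend Framework 1's Zend_Form_Element_Hash serves the same token purpose.

```php
<?php
// Added example, not the study information system's own code: a synchronizer
// token that ties each password-change POST to the victim's session, so a form
// hosted on another site cannot submit it. Assumes PHP sessions and PHP 7+
// (random_bytes); all function and field names are hypothetical.

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes, hex encoded, known only to the server and this page
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Every state-changing form embeds a hidden field named csrf_token whose value
// is htmlspecialchars(csrf_token()); the handler then checks it here.
function csrf_is_valid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Password-change handler. The account to change is the session user, never a
// USER_ID sent by the browser, and the current password is re-checked so that a
// forged request cannot set a new password even if it reaches the server.
function handle_change_password(array $post, array $userRow): array
{
    if (!csrf_is_valid($post)) {
        // Log it: a CSRF token mismatch on a logged-in session is worth investigating
        error_log('CSRF token mismatch for user ' . ($_SESSION['user_id'] ?? 'unknown'));
        return ['ok' => false, 'error' => 'invalid or missing CSRF token'];
    }
    if (!password_verify((string)($post['current_password'] ?? ''), $userRow['password_hash'])) {
        return ['ok' => false, 'error' => 'current password is wrong'];
    }
    $new = (string)($post['new_password'] ?? '');
    if (strlen($new) < 12) {
        return ['ok' => false, 'error' => 'new password too short'];
    }
    // Caller runs: UPDATE users SET password_hash = ? WHERE id = ? bound to $_SESSION['user_id']
    return ['ok' => true, 'password_hash' => password_hash($new, PASSWORD_DEFAULT)];
}
```

With the token in place the hosted .jpg trick fails at the first check, and because the handler ignores any USER_ID in the POST, the token check is not the only thing standing between the attacker and the administrator account.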

Failure to Restrict URL Access
- Found a vulnerability in a URL where students can see other students' grades just by changing the USER_ID in the PDF download URL.
- This failure was found by knowing the vulnerabilities and by randomly testing all pages.
- This data is very sensitive and it was fixed immediately.
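The grade-PDF issue is an authorization failure: the server trusted the USER_ID in the URL instead of deciding from the session whose report may be served. The added example below (written for this page, not the study information system's code) shows the server-side check and logs denied requests, since a burst of 403s from one account is how iteration over USER_ID values shows up in logs. The role names, the $enrolments map (teacher id to student ids) and the sample data are constructed for the example.

```php
<?php
// Added example, not the study information system's own code: the server
// decides whose grade report may be served from the authenticated session and
// role, instead of trusting the USER_ID in the download URL. Names and the
// enrolment data are hypothetical; $enrolments maps teacher id => student ids.

function can_download_grades(array $session, int $requestedUserId, array $enrolments): bool
{
    $viewer = (int)($session['user_id'] ?? 0);
    $role   = $session['role'] ?? '';
    if ($viewer <= 0) {
        return false;                                   // not logged in
    }
    switch ($role) {
        case 'student':
            return $requestedUserId === $viewer;        // own report only
        case 'teacher':                                 // only students they teach
            return in_array($requestedUserId, $enrolments[$viewer] ?? [], true);
        case 'admin':
            return true;
        default:
            return false;                               // unknown role: deny
    }
}

function handle_grade_pdf(array $session, array $query, array $enrolments): array
{
    // Reject anything that is not an integer before it reaches a query or a file path
    $requested = filter_var($query['user_id'] ?? '', FILTER_VALIDATE_INT);
    if ($requested === false) {
        return ['status' => 400];
    }
    if (!can_download_grades($session, (int)$requested, $enrolments)) {
        // Denied attempts are logged with both ids so repeated probing is visible
        error_log(sprintf('grade PDF denied: user %d role %s requested user %d',
            (int)($session['user_id'] ?? 0), $session['role'] ?? '-', $requested));
        return ['status' => 403];
    }
    return ['status' => 200, 'file' => sprintf('grades_%d.pdf', $requested)];
}

// Constructed sample data: teacher 200 teaches students 101 and 102
$enrolments = [200 => [101, 102]];
$student = ['user_id' => 101, 'role' => 'student'];
$teacher = ['user_id' => 200, 'role' => 'teacher'];
var_dump(handle_grade_pdf($student, ['user_id' => '101'], $enrolments)['status']); // own report
var_dump(handle_grade_pdf($student, ['user_id' => '102'], $enrolments)['status']); // another student's
var_dump(handle_grade_pdf($teacher, ['user_id' => '102'], $enrolments)['status']); // student of this teacher
var_dump(handle_grade_pdf($student, ['user_id' => '102 OR 1'], $enrolments)['status']); // not an integer
```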

Results
- Got an overview of the most commonly used vulnerabilities and how to use them in testing.
- Learned how to use different pen-testing tools and web test environments.
- The study information system is now free of a couple of critical bugs.
- Documentation:

Thank you for listening! Questions?