Search, Explore and Rescue

Presentation on theme: "Search, Explore and Rescue"— Presentation transcript:

1 Search, Explore and Rescue
Sebastian Agachie

2 About me Sebastian Agachie Ethical hacker @ Centric
Security Discipline Coordinator, Application Developer / Scrum Master. Security, pentests, trainings, compliance.

3 Agenda Introduction. 1. The Three Pillars of Security
2. Security Testing: Quiz; Game of RedTeam; Search, explore and rescue vs Search and exploit; Search, explore and rescue: OWASP examples. 3. Acunetix: What, Why, How? 4. Q&A

4 The Three Pillars of Security
Security C.I.A

5 The Three Pillars of Security
Confidentiality

6 The Three Pillars of Security
Integrity

7 The Three Pillars of Security
Availability

8 The Three Pillars of Security
Confidentiality (preventing disclosure of information or data to unauthorized individuals or systems). Integrity (methods and actions taken to protect information from unauthorized alteration or revision). Availability (communication systems and data being ready for use when legitimate users need them).

9 Speaking about "3" Pillars
Security Triangle

10 Security Testing Let's play a game!
Use your phone and navigate to  Enter the Game PIN. Enter a game nickname. Find your name on the screen. Answer the questions correctly to win points. The faster and more correctly you respond, the more points you get.

11 Security Testing Search, explore and rescue vs Search and exploit Tester (security) vs Ethical Hacker

12 Search, explore and rescue: OWASP

13 OWASP TOP 10

14 OWASP TOP 10

15 A1- INJECTION How?
String query = "SELECT user_id FROM user_data WHERE user_name='" + req.getParameter("user") + "' AND user_password='" + req.getParameter("password") + "'";
Resulting statement when the user field contains ' or 1=1 --:
SELECT user_id FROM user_data WHERE user_name='' or 1=1 -- ' AND user_password='superstrongpassword'
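The same login check, written as an added example (not code from the presentation), with the slide's concatenated query next to a parameterized one so the difference can be run rather than read. The user table, the two accounts and the column names are constructed to match the slide's query; sqlite3 stands in for whatever database the Java snippet talks to.

```python
import sqlite3

# Constructed in-memory table for this example; the schema follows the slide's query.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)"
    )
    conn.executemany(
        "INSERT INTO user_data VALUES (?, ?, ?)",
        [(1, "alice", "superstrongpassword"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, user, password):
    """Builds the statement by string concatenation, as the slide's Java does.
    Whatever the caller types becomes part of the SQL grammar, so a quote and a
    comment marker rewrite the WHERE clause and the password is never checked."""
    query = (
        "SELECT user_id FROM user_data WHERE user_name='" + user
        + "' AND user_password='" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, user, password):
    """Parameterized statement: values are bound separately from the SQL text,
    so quotes and comment markers in the input are compared as data.
    (Plaintext password comparison is kept only because it is the slide's schema;
    a real application compares against a salted hash.)"""
    query = "SELECT user_id FROM user_data WHERE user_name=? AND user_password=?"
    row = conn.execute(query, (user, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    bypass = "' or 1=1 --"
    print("vulnerable, bypass:", login_vulnerable(db, bypass, "anything"))  # 1
    print("safe, bypass:", login_safe(db, bypass, "anything"))  # None
    print("safe, real credentials:", login_safe(db, "alice", "superstrongpassword"))  # 1
```

Against the concatenating version the bypass string logs in as the first user in the table without knowing any password; against the parameterized version the same string is just a user name that does not exist.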

16 A1- INJECTION Types of Injections SQL - Structured Query Language
HQL - Hibernate Query Language; LDAP - Lightweight Directory Access Protocol; XPath; XQuery; XSLT - Extensible Stylesheet Language Transformations; XML; OS command injection; and many more.

17 Security Testing - Injection ---- Data Validation Testing ----:
Testing for SQL Injection Oracle Testing MySQL Testing SQL Server Testing Testing PostgreSQL MS Access Testing Testing for NoSQL injection Testing for LDAP Injection Testing for ORM Injection Testing for XML Injection Testing for SSI Injection Testing for XPath Injection IMAP/SMTP Injection Testing for Code Injection Testing for Local File Inclusion Testing for Remote File Inclusion Testing for Command Injection Testing for HTML Injection Testing for CSS Injection More on OWASP Injections:

18 A2 - Broken authentication and session management
How? Hardcoded passwords. Unlimited login attempts. Passwords shorter than 7 characters, preferably digits only. Resend the password at every request. Nonexistent logging mechanism. No session management: the session never expires, just keep sending the password.

19 A2 - Broken authentication and session management
(I.)A.A.A.

20 A2 - Broken authentication and session management
Identification – knowing who you are (username, password) - "Knocking at the gate". Authentication – provides a way of verifying a user, typically by having the user enter a valid name and valid password before access is granted. Authorization – determines whether a user has the authority to issue different kinds of role-based commands. Accounting/Nonrepudiation – measures the resources a user consumes during access (log every action).

21 Security Testing - BASM ---- Identity Management Testing ----:
Test Role Definitions Test User Registration Process Test Account Provisioning Process Testing for Account Enumeration and Guessable User Account Testing for Weak or unenforced username policy Test Permissions of Guest/Training Accounts Test Account Suspension/Resumption Process

22 Security Testing - BASM ---- Authentication Testing ----:
Testing for Credentials Transported over an Encrypted Channel Testing for default credentials Testing for Weak lock out mechanism Testing for bypassing authentication schema Test remember password functionality Testing for Browser cache weakness Testing for Weak password policy Testing for Weak security question/answer Testing for weak password change or reset functionalities Testing for Weaker authentication in alternative channel

23 Security Testing - BASM ----Authorization Testing ----:
Testing Directory traversal/file include Testing for bypassing authorization schema Testing for Privilege Escalation Testing for Insecure Direct Object References

24 Security Testing - BASM ----Session Management Testing ----:
Testing for Bypassing Session Management Schema Testing for Cookies attributes Testing for Session Fixation Testing for Exposed Session Variables Testing for Cross Site Request Forgery Testing for logout functionality Test Session Timeout Testing for Session puzzling

25 A3 - Cross-Site Scripting (XSS)
HOW? >< <requestvalidation = OFF!>  <script> <img> <html>

26 Security Testing - XSS ---- Data Validation Testing ----:
Testing for Clickjacking Testing for Cross Site Flashing Testing for DOM based Cross Site Scripting (><) Testing for JavaScript Execution Testing for Reflected Cross Site Scripting Testing for Stored Cross Site Scripting
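The two XSS sinks the slides point at (markup injected through a request value, and "JavaScript Execution" through a link whose href the user controls), as an added example that is not part of the presentation: the raw rendering beside its encoded form, plus a scheme allowlist for hrefs. Function names and the sample comment are assumptions for the illustration.

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(comment):
    """Raw interpolation: any markup in the input becomes live markup in the page."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_safe(comment):
    """Contextual output encoding for an HTML element body: <, >, &, " and ' are
    turned into entities, so the browser shows the text instead of parsing it."""
    return '<div class="comment">' + html.escape(comment, quote=True) + '</div>'


def safe_href(url):
    """Attribute-context defence for user-supplied links: only http/https schemes are
    allowed, which stops javascript: URLs that escaping alone would not neutralise;
    the accepted value is still entity-encoded for the attribute."""
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url.strip(), quote=True)


def contains_live_markup(rendered):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    # Constructed sample input a tester would submit to probe a reflected/stored sink.
    probe = "<script>alert(1)</script>"
    print(render_comment_vulnerable(probe))
    print(render_comment_safe(probe))
    print(safe_href("javascript:alert(1)"))          # "#"
    print(safe_href("https://example.com/?a=1&b=2"))  # https://example.com/?a=1&amp;b=2
```

The encoded comment still shows the probe text to the reader, which is the expected result of the test: the payload is visible but inert.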

27 A4 - Insecure Direct Object References
How? /myapp/config /myapp/services 

28 Security Testing – IDOR - :
Analysis of Error Codes. Analysis of Stack Traces. Identify application entry points. Map execution paths through application. Fingerprint Web Application Framework. Fingerprint Web Application. Map Application Architecture.

29 A5 - Security Misconfiguration
How? Server-side security (webserver port 80). Default credentials. Open directories. Stack traces enabled.

30 Security Testing - Security Misconfiguration -:
Test Network/Infrastructure Configuration Test Application Platform Configuration Test File Extensions Handling for Sensitive Information Backup and Unreferenced Files for Sensitive Information Enumerate Infrastructure and Application Admin Interfaces Test HTTP Methods Test HTTP Strict Transport Security Test RIA cross domain policy
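Two of the checks listed on these slides, "Testing for Cookies attributes" (slide 24) and "Test HTTP Strict Transport Security" (slide 30), can be automated over a captured response. The following is an added example, not part of the presentation or of any scanner: it parses Set-Cookie and Strict-Transport-Security header values and reports the weak settings. The response headers are constructed, and the one-year max-age threshold is an assumption of this example.

```python
ONE_YEAR = 31536000  # assumed minimum HSTS max-age (seconds) for this example

# Constructed response headers: one weak session cookie, one well-configured cookie,
# and an HSTS header that is present but too short-lived.
SAMPLE_RESPONSE = {
    "set-cookie": [
        "JSESSIONID=abc123; Path=/",
        "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
    ],
    "strict-transport-security": "max-age=300",
}


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=x' into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def check_cookie(value):
    """Return the cookie name and a list of findings (empty list = no issue found)."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure")        # cookie may travel over plain HTTP
    if "httponly" not in attrs:
        findings.append("missing HttpOnly")      # readable by injected script
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict")  # sent on cross-site requests
    return name, findings


def check_hsts(value):
    """Return findings for a Strict-Transport-Security header value (None = header absent)."""
    if value is None:
        return ["Strict-Transport-Security header missing"]
    directives = {}
    for d in value.split(";"):
        key, _, val = d.strip().partition("=")
        directives[key.strip().lower()] = val.strip()
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    findings = []
    if max_age < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def audit_response(headers):
    """Audit every Set-Cookie value plus the HSTS header; keys are cookie names and 'hsts'."""
    report = {}
    for cookie in headers.get("set-cookie", []):
        name, findings = check_cookie(cookie)
        report[name] = findings
    report["hsts"] = check_hsts(headers.get("strict-transport-security"))
    return report


if __name__ == "__main__":
    for item, findings in audit_response(SAMPLE_RESPONSE).items():
        print(item, "->", findings or "ok")
```

Header names are expected lower-cased in the input map, which is how most HTTP client libraries expose them; the parser deliberately does not validate cookie values, since the test is about the attributes, not the content.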

31 A6 - Sensitive Data Exposure
How? No SSL (or a weak one: F-class certificates). 512-bit transport encryption. Credentials and information transported in clear text.

32 Security Testing - Sensitive Data Exposure -:
Testing for Weak SSL/TLS Ciphers, Insufficient Transport Layer Protection. Testing for Padding Oracle. Testing for Sensitive information sent via unencrypted channels. Error Handling: Analysis of Error Codes; Analysis of Stack Traces.

33 A7 - Missing Function Level Access Control
How? Make use of IFRAME / Adobe modules /Admin/ -> = Admin /phpMyAdmin/

34 Security Testing - Missing Level Access Control -
Conduct Search Engine Discovery and Reconnaissance for Information Leakage Fingerprint Web Server Review Webserver Metafiles for Information Leakage Enumerate Applications on Webserver Review Webpage Comments and Metadata for Information Leakage ....Also IDOR Tests

35 A8 - Cross-Site Request Forgery (CSRF)
How?
<form method="GET" action="Actions/Transfer/">
<input name="from" value="You">
<input name="to" value="Me">
<input name="value" value="10000">
<input name="currency" value="EUR">
</form>
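The slide's form works because the transfer endpoint accepts a GET that carries nothing the victim's browser would not send automatically. The following is an added example, not code from the presentation: a hypothetical Actions/Transfer/ handler that rejects the forged request twice over, by refusing GET for a state-changing action and by requiring a synchronizer token that only a page served by the application could have read. The session and request objects are plain dicts constructed for the illustration.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Generate a random per-session token and keep a copy server-side.
    `session` is a dict standing in for the server's session store (constructed)."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def handle_transfer(session, request):
    """Hypothetical Actions/Transfer/ handler. `request` is a constructed dict
    {"method": "GET" | "POST", "params": {...}}. Returns (status, message)."""
    # 1. A state-changing action must not be reachable through GET: a GET can be
    #    triggered by a plain link or an <img src> on any site the victim visits.
    if request["method"] != "POST":
        return 405, "transfer requires POST"
    params = request["params"]
    # 2. The request must echo the token stored in the session. An attacker's page
    #    cannot read it, so the forged form cannot include it. Constant-time
    #    comparison avoids leaking the token through response timing.
    expected = session.get("csrf_token", "")
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer %s %s from %s to %s" % (
        params["value"], params["currency"], params["from"], params["to"]
    )


def forged_request_from_slide():
    """The slide's hidden form as the server receives it: a GET with no token (constructed)."""
    return {"method": "GET",
            "params": {"from": "You", "to": "Me", "value": "10000", "currency": "EUR"}}


def scenario_statuses():
    """Run the three cases a tester checks and return their HTTP statuses in order:
    forged GET, forged POST without token, legitimate POST with token."""
    session = {}
    token = issue_csrf_token(session)
    base = forged_request_from_slide()["params"]
    forged_post = {"method": "POST", "params": dict(base)}
    legit_post = {"method": "POST", "params": {**base, "csrf_token": token}}
    return (
        handle_transfer(session, forged_request_from_slide())[0],
        handle_transfer(session, forged_post)[0],
        handle_transfer(session, legit_post)[0],
    )


if __name__ == "__main__":
    print(scenario_statuses())  # (405, 403, 200)
```

A SameSite=Lax or Strict attribute on the session cookie is a second, independent layer for the same problem; the token check above is what makes the endpoint safe even in browsers that ignore the attribute.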

36 Security Testing – CSRF -
Testing for Client Side URL Redirect Testing for Client Side Resource Manipulation Test Cross Origin Resource Sharing Test data validation Test Upload of Unexpected File Types Test Upload of Malicious Files

37 A9 - Using Known Vulnerable Components
How? External libraries: JavaScript, jQuery, Adobe, and the list continues.

38 Security Testing - Vulnerable Components -
Verify components versions Check components for vulnerabilities via web

39 A10 - Unvalidated Redirects and Forwards

40 Security Testing - Redirects and Forwards -
Testing for Client Side URL Redirect

41 Security Testing - Additional Tests:
Data Validation Testing Testing for HTTP Verb Tampering Testing for HTTP Parameter pollution Testing for Buffer overflow Testing for Heap overflow Testing for Stack overflow Testing for Format string Testing for incubated vulnerabilities Testing for HTTP Splitting/Smuggling Client Side Testing Testing WebSockets Test Web Messaging Test Local Storage Business Logic Testing Test Business Logic Data Validation Test Ability to Forge Requests Test Integrity Checks Test for Process Timing Test Number of Times a Function Can be Used Limits Testing for the Circumvention of Work Flows Test Defenses Against Application Mis-use Test Upload of Unexpected File Types Test Upload of Malicious Files

42 Software solutions for testers

43 WhY? What? How? Why do we need it? What does it do?
How shall we use it?

44 WhY? What? How? Improve yourself
Because…..Websites and web applications No security fines Some firewalls and SSL provide no protection against web application hacking

45 WhY? What? How? Most web applications are custom-made
Web application security remains the most critical. Automated web application security testing tool. Creates confidence among testers and raises the level of security awareness.

46 WhY? What? How? Web Vulnerability Scanner (Server Headers, Port Scanner, Owasp10, Directories etc.) Web Services Scanner Crawling processes Subdomain Scanner

47 HTTP Editor, HTTP Sniffer, HTTP Fuzzer Blind SQL Injector
WhY? What? How? HTTP Editor, HTTP Sniffer, HTTP Fuzzer Blind SQL Injector Authentication Tester Compare Results Report generator

48 WhY? What? How? Remote access to Acunetix Server
Login with your domain credentials. Open Acunetix Web Vulnerability Scanner 10.0. Start a new scan (single or resumed scan – select/define profiles – optimize technologies – login sequence – Start scan). Generate Report. Use a resumed scan after you have crawled the web application. The default profile covers most of the vulnerabilities but can take a while to finish. Selecting the wrong technologies may influence the end result. You can define a login sequence and save it.

49 WhY? What? How? Start a new scan

50 Select the type of scan (single or resumed scan)
WhY? What? How? Select the type of scan (single or resumed scan)

51 Select/define profiles
WhY? What? How? Select/define profiles

52 Optimize technologies
WhY? What? How? Optimize technologies

53 WhY? What? How? Define Login sequence

54 Scanning in progress WhY? What? How?
Clicking on a vulnerability displays useful information and advice on how you can mitigate the threat.

55 WhY? What? How? Generate Report

56 Use Acunetix at a specific time interval
Recommendations: Use Acunetix only after you have security tested (exploratory) the application; Acunetix can verify what you already discovered and give you confidence. It doesn't replace security testing!! Use Acunetix on a different environment (not production; test, demo, dev etc.). Security environment (there is a chance that Acunetix may interfere with the build). Use Acunetix at a specific time interval, not for every text box that is added to the application.

57 WhY? What? How?

58

59 Thank you!
