Presentation is loading. Please wait.

Presentation is loading. Please wait.

How to Break Web Application Security

Published byBarnard Pitts Modified over 5 years ago

Similar presentations

Presentation on theme: "How to Break Web Application Security"— Presentation transcript:

1 How to Break Web Application Security
Erwin Geirnaert Director European Operations Security Innovation

2 Agenda Security Test Checklist Threat Modeling Tools Some examples

3 Security Test Checklist
You need an EXPERIENCED TESTER Create a threat model and a test plan Web application testing <> penetration testing Do not rely ONLY on automated web application security scanners Source code of the web application HELPS Have a Security Tester Toolbox Log everything

4 Threat Modeling Threat modeling
“You cannot test a system until you understand the threats” Threat modeling is the design activity to discover the threats that your application is susceptible to. Threat modeling yields both threats and vulnerabilities and provides ways to perform security testing in order to prioritize the security fixes needed.

5 Threat modeling - Definitions
Threats are possible attacks. Vulnerabilities are security related software errors: A threat is what an attacker might try to do to an asset or through an entry point A vulnerability is a specific security exploit due to an unmitigated threat path

6 Threat modeling - STRIDE
Threats can be classified using the STRIDE classification: Spoofing – lying about identity Tampering – Destroying data Repudiation – Cleaning the steps of an attack/Denying a transaction Information Disclosure – Stealing valuable private data Denial of Service – Stopping an application from providing its basic functionality Escalation of Privileges – Executing code with stolen high privileges Whenever discovering threats the analyst will always think about STRIDE elements

7 Threat modeling – Example of threats
Some threats for Web Video Recoding System Attacker tampers with central video storage Attacker sends malicious input to overrun the video recording client Attacker deletes temporary recordings Attacker remotely executes code in Video web service box

8 Threat modeling - DREAD
Damage potential – what’s the extent of the damage if this vulnerability was to be exploited Reproducibility – how well can the finder reproduce the issue Exploitability – difficulty of taking advantage of the flaw for malicious purpose Affected users – how many or what type of users are affected by the flaw Discoverability – how fast can it be publicly be discovered DREAD is used to analyze the risk of discovered vulnerabilities

9 Attack vectors for web applications
Harvesting User IDs Brute-forcing Accounts Path Truncation Attacks Hidden Path Discovery Application Directory and File Mapping Forceful Browsing Source Code Disclosure Web server vulnerability exploitation Parameter Tampering Cookie Tampering Cross-site Scripting SQL Injection Script Injection Command Injection Encoding Attacks Buffer Overflows Format-string attacks

10 Security Tester Toolbox
Tools are just a way of manipulating web applications They are no silver bullet, a lot of false positives can be the result of automated scan They can be really expensive They can be useful You need to learn how to use them and what the limitations are Internet Explorer can do the job and for free 

11 4 years ago, a limited list of free tools:
Tools in the past 4 years ago, a limited list of free tools: Achilles: local proxy @Stake WebProxy: local proxy& fuzzer, in Java  WebSleuth: plugin for IE, raw requests Whisker: vulnerability scanner Nikto: vulnerability scanner Nessus: didn’t include web vulnerabilities yet But they did the job, only it required more time....

12 Commercial Fault Injection Test Tools
SPI Dynamics WebInspect Sanctum now Watchfire AppScan Kavado Scando AppSecInc AppDetective for Web Apps Cenzic Hailstorm Security Innovation Holodeck NT Objectives NTOSpider Acunetix Web Vulnerability Scanner 2 Compuware DevPartner Fault Simulator Fortify Pen Testing Team Tool @stake Web Proxy 2.0 Burp Intruder Sandsprite Web Sleuth MaxPatrol 7 Syhunt Sandcat Scanner & Miner TrustSecurityConsulting HTTPExplorer Ecyware BlueGreen Inspector NGS Typhon Parasoft WebKing (more QA-type tool)

13 Open Source or Freeware Fault Injection Test Tools
WebScarab (HTTPush, Exodus) Paros Proxy Burp Spider Burp Proxy SPIKE Proxy SPIKE Achilles Proxy Odysseus Proxy Webstretch Proxy Absinthe 1.1 (formerly SQLSqueal) NGS SQL Injection Inference Tool (BH Europe 2005) Internet Explorer HTMLBar Plugin Firefox LiveHTTPHeaders and Developer Tools Sensepost Wikto (Google cached fault-finding) Foundstone Sitedigger (Google cached fault-finding)

14 OWASP - WebScarab Java based: download stand-alone JAR and runtime HTTP Proxy Client-certificates Session analysis Raw request Spider Custum plugins: BeanShell

15 OWASP – WebScarab - Interceptor

16 OWASP – WebScarab – Raw Request

17 OWASP – WebScarab - Spider

18 OWASP – WebScarab – SessionID Analysis

19 OWASP – WebScarab – SessionID Analysis

20 OWASP – WebScarab – Transcoder

21 Some examples Parameter tampering Cross-site-scripting Hidden fields SQL Injection Error messages Google 

22 That’s it… Any Questions? Thank you!

Download ppt "How to Break Web Application Security"

Similar presentations

Module XII Web Application Vulnerabilities

Module XII Web Application Vulnerabilities
Webgoat.

Webgoat.
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.

Infosec 2012 | 25/4/12 Application Performance Monitoring Ofer MAOR CTO Infosec 2012.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Copyright © 2005 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Making the Campus Web Safer: One application at a time Diane Gierisch, Senior Systems Analyst PJ Abrams, CISSP, Senior Systems Analyst Copyright The University.

Making the Campus Web Safer: One application at a time Diane Gierisch, Senior Systems Analyst PJ Abrams, CISSP, Senior Systems Analyst Copyright The University.
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Similar presentations

Ads by Google