This talk is geared towards QA Analysts who want to start to understand the mindset of the 'hacker', and start thinking about web application security testing concepts.
2. A quick abstract

Growing application complexity, coupled with the exploding increase in application surface area, has resulted in new quality challenges for testers. Some test teams are adopting a tour-based testing methodology because it’s incredibly good at breaking down testing into manageable chunks. However, hackers are paying close attention to systems and developing new targeted attacks to stay one step ahead. Rafal Los takes you inside the hacker’s world, identifying the landmarks hackers target within applications and showing you how to identify the defects they seek out. Learn what “landmarks” are (1), how to identify them from functional specifications (2), and how to tailor negative testing strategies to different landmark categories (3). Test teams, already choked for time and resources and now saddled with security testing, will learn how to pinpoint the defect, from the mountains of vulnerabilities often uncovered in security testing, that could compromise the entire application.
4. The basics

Modern application complexity is increasing
“Web 2.0”: creating complex applications
High complexity == High risk
“Too big to fully test” is a common complaint
“Too complex to fully test” too!
5. Why landmark testing

Why does landmark-based testing make sense?
Testing optimization
Testers’ limited resources: time, CPU cycles, manpower
6. Dirty little secret

“Isn’t security testing … security’s job?”
Actually… no. Testers bring application knowledge that traditional security testing lacks.
7. Disclosure of limitations

Every process and methodology has limitations
Tour-based testing is subjective
Testers are not security experts (or hackers)
A cooperative approach is required
12. Social reach

Attackers know they are more likely to be successful in a client-targeted attack if they can send it to you from a trusted source. You trust your friends … right?
Links sent in tweets [or FaceBook messages] from your friends
A company you trust says “this is our latest FREE product!”
Google/Bing ads for fake Anti-Virus rampant…
16. Authentication

Manipulating an authentication system to allow free access is almost as big a target as faking the authentication scheme.
Bypassing authentication mechanisms
Privilege escalation (horizontal & vertical)
Faking authentication schemes (phishing for auth)
So many ways this could go wrong
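The two privilege-escalation cases named on this slide are the easiest landmark for a QA team to turn into negative tests, because the functional spec already tells you who is allowed to do what. The example below is added here and is not code from the talk: the in-memory users, orders, `Session` object and the `get_order`/`export_all_orders` handlers are constructed stand-ins. A horizontal test asks whether one user can read another user's record; a vertical test asks whether an ordinary user can reach an admin-only action. Each test is run against a defective handler and a hardened one so the oracle is visibly doing its job.

```python
"""Negative tests for the 'Authentication' landmark.

Added example, not code from the original talk. The in-memory users,
orders and session object are constructed here to show the shape of two
negative tests a QA tester can write once a spec reveals a change in
privilege or trust: a horizontal check (user A reads user B's record)
and a vertical check (a normal user reaches an admin-only action).
"""

from dataclasses import dataclass

# Constructed sample data: two ordinary users, one admin, two orders.
USERS = {"alice": "user", "bob": "user", "root": "admin"}
ORDERS = {
    1001: {"owner": "alice", "total": 42.00},
    1002: {"owner": "bob", "total": 13.37},
}


@dataclass
class Session:
    """Authenticated session (AuthN done); authorization (AuthZ) is still
    the application's job on every request."""
    username: str


class Forbidden(Exception):
    """Raised when a request is authenticated but not authorized."""


def get_order_unchecked(session: Session, order_id: int) -> dict:
    """Defective: any logged-in user can read any order by knowing its id."""
    return ORDERS[order_id]


def get_order(session: Session, order_id: int) -> dict:
    """Hardened: the record's owner must match the session user."""
    order = ORDERS[order_id]
    if order["owner"] != session.username:
        raise Forbidden(f"{session.username} may not read order {order_id}")
    return order


def export_all_orders_unchecked(session: Session) -> list:
    """Defective: an admin report whose only guard is a hidden menu entry."""
    return list(ORDERS.values())


def export_all_orders(session: Session) -> list:
    """Hardened: the admin role is enforced server-side."""
    if USERS.get(session.username) != "admin":
        raise Forbidden(f"{session.username} is not an admin")
    return list(ORDERS.values())


def passes_horizontal_test(lookup) -> bool:
    """True when the lookup refuses alice's request for bob's order."""
    try:
        lookup(Session("alice"), 1002)
    except Forbidden:
        return True
    return False


def passes_vertical_test(action) -> bool:
    """True when the admin action refuses an ordinary user."""
    try:
        action(Session("alice"))
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    for name, fn, test in [
        ("get_order_unchecked", get_order_unchecked, passes_horizontal_test),
        ("get_order", get_order, passes_horizontal_test),
        ("export_all_orders_unchecked", export_all_orders_unchecked, passes_vertical_test),
        ("export_all_orders", export_all_orders, passes_vertical_test),
    ]:
        print(f"{name:30s} passes: {test(fn)}")
```

The point of pairing each oracle with a known-bad handler is that a negative test which never fails tells you nothing; running it first against the unchecked version proves the test can detect the defect before you trust its green result on the real code.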
17. Data access

The ultimate goal for an attacker is to get some one-on-one quality time with your data-store.
SQL Injection (#1 threat to online datastores)
Poorly coded client-side programs (Flash…)
RESTful web services
WebService endpoints
…
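For the data-access landmark, the negative test a QA tester can own is simple to state: feed the lookup a value containing SQL metacharacters and check that only rows for that literal value come back. The example below is added here and is not code from the talk; the in-memory SQLite table, its four accounts and the two test inputs are all constructed. It runs the same two inputs against a string-concatenated query and a parameterised one, with a functional oracle (a real name containing an apostrophe must still be found) and a security oracle (rows for other usernames must never come back).

```python
"""Negative test for the 'Data access' landmark: SQL injection.

Added example, not code from the original talk. It builds an in-memory
SQLite table with constructed rows and runs the same two negative test
inputs against a string-concatenated query and a parameterised one.
Both the table and the inputs are constructed for this example.
"""

import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: four accounts, one with an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
            ("o'brien", "obrien@example.test"),
        ],
    )
    return conn


def find_by_username_concat(conn: sqlite3.Connection, username: str) -> list:
    """Defective: user input is pasted into the SQL text, so quote characters
    in the value change the meaning of the statement."""
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_by_username_param(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Negative test inputs. The first is an ordinary name that happens to
# contain a quote; the second is free text containing SQL metacharacters.
# A correct lookup treats both as literal usernames.
QUOTED_NAME = "o'brien"
METACHAR_INPUT = "x' OR '1'='1"


def handles_quoted_name(lookup, conn) -> bool:
    """Functional oracle: the lookup must find o'brien without erroring."""
    try:
        rows = lookup(conn, QUOTED_NAME)
    except sqlite3.Error:
        return False
    return [r[0] for r in rows] == [QUOTED_NAME]


def leaks_other_rows(lookup, conn) -> bool:
    """Security oracle: True means rows for other usernames came back,
    i.e. the data-access landmark is defective."""
    try:
        rows = lookup(conn, METACHAR_INPUT)
    except sqlite3.Error:
        return False  # an error is a functional bug, not a data leak
    return any(user != METACHAR_INPUT for user, _ in rows)


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("concat", find_by_username_concat), ("param", find_by_username_param)]:
        print(f"{name}: handles o'brien={handles_quoted_name(fn, db)} "
              f"leaks other rows={leaks_other_rows(fn, db)}")
```

Note that the apostrophe case is a plain functional bug the QA team would log anyway; it is the same root cause as the leak, which is why a landmark-based test plan groups both under data access rather than treating one as "security's job".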
33. Functional specifications

Purpose of functional specifications:
Lay out application functionality
Provide use-cases
Business map of application
Answer: “What does it do?”
34. Getting the clues

QA testers don’t instinctively think like hackers…
Work from functional specifications.
Hints for finding hacker landmarks:
Look for changes in privilege or trust
Look for application interaction points
Look for opportunistic data interaction
Follow the money (commerce)
39. This is not a secret...

Security testing is overwhelming
Most QA teams never test for security defects
Security defect testing defaults to a “kitchen sink” approach
Too many results, too much noise in current testing
Failure to test means an increase in risk
Testing strategies must change
40. Shift your mind to a hacker touring your site or application.
41. Assess your current testing

Perform regular analysis of your testing strategy:
How does negative testing fit in?
Do you have the resources?
Are your teams equipped?
Can you think like a hacker?
Close your eyes, and imagine you’re in Paris for the first time. You wake up in your hotel room in the early morning, and are preparing to take everything in. How will you plan your next few days in Paris? The answer is that you will likely plan your trip very carefully and deliberately, making sure you hit the high points, tourist locations, and landmarks. Web application software testing is just like this … let’s talk about why.
Attackers target specific things…

“Social Reach” – ways to communicate with others
Use your site’s identity to SPAM
Use your site’s reputation to SPAM
Manipulate “friends” networks
Manipulate “professional” networks

“Application I/O” – each input is a possible way to push malicious data into the application
Cross-site scripting {{ DEMO XSS }}
CSRF – cross-site request forgeries
SQL Injection

“Commerce”
Product for free?
Manipulate other people’s data/carts

“Authentication”
If you can break authentication … the game is all but lost
Authentication is often the only security measure (AuthN)
Most likely little authorization (AuthZ)

“Data Access”
Points where queries are made to a data store
Cross-application data retrieval (mash-ups)
Encryption, algorithms, etc. (especially if stored locally…)
{{ THE DATA IS THE ULTIMATE TARGET }}
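The “Application I/O” landmark in these notes names two input points a tester can check from the spec alone: any place user input is echoed back into a page (the XSS demo), and any state-changing form that a browser will submit with the user's cookie attached (CSRF). The example below is added here and is not code from the talk; the comment renderer, session store, email-change handler and the probe strings are all constructed stand-ins. The XSS oracle uses a harmless `<b>` tag rather than script, since if any input markup survives into the output the defect is already demonstrated; the CSRF oracle submits a form without the per-session token and checks whether the email still changed.

```python
"""Negative tests for the 'Application I/O' landmark: XSS and CSRF.

Added example, not code from the original talk. The comment renderer,
session store and form handler are constructed stand-ins for the two
input points the talk names: output that echoes user input (XSS) and a
state-changing form that can be submitted from another site (CSRF).
"""

import html
import hmac
import secrets


# --- Cross-site scripting: does input markup survive into the page? ---

def render_comment_unescaped(comment: str) -> str:
    """Defective: the comment is interpolated into HTML as-is."""
    return f'<p class="comment">{comment}</p>'


def render_comment(comment: str) -> str:
    """Hardened: every HTML-significant character is escaped on output."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


# Constructed probe: harmless markup. If a <b> tag survives unescaped,
# any other tag would too, which is all the tester needs to know.
XSS_PROBE = "<b>hello</b>"


def reflects_markup(renderer) -> bool:
    """True when the probe's tag appears unescaped in the rendered output."""
    return "<b>" in renderer(XSS_PROBE)


# --- Cross-site request forgery: does a state change require a token? ---

def new_session(username: str) -> dict:
    """Constructed session with the per-session anti-CSRF token that the
    legitimate page embeds in its forms."""
    return {"user": username, "email": f"{username}@example.test",
            "csrf_token": secrets.token_hex(16)}


def change_email_unchecked(session: dict, form: dict) -> bool:
    """Defective: any POST that arrives with the victim's cookie is honoured."""
    session["email"] = form["email"]
    return True


def change_email(session: dict, form: dict) -> bool:
    """Hardened: the form must carry the token only the real page knows."""
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return False
    session["email"] = form["email"]
    return True


def accepts_forged_post(handler) -> bool:
    """True when a cross-site POST (no token) changes the victim's email."""
    session = new_session("alice")
    forged_form = {"email": "someone-else@example.test"}  # constructed
    handler(session, forged_form)
    return session["email"] == forged_form["email"]


if __name__ == "__main__":
    print("unescaped renderer reflects markup:  ", reflects_markup(render_comment_unescaped))
    print("escaped renderer reflects markup:    ", reflects_markup(render_comment))
    print("unchecked handler accepts forged post:", accepts_forged_post(change_email_unchecked))
    print("checked handler accepts forged post:  ", accepts_forged_post(change_email))
```

Both oracles come straight from the functional spec: the XSS check applies to every field the spec says is displayed back to users, and the CSRF check applies to every use-case that changes account state, which is how the “look for application interaction points” hint turns into a concrete test list.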