SlideShare ist ein Scribd-Unternehmen logo

Security Testing For Web Applications

Als PPTX, PDF herunterladen
Vladimir Soghoyan
Vladimir Soghoyan

Causes of vulnerabilities Security testing concepts Security Testing Types Main methods of manual security testing URL manipulation SQL injection XSS (Cross Site Scripting) Automated security testing tools ------------------------------------------------ Created by: Kristina Filipyan Reviewed by: Vladimir Soghoyan Ogma Applications

Technologie
1 von 18
Security Testing For Web Applications Created by: Kristina Filipyan Reviewed by: Vladimir Soghoyan Ogma Applications
Causes of vulnerabilities  Design and development errors  Poor system configuration  Human errors
Security testing concepts  Authentication Determining the act of confirming the truth of an attribute of a datum or entity.  Authorization Determining that a requester is allowed to receive a service or perform an operation.  Confidentiality A security measure which protects the disclosure of data or information to parties other than the intended.  Integrity Whether the intended receiver receives the information or data which is not altered in transmission.  Non-repudiation (session time limitations) Interchange of authentication information with some form of provable time stamp e.g. with session id .
Security Testing Types  Vulnerability Scanning Method to assess computers, computer systems, networks or applications for weaknesses.  Security Scanning Security Scanning is a Vulnerability Scan  Penetration Testing Method of evaluating the security of a computer system or network by simulating an attack  Risk Assessment Risk Assessment involves a security analysis of interviews compiled with research of business, legal, and industry justifications.  Security Auditing Security Auditing involves hands on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.  Ethical Hacking This is basically a number of Penetration Tests on a number of systems on a network segment.
Why Security testing is needed?  To secure financial data while transferring between different system  To secure user data  To find security vulnerabilities in an application
Main methods of manual security testing  URL manipulation  SQL injection  XSS (Cross Site Scripting)
URL manipulation through HTTP GET methods examples  Search for directories making it possible to administer the site: http://target/admin/ http://target/admin.cgi  Search for a script to reveal information about the remote system: http://target/phpinfo.php3  Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default, which can cause a script to be displayed: http://target/.bak
SQL Injection examples  SELECT fieldlist FROM table WHERE field = ‘username@domain.com'';  SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --';  SELECT email, passwd, login_id, full_name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
Cross Site Scripting (XSS)  '';!--"<XSS>=&{()}  <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>  <IMG SRC="javascript:alert('XSS');">
XSS Attack example on RockSquare: XSS Input XSS Attack Results
Automated security testing tools:  NMAP (free source) Security scanner used to discover hosts and services on a computer network.  GFI LANguard (licensed) Network Security Scanner and Vulnerability Management Tool.
What is Zenmap ? Zenmap is the official Nmap Security Scanner GUI  Zenmap action shots: Nmap Output Hosts and Posts Topology Host Details
Nmap Output: The “Nmap Output” shows scanning results.
Hosts and Ports “Ports / Hosts” tab shows all the hosts which have that port open filtered, or closed.
Topology The “Topology” tab is an interactive view of the connections between hosts in a network.
Host Details The “Host Details” tab breaks all the information about a single host into a hierarchical display.
The goal of the Nmap  Nmap sends specially crafted packets to the target host and then analyzes the responses.  Nmap can determine the operating system of the target, names and versions of the listening services, estimated uptime, type of device, and presence of a firewall.
Thank You

Empfohlen

Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3vhimsikal
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 

Empfohlen

Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentationAshwini Paranjpe
 
Secure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior - Logging
Secure Code Warrior - LoggingSecure Code Warrior
 
Secure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior - Trust no input
Secure Code Warrior - Trust no inputSecure Code Warrior
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3vhimsikal
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityColin English
 
Session3 data-validation-sql injection
Session3 data-validation-sql injectionSession3 data-validation-sql injection
Session3 data-validation-sql injectionzakieh alizadeh
 
SalemPhilip_ResearchReport
SalemPhilip_ResearchReportSalemPhilip_ResearchReport
SalemPhilip_ResearchReportPhilip Salem
 
The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorizationzakieh alizadeh
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testingAvyaan, Web Security Company in India
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Session4-Authentication
Session4-AuthenticationSession4-Authentication
Session4-Authenticationzakieh alizadeh
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managmentzakieh alizadeh
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_reportChandan Bagai, GWAPT, CEHv8, CCNA
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 
Web security 2010
Web security 2010Web security 2010
Web security 2010Alok Babu
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017ibrahimumer2
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tamperingDilan Warnakulasooriya
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software EngineeringRohitha Liyanagama
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 

Weitere ähnliche Inhalte

Was ist angesagt?

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security TestingAlan Kan
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfigurationzakieh alizadeh
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure codeMiva
 
Web security 2010
Web security 2010Web security 2010
Web security 2010Alok Babu
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modelingzakieh alizadeh
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 

Was ist angesagt? (20)

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
S5-Authorization
S5-AuthorizationS5-Authorization
S5-Authorization
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Session4-Authentication
Session4-AuthenticationSession4-Authentication
Session4-Authentication
 
Security testing
Security testingSecurity testing
Security testing
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
S8-Session Managment
S8-Session ManagmentS8-Session Managment
S8-Session Managment
 
Session10-PHP Misconfiguration
Session10-PHP MisconfigurationSession10-PHP Misconfiguration
Session10-PHP Misconfiguration
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
Pci compliance writing secure code
Pci compliance writing secure codePci compliance writing secure code
Pci compliance writing secure code
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
 
Web application security
Web application securityWeb application security
Web application security
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Session2-Application Threat Modeling
Session2-Application Threat ModelingSession2-Application Threat Modeling
Session2-Application Threat Modeling
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Parameter tampering
Parameter tamperingParameter tampering
Parameter tampering
 

Ähnlich wie Security Testing For Web Applications

PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionDaniel Owens
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingRahul Roshan
 
Web Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsWeb Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsPort80 Software
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net ProgrammingAdam Getchell
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguageIRJET Journal
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilitiesAleksandar Bozinovski
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017SamsonMuoki
 

Ähnlich wie Security Testing For Web Applications (20)

Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
ieee
ieeeieee
ieee
 
Single Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud ComputingSingle Sign-On security issue in Cloud Computing
Single Sign-On security issue in Cloud Computing
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Web Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future MusingsWeb Server Technologies Part III: Security & Future Musings
Web Server Technologies Part III: Security & Future Musings
 
Secure Dot Net Programming
Secure Dot Net ProgrammingSecure Dot Net Programming
Secure Dot Net Programming
 
Security testing
Security testingSecurity testing
Security testing
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
 
Prevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host LanguagePrevention of SQL Injection Attack in Web Application with Host Language
Prevention of SQL Injection Attack in Web Application with Host Language
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 

Mehr von Vladimir Soghoyan

What Are The Advantages and Disadvantages Of Studying And Working Together?
What Are The Advantages and Disadvantages Of Studying And Working Together?What Are The Advantages and Disadvantages Of Studying And Working Together?
What Are The Advantages and Disadvantages Of Studying And Working Together?Vladimir Soghoyan
 

Mehr von Vladimir Soghoyan (9)

Havij
HavijHavij
Havij
 
Search Engine Optimization
Search Engine OptimizationSearch Engine Optimization
Search Engine Optimization
 
Load Runner
Load RunnerLoad Runner
Load Runner
 
Automation Testing
Automation TestingAutomation Testing
Automation Testing
 
Selenium IDE
Selenium IDESelenium IDE
Selenium IDE
 
Selenium
SeleniumSelenium
Selenium
 
Rest Console
Rest ConsoleRest Console
Rest Console
 
Web Services Testing
Web Services TestingWeb Services Testing
Web Services Testing
 
What Are The Advantages and Disadvantages Of Studying And Working Together?
What Are The Advantages and Disadvantages Of Studying And Working Together?What Are The Advantages and Disadvantages Of Studying And Working Together?
What Are The Advantages and Disadvantages Of Studying And Working Together?
 

Kürzlich hochgeladen

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 

Kürzlich hochgeladen (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 

Security Testing For Web Applications

  • 1. Security Testing For Web Applications Created by: Kristina Filipyan Reviewed by: Vladimir Soghoyan Ogma Applications
  • 2. Causes of vulnerabilities  Design and development errors  Poor system configuration  Human errors
  • 3. Security testing concepts  Authentication Determining the act of confirming the truth of an attribute of a datum or entity.  Authorization Determining that a requester is allowed to receive a service or perform an operation.  Confidentiality A security measure which protects the disclosure of data or information to parties other than the intended.  Integrity Whether the intended receiver receives the information or data which is not altered in transmission.  Non-repudiation (session time limitations) Interchange of authentication information with some form of provable time stamp e.g. with session id .
  • 4. Security Testing Types  Vulnerability Scanning Method to assess computers, computer systems, networks or applications for weaknesses.  Security Scanning Security Scanning is a Vulnerability Scan  Penetration Testing Method of evaluating the security of a computer system or network by simulating an attack  Risk Assessment Risk Assessment involves a security analysis of interviews compiled with research of business, legal, and industry justifications.  Security Auditing Security Auditing involves hands on internal inspection of Operating Systems and Applications, often via line-by-line inspection of the code.  Ethical Hacking This is basically a number of Penetration Tests on a number of systems on a network segment.
  • 5. Why Security testing is needed?  To secure financial data while transferring between different system  To secure user data  To find security vulnerabilities in an application
  • 6. Main methods of manual security testing  URL manipulation  SQL injection  XSS (Cross Site Scripting)
  • 7. URL manipulation through HTTP GET methods examples  Search for directories making it possible to administer the site: http://target/admin/ http://target/admin.cgi  Search for a script to reveal information about the remote system: http://target/phpinfo.php3  Search for backup copies. The .bak extension is generally used and is not interpreted by servers by default, which can cause a script to be displayed: http://target/.bak
  • 8. SQL Injection examples  SELECT fieldlist FROM table WHERE field = ‘username@domain.com'';  SELECT fieldlist FROM table WHERE field = 'x' AND email IS NULL; --';  SELECT email, passwd, login_id, full_name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
  • 9. Cross Site Scripting (XSS)  '';!--"<XSS>=&{()}  <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>  <IMG SRC="javascript:alert('XSS');">
  • 10. XSS Attack example on RockSquare: XSS Input XSS Attack Results
  • 11. Automated security testing tools:  NMAP (free source) Security scanner used to discover hosts and services on a computer network.  GFI LANguard (licensed) Network Security Scanner and Vulnerability Management Tool.
  • 12. What is Zenmap ? Zenmap is the official Nmap Security Scanner GUI  Zenmap action shots: Nmap Output Hosts and Posts Topology Host Details
  • 13. Nmap Output: The “Nmap Output” shows scanning results.
  • 14. Hosts and Ports “Ports / Hosts” tab shows all the hosts which have that port open filtered, or closed.
  • 15. Topology The “Topology” tab is an interactive view of the connections between hosts in a network.
  • 16. Host Details The “Host Details” tab breaks all the information about a single host into a hierarchical display.
  • 17. The goal of the Nmap  Nmap sends specially crafted packets to the target host and then analyzes the responses.  Nmap can determine the operating system of the target, names and versions of the listening services, estimated uptime, type of device, and presence of a firewall.