Introduction to web applications security testing

1. Technical Practices
Bassam Al-Khatib
Web Applications Security Testing

2. What You Will Learn Today?
Security testing
techniques
Test cases design
& implementation
New testing tool.
2

3. Discussing concepts & definitions
Why web applications security matters?
Defense Mechanisms
Tester`s role in WAST
Practice Time
Questions & Answers
Agenda
3

4. Training Plan
Technical
Background
Hybrid Examples
(Manual & Auto)
Practice Using
Burp
WAST
Discussion
Our Plan
4

5. What is the deference between web sites and web applications?
5

6.  Web sites:
 Information repositories and
browsers retrieve data all the
time.
 Information flow is one way,
from server to browser.
 No users authentication.
1: Difference between web sites & web applications?
6

7.  Web Applications:
 Highly functional and rely on two-way flow of information.
 Support login, registration, financial transactions, search.
 Information is generated for each user dynamically and on the fly.
1: Difference between web sires & web applications?
7

8. 1.1: Examples of web applications
8

9.  Its one of software product attributes that bear on its ability to
prevent unauthorized access, weather accidental or deliberate
to programs and data.
[ISO 9126 – ISTQB Glossary]
2: What is security ?
9

10.  A non-functional testing type, to determine the security of the
software product.
[ISO 9126 – ISTQB Glossary]
2.1: What is security testing ?
10

11.  Security testing provides the evidence and awareness for the
business to make the informed decision of how much security
risk to accept.
2.2: Let`s discuss the definitions..
11

12.  Security vulnerabilities often have no symptoms, not like other
types of failures where the error is patently obvious.
2.2: Let`s discuss the definitions..
12

13.  Security testing ensures that people cant see what they should
not have access to.
2.2:Let`s discuss the definitions..
13

14. Who should do security testing ?
14

15. 2.3: Security Testing Specialties
15
Web Application Penetration Tester
Web Application Defenders
Penetration Tester

16.  Web Application Penetration Tester:
 Security personnel whose job duties involve tests web applications
holes and vulnerabilities.
2.3.1: Security Testing Specialties
16

17.  Penetration Tester :
 Security personnel whose job duties involve assessing target networks
and systems to find security vulnerabilities
2.3.3: Security Testing Specialties
17

18.  Web Application Defenders:
 Security personnel with skills and abilities which are taken from the
areas of Defensive Network Infrastructure, Packet Analysis,
Penetration Testing, Incident Handling, and Malware Removal
2.3.2: Security Testing Specialties
18

19. What is the difference between web
applications security and IT security?
19

20. Why firewalls and antivirus don’t protect Web
applications from hacking ?
20

21.  IT security means :
 Fire Walls
 Antivirus
 Email security products
3: Because its software security NOT IT security
21

22.  Web applications security means:
 Software source code and business logic which written by developer
and tested by QA testers.
3: Because its software security NOT IT security
22

23. Why web application security Matters ?
23

24.  Every body suffer from attacks…
4: Why web application security Matters ?
24

25. Because…
Crimes Cost World Economic Annual Loss of $1 trillion
46 Million Credit Card Numbers Stolen
99% of Tested web Applications Have Vulnerabilities
4: Why web application security Matters ?
25

26. 4: Why web application security Matters ?
26

27. 4: Why web application security matters ?
27

28. 4: Why web application security matters ?
28

29. We need to protect our web application, is
there any Defense Mechanisms to use ?
29

30.  Virtually all applications employ mechanisms that are
conceptually similar, although the details of the design and the
effectiveness of the implementation differ very widely indeed.
5: Defense Mechanisms
30

31.  The defense mechanisms employed by web applications
comprise the following core elements:
 Handling user access to the application’s data and functionality.
 Handling user input to the application’s functions.
 Handling application`s behavior against attackers.
 Managing the application itself, by enabling administrators to monitor
its activities and configure its functionality.
5: Defense Mechanisms
31

32. Handling User
Access
Authentication
Session
Management
Access
Control
5: Defense Mechanisms
32

33.  Authentication
5.1: Defense Mechanisms
33

34.  Session Management (Session Time out)
5.2: Defense Mechanisms
34

35.  Access control, we have it in different levels, Users and groups,
on application level, and on document level.
5.3: Defense Mechanisms
35

36. Tester`s Role is Security Testing
As a tester what is my role?
36

37.  Provide an evidence about the lack of vulnerabilities.
 Observing a potential vulnerability is enough to prompt a fix.
6: As a tester what is my role?
37

38. 38
How can I observe a vulnerability ?

39.  It’s a new methodology.
 A new technical practice to learn.
6.1: My Observation model
39

40. 40
Vulnerability
Exists?
Submit
malicious input
Prompt a fix
Check
normal
behavior
Check
behavior
again
•This is a techninal practice
depends on the following:
1) Crafting inputs.
2) Observe behavior.
No
Yes

41.  Since my role as a tester is known.
 I need to know what is a vulnerability.
6.2: How to start security testing?
41

42. What is vulnerability ?
42

43.  The word "vulnerability" describes a problem (such as a
programming bug or common configuration error) that allows a
system to be attacked or broken into.
 How could that happen? , see next slide..
7: What is vulnerability ?
43

44. 7: What is vulnerability ?
44

45.  Understanding the differences between vulnerabilities type will
help you in:
 How you should test?
 How to report them?
 How they get fixed?
7: What is vulnerability ?
45

46. What about these vulnerabilities?, let`s see the following list ..
46

47. 47

48. 48
Let`s have some vulnerabilities in practice..

49. Security Testing Practice
Attendees will try
SQL
injection
XSS
URL
Tampering
Burp
Attendees will
NOT try
DOM-
Based
XSS
Malicious
Files
8: Practice Plan..
49

50.  Enables hacker to submit crafted input to interfere with
application`s interaction with back-end database.
 Hacker may be able to retrieve arbitrary data from application,
interfere with logic or execute commands on the database
server itself.
8.4: SQL Injection
50

51.  Open http://www.testfire.net/bank/
 Populate User name with admin' OR 1=1 –
 Populate password field with any value
8.1: Guessing User name or Password
51

52. admin' OR 1=1 -- SQL statement
would look like
SELECT * FROM
users WHERE
username = 'admin'
OR 1=1 --';
Since validation is weak, this will
either select the admin account or it
will before 1=1 which will result in true.
Which in SQL terms this will return the
entire users table. Which the users
table could contain all sorts of other
additional sensitive information
8.1: What happened at the backend ?
52

53. Reveals a vulnerability
Miss
validation
URL
Query
8.5: URL Tampering
53

54.  URLs consist of:
8.5: URL Tampering
54
Protocol Password Server Name Port Path
http:// user:password@ www.testfire.net/ :80 /bank/account.html
Makes it possible to
exchange web
pages in HTML
format
Makes it possible to
specify the parameters
required to access a
secure
server.(Optional)
This is the domain
name of the
computer hosting the
requested resource.
To define type of
resource is being
requested.(Optional)
Defines the resource
location(Directory)

55.  Open http://www.testfire.net/bank/
 Add the following parameter at the end of URL :id
 Run the URL, No validation appers.
 Add the following at the end of URL ?id=1’
 Run the URL, a directory page is opened
8.5: No validation
55
This proofs that malicious inputs are NOT validated

56.  All parameters should be send from client to server via valid
session / server side tokens .
 Prevent HTTP viewing of HTTPS accessible pages.
8.5: Solution / defense mechanism
56

57. File Name
• Can include potential opportunity for injection attacks.
• For example ‘onerror=alert(‘xss’)’ a=‘.jpg
File Type
• “Zip of Death” which circulated in 2001 and targeted for email virus checkers.
• This file if sent by email will be unzipped for ever and bring email server to halt.
File Size
• 100 times larger files than normal usage will keep your application loading if they attached.
• For example try files of size 500MB.
8.6: Malicious Files
57

58.  Virus Scanners.
 Anti Spam Software.
8.6.1: Solution/Defense Mechanism
58

59. "Unbalanced Quotes
`Accent Grave
&qout;HTML Entities
'Escaped Quotes
8.7: Illegal Characters
59
 Open Reliance Home page.
 User view source.
 Search for these characters.
 Are they escaped ?

60.  These chars. Should be filtered out from user input to prevent
Java script and SQL Injection.
 Attacker will guess which chars. Will pass the filter then will try
to use.
8.7.1: Solution/Defense Mechanism
60

61.  Tool Selection depends on the usefulness of any individual tool
will depend heavily on your context—particularly the web
application’s language and what you most need to protect
9: Web Apps. Security Testing Tools
61

62. 9: Web Apps. Security Testing Tools
62
Web Proxies
• Web Scrap – Provided from OWASP.
Web
Scanners
• cURL
Inspection
tools
• Firefox Plugins

63. Why we are using burp ?
63

64.  Burp Suite is an integrated platform for performing security
testing of web applications.
 It is designed to support the methodology of a hands-on tester,
and gives you complete control over the actions that it performs,
and deep analysis of the results.
9: Burp Suite
64

65. 9: Burp Suite
65

66. Burp Suite
66
Contains the following tools
1 Target
2 Proxy
3 Spider
4 Scanner
5 Sequencer
6 Decoder
7 Comparer
8 Extender

67.  Target : This tool contains detailed information about your target
applications, and lets you drive the process of testing for vulnerabilities.
 Proxy : This is an intercepting web proxy that operates as man-in-the-
middle between the end browser and the target web application. It lets
you intercept, inspect and modify the raw traffic passing in both
directions.
9.1: Burp Suite
67

68.  Spider : This is an intelligent application-aware web spider that can
crawl an application to locate its content and functionality.
 Scanner : [Pro version] - This is an advanced web vulnerability
scanner, which can automatically discover numerous types of
vulnerabilities.
9.1: Burp Suite
68

69.  Intruder : This is a powerful tool for carrying out automated customized
attacks against web applications. It is highly configurable and can be
used to perform a wide range of tasks to make your testing faster and
more effective.
 Repeater : This is a simple tool for manually manipulating and
reissuing individual HTTP requests, and analyzing the application's
responses.
9.1: Burp Suite
69

70.  Sequencer : This is a sophisticated tool for analyzing the quality of
randomness in an application's session tokens or other important data
items that are intended to be unpredictable.
 Decoder : This is a useful tool for performing manual or intelligent
decoding and encoding of application data.
9.1: Burp Suite
70

71.  Comparer : This is a handy utility for performing a visual "diff" between
any two items of data, such as pairs of similar HTTP messages.
 Extender : This lets you load Burp extensions, to extend Burp's
functionality using your own or third-party code.
9.1: Burp Suite
71

72.  Security vulnerabilities are our
shared responsibility
(Developers, QA, Tech.
Support).
 Applying new techniques for
your test cases design and
implementation reveals more
vulnerabilities.
10: Conclusion & Recommendations
72

73.  Security testing is a hybrid
testing methodology.
 Running Real time periodic
security tests (Using burp
scanner) will help to discover
new vulnerabilities.
10: Conclusion & Recommendations
73

74. Recommended books to read
74

75.  Web security testing cookbook, Paco Hope, 2009.
 The.Web.Application.Hackers.Handbook, Dafydd Stuttard, 2007.
 The myths of security, John Viega, 2009.
 Cenzic-Application-Vulnerability-Trends-Report-2013.
 ISTQB – Glossery of Temss.
 AdvancedSoftwareTesting - Vol3, 2011
11: References - Books
75

76.  http://portswigger.net/burp/help/
 http://www.testfire.net/bank/
 http://www.example.com
 http://www.testingsecurity.com/
 http://code.google.com/p/dvwa/wiki/README
11: References – Websites
76

77. 77
Questions!

78. Thank You!
78