2. What You Will Learn Today?
Security testing techniques
Test case design & implementation
New testing tool.
3. Discussing concepts & definitions
Why web application security matters?
Defense Mechanisms
Tester's role in WAST
Practice Time
Questions & Answers
Agenda
5. What is the difference between web sites and web applications?
6. Web sites:
Information repositories; browsers retrieve data all the time.
Information flow is one way, from server to browser.
No user authentication.
1: Difference between web sites & web applications?
7. Web Applications:
Highly functional and rely on a two-way flow of information.
Support login, registration, financial transactions, search.
Information is generated for each user dynamically and on the fly.
1: Difference between web sites & web applications?
9. It is one of the software product attributes that bear on its ability to
prevent unauthorized access, whether accidental or deliberate,
to programs and data.
[ISO 9126 – ISTQB Glossary]
2: What is security?
10. A non-functional testing type, used to determine the security of the
software product.
[ISO 9126 – ISTQB Glossary]
2.1: What is security testing?
11. Security testing provides the evidence and awareness for the
business to make an informed decision about how much security
risk to accept.
2.2: Let's discuss the definitions..
12. Security vulnerabilities often have no symptoms, unlike other
types of failures where the error is patently obvious.
2.2: Let's discuss the definitions..
13. Security testing ensures that people can't see what they should
not have access to.
2.2: Let's discuss the definitions..
15. 2.3: Security Testing Specialties
Web Application Penetration Tester
Web Application Defenders
Penetration Tester
16. Web Application Penetration Tester:
Security personnel whose job duties involve testing web applications
for holes and vulnerabilities.
2.3.1: Security Testing Specialties
17. Penetration Tester:
Security personnel whose job duties involve assessing target networks
and systems to find security vulnerabilities.
2.3.3: Security Testing Specialties
18. Web Application Defenders:
Security personnel with skills and abilities drawn from the
areas of Defensive Network Infrastructure, Packet Analysis,
Penetration Testing, Incident Handling, and Malware Removal.
2.3.2: Security Testing Specialties
19. What is the difference between web application security and IT security?
20. Why don't firewalls and antivirus protect web applications from hacking?
21. IT security means:
Firewalls
Antivirus
Email security products
3: Because it's software security, NOT IT security
22. Web application security means:
Software source code and business logic, which is written by developers
and tested by QA testers.
3: Because it's software security, NOT IT security
24. Everybody suffers from attacks…
4: Why web application security matters?
25. Because…
Cybercrime costs the world economy an annual loss of $1 trillion
46 million credit card numbers stolen
99% of tested web applications have vulnerabilities
4: Why web application security matters?
29. We need to protect our web application; are there any defense mechanisms to use?
30. Virtually all applications employ mechanisms that are
conceptually similar, although the details of the design and the
effectiveness of the implementation differ very widely indeed.
5: Defense Mechanisms
31. The defense mechanisms employed by web applications
comprise the following core elements:
Handling user access to the application's data and functionality.
Handling user input to the application's functions.
Handling the application's behavior when it is under attack.
Managing the application itself, by enabling administrators to monitor
its activities and configure its functionality.
5: Defense Mechanisms
35. Access control exists at different levels: users and groups,
the application level, and the document level.
5.3: Defense Mechanisms
36. Tester's Role in Security Testing
As a tester, what is my role?
37. Provide evidence about the absence of vulnerabilities.
Observing a potential vulnerability is enough to prompt a fix.
6: As a tester, what is my role?
43. The word "vulnerability" describes a problem (such as a
programming bug or common configuration error) that allows a
system to be attacked or broken into.
How could that happen? See the next slide..
7: What is a vulnerability?
45. Understanding the differences between vulnerability types will
help you with:
How you should test?
How to report them?
How they get fixed?
7: What is a vulnerability?
46. What about these vulnerabilities? Let's see the following list..
49. Security Testing Practice
Attendees will try:
SQL injection
XSS
URL Tampering
Burp
Attendees will NOT try:
DOM-Based XSS
Malicious Files
8: Practice Plan..
50. Enables an attacker to submit crafted input that interferes with the
application's interaction with the back-end database.
The attacker may be able to retrieve arbitrary data from the application,
interfere with its logic, or execute commands on the database
server itself.
8.4: SQL Injection
51. Open http://www.testfire.net/bank/
Populate the user name with admin' OR 1=1 --
Populate the password field with any value
8.1: Guessing User name or Password
52. With admin' OR 1=1 -- as the user name, the SQL statement would look like:
SELECT * FROM users WHERE username = 'admin' OR 1=1 --';
Since validation is weak, this will either select the admin account or it
will evaluate 1=1, which is always true; the -- comments out the rest of
the statement, including the password check.
In SQL terms this returns the entire users table, and the users
table could contain all sorts of other additional sensitive information.
8.1: What happened at the backend?
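The query from slide 52 built two ways against a small users table constructed here, as an added example (not part of the slides): string concatenation lets the admin' OR 1=1 -- input return every row, while a parameterized query treats the same input as plain data. The table columns and rows are invented sample data.

```python
import sqlite3

def make_db():
    """Constructed sample users table (not real data), with a sensitive column
    of the kind slide 52 warns about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "s3cret", "4111-0000-0000-0001"),
        ("alice", "wonder", "4111-0000-0000-0002"),
        ("bob", "builder", "4111-0000-0000-0003"),
    ])
    return conn

def login_vulnerable(conn, username, password):
    """Weak validation: user input is pasted into the SQL text, which yields the
    query shape on slide 52 when username is  admin' OR 1=1 --  (the comment
    marker removes the password check entirely)."""
    sql = (f"SELECT * FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the SQL text, so
    a quote or -- inside them is data, never syntax."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()
```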
54. URLs consist of the following parts (example: http://user:password@www.testfire.net:80/bank/account.html):
Protocol (http://): makes it possible to exchange web pages in HTML format.
Password (user:password@): makes it possible to specify the parameters required to access a secure server (optional).
Server Name (www.testfire.net): the domain name of the computer hosting the requested resource.
Port (:80): defines the type of resource being requested (optional).
Path (/bank/account.html): defines the resource location (directory).
8.5: URL Tampering
55. Open http://www.testfire.net/bank/
Add the following parameter at the end of the URL: :id
Run the URL; no validation appears.
Add the following at the end of the URL: ?id=1'
Run the URL; a directory page is opened.
This proves that malicious inputs are NOT validated.
8.5: No validation
56. All parameters should be sent from client to server via a valid
session / server-side tokens.
Prevent HTTP viewing of HTTPS-accessible pages.
8.5: Solution / defense mechanism
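A server-side check for the URL on slide 54 that refuses the tampered ?id=1' request from slide 55 and the plain-HTTP access that slide 56 says to prevent, written as an added example (not the testfire site's own code). The /bank/account.html path, the parameter name id and the digits-only account-id format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

ACCOUNT_ID = re.compile(r"[0-9]{1,10}")   # assumed id format: decimal digits only

def split_url(url):
    """Break a URL into the components named on slide 54."""
    u = urlsplit(url)
    return {
        "protocol": u.scheme,
        "credentials": (u.username, u.password),
        "server_name": u.hostname,
        "port": u.port,
        "path": u.path,
    }

def validate_account_request(url):
    """Server-side validation for account requests. Returns (ok, reason).
    Only https and a purely numeric id are accepted, so a tampered value such
    as id=1' is refused before it can reach the database or file system."""
    u = urlsplit(url)
    if u.scheme != "https":
        return False, "HTTPS required"          # no HTTP viewing of HTTPS pages
    if u.username or u.password:
        return False, "credentials in the URL are not allowed"
    if u.path != "/bank/account.html":          # assumed single protected path
        return False, "unexpected path"
    params = parse_qs(u.query, keep_blank_values=True)
    ids = params.get("id", [])
    if len(ids) != 1:
        return False, "exactly one id parameter required"
    if not ACCOUNT_ID.fullmatch(ids[0]):        # "1'" fails here
        return False, "id must be numeric"
    return True, ""
```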
57. File Name
• Can include a potential opportunity for injection attacks.
• For example 'onerror=alert('xss')' a='.jpg
File Type
• The "Zip of Death", which circulated in 2001 and targeted email virus checkers.
• If sent by email, this file will be unzipped forever and bring the email server to a halt.
File Size
• Files 100 times larger than normal usage will keep your application loading if they are attached.
• For example, try files of size 500MB.
8.6: Malicious Files
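Upload checks for the three malicious-file cases on slide 57 (file name, file type, file size), added here as an example and not taken from the slides. The size limit, the compression-ratio threshold and the allowed file-name characters are assumed values chosen for illustration, and the test archives are constructed in memory.

```python
import io
import re
import zipfile

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed limit, so the 500 MB case is refused
MAX_RATIO = 100                        # assumed: refuse if uncompressed/compressed > 100
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")  # flat names only (assumed)

def check_file_name(name):
    """Refuse names carrying quotes, '=', spaces or path separators, such as the
    'onerror=alert('xss')' a='.jpg example on slide 57."""
    return SAFE_NAME.fullmatch(name) is not None

def check_file_size(size):
    return 0 < size <= MAX_UPLOAD_BYTES

def check_zip(data):
    """Inspect the central directory only, never extract. Returns (ok, reason).
    Declared sizes can lie, so a real extractor must also count bytes while
    inflating and stop at MAX_UPLOAD_BYTES; nested archives need the same check."""
    if not check_file_size(len(data)):
        return False, "archive too large"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return False, "not a zip file"
    total_out = 0
    for info in zf.infolist():
        if not check_file_name(info.filename):
            return False, f"bad member name: {info.filename!r}"
        total_out += info.file_size
        if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
            return False, "compression ratio too high (zip bomb?)"
    if total_out > MAX_UPLOAD_BYTES:
        return False, "expands beyond the upload limit"
    return True, ""

def build_zip(members):
    """Constructed test archives for the checks above: members is {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```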
59. " Unbalanced Quotes
` Accent Grave
&quot; HTML Entities
' Escaped Quotes
Open the Reliance home page.
View the source.
Search for these characters.
Are they escaped?
8.7: Illegal Characters
60. These characters should be filtered out from user input to prevent
JavaScript and SQL injection.
An attacker will guess which characters pass the filter and then try
to use them.
8.7.1: Solution/Defense Mechanism
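Entity encoding for the characters listed on slide 59, plus the "are they escaped?" check the slide asks for on page source, as an added example that is not from the slides; the sample strings are constructed, and the slide-57 file name is reused as input. Encoding at output neutralises the characters while keeping legitimate data such as O'Brien intact; SQL is covered by the parameterized query shown earlier rather than by character filtering.

```python
import re

ENTITIES = {           # '&' first so the other entities are not double-encoded
    "&": "&amp;",
    '"': "&quot;",
    "'": "&#39;",
    "`": "&#96;",
    "<": "&lt;",
    ">": "&gt;",
}
ENTITY = re.compile(r"&(#[0-9]+|#x[0-9A-Fa-f]+|[A-Za-z][A-Za-z0-9]*);")

def escape_for_html(text):
    """Encode each special character so the browser shows it as text instead of
    treating it as markup, a quote that closes an attribute, or script."""
    for ch, ent in ENTITIES.items():   # dict order keeps '&' first
        text = text.replace(ch, ent)
    return text

def unescaped_characters(fragment):
    """The slide-59 check on page source: which of the listed characters still
    appear raw? An '&' that starts a well-formed entity counts as escaped."""
    found = set()
    i = 0
    while i < len(fragment):
        ch = fragment[i]
        if ch == "&":
            m = ENTITY.match(fragment, i)
            if m:
                i = m.end()
                continue
            found.add("&")
        elif ch in "\"'`<>":
            found.add(ch)
        i += 1
    return found
```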
61. Tool selection depends on context: the usefulness of any individual tool
will depend heavily on your situation, particularly the web
application's language and what you most need to protect.
9: Web Apps. Security Testing Tools
62. 9: Web Apps. Security Testing Tools
Web Proxies
• WebScarab – provided by OWASP.
Web Scanners
• cURL
Inspection tools
• Firefox Plugins
64. Burp Suite is an integrated platform for performing security
testing of web applications.
It is designed to support the methodology of a hands-on tester,
and gives you complete control over the actions that it performs,
and deep analysis of the results.
9: Burp Suite
66. Burp Suite
Contains the following tools:
1 Target
2 Proxy
3 Spider
4 Scanner
5 Sequencer
6 Decoder
7 Comparer
8 Extender
67. Target: This tool contains detailed information about your target
applications, and lets you drive the process of testing for vulnerabilities.
Proxy: This is an intercepting web proxy that operates as a man-in-the-middle
between the end browser and the target web application. It lets
you intercept, inspect and modify the raw traffic passing in both
directions.
9.1: Burp Suite
68. Spider: This is an intelligent application-aware web spider that can
crawl an application to locate its content and functionality.
Scanner: [Pro version] This is an advanced web vulnerability
scanner, which can automatically discover numerous types of
vulnerabilities.
9.1: Burp Suite
69. Intruder: This is a powerful tool for carrying out automated customized
attacks against web applications. It is highly configurable and can be
used to perform a wide range of tasks to make your testing faster and
more effective.
Repeater: This is a simple tool for manually manipulating and
reissuing individual HTTP requests, and analyzing the application's
responses.
9.1: Burp Suite
70. Sequencer: This is a sophisticated tool for analyzing the quality of
randomness in an application's session tokens or other important data
items that are intended to be unpredictable.
Decoder: This is a useful tool for performing manual or intelligent
decoding and encoding of application data.
9.1: Burp Suite
71. Comparer: This is a handy utility for performing a visual "diff" between
any two items of data, such as pairs of similar HTTP messages.
Extender: This lets you load Burp extensions, to extend Burp's
functionality using your own or third-party code.
9.1: Burp Suite
72. Security vulnerabilities are our shared responsibility
(Developers, QA, Tech. Support).
Applying new techniques to your test case design and
implementation reveals more vulnerabilities.
10: Conclusion & Recommendations
73. Security testing is a hybrid testing methodology.
Running real-time periodic security tests (using the Burp
scanner) will help to discover new vulnerabilities.
10: Conclusion & Recommendations