Basic Web Application
Security Testing in QA
Denis
Kolegov
Sr. Security Test
Engineer, PhD
F5 Networks,
Tomsk State University
Who Am I?
• Sr. Security Test Engineer at F5 Networks
• PhD, associate professor at TSU’s Information Security and
Cryptography Department
• Speaker
– Positive Hack Days, Zero Nights, SibeCrypt
• OWASP SCG, BeEF, Metasploit contributor
Introduction
• BSIMM security testing (Gary McGraw)
– Enhance QA beyond functional perspective
– Integrate the attacker perspective into test plans
– Deliver risk-based security testing
• Hack yourself first (Troy Hunt)
– This approach advocates building up our cyber-offense skills, and
focusing these skills inward at ourselves, to find and fix security issues
before the bad guys find and exploit them
Causes and Consequences
Checklist
1. Information disclosure
2. SSL/TLS
3. Slow HTTP DoS attacks
4. HTTP host header attacks
5. Login page over HTTPS
6. Same site scripting
7. Secure headers
8. Cross domain policy
9. Session management
10. URL validation
Information Disclosure
• Scope
– Web management interfaces
– Web application reverse proxies
– Error pages
• Services
– Google Search Engine
– Shodan
• Weaknesses
– Indexing by search engines
– Hardcoded keywords on error pages
– Keywords in HTTP response headers
Information Disclosure
• Shodan
– cisco
– bitrix
– VMware
• Google
– intitle:"VMware Horizon View Administrator"
– inurl:"portal/webclient/views/mainUI.html"
– intitle:"Welcome to VMware ESX"
Information Disclosure
• Test robots.txt
User-agent: *
Disallow: /
• Test meta tag
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
• Test that it is possible to delete or change default keywords via
customization tool
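The three tests on this slide can be automated in a QA suite. The checks below are example code written for this page, not tooling from the talk: one parses robots.txt for a "User-agent: *" group that disallows everything, one looks for the ROBOTS meta tag, and one flags response headers that carry a product version. The robots.txt, HTML and header samples are constructed so the checks run offline.

```python
"""Example checks for the indexing and keyword tests on the slide (written
for this page, not part of the talk). All sample input is constructed."""
import re
from html.parser import HTMLParser


def robots_blocks_all(robots_txt: str) -> bool:
    """True if a 'User-agent: *' group in robots.txt contains 'Disallow: /'.

    Consecutive User-agent lines form one group; the first rule line after
    them closes the agent list, so a later User-agent starts a new group.
    """
    agents, in_rules = [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if in_rules:                          # previous group is finished
                agents, in_rules = [], False
            agents.append(value)
        else:
            in_rules = True
            if field == "disallow" and value == "/" and "*" in agents:
                return True
    return False


class _RobotsMeta(HTMLParser):
    """Collect the directives of every <meta name="robots"> tag."""

    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        if tag != "meta":                         # HTMLParser lower-cases names
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower()
                                for d in a.get("content", "").split(",")}


def meta_blocks_indexing(html: str) -> bool:
    """True if the page carries NOINDEX and NOFOLLOW (or the NONE shorthand)."""
    p = _RobotsMeta()
    p.feed(html)
    return "none" in p.directives or {"noindex", "nofollow"} <= p.directives


# Response headers that commonly carry a product name and version.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
VERSION_RE = re.compile(r"\d+\.\d+")


def disclosing_headers(headers: dict) -> list:
    """Return 'Name: value' for headers whose value includes a version number."""
    return [f"{k}: {v}" for k, v in headers.items()
            if k.lower() in DISCLOSURE_HEADERS and VERSION_RE.search(v)]


# Constructed samples standing in for a management interface's responses.
SAMPLE_ROBOTS = "User-agent: Googlebot\nUser-agent: *\nDisallow: /   # keep out of the index\n"
SAMPLE_HTML = '<html><head><META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW"></head></html>'
SAMPLE_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10",
                  "Content-Type": "text/html"}


def audit_sample() -> dict:
    """Run all three checks against the constructed samples."""
    return {"robots_ok": robots_blocks_all(SAMPLE_ROBOTS),
            "meta_ok": meta_blocks_indexing(SAMPLE_HTML),
            "disclosing": disclosing_headers(SAMPLE_HEADERS)}


if __name__ == "__main__":
    print(audit_sample())
```

The robots.txt parser honours grouping, so a "Disallow: /" that applies only to Googlebot does not count as a pass for "User-agent: *". Header disclosure is only a heuristic on version-like strings; a bare "Server: nginx" is not reported.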
SSL/TLS Testing
• Testing with OpenSSL
– Trustworthy checks
– Old versions (0.9.8k)
• Qualys SSL Labs
– SSL Server Test
– SSL Client Test
– SSL/TLS Best Practices
– API
• Tools
– sslscan
– sslyze
– ssllabs-scan
Client-Initiated Renegotiation DoS Test
• Testing with OpenSSL
openssl s_client -connect test.com:443
GET / HTTP/1.1
Host: test.com
R
…
R
CRLF
• Proof of concept with exploit
thc-ssl-dos --accept test.com 443
Slow HTTP DoS Testing
• Attacks
– Slowloris (slow headers)
– Slow HTTP POST (slow body)
– Slow Read
• Apache is generally the most vulnerable server
• Nginx, IIS and lighttpd can also be vulnerable to these attacks
• Tools
– https://code.google.com/p/slowhttptest/
– slowloris.pl
Slow HTTP DoS Testing
• Slowloris
slowhttptest -u "https://test.com/" -c 8000 -l 400 -r 4000 -i 15 -x 400
• Slow HTTP Post
slowhttptest -u https://test.com/ -B -c 8000 -l 400 -r 4000 -i 15 -x 400
• Slow Read
slowhttptest -u "https://test.com/js/bigfile" -X -c 5000 -r 4000 -l 400 -k 5 -n 10 -w 10 -y 300 -z 1
Same Site Scripting
• DNS misconfiguration
– xyz.target.com with A-record to 127.0.0.1
– xyz.target.com with A-record to private address (RFC 1918)
• On a multi-user system an attacker can run a network service on the loopback interface and then eavesdrop on users' cookies
1. Run "nc -lv 10024"
2. Send an email containing <img src="http://xyz.target.com:10024">
• An attacker can connect to a public network with the same network address and publish a link to a resource on xyz.target.com. All users on the same public network who access this resource send their cookies to the attacker
Same Site Scripting
• Testing
– nslookup localhost.target.com
– DNS enumeration
• Examples
– https://hackerone.com/reports/1509
– https://hackerone.com/reports/7949
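The nslookup test above generalises to any list of names under the tested zone: an A or AAAA record that answers with loopback, RFC 1918 or link-local space is the misconfiguration that enables same-site scripting. The classifier below is example code for this page, not from the talk; localhost.target.com and xyz.target.com come from the slides, the other names and all answers are constructed resolver output.

```python
"""Example classifier for DNS answers under a tested zone (written for this
page, not part of the talk). SAMPLE_RECORDS is constructed resolver output."""
import ipaddress

# RFC 1918 listed explicitly: ipaddress's is_private is broader (it also
# covers documentation and benchmarking ranges) and would cause false alarms.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_address(addr: str):
    """Return why an answer is a same-site-scripting risk, or None if it is not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None                      # CNAME target or garbage, not an address
    if ip.is_loopback:                   # 127.0.0.0/8 and ::1
        return "loopback"
    if ip.version == 4 and any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip.is_link_local:                 # 169.254.0.0/16 and fe80::/10
        return "link-local"
    return None


def risky_answers(records: dict) -> dict:
    """Map each name to the (answer, reason) pairs that should not be in public DNS."""
    findings = {}
    for name, answers in records.items():
        hits = [(a, classify_address(a)) for a in answers if classify_address(a)]
        if hits:
            findings[name] = hits
    return findings


# Constructed resolver output for a few names under target.com.
SAMPLE_RECORDS = {
    "localhost.target.com": ["127.0.0.1"],
    "xyz.target.com": ["10.0.0.5"],
    "www.target.com": ["203.0.113.10"],
    "cdn.target.com": ["edge.example-cdn.net"],
    "v6.target.com": ["::1"],
}

if __name__ == "__main__":
    for name, hits in risky_answers(SAMPLE_RECORDS).items():
        print(name, hits)
```

In a real run the records dict would be filled from the enumeration step (every name returned by zone transfer attempts, certificate transparency or a wordlist), and each finding is a record to delete or re-point, since a cookie scoped to target.com is sent to every one of these names.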
Login Page over HTTPS
• The initial login page must be served over TLS
• The login page and all subsequent authenticated pages must be
exclusively accessed over TLS
Troy Hunt. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
HTTP Secure Headers
• X-Frame-Options
• X-XSS-Protection
• X-Content-Type-Options
• Strict-Transport-Security
• Access-Control-Allow-Origin
• Content-Security-Policy
X-Frame-Options
• All about Clickjacking?
• What an attacker can do
– Bypass some XSS filters
– Bypass XSS length restrictions
– Bypass CSP via browser vulnerabilities
• X-Frame-Options is an additional layer of defense against XSS
Access-Control-Allow-Origin
• Access-Control-Allow-Origin is a part of the CORS specification
• Access-Control-Allow-Origin: * means that the resource can be
accessed by any domain in a cross-site manner
• Examples
– https://hackerone.com/reports/13551
– https://hackerone.com/reports/6268
Secure Headers Testing
• X-Content-Type-Options: nosniff
• X-Frame-Options: DENY | SAMEORIGIN
• Strict-Transport-Security: max-age=31536000; includeSubDomains
• X-XSS-Protection: 1; mode=block
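A header check that encodes the values on this slide, plus the Access-Control-Allow-Origin: * point from the CORS slide, as example code written for this page (not the talk's tooling). It takes a response header dict and returns one finding per header that is missing or weaker than expected; both header sets are constructed.

```python
"""Example security-header check (written for this page, not part of the
talk). WEAK_HEADERS and GOOD_HEADERS are constructed responses."""
import re


def check_security_headers(headers: dict) -> list:
    """Return one finding per header that is missing or weaker than the slide's values."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected 'nosniff'")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options: expected DENY or SAMEORIGIN")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
    if not m or int(m.group(1)) < 31536000:
        findings.append("Strict-Transport-Security: max-age of at least 31536000 expected")
    if m and "includesubdomains" not in hsts.lower():
        findings.append("Strict-Transport-Security: includeSubDomains missing")

    if h.get("x-xss-protection", "").replace(" ", "").lower() != "1;mode=block":
        findings.append("X-XSS-Protection: expected '1; mode=block'")

    if h.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * lets any origin read the response")

    return findings


# Constructed response headers: a weak set and one that satisfies the slide.
WEAK_HEADERS = {
    "Server": "nginx",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}
GOOD_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("good", GOOD_HEADERS)):
        print(name, check_security_headers(hdrs) or "no findings")
```

Header names are matched case-insensitively because servers and proxies rewrite their case. Note that current browsers no longer act on X-XSS-Protection, so that line is a legacy check; Content-Security-Policy from the previous slide is the header that matters for the same goal today.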
Host Header Attacks
• Weakness: a web server handles HTTP requests with arbitrary
or invalid Host header
• Attacks
– DNS rebinding
– Stored XSS
– Password reset poisoning
– Web-cache poisoning
• Examples
– https://hackerone.com/reports/13286
– https://hackerone.com/reports/487
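Password reset poisoning is the clearest case of this weakness: the server builds the link it e-mails from the Host header it received. The pair of functions below is example code for this page (not from the talk): the weak version trusts the header as sent, the hardened one normalises it and accepts only an allow-list of hostnames. The allow-list, the /reset path and the token are constructed.

```python
"""Example of building an absolute URL from the Host header, weak and
hardened (written for this page, not part of the talk)."""
import re
from urllib.parse import quote

ALLOWED_HOSTS = {"www.target.com", "target.com"}   # constructed allow-list

# RFC 1123 hostname labels, optionally followed by a numeric port
HOST_RE = re.compile(
    r"^((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*)"
    r"(?::(\d{1,5}))?$")


def reset_link_unsafe(host_header: str, token: str) -> str:
    """Weak: whatever Host the client sent ends up in the e-mailed link."""
    return f"https://{host_header}/reset?token={quote(token, safe='')}"


def reset_link_safe(host_header: str, token: str, allowed=ALLOWED_HOSTS) -> str:
    """Hardened: normalise the Host value and refuse anything outside the allow-list."""
    m = HOST_RE.match(host_header.strip().lower())
    if not m or m.group(1) not in allowed:
        raise ValueError(f"untrusted Host header: {host_header!r}")
    host, port = m.group(1), m.group(2)
    if port and port != "443":            # keep a non-default port, drop 443
        host = f"{host}:{port}"
    return f"https://{host}/reset?token={quote(token, safe='')}"


if __name__ == "__main__":
    print(reset_link_unsafe("attacker.example", "abc"))   # link points off-site
    print(reset_link_safe("WWW.Target.com:443", "abc"))   # normalised
    try:
        reset_link_safe("attacker.example", "abc")
    except ValueError as e:
        print("rejected:", e)
```

The regular expression also rejects values such as "www.target.com@attacker.example", which some URL parsers would read as credentials followed by a different host. For a QA test, send the same request with a Host value outside the allow-list and confirm the application returns an error rather than a page or e-mail containing that value.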
Cross Domain Policy
• A cross-domain policy file specifies the permissions that a web client such as Java or Adobe Flash uses to access data across different domains
• Files
– crossdomain.xml
– clientaccesspolicy.xml
• Example of configuration weakness
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
• Example
– https://hackerone.com/reports/43070
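The weakness on the slide can be checked mechanically by parsing crossdomain.xml and looking at each allow-access-from element. The auditor below is example code for this page (not from the talk); besides the wildcard domain it flags secure="false", which lets a policy served over HTTPS be used from plain-HTTP content. The policy documents are constructed, with the weak one copied from the slide.

```python
"""Example crossdomain.xml auditor (written for this page, not part of the
talk). The policy strings are constructed samples."""
import xml.etree.ElementTree as ET

WEAK_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>"""

GOOD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="www.target.com" />
</cross-domain-policy>"""


def audit_crossdomain(xml_text: str) -> list:
    """Return one finding per permission that is wider than it should be."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return ["not a cross-domain-policy document"]
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append('allow-access-from domain="*": any site can read '
                            "responses with the user's cookies")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain={domain!r}: every "
                            "subdomain is trusted, review each one")
        # secure defaults to true; false lets http:// content use an https policy
        if el.get("secure", "true").lower() == "false":
            findings.append(f'secure="false" on domain={domain!r}')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append('allow-http-request-headers-from domain="*"')
    return findings


if __name__ == "__main__":
    print("weak:", audit_crossdomain(WEAK_POLICY))
    print("good:", audit_crossdomain(GOOD_POLICY))
```

clientaccesspolicy.xml has a different schema (Silverlight's allow-from / grant-to elements), so it needs its own auditor; the question it answers is the same, whether any origin is granted access. Parse only policy files fetched from your own hosts with ElementTree; for untrusted XML use a hardened parser.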
Session Management
• Test that the session is invalidated when the user logs out
• Test that the session ID is sent in an HTTP cookie or header and never disclosed in URLs
• Test that the session ID is changed when the user performs a critical action
– Login, logout
– Password changing
– Session expiration, reauthentication
OWASP ASVS project
URL Validation
• Weakness: insufficient input validation for URL data
• Test vectors (http://test.com/foo/bar?param=value)
– GET /3fb5e7a4f814d790'"<>/%2e%2e/foo/bar?param=value HTTP/1.1
– GET /foo/3fb5e7a4f814d790'"<>/%2e%2e/bar?param=value HTTP/1.1
– GET /foo/bar/3fb5e7a4f814d790'"<>/%2e%2e/?param=value HTTP/1.1
– GET /foo/bar.baz/3fb5e7a4f814d790'"<>?param=value HTTP/1.1
• Attacks
– XSS
– CRLF-injection (HTTP Response Splitting)
– Open Redirect
– Secret token leakage
Sergey Bobrov. http://habrahabr.ru/company/pt/blog/247709
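The four test vectors follow one pattern: a marker made of a random tag plus the characters '"<> is spliced into the path, either before a segment together with /%2e%2e/ or appended as extra path info after a file-like last segment. The generator below reproduces the slide's vectors for any base URL and goes slightly beyond them by producing the splice at every segment position; the response grader reports where the marker came back and whether it was encoded. Both are example code written for this page, not the author's tool, and the responses are constructed.

```python
"""Example generator and grader for the URL validation test vectors on the
slide (written for this page, not part of the talk). Responses are constructed."""
import html
from urllib.parse import urlsplit

MARKER = "3fb5e7a4f814d790'\"<>"        # the marker used on the slide


def url_test_vectors(base_url: str, marker: str = MARKER) -> list:
    """Build request lines that inject the marker at every path position.

    Each vector splices 'marker/%2e%2e/' in before a segment (or after the
    last one, with a trailing slash); a file-like last segment additionally
    gets the marker appended as extra path info, the slide's fourth vector.
    """
    u = urlsplit(base_url)
    stripped = u.path.strip("/")
    segs = stripped.split("/") if stripped else []
    query = f"?{u.query}" if u.query else ""
    vectors = []
    for i in range(len(segs) + 1):
        path = "/" + "/".join(segs[:i] + [marker, "%2e%2e"] + segs[i:])
        if i == len(segs):
            path += "/"
        vectors.append(f"GET {path}{query} HTTP/1.1")
    if segs and "." in segs[-1]:
        vectors.append(f"GET /{'/'.join(segs)}/{marker}{query} HTTP/1.1")
    return vectors


def assess_reflection(status: int, headers: dict, body: str,
                      marker: str = MARKER) -> list:
    """Grade one response: where the marker came back and whether it was encoded."""
    findings = []
    if marker in body:
        findings.append("body: marker reflected unencoded (XSS candidate)")
    elif html.escape(marker, quote=True) in body:
        findings.append("body: marker reflected HTML-encoded")
    h = {k.lower(): v for k, v in headers.items()}
    if 300 <= status < 400 and marker in h.get("location", ""):
        findings.append("Location: marker reflected (open redirect candidate)")
    return findings


# Constructed responses to the first vector against http://test.com/foo/bar
SAMPLE_RESPONSES = [
    (200, {"Content-Type": "text/html"}, f"<a href='/{MARKER}/%2e%2e/foo/bar'>x</a>"),
    (200, {"Content-Type": "text/html"}, html.escape(MARKER, quote=True)),
    (302, {"Location": f"http://test.com/{MARKER}/%2e%2e/foo/bar/"}, ""),
]

if __name__ == "__main__":
    for v in url_test_vectors("http://test.com/foo/bar?param=value"):
        print(v)
    for status, hdrs, body in SAMPLE_RESPONSES:
        print(status, assess_reflection(status, hdrs, body))
```

An unencoded reflection is only a candidate until the surrounding context is inspected; the grader exists to turn a batch of responses into a short list worth a human look. The same marker reflected in a Location header points at the open redirect and response splitting cases listed under Attacks.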
URL Validation
Sergey Bobrov. http://habrahabr.ru/company/pt/blog/247709
Bibliography
1. Vladimir Kochetkov. How to Develop a Secure Web Application and Stay in Mind?
2. OWASP Testing Guide v4
3. The Building Security In Maturity Model
4. Qualys SSL LABS
5. SSL/TLS Checklist for Pentesters
6. Sergey Shekyan. Testing Web Servers for Slow HTTP Attacks
7. Troy Hunt. OWASP Top 10 for .NET developers part 9: Insufficient Transport Layer Protection
8. Sergey Belov. Show Me Impact
9. Frederik Braun and Mario Heiderich. X-Frame-Options: All about Clickjacking?
10. Guidelines for Setting Security Headers
11. Sergey Bobrov. Yet Another Vulnerability in Facebook
@dnkolegov
Denis
Kolegov
Sr. Security Test
Engineer, PhD
F5 Networks,
Tomsk State University
Questions?
dnkolegov@gmail.com

Codefest2015
