OWASP TESTING METHODOLOGIES – Part 2
• Identity management testing
• Authentication testing
Identity Management Testing
• Identity management testing is required in every web application, to verify its roles and responsibilities.
• Test cases to prepare for identity management testing cover the user registration process, user enumeration, user account provisioning, user roles and an unenforced password policy.
• To test user roles, validate that the roles defined within the application are sufficient for the functionality and information each role needs.
• The security tester needs to assure that user roles are properly defined, each with its respective functionality.
• The best way to test this is manually; a spider tool can also help identify which pages each type of user can access.
Identity Management Testing
• Account provisioning also plays an important part in identity management testing.
• The security tester needs to assure that a user cannot provision another user with higher privileges than their own.
• Verify that a user cannot de-provision themselves.
• Verify whether an administrator can create multiple administrators; if yes, check this against the business requirement.
• This process is also tested manually and with the Burp Suite tool.
• A user enumeration attack is the first level of attack on login pages.
• Here the attacker collects valid user names without having any prior information about the users.
• The security tester needs to assure that the server's response for correct and wrong credentials remains the same.
• The security tester can also compare response lengths with the Burp Suite tool to check whether account names can be enumerated.
Identity Management Testing
• In the screenshot below, the response length reveals the difference between a valid and an invalid user name.
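An added example (not from the original slides) of the response-length check described above, run against two login handlers: the leaky pattern that answers "unknown user" and "wrong password" differently, and a uniform version that returns the same status, body and amount of hashing work either way. The user table and passwords are constructed for the demo.

```python
"""Login handlers compared by the tester's enumeration oracle: does a wrong
password for a real account produce a different response than a wrong
password for a non-existent account?"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Iteration count kept low so the demo runs quickly; production uses far more.
_ITERATIONS = 50_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store: username -> (salt, derived key).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}

# Dummy record hashed on every miss, so an unknown user costs the same work
# as a known one (keeps timing uniform as well as the body).
_DUMMY_SALT = os.urandom(16)
_DUMMY_KEY = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)

# One generic message for every failure: never "user not found" vs "bad password".
GENERIC_FAILURE = "Invalid username or password."


@dataclass
class Response:
    status: int
    body: str

    @property
    def content_length(self) -> int:
        return len(self.body.encode())


def login_leaky(username: str, password: str) -> Response:
    """The weak pattern the slides warn about: distinct messages (and therefore
    distinct Content-Length values) for unknown user vs wrong password."""
    if username not in USERS:
        return Response(401, "Unknown user.")
    salt, key = USERS[username]
    if not hmac.compare_digest(_pbkdf2(password, salt), key):
        return Response(401, "Incorrect password for this account.")
    return Response(200, "Welcome, " + username)


def login_uniform(username: str, password: str) -> Response:
    """Hardened version: same status, same body and the same hashing work
    whether or not the username exists."""
    salt, key = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    ok = hmac.compare_digest(_pbkdf2(password, salt), key)
    if not ok or username not in USERS:
        return Response(401, GENERIC_FAILURE)
    return Response(200, "Welcome, " + username)


def enumeration_oracle(login, probe_user: str) -> bool:
    """The slide's check: compare the response for a wrong password against
    `probe_user` with the response for a user that certainly does not exist.
    True means status or length differs, i.e. account names can be enumerated."""
    known = login(probe_user, "definitely-wrong")
    absent = login("no-such-user-" + secrets.token_hex(4), "definitely-wrong")
    return (known.status != absent.status
            or known.content_length != absent.content_length)
```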
Identity Management Testing
• When a user registers with the application, the password policy plays a crucial role.
• A weak password policy makes it easier for an attacker to crack user credentials.
• The security tester needs to assure that the application enforces a strong password policy.
• Manual security testing helps identify whether the application has implemented a strong password policy or not.
• Some recommended rules: the password should be eight characters or longer, it should combine numeric, upper-case and lower-case characters, and it should expire after 90 days.
• Attackers generally use password-cracking tools such as Brutus, wfuzz, RainbowCrack etc. to crack passwords.
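An added example (not from the original slides) that turns the recommended rules above into a server-side check: eight or more characters, a mix of digits, upper- and lower-case letters, and forced rotation after 90 days. The `Registry` class is a constructed stand-in for the application's account store; enforcing the policy on the server is what distinguishes an enforced policy from one that only lives in client-side JavaScript.

```python
"""Password-policy enforcement for the registration and login paths."""
from typing import Dict, List

MIN_LENGTH = 8
MAX_AGE_SECONDS = 90 * 24 * 3600  # the slide's 90-day expiry, in seconds


def policy_violations(password: str) -> List[str]:
    """Return every rule the candidate password breaks (empty list = accepted).
    Reporting all violations at once tells the user exactly what to fix."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    return problems


class Registry:
    """Minimal account store (constructed for the demo) that applies the policy
    on registration and tracks when each password was last set."""

    def __init__(self) -> None:
        self.changed_at: Dict[str, float] = {}  # username -> epoch seconds

    def register(self, username: str, password: str, now: float) -> List[str]:
        """Accept the account only if the password passes; return the violations."""
        problems = policy_violations(password)
        if not problems:
            self.changed_at[username] = now
        return problems

    def must_rotate(self, username: str, now: float) -> bool:
        """True once the password is older than MAX_AGE_SECONDS; the login flow
        should then force a change before issuing a session."""
        return now - self.changed_at[username] > MAX_AGE_SECONDS
```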
Authentication Testing
• The authentication page is the entry point for an attacker to reach restricted pages.
• If credentials are compromised, the security restrictions the developer built into other areas become inadequate.
• The security tester needs to create various test cases to identify weaknesses on the authentication pages.
• Attackers gain access to credentials with the help of various techniques and tools.
• Various test cases need to be created for authentication testing.
• Some examples: credentials must pass over an encrypted channel, default credentials, bypassing the authentication mechanism, browser caching of credentials, weak password policy, weak security challenge/answer, weak password change or reset functionality, and "remember password" functionality.
• Authentication testing can be done manually and also with automated tools.
• Some good tools are IBM AppScan, Acunetix and WebInspect, which help identify authentication-related vulnerabilities very easily.
• Various types of authentication mechanisms are used by applications: basic, form-based, NTLM etc.
Authentication Testing
• To test whether credentials travel over an encrypted channel, check manually with a proxy tool or with Wireshark.
• The tester needs to verify this because sometimes credentials work over both HTTPS and HTTP.
• The screenshot below shows credentials passing over HTTP.
Authentication Testing
• The screenshot below shows the user id and password travelling over HTTP in Base64-encoded form.
• Various techniques can be used by attackers to bypass the authentication mechanism of the application.
Authentication Testing
• Attackers can also bypass authentication by logging into the application with SQL injection.
• For example, the SQL injection string ' or 1=1-- helps an attacker bypass authentication:
Authentication Testing
• Any technique that reaches restricted pages without entering the correct credentials counts as an authentication bypass.
• The security tester must assure that restricted pages are accessible only through the login mechanism.
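An added example (not from the original slides) showing why the injection string quoted above bypasses a login that builds its SQL from strings, next to the parameterised query that treats the same input as plain data. The user table is an in-memory SQLite table constructed for the demo.

```python
"""String-built login query vs parameterised login query, against SQLite."""
import sqlite3

INJECTION = "' or 1=1--"  # the string quoted on the slide


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Constructed sample row. Plain-text password only to keep the demo short;
    # a real application stores a salted hash.
    db.execute("INSERT INTO users VALUES ('admin', 'S3cretPass')")
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Attacker-controlled text becomes SQL syntax. With username = ' or 1=1--
    the WHERE clause collapses to  username = '' or 1=1  and the rest of the
    statement (including the password check) is commented out, so a row matches."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_parameterised(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Placeholders keep user input as data: the injection string is compared
    literally against the username column and matches nothing."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None
```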
Authentication Testing
• The screenshot below, from the PayPal website, shows how the password is echoed back by the server when the user enters an invalid user name or password.
• Here an attacker can retrieve the HTML files from the browser history to view the page source.
Authentication Testing
• As shown here, the echoed password appears in the HTML source of the page in clear text.
Authentication Testing
• The security tester needs to verify every mechanism by which credentials are sent from the client machine to the server.
• In the screenshots below, from the Shopify website's password reset page, the password value also travels in a GET request.
Authentication Testing
• Most of the time developers leave the entry points for default credentials open on the production server too.
• The security tester needs to verify this manually or with automated tools (Brutus, as shown in the screenshot below) to identify default credential access.
Authentication Testing
• Most e-commerce applications require a "remember me" password feature, because it makes it easier for customers to log back into the application without remembering the password.
• But this functionality becomes dangerous when the application's business domain changes from e-commerce to banking.
• The remembered password is saved in the user's browser, from which it can easily be retrieved.
Authentication Testing
• Most applications allow the user to set challenge questions and answers for password recovery.
• A lazy user will set very easy questions and answers that attackers can easily break.
• Some examples are "what is your name", "what comes after 8" etc.
• With the help of password-cracking tools, attackers can easily break such security challenges.
• The security tester must ensure that such weak challenges are avoided in the application.
• The security tester also needs to verify the password reset and change password functionalities.
• Most applications send an authorization token to the registered email address. The security tester must ensure that the reset link is always bound to a time period and destroyed after use.
• The authorization token should be unpredictable and lengthy, so that an attacker cannot easily guess the token id.
• The change password feature should only be allowed if the previous password is also supplied with the request.
• The security tester must ensure that no user can change the password of another user.
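An added example (not from the original slides) implementing the reset and change-password rules in the last four bullets: a long random token that is only stored as a hash, bound to one account, expires after a fixed window and is destroyed on first use; and a change-password call that requires the current password and refuses to act on any account but the caller's own. The 15-minute window, the in-memory stores and the injectable clock are assumptions for the demo.

```python
"""Reset-token lifecycle and change-password checks for an account service."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

RESET_TTL_SECONDS = 15 * 60  # assumed validity window for the e-mailed link


@dataclass
class ResetRecord:
    username: str     # the token is bound to exactly one account
    expires_at: float  # epoch seconds


class AccountService:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.passwords: Dict[str, str] = {}          # username -> password (demo only)
        self.pending: Dict[bytes, ResetRecord] = {}  # sha256(token) -> record

    @staticmethod
    def _h(token: str) -> bytes:
        # Store only a hash: a leaked table must not yield live reset links.
        return hashlib.sha256(token.encode()).digest()

    def issue_reset_token(self, username: str) -> str:
        """256 bits from the OS CSPRNG, URL-safe: long and not predictable."""
        token = secrets.token_urlsafe(32)
        self.pending[self._h(token)] = ResetRecord(
            username, self.clock() + RESET_TTL_SECONDS)
        return token  # this value goes into the e-mailed link

    def redeem_reset_token(self, token: str, new_password: str) -> bool:
        """Single use: the record is removed whether it succeeds or has expired."""
        rec = self.pending.pop(self._h(token), None)
        if rec is None or self.clock() > rec.expires_at:
            return False
        self.passwords[rec.username] = new_password
        return True

    def change_password(self, session_user: str, target_user: str,
                        current: str, new: str) -> bool:
        """Only the logged-in user may change their own password, and only
        with the previous password supplied in the same request."""
        if session_user != target_user:
            return False
        stored = self.passwords.get(target_user, "")
        # compare_digest needs ASCII str or bytes; encode to be safe.
        if not hmac.compare_digest(stored.encode(), current.encode()):
            return False
        self.passwords[target_user] = new
        return True
```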

Weitere ähnliche Inhalte

Was ist angesagt?

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistCigital
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & TestingDeepu S Nath
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Controlstevil1224
 
Scaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech TalkScaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech TalkNetsparker
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security TestingvodQA
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application SecurityTed Husted
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWebsecurify
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assuranceTjylen Veselyj
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 

Was ist angesagt? (20)

The Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing ChecklistThe Complete Web Application Security Testing Checklist
The Complete Web Application Security Testing Checklist
 
Web application security & Testing
Web application security  & TestingWeb application security  & Testing
Web application security & Testing
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
 
A7 Missing Function Level Access Control
A7   Missing Function Level Access ControlA7   Missing Function Level Access Control
A7 Missing Function Level Access Control
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Scaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech TalkScaling-up and Automating Web Application Security Tech Talk
Scaling-up and Automating Web Application Security Tech Talk
 
Step by step guide for web application security testing
Step by step guide for web application security testingStep by step guide for web application security testing
Step by step guide for web application security testing
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Security-testing presentation
Security-testing presentationSecurity-testing presentation
Security-testing presentation
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security Testing
 
Testing Web Application Security
Testing Web Application SecurityTesting Web Application Security
Testing Web Application Security
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Security hole #5 application security science or quality assurance
Security hole #5 application security   science or quality assuranceSecurity hole #5 application security   science or quality assurance
Security hole #5 application security science or quality assurance
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Security Testing
Security TestingSecurity Testing
Security Testing
 

Ähnlich wie Owasp security testing methodlogies –part2

CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacysoftware-engineering-book
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicSam Bowne
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testingsakshisoni076
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application AuthenticationRapidValue
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Michael Hidalgo
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudOrkhan Gasimov
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 
Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developerSameer Paradia
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxPuskar Bhandari
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applicationsVaibhav Khanna
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins
 
Class 8 -Authentication Controls.pptx
Class 8 -Authentication Controls.pptxClass 8 -Authentication Controls.pptx
Class 8 -Authentication Controls.pptxMadhusha15
 

Ähnlich wie Owasp security testing methodlogies –part2 (20)

CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2CNIT 129S: Securing Web Applications Ch 1-2
CNIT 129S: Securing Web Applications Ch 1-2
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
CNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application LogicCNIT 129S: 11: Attacking Application Logic
CNIT 129S: 11: Attacking Application Logic
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
apex security demo.ppsx
apex security demo.ppsxapex security demo.ppsx
apex security demo.ppsx
 
Security Design Principles.ppt
 Security Design Principles.ppt Security Design Principles.ppt
Security Design Principles.ppt
 
What is penetration testing
What is penetration testingWhat is penetration testing
What is penetration testing
 
Security Testing In Application Authentication
Security Testing In Application AuthenticationSecurity Testing In Application Authentication
Security Testing In Application Authentication
 
Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxBroken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptx
 
Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...Application Security Testing for Software Engineers: An approach to build sof...
Application Security Testing for Software Engineers: An approach to build sof...
 
Secured REST Microservices with Spring Cloud
Secured REST Microservices with Spring CloudSecured REST Microservices with Spring Cloud
Secured REST Microservices with Spring Cloud
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 
Owasp Proactive Controls for Web developer
Owasp  Proactive Controls for Web developerOwasp  Proactive Controls for Web developer
Owasp Proactive Controls for Web developer
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Unit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptxUnit-4-User-Authentication.pptx
Unit-4-User-Authentication.pptx
 
Information and network security 47 authentication applications
Information and network security 47 authentication applicationsInformation and network security 47 authentication applications
Information and network security 47 authentication applications
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja WarriorsRyan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
 
Class 8 -Authentication Controls.pptx
Class 8 -Authentication Controls.pptxClass 8 -Authentication Controls.pptx
Class 8 -Authentication Controls.pptx
 
SCWCD : Secure web
SCWCD : Secure webSCWCD : Secure web
SCWCD : Secure web
 

Kürzlich hochgeladen

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 

Kürzlich hochgeladen (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 

Owasp security testing methodlogies –part2

  • 1. OWASP TESTING METHODOLOGIES –Part2 • Identity management testing. ? • Authentication Testing
  • 2. Identity Management Testing • Identity management testing required in each and every web application for the roles and responsibilities. • Various test cases required to prepare to check identity management testing like user registration process, user enumeration, user account provisioning, user roles, unenforced password policy. • To test the user roles need to validate the system roles defined within the application sufficiently based on the functionality and information. • For the security tester need to assure that user roles are properly defined with their respective functionality. • To test this process the best way to execute it through manually also with the help of spider tool can identify the respective access pages of different users.
  • 3. Identity Management Testing • User provisioning account also play important part for the identity management testing. • Security Tester need to assure that the same user can not provision the user with high privilege. • Need to verify that the same user can not de- provision themselves. • Need to verify if the administrator create multiple administrator If yes then need to check business requirement. • This process also test through the manual testing and with the burp suite tool. • User enumeration attack is the first level of attack on the login pages. • Here the attackers grab the user name without having any information of the user. • Security Tester need to assure the response from the server for the correct and wrong credentials remain same. • Security tester can also verify the response length with the burp suite tool to enumerate the account name.
  • 4. Identity Management Testing • In the below screenshot it reveals that the response length signify the presence of valid name and invalid name.
  • 5. Identity Management Testing • When the user registered himself into the application, the password policy play the crucial role. • A weak password policy make the task of the attacker easier to crack the user credentials. • Security tester need to assure that strong password policy have to be follow by the application. • Manual security testing help to identify that whether the application implemented the strong password policy or not. • Some of the recommended suggestion are that password should be equal to or greater than eight character, it is combination of numeric, upper case and lower case character, it expire after 90 days etc. • Attackers generally use the password crackers tools like Brutus, wfuz,rainbow crack etc. to crash the password.
6. Authentication Testing
• The authentication page is the entry point for an attacker seeking access to restricted pages.
• If the credentials are compromised, the security restrictions the developer built into other areas become inadequate.
• The security tester needs to create various test cases to identify weaknesses on the authentication pages.
• Attackers gain access to credentials with the help of various techniques and tools.
• Various test cases need to be created for authentication testing.
• Some examples: credentials must pass over an encrypted channel, default credentials, bypassing the authentication mechanism, browser caching of credentials, weak password policy, weak security challenge/answer, weak password change or reset functionality, and "remember password" functionality.
• Authentication testing can be performed manually and also with automated tools.
• Good tools such as IBM AppScan, Acunetix and WebInspect help identify authentication-related vulnerabilities very easily.
• Various types of authentication mechanism are used by applications: basic, form-based, NTLM etc.
7. Authentication Testing
• To test whether the credentials travel over an encrypted channel, check manually with a proxy tool or with Wireshark.
• The tester needs to verify this because sometimes credentials are accepted over both HTTPS and HTTP.
• The screenshot below shows credentials passing over the HTTP protocol.
8. Authentication Testing
• The screenshot below shows the user ID and password travelling over HTTP in base64-encoded format.
• Attackers can use various techniques to bypass the authentication mechanism of the application.
9. Authentication Testing
• An attacker can also bypass authentication by logging into the application with a SQL injection attack. For example, the SQL injection ' or 1=1-- helps the attacker bypass the authentication:
10. Authentication Testing
• Any technique that reaches restricted pages without entering the correct credentials can be called an authentication bypass.
• The security tester must ensure that restricted pages are accessible only through the login mechanism.
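To show why the payload quoted on slide 9 works and what the fix looks like, here is a string-built login query beside its parameterised form, run against an in-memory SQLite table. This is an added example, not code from the slides; the user table, the account and the plaintext password column (a real store would hold a salted hash) are constructed.

```python
import sqlite3

def make_db():
    """Constructed user table; plaintext password column only to keep it short."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cretPass')")
    return conn

def login_vulnerable(conn, username, password):
    """String-built query: quotes in the input are parsed as part of the SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def demo():
    """Run the slide's payload through both versions of the login query."""
    conn = make_db()
    payload = "' or 1=1--"   # the payload quoted on the slide
    return {
        "vulnerable": login_vulnerable(conn, payload, "wrong"),  # bypassed
        "safe": login_safe(conn, payload, "wrong"),              # rejected
        "legit": login_safe(conn, "alice", "S3cretPass"),        # still works
    }
```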
11. Authentication Testing
• The screenshot below of the PayPal website shows how the password is echoed back by the server when the user enters an invalid user name or password.
• Here an attacker can retrieve the HTML files from the browser history pages and view the source code.
12. Authentication Testing
• As shown here, the echoed password appears in clear text in the HTML source code of the page.
13. Authentication Testing
• The security tester needs to verify every mechanism by which credentials are sent from the client machine to the server.
• In the screenshots below of the Shopify website's password reset page, the password value also travels in a GET request.
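A check a tester can run over proxy captures for the two exposures shown on slides 7, 8 and 13: credentials sent over plain HTTP (including Basic auth, which is only base64) and a password carried in a GET query string. This is an added example, not code from the slides; the request captures and host name are constructed, and the list of password parameter names is an assumption.

```python
import base64
from urllib.parse import parse_qs, urlsplit

PASSWORD_KEYS = {"password", "passwd", "pwd", "pass", "new_password"}

def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def credential_findings(scheme, raw):
    """Return findings for one captured request (scheme is 'http' or 'https')."""
    method, target, headers, body = parse_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if scheme == "http" and auth.lower().startswith("basic "):
        # Basic auth is only base64, so the user name is trivially recoverable.
        user = base64.b64decode(auth[6:]).decode().split(":", 1)[0]
        findings.append("basic auth for '%s' sent over plain http" % user)
    if set(parse_qs(urlsplit(target).query)) & PASSWORD_KEYS:
        findings.append("password in %s query string" % method)
    if scheme == "http" and set(parse_qs(body)) & PASSWORD_KEYS:
        findings.append("password in form body over plain http")
    return findings

# Constructed captures modelled on the slides' screenshots, not real traffic.
CAPTURES = [
    ("http", "GET /admin HTTP/1.1\r\nHost: shop.example\r\nAuthorization: Basic "
             + base64.b64encode(b"alice:S3cret").decode() + "\r\n\r\n"),
    ("https", "GET /reset?token=abc&password=NewPass1 HTTP/1.1\r\n"
              "Host: shop.example\r\n\r\n"),
    ("http", "POST /login HTTP/1.1\r\nHost: shop.example\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
             "user=bob&password=hunter2"),
    ("https", "POST /login HTTP/1.1\r\nHost: shop.example\r\n\r\n"
              "user=bob&password=hunter2"),
]

def audit_captures():
    """Run the check over every constructed capture, in order."""
    return [credential_findings(scheme, raw) for scheme, raw in CAPTURES]
```

A password in a GET query string is flagged regardless of scheme, because it ends up in browser history, server logs and Referer headers even over HTTPS.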
14. Authentication Testing
• Very often developers leave the entry points for default credentials open on the production server too.
• The security tester needs to verify this manually or with automated tools (Brutus, as shown in the screenshot below) to identify default-credential access.
15. Authentication Testing
• Most e-commerce applications need a "remember me" password feature because it makes it easier for the customer to log in again without remembering the password.
• But this functionality becomes dangerous when the application's business domain changes from e-commerce to banking.
• The remembered password is saved in the user's browser, from which it can easily be retrieved.
16. Authentication Testing
• Most applications allow the user to set challenge questions and answers for password recovery.
• A lazy user will set very easy questions and answers, which attackers can easily break.
• Some examples are "what is your name" and "what comes after 8".
• With the help of password-cracking tools, attackers can easily break such security challenges.
• The security tester must ensure that such weak challenges are avoided in the application.
• The security tester also needs to verify the password reset and change password functionalities.
• Most applications send an authorization token to the registered email address. The security tester must ensure that the reset link is always bound to a time period and destroyed after use.
• The authorization token should be complex and lengthy so that an attacker cannot easily predict the token ID.
• The change password feature should only be allowed if the previous password is also supplied with the request.
• The security tester must ensure that no user can change the password of another user.
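The reset and change-password rules from this slide (unpredictable token, time-bound, destroyed after one use, old password required, own account only) as a minimal service a tester can compare an application against. This is an added example, not code from the slides; the 15-minute window, the account and the fake clock are assumptions, and the password store is plaintext only to keep the block short.

```python
import hmac, secrets, time
from hashlib import sha256

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed value)

class PasswordService:
    """Minimal reset/change flow implementing the slide's rules."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.passwords = {}      # username -> password (plain only for brevity)
        self.reset_tokens = {}   # sha256(token) -> (username, expiry time)

    def issue_reset_token(self, username):
        token = secrets.token_urlsafe(32)            # 256 random bits: not guessable
        digest = sha256(token.encode()).hexdigest()  # store only a hash of it
        self.reset_tokens[digest] = (username, self.clock() + TOKEN_TTL)
        return token

    def reset_with_token(self, token, new_password):
        digest = sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(digest, None)  # pop = single use
        if entry is None:
            return False
        username, expiry = entry
        if self.clock() > expiry:                    # link bound to a time window
            return False
        self.passwords[username] = new_password
        return True

    def change_password(self, session_user, old_password, new_password):
        """Only the session's own account, and only with the current password."""
        stored = self.passwords.get(session_user)
        if stored is None or not hmac.compare_digest(stored, old_password):
            return False
        self.passwords[session_user] = new_password
        return True

def demo():
    """Exercise the flow with a fake clock so expiry can be tested offline."""
    now = [1000.0]
    svc = PasswordService(clock=lambda: now[0])
    svc.passwords["alice"] = "OldPass1"              # constructed account
    token = svc.issue_reset_token("alice")
    reuse = (svc.reset_with_token(token, "NewPass1"),
             svc.reset_with_token(token, "Again2"))  # second use must fail
    stale = svc.issue_reset_token("alice")
    now[0] += TOKEN_TTL + 1                         # jump past the window
    return {"reuse": reuse, "expired": svc.reset_with_token(stale, "Late3"),
            "own_change": svc.change_password("alice", "NewPass1", "Final4"),
            "wrong_old": svc.change_password("alice", "OldPass1", "Bad5")}
```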