6. AN EPIC HACK
[Diagram: the account-takeover chain against mathonan@me.com / @mat, with callouts "How about CC number?", "Billing", "m******n@me.co", "Apple", "Wait!! I'll give you", "Got the CC Number :)", "Insert new Credit card", "Lost access! Add new e-mail", "Reset Password"]
8. SECURITY TESTING
• Process intended to reveal flaws in the security mechanisms of an information system
• Finding out the potential loopholes & weaknesses of the system
• Checking whether there is information leakage
• Passing security testing is not an indication that no flaws exist
16. • Passwords should be stored encrypted / hashed
• Credentials (e.g. login) delivered only over HTTPS
• System/Application should not allow invalid users
• Browser Back button should not be allowed on a Banking website
• Cookies / Session tokens should time out after a certain period
• Forms should be validated on the Server side as well. Test the APIs
• Directory structure should not be browsable
• Check that Exceptions are handled correctly. Stack trace errors shouldn't be displayed
• Use plugins to keep checking for vulnerabilities from time to time (e.g. Tamper Data, Site Spider, etc.)
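Several of the checks in this list can be automated against captured HTTP responses. The following is an added example (not from the slides) that runs the HTTPS-for-credentials, cookie-attribute, stack-trace and directory-listing checks over constructed sample responses; the `Response` class, the regex patterns and the example hostnames are assumptions for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Response:
    """Minimal stand-in (assumed) for an HTTP response captured by a test client."""
    url: str
    status: int
    headers: dict   # lower-cased header name -> list of values
    body: str

# Assumed, non-exhaustive patterns for common stack traces and directory listings
STACK_TRACE = re.compile(r"Traceback \(most recent call last\)|\sat [\w.$]+\(\w+\.java:\d+\)|System\.\w+Exception")
DIR_LISTING = re.compile(r"<title>Index of /|Directory listing for", re.IGNORECASE)

def cookie_attrs(set_cookie):
    """Return (cookie name, set of lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:]}

def check_response(resp, is_login=False):
    """Run the checklist items over one response; return findings (empty list = pass)."""
    findings = []
    if is_login and not resp.url.lower().startswith("https://"):
        findings.append("credentials submitted over plain HTTP")
    for raw in resp.headers.get("set-cookie", []):
        name, attrs = cookie_attrs(raw)
        # Client-side expiry is only a proxy; server-side session timeout needs its own test
        if not attrs & {"max-age", "expires"}:
            findings.append(f"cookie {name} never expires client-side")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} readable by script (no HttpOnly)")
        if "secure" not in attrs:
            findings.append(f"cookie {name} may be sent over HTTP (no Secure)")
    if STACK_TRACE.search(resp.body):
        findings.append("stack trace disclosed in response body")
    if DIR_LISTING.search(resp.body):
        findings.append("directory listing is browsable")
    return findings

# Constructed sample responses (not captured from any real site)
BAD = Response("http://bank.example/login", 500, {"set-cookie": ["JSESSIONID=abc123; Path=/"]},
               "Exception\n\tat com.bank.Login.doPost(Login.java:42)")
GOOD = Response("https://bank.example/login", 200,
                {"set-cookie": ["JSESSIONID=abc123; Path=/; Max-Age=900; Secure; HttpOnly"]},
                "<html>Welcome</html>")

if __name__ == "__main__":
    for label, r in (("bad", BAD), ("good", GOOD)):
        print(label, check_response(r, is_login=True))
```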
18. KEY TAKEAWAYS
• Make things safe by default
• Make the security test plan in accordance with the business requirements & security goals
• Have the ability to deploy/respond quickly
20. For questions or suggestions:
Write to us @
harikris@thoughtworks.com
shilpab@thoughtworks.com
THANK YOU