4/3/2019
Things we have to go through
• Exploratory testing • Threat modelling • Learning web and associated risks • server and client vulnerabilities, • user inputs based vulnerabilities and attacks, • technology and programming language based loop holes • vulnerabilities due to state information Breaking Web Applications • some basic privacy testing and threats around web services.
Smita Mishra, CEO, QAZone Infosystems
1 2
1 4/3/2019
Testing Principles of Testing
• No Silver Bullet • Think Strategically, Not Tactically • Test Early and Test often Exploratory Testing – the only possible way to test • Understand Scope • Use Source Code when available • Develop the right mindset • Develop Metrics • Understand the subject • Use the right tools • Devil is in the details • Document Test Results
3 4
2 4/3/2019
Exercise 1 Exercise 2
Horse Lunge Gear Generator
5 6
3 4/3/2019
How Web App Architecture evolved? Web Architecture
7 8
4 4/3/2019
Layered Architecture
What is security testing? Where to start? SECURITY TESTING – QUICK LEARN
@smitapmishra 10
9 10
5 4/3/2019
Security Testing Same Origin Policy
As per this policy, it permits scripts running on pages originating from the same site which can be a combination of the following − Confidentiality Integrity Authentication • Domain • Protocol • Port Non- Authorization Availability repudiation
11 12
6 4/3/2019
Malicious software (malware) is any software that gives partial to full control of the system to the attacker/malware creator. Malware Various forms of malware are listed here → Window of vulnerability • A virus is a program that creates copies of itself and inserts these copies into other computer programs, data files, or into the boot sector of the hard-disk. Upon successful replication, viruses cause harmful activity on Virus infected hosts such as stealing hard-disk space or CPU time.
• A worm is a type of malware which leaves a copy of itself in the memory of each computer in its path. Worm
• Trojan is a non-self-replicating type of malware that contains malicious code, which upon execution results in Trojan loss or theft of data or possible system harm.
• Adware, also known as freeware or pitchware, is a free computer software that contains commercial advertisements of games, desktop toolbars, and utilities. It is a web-based application and it collects web Adware browser data to target advertisements, especially pop-ups. • Spyware is infiltration software that anonymously monitors users which enables a hacker to obtain sensitive information from the user's computer. Spyware exploits users and application vulnerabilities that is quite often Spyware attached to free online software downloads or to links that are clicked by users. • A rootkit is a software used by a hacker to gain admin level access to a computer/network which is installed Rootkkit through a stolen password or by exploiting a system vulnerability without the victim's knowledge. Ref : OWASP
13 14
7 4/3/2019
OWASP TESTING FRAMEWORK Approach WORK FLOW • PTES − Penetration Testing Execution Standard • OSSTMM − Open Source Security Testing Methodology Manual • OWASP Testing Techniques − Open Web Application Security Protocol
15 16
8 4/3/2019
Testing Techniques Security Testing Techniques
• Manual Inspection and Reviews • Threat Modeling • Code Review • Penetration Testing
Proportion of Test Effort in SDLC Proportion of Test Effort According to Test Technique
17 18
9 4/3/2019
Manual Inspection Threat Modeling Decomposing the
& application Advantages: Advantages: •Practical attacker’s view of the system Implications of people / • Requires no supporting technology • Flexible policies / processes Defining and • Can be applied to a variety of situations classifying the assets • Early in the SDLC • Flexible Disadvantages: Inspection of Technology • Promotes teamwork Exploring potential • Relatively new technique decisions
• Early in the SDLC Modeling •Good threat models don’t automatically mean (e.g.: Architectural design) vulnerabilities
Inspections Disadvantages: good software
Reviews Analyzing documentation / • Can be time consuming Exploring potential Interviewing designers , • Supporting material not always available threats system owners • Requires significant human thought and skill to be effective
Threat Creating mitigation Manual Manual strategies
19 20
10 4/3/2019
Source Code Review Penetration Testing
Flawed Business Advantages: Logic Testers as Advantages: •Completeness and effectiveness Attackers • Accuracy •Can be fast (and therefore cheap) Concurrency •Requires a relatively lower skill-set than Problems •Fast (for competent reviewers)
Testing BBT / Ethical source code review
Reviews Disadvantages: Cryptographic •Requires highly skilled security developers Hacking • Tests the code that is actually being exposed Weaknesses •Can miss issues in compiled libraries Disadvantages: • Too late in the SDLC Code • Cannot detect run-time errors easily N/W , OS Testing Access control •The source code actually deployed might • Front impact testing only. problems differ from the one being analyzed
Operational Tools Source Source
Procedures Penetration
21 22
11 4/3/2019
Application Security Risks Identifying Application Security Risks Top 10 – 2010 vs 2013
23 24
12 4/3/2019
Top 10 vulnerabilities of 2013 vs 2017 Attacks Classification Attacking the User Supplied Language State Based Client Input Data Based
Bypass Hidden Fields Cross-Site Restrictions on BufferOverflows Scripting Input Choices
CGI Parameters Bypass Client– SQL Injection Canonicalization Side Validation
Cookie Poisoning
Directory NULL-String Traversal Attacks URL Jumping
Session Hijacking
25 26
13 4/3/2019
Attacks Classification
Attacking the Authentication Privacy Web Serivces Server
SQL Injection II WSDL Fake – Stored User Agents Scanning Cryptography Exercises Procedures Attack
Command Breaking Parameter Referrer Injection Authentication Tampering
XPATH Fingerprinting Cross-Site Cookies Injection the server Tracing Attack
Recursive / Denial of Forcing Weak Web Bugs OverloadPath Service Cryptography attack
27 28
14 4/3/2019
OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017
• Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when • Application functions related to authentication and session management A1:2017- untrusted data is sent to an interpreter as part of a command or query. The A2:2017-Broken are often implemented incorrectly, allowing attackers to compromise Injection attacker’s hostile data can trick the interpreter into executing unintended passwords, keys, or session tokens, or to exploit other implementation flaws commands or accessing data without proper authorization. Authentication to assume other users’ identities temporarily or permanently.
29 30
15 4/3/2019
OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • Many older or poorly configured XML processors evaluate external A3:2017- • Many web applications and APIs do not properly protect sensitive data, such as A4:2017-XML financial, healthcare, and PII. Attackers may steal or modify such weakly protected data entity references within XML documents. External entities can be Sensitive Data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be External Entities used to disclose internal files using the file URI handler, internal file compromised without extra protection, such as encryption at rest or in transit, and shares, internal port scanning, remote code execution, and denial of Exposure requires special precautions when exchanged with the browser. (XXE) service attacks.
31 32
16 4/3/2019
OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • Security misconfiguration is the most commonly seen issue. This is commonly • Restrictions on what authenticated users are allowed to do are often not a result of insecure default configurations, incomplete or ad hoc A5:2017-Broken properly enforced. Attackers can exploit these flaws to access unauthorized A6:2017-Security configurations, open cloud storage, misconfigured HTTP headers, and verbose Access Control functionality and/or data, such as access other users' accounts, view error messages containing sensitive information. Not only must all operating sensitive files, modify other users’ data, change access rights, etc. Misconfiguration systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
33 34
17 4/3/2019
OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • XSS flaws occur whenever an application includes untrusted data in a new web A7:2017-Cross- • Insecure deserialization often leads to remote code execution. Even if page without proper validation or escaping, or updates an existing web page with A8:2017-Insecure deserialization flaws do not result in remote code execution, they can be user-supplied data using a browser API that can create HTML or JavaScript. XSS Site Scripting used to perform attacks, including replay attacks, injection attacks, and allows attackers to execute scripts in the victim’s browser which can hijack user Deserialization privilege escalation attacks. (XSS) sessions, deface web sites, or redirect the user to malicious sites.
35 36
18 4/3/2019
OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • Insufficient logging and monitoring, coupled with missing or ineffective • Components, such as libraries, frameworks, and other software modules, run with A10:2017- integration with incident response, allows attackers to further attack A9:2017-Using the same privileges as the application. If a vulnerable component is exploited, such Components with an attack can facilitate serious data loss or server takeover. Applications and APIs Insufficient Logging systems, maintain persistence, pivot to more systems, and tamper, extract, using components with known vulnerabilities may undermine application defenses or destroy data. Most breach studies show time to detect a breach is over Known Vulnerabilities and enable various attacks and impacts. & Monitoring 200 days, typically detected by external parties rather than internal processes or monitoring.
37 38
19 4/3/2019
Whats next for Developers
Establish& Use Repeatable Security Processes and Standard Security Controls
WHATS NEXT? Application Application Standard Secure Application Security Security Security Development Security Requirements Architecture Controls Lifecycle Education
@smitapmishra 39
39 40
20 4/3/2019
Whats next for Testers Whats next for Organizations
Establish Continuous Application Security Start Your Application Security Program Testing Now
Integrate Achieving Clearly Risk Based Enable with a Provide Understand the Understand Your Security into Testing Strategies Coverage and Communicate Get Started Portfolio Strong Management Threat Model SDLC Existing Accuracy Approach Foundation Visibility Findings Processes
41 42
21 4/3/2019
Whats next for Application Managers
Manage the Full Application Lifecycle THANK YOU
STAY IN TOUCH
Requirements Request for Planning and [email protected] Deployment, Retiring and Resource Proposals Design Operations Twitter : @smitapmishra Testing and and Change Systems Management (RFP) and Rollout Contracting Management Linkedin: http://www.linkedin.com/in/smitapmishra
43 44
22