4/3/2019

Things we have to go through

• Threat modelling • Learning web and associated risks • server and client vulnerabilities, • user inputs based vulnerabilities and attacks, • technology and programming language based loop holes • vulnerabilities due to state information Breaking Web Applications • some basic privacy testing and threats around web services.

Smita Mishra, CEO, QAZone Infosystems

1 2

1 4/3/2019

Testing Principles of Testing

• No Silver Bullet • Think Strategically, Not Tactically • Test Early and Test often Exploratory Testing – the only possible way to test • Understand Scope • Use Source Code when available • Develop the right mindset • Develop Metrics • Understand the subject • Use the right tools • Devil is in the details • Document Test Results

3 4

2 4/3/2019

Exercise 1 Exercise 2

Horse Lunge Gear Generator

5 6

3 4/3/2019

How Web App Architecture evolved? Web Architecture

7 8

4 4/3/2019

Layered Architecture

What is testing? Where to start? – QUICK LEARN

@smitapmishra 10

9 10

5 4/3/2019

Security Testing Same Origin Policy

As per this policy, it permits scripts running on pages originating from the same site which can be a combination of the following − Confidentiality Integrity • Domain • Protocol • Port Non- Availability repudiation

11 12

6 4/3/2019

Malicious () is any software that gives partial to full control of the system to the attacker/malware creator. Malware Various forms of malware are listed here → Window of vulnerability • A virus is a program that creates copies of itself and inserts these copies into other computer programs, data files, or into the boot sector of the hard-disk. Upon successful replication, viruses cause harmful activity on Virus infected hosts such as stealing hard-disk space or CPU time.

• A worm is a type of malware which leaves a copy of itself in the memory of each computer in its path. Worm

• Trojan is a non-self-replicating type of malware that contains malicious code, which upon execution results in Trojan loss or theft of data or possible system harm.

, also known as freeware or pitchware, is a free computer software that contains commercial advertisements of games, desktop toolbars, and utilities. It is a web-based application and it collects web Adware browser data to target advertisements, especially pop-ups. • is infiltration software that anonymously monitors users which enables a to obtain sensitive information from the user's computer. Spyware exploits users and application vulnerabilities that is quite often Spyware attached to free online software downloads or to links that are clicked by users. • A is a software used by a hacker to gain admin level access to a computer/network which is installed Rootkkit through a stolen password or by exploiting a system vulnerability without the victim's knowledge. Ref : OWASP

13 14

7 4/3/2019

OWASP TESTING FRAMEWORK Approach WORK FLOW • PTES − Penetration Testing Execution Standard • OSSTMM − Open Source Security Testing Methodology Manual • OWASP Testing Techniques − Open Web Protocol

15 16

8 4/3/2019

Testing Techniques Security Testing Techniques

• Manual Inspection and Reviews • Threat Modeling • Code Review • Penetration Testing

Proportion of Test Effort in SDLC Proportion of Test Effort According to Test Technique

17 18

9 4/3/2019

Manual Inspection Threat Modeling Decomposing the

& application Advantages: Advantages: •Practical attacker’s view of the system Implications of people / • Requires no supporting technology • Flexible policies / processes Defining and • Can be applied to a variety of situations classifying the assets • Early in the SDLC • Flexible Disadvantages: Inspection of Technology • Promotes teamwork Exploring potential • Relatively new technique decisions

• Early in the SDLC Modeling •Good threat models don’t automatically mean (e.g.: Architectural design) vulnerabilities

Inspections Disadvantages: good software

Reviews Analyzing documentation / • Can be time consuming Exploring potential Interviewing designers , • Supporting material not always available threats system owners • Requires significant human thought and skill to be effective

Threat Creating mitigation Manual Manual strategies

19 20

10 4/3/2019

Source Code Review Penetration Testing

Flawed Business Advantages: Logic Testers as Advantages: •Completeness and effectiveness Attackers • Accuracy •Can be fast (and therefore cheap) Concurrency •Requires a relatively lower skill-set than Problems •Fast (for competent reviewers)

Testing BBT / Ethical source code review

Reviews Disadvantages: Cryptographic •Requires highly skilled security developers Hacking • Tests the code that is actually being exposed Weaknesses •Can miss issues in compiled libraries Disadvantages: • Too late in the SDLC Code • Cannot detect run-time errors easily N/W , OS Testing •The source code actually deployed might • Front impact testing only. problems differ from the one being analyzed

Operational Tools Source Source

Procedures Penetration

21 22

11 4/3/2019

Application Security Risks Identifying Application Security Risks Top 10 – 2010 vs 2013

23 24

12 4/3/2019

Top 10 vulnerabilities of 2013 vs 2017 Attacks Classification Attacking the User Supplied Language State Based Client Input Data Based

Bypass Hidden Fields Cross-Site Restrictions on BufferOverflows Scripting Input Choices

CGI Parameters Bypass Client– SQL Injection Canonicalization Side Validation

Cookie Poisoning

Directory NULL-String Traversal Attacks URL Jumping

Session Hijacking

25 26

13 4/3/2019

Attacks Classification

Attacking the Authentication Privacy Web Serivces Server

SQL Injection II WSDL Fake – Stored User Agents Scanning Cryptography Exercises Procedures Attack

Command Breaking Parameter Referrer Injection Authentication Tampering

XPATH Fingerprinting Cross-Site Cookies Injection the server Tracing Attack

Recursive / Denial of Forcing Weak Web Bugs OverloadPath Service Cryptography attack

27 28

14 4/3/2019

OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017

• Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when • Application functions related to authentication and session management A1:2017- untrusted data is sent to an as part of a command or query. The A2:2017-Broken are often implemented incorrectly, allowing attackers to compromise Injection attacker’s hostile data can trick the interpreter into executing unintended passwords, keys, or session tokens, or to exploit other implementation flaws commands or accessing data without proper authorization. Authentication to assume other users’ identities temporarily or permanently.

29 30

15 4/3/2019

OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • Many older or poorly configured XML processors evaluate external A3:2017- • Many web applications and APIs do not properly protect sensitive data, such as A4:2017-XML financial, healthcare, and PII. Attackers may steal or modify such weakly protected data entity references within XML documents. External entities can be Sensitive Data to conduct , identity theft, or other crimes. Sensitive data may be External Entities used to disclose internal files using the file URI handler, internal file compromised without extra protection, such as at rest or in transit, and shares, internal port scanning, remote code execution, and denial of Exposure requires special precautions when exchanged with the browser. (XXE) service attacks.

31 32

16 4/3/2019

OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • Security misconfiguration is the most commonly seen issue. This is commonly • Restrictions on what authenticated users are allowed to do are often not a result of insecure default configurations, incomplete or ad hoc A5:2017-Broken properly enforced. Attackers can exploit these flaws to access unauthorized A6:2017-Security configurations, open cloud storage, misconfigured HTTP headers, and verbose Access Control functionality and/or data, such as access other users' accounts, view error messages containing sensitive information. Not only must all operating sensitive files, modify other users’ data, change access rights, etc. Misconfiguration systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

33 34

17 4/3/2019

OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • XSS flaws occur whenever an application includes untrusted data in a new web A7:2017-Cross- • Insecure deserialization often leads to remote code execution. Even if page without proper validation or escaping, or updates an existing web page with A8:2017-Insecure deserialization flaws do not result in remote code execution, they can be user-supplied data using a browser API that can create HTML or JavaScript. XSS Site Scripting used to perform attacks, including replay attacks, injection attacks, and allows attackers to execute scripts in the victim’s browser which can hijack user Deserialization attacks. (XSS) sessions, deface web sites, or redirect the user to malicious sites.

35 36

18 4/3/2019

OWASP Top 10 OWASP Top 10 Application Security Risks–2017 Application Security Risks–2017 • Insufficient logging and monitoring, coupled with missing or ineffective • Components, such as libraries, frameworks, and other software modules, run with A10:2017- integration with incident response, allows attackers to further attack A9:2017-Using the same privileges as the application. If a vulnerable component is exploited, such Components with an attack can facilitate serious data loss or server takeover. Applications and APIs Insufficient Logging systems, maintain persistence, pivot to more systems, and tamper, extract, using components with known vulnerabilities may undermine application defenses or destroy data. Most breach studies show time to detect a breach is over Known Vulnerabilities and enable various attacks and impacts. & Monitoring 200 days, typically detected by external parties rather than internal processes or monitoring.

37 38

19 4/3/2019

Whats next for Developers

Establish& Use Repeatable Security Processes and Standard Security Controls

WHATS NEXT? Application Application Standard Secure Application Security Security Security Development Security Requirements Architecture Controls Lifecycle Education

@smitapmishra 39

39 40

20 4/3/2019

Whats next for Testers Whats next for Organizations

Establish Continuous Application Security Start Your Application Security Program Testing Now

Integrate Achieving Clearly Risk Based Enable with a Provide Understand the Understand Your Security into Testing Strategies Coverage and Communicate Get Started Portfolio Strong Management Threat Model SDLC Existing Accuracy Approach Foundation Visibility Findings Processes

41 42

21 4/3/2019

Whats next for Application Managers

Manage the Full Application Lifecycle THANK YOU

STAY IN TOUCH

Requirements Request for Planning and [email protected] Deployment, Retiring and Resource Proposals Design Operations Twitter : @smitapmishra Testing and and Change Systems Management (RFP) and Rollout Contracting Management Linkedin: http://www.linkedin.com/in/smitapmishra

43 44

22