
4/3/2019

Breaking Web Applications
Smita Mishra, CEO, QAZone Infosystems

Things we have to go through
• Exploratory testing
• Threat modelling
• Learning the web and its associated risks
• Server and client vulnerabilities
• User-input based vulnerabilities and attacks
• Technology and programming-language based loopholes
• Vulnerabilities due to state information
• Some basic privacy testing and threats around web services

Testing – Principles of Testing
• No Silver Bullet
• Think Strategically, Not Tactically
• Test Early and Test Often

Exploratory Testing – the only possible way to test
• Understand Scope
• Use Source Code when available
• Develop the right mindset
• Develop Metrics
• Understand the subject
• Use the right tools
• Devil is in the details
• Document Test Results

Exercise 1 / Exercise 2: Horse Lunge Gear Generator

How Web App Architecture evolved? – Web Architecture – Layered Architecture

What is security testing? Where to start?
SECURITY TESTING – QUICK LEARN @smitapmishra

Security Testing
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation

Same Origin Policy
Under this policy, a browser permits scripts running on pages that originate from the same site to access each other; "same site" is defined by the combination of the following:
• Domain
• Protocol
• Port

Malware
Malicious software (malware) is any software that gives partial to full control of the system to the attacker/malware creator. Various forms of malware are listed here (window of vulnerability):
• Virus: A virus is a program that creates copies of itself and inserts these copies into other computer programs, data files, or into the boot sector of the hard disk. Upon successful replication, viruses cause harmful activity on infected hosts such as stealing hard-disk space or CPU time.
• Worm: A worm is a type of malware which leaves a copy of itself in the memory of each computer in its path.
• Trojan: A Trojan is a non-self-replicating type of malware that contains malicious code, which upon execution results in loss or theft of data or possible system harm.
• Adware: Adware, also known as freeware or pitchware, is free computer software that contains commercial advertisements of games, desktop toolbars, and utilities. It is a web-based application and it collects web browser data to target advertisements, especially pop-ups.
• Spyware: Spyware is infiltration software that anonymously monitors users, which enables a hacker to obtain sensitive information from the user's computer. Spyware exploits user and application vulnerabilities and is quite often attached to free online software downloads or to links that are clicked by users.
• Rootkit: A rootkit is software used by a hacker to gain admin-level access to a computer/network; it is installed through a stolen password or by exploiting a system vulnerability without the victim's knowledge.
Ref: OWASP

OWASP Testing Framework – Approach / Work Flow
• PTES − Penetration Testing Execution Standard
• OSSTMM − Open Source Security Testing Methodology Manual
• OWASP Testing Techniques − Open Web Application Security Project

Testing Techniques – Security Testing Techniques
• Manual Inspection and Reviews
• Threat Modeling
• Code Review
• Penetration Testing
(Charts: Proportion of Test Effort in SDLC; Proportion of Test Effort According to Test Technique)

Manual Inspection
Scope: implications of people / policies / processes; inspection of technology decisions (e.g. architectural design); analyzing documentation and interviewing designers and system owners.
Advantages:
• Requires no supporting technology
• Can be applied to a variety of situations
• Flexible
• Promotes teamwork
• Early in the SDLC
Disadvantages:
• Can be time consuming
• Supporting material not always available
• Requires significant human thought and skill to be effective

Threat Modeling
Steps: decomposing the application; defining and classifying the assets; exploring potential vulnerabilities; exploring potential threats; creating mitigation strategies.
Advantages:
• Practical attacker's view of the system
• Flexible
• Early in the SDLC
Disadvantages:
• Relatively new technique
• Good threat models don't automatically mean good software

Source Code Review
Scope: flawed business logic; concurrency problems; cryptographic weaknesses; access control problems.
Advantages:
• Completeness and effectiveness
• Accuracy
• Fast (for competent reviewers)
Disadvantages:
• Requires highly skilled security developers
• Can miss issues in compiled libraries
• Cannot detect run-time errors easily
• The source code actually deployed might differ from the one being analyzed

Penetration Testing
Scope: testers as attackers; BBT / ethical hacking; N/W and OS testing; operational procedures; tools.
Advantages:
• Can be fast (and therefore cheap)
• Requires a relatively lower skill-set than source code review
• Tests the code that is actually being exposed
Disadvantages:
• Too late in the SDLC
• Front impact testing only

Application Security Risks – Identifying Application Security Risks
Top 10 – 2010 vs 2013
Top 10 vulnerabilities of 2013 vs 2017

Attacks Classification – Attacking the Client
• User Supplied Input: Bypass Restrictions on Input Choices; Bypass Client-Side Validation
• Language Based: Buffer Overflows; Canonicalization; NULL-String Attacks
• State Based: Hidden Fields; CGI Parameters; Cookie Poisoning; URL Jumping; Session Hijacking
• Data Based: Cross-Site Scripting; SQL Injection; Directory Traversal

Attacks Classification – Attacking the Server
• Authentication: Fake Cryptography; Breaking Authentication; Cross-Site Tracing
• Privacy: User Agents; Referrer; Cookies; Web Bugs
• Web Services: WSDL Scanning; Parameter Tampering; XPATH Injection; Recursive / Overload Path attack
• Server: SQL Injection II – Stored Procedures Attack; Command Injection; Fingerprinting the server; Denial of Service; Forcing Weak Cryptography
• Exercises

OWASP Top 10 Application Security Risks – 2017
A1:2017-Injection
• Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A2:2017-Broken Authentication
• Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
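The A1 slide says the interpreter cannot distinguish hostile data from the command once they are mixed. The following is an added example, not from the deck, that puts the concatenated lookup beside its parameterised form over a constructed SQLite table and shows how each one treats the same two inputs (function and table names are the example's own):

```python
import sqlite3


def make_db():
    """Constructed sample table (not the deck's data); one name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("o'brien", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """A1 pattern: untrusted input is spliced into the query text, so the SQL
    interpreter cannot tell where the data ends and the command begins."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """Hardened form: a parameterised query. The driver binds the value after
    the statement is parsed, so the input is only ever treated as data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(conn, name):
    """Run both lookups on the same input and report what each returned, or
    that the concatenated query no longer parsed."""
    try:
        vulnerable = find_user_vulnerable(conn, name)
    except sqlite3.OperationalError as exc:
        vulnerable = "error: " + str(exc)
    return {"vulnerable": vulnerable, "safe": find_user_safe(conn, name)}


if __name__ == "__main__":
    db = make_db()
    # A tautology appended to the input: the concatenated query matches every
    # row, the parameterised one matches none.
    print(compare(db, "x' OR '1'='1"))
    # A legitimate name containing a quote breaks the concatenated query but is
    # handled correctly by the parameterised one.
    print(compare(db, "o'brien"))
```

The second input is the point most often missed: parameterisation is not only the security fix, it is also the only version that returns the right answer for ordinary data.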
A3:2017-Sensitive Data Exposure
• Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
A4:2017-XML External Entities (XXE)
• Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
A5:2017-Broken Access Control
• Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
A6:2017-Security Misconfiguration
• Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
A7:2017-Cross-Site Scripting (XSS)
• XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A8:2017-Insecure Deserialization
• Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
• Components, such as libraries,
• Insufficient logging and monitoring, coupled with missing or ineffective
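The A7 slide frames XSS as untrusted data that ends up creating HTML or JavaScript. As an added example (not from the deck), this renders a constructed page fragment with and without output encoding and then counts, with the standard-library HTML parser, how many elements and on* handler attributes a browser would build from each result; the template, inputs and function names are the example's own:

```python
import html
from html.parser import HTMLParser

# Constructed page fragment (not from the deck): untrusted data lands in an
# HTML text node and in a quoted attribute value.
TEMPLATE = '<p>Hello, {name}!</p><input name="q" value="{query}">'


def render_vulnerable(name, query):
    """A7 pattern: untrusted data is placed into the page unescaped."""
    return TEMPLATE.format(name=name, query=query)


def render_safe(name, query):
    """Hardened form: output encoding for the text and attribute contexts.
    quote=True also escapes " and ', so the value cannot close the attribute."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           query=html.escape(query, quote=True))


class MarkupCounter(HTMLParser):
    """Counts the elements and on* event-handler attributes a browser would
    create from the markup; encoding must leave those counts unchanged."""

    def __init__(self):
        super().__init__()
        self.elements = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        self.elements += 1
        self.handlers += sum(1 for attr, _ in attrs if attr.startswith("on"))


def count_markup(markup):
    parser = MarkupCounter()
    parser.feed(markup)
    parser.close()
    return parser.elements, parser.handlers


def audit(name, query):
    """(elements, handler attributes) for the unescaped and escaped rendering."""
    return {"vulnerable": count_markup(render_vulnerable(name, query)),
            "safe": count_markup(render_safe(name, query))}


if __name__ == "__main__":
    # Constructed inputs: one adds an element with a handler to the text
    # context, the other tries to break out of the attribute value.
    print(audit('<img src="x" onerror="report()">', 'a" autofocus onfocus="report()'))
```

The template has two elements, so a rendering whose count rises above (2, 0) has let user data create markup; the escaped rendering stays at (2, 0) for both inputs.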