TRANSCRIPT
Integrating Web Application Penetration Testing into Your
Vulnerability Management Program
Rich Mogull, Securosis, L.L.C.
securosis.com
Top Threats
[Diagram: Client side, Web Applications]
Why Web Applications Are Such a Problem
• Rapid development with limited QA
• Eternal beta cycles
• Un(security)trained developers
• New vulnerability classes
• Insecure browsers
• Inherent insecurity of web model
Major Webapp Attacks: Breaking Trust Relationships
• Cross Site Scripting
• Cross Site Request Forgery
• SQL Injection
[Diagram: Browser, Server]
Cross Site Scripting
[Diagram: Attacker, Victim, trusted site]
Stored:
1) Malicious script stored
2) User follows to trusted site
3) Malicious script injected by site
Reflected:
1) Malicious URL
2), 3) [labels not captured in the transcript]
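Both diagrams end the same way: untrusted data that the site wrote into its own HTML runs as the site's script. The following is an added example, not code from the deck or from Securosis; the page template and the two sample inputs (a reflected search term and a previously stored comment) are constructed for the demo. It renders the same page with and without HTML output encoding, which is the control that breaks both the stored and the reflected variant.

```python
import html

# Constructed page template (assumption: not from the deck); untrusted values
# land in two slots, one reflected from the request and one stored earlier.
PAGE = ("<html><body><h1>Results for: {term}</h1>"
        "<div class=\"comment\">{comment}</div></body></html>")

# Constructed sample inputs for the demo.
REFLECTED_TERM = "shoes<script>alert('reflected')</script>"   # from the URL (reflected)
STORED_COMMENT = "Great post!<script>alert('stored')</script>" # from the database (stored)


def render_unsafe(term, comment):
    # Raw interpolation: the browser parses the injected tags as markup and
    # runs them in the trusted site's origin.
    return PAGE.format(term=term, comment=comment)


def render_safe(term, comment):
    # HTML-context output encoding: <, >, &, and quotes become entities,
    # so the same bytes are displayed as text instead of executed.
    return PAGE.format(term=html.escape(term, quote=True),
                       comment=html.escape(comment, quote=True))


def has_live_script(page):
    # Deliberately crude check, used only to contrast the two renderings.
    return "<script" in page.lower()


if __name__ == "__main__":
    print("unsafe:", has_live_script(render_unsafe(REFLECTED_TERM, STORED_COMMENT)))
    print("safe:  ", has_live_script(render_safe(REFLECTED_TERM, STORED_COMMENT)))
```

Encoding is context-specific: `html.escape` is correct for element content and attribute values, but data written into a JavaScript block, a URL, or a CSS value needs the encoder for that context.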
Cross Site Request Forgery
[Diagram: Session 1: user authenticates to the trusted site. Session 2 (stealth session): a script/link submits a transaction to the trusted site, producing malicious transactions.]
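The stealth session in the diagram works because the browser attaches the victim's session cookie to any request, including one a third-party page submits. The standard mitigation is a per-session secret that only the site's own forms carry. The code below is an added example, not the deck's or Securosis' code; the token store, the `handle_transfer` handler, and the request dictionaries are all constructed for the demo.

```python
import hmac
import secrets


class TokenStore:
    """Per-session anti-CSRF tokens (demo store; a real app keeps these server-side)."""

    def __init__(self):
        self._tokens = {}

    def issue(self, session_id):
        # Unguessable token, bound to the session that will present it.
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def check(self, session_id, presented):
        expected = self._tokens.get(session_id)
        if expected is None or presented is None:
            return False
        # Constant-time comparison, so the check leaks nothing about the token.
        return hmac.compare_digest(expected, presented)


def handle_transfer(store, request):
    """Handle a state-changing POST.

    request is a constructed dict: 'session_id' stands for the session cookie
    the browser attaches automatically, 'form' for the POST body.
    """
    form = request["form"]
    if not store.check(request["session_id"], form.get("csrf_token")):
        return 403, "rejected: missing or invalid anti-CSRF token"
    return 200, f"transferred {form['amount']} to {form['to']}"


def demo():
    store = TokenStore()
    sid = "sess-victim-001"      # constructed session id (Session 1 has authenticated)
    token = store.issue(sid)     # embedded in the site's own transfer form

    legit = {"session_id": sid,
             "form": {"to": "savings", "amount": "100", "csrf_token": token}}
    # Session 2 (stealth): a cross-site form rides on the victim's cookie, but
    # the attacker never saw the token, so it is absent or at best guessed.
    forged = {"session_id": sid,
              "form": {"to": "mule", "amount": "5000"}}
    guessed = {"session_id": sid,
               "form": {"to": "mule", "amount": "5000", "csrf_token": "0" * 32}}
    return (handle_transfer(store, legit)[0],
            handle_transfer(store, forged)[0],
            handle_transfer(store, guessed)[0])


if __name__ == "__main__":
    print(demo())   # (200, 403, 403)
```

The token must be checked on every state-changing request, never on GET-only reads, and a 403 here is worth logging: a burst of them from one session is a useful detection signal for an attempted forgery.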
SQL Injection
SQL Statement:
"SELECT * FROM users WHERE name = '" + uName + "' AND password = '" + upass + "';"
Attack Input:
admin'--
Executed Statement:
SELECT * FROM users WHERE name = 'admin'--' AND password = '<upass>';
The single quote closes the name literal and "--" starts an SQL comment, so the password clause is never evaluated and the admin row is returned whatever upass contains.
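To make the slide concrete, here is the same statement run against a constructed SQLite table, first built by concatenation exactly as the slide shows and then with bound parameters. This is an added example, not the deck's or Securosis' code; the schema, the stored credentials and the function names are assumptions for the demo.

```python
import sqlite3


def setup_db():
    # Constructed in-memory table for the demo; the deck shows no schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_concat(conn, uName, upass):
    """The slide's statement, built by string concatenation (vulnerable)."""
    stmt = ("SELECT * FROM users WHERE name = '" + uName +
            "' AND password = '" + upass + "';")
    # With uName = "admin'--" the quote closes the literal and "--" comments
    # out the password check, so the admin row comes back regardless of upass.
    return conn.execute(stmt).fetchone() is not None


def login_param(conn, uName, upass):
    """Same query with bound parameters: input is data, never SQL syntax."""
    stmt = "SELECT * FROM users WHERE name = ? AND password = ?"
    return conn.execute(stmt, (uName, upass)).fetchone() is not None


def demo():
    conn = setup_db()
    attack = "admin'--"   # the slide's attack input
    return {
        "concat_valid_creds": login_concat(conn, "admin", "s3cret"),
        "concat_attack": login_concat(conn, attack, "wrong"),
        "param_valid_creds": login_param(conn, "admin", "s3cret"),
        "param_attack": login_param(conn, attack, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With parameters the driver sends `admin'--` as a plain string value, so there is simply no user with that name and the login fails; this is also why a scanner that only pattern-matches on quotes cannot tell the two versions apart without exercising the code.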
Accidental/Directory Traversal
[Diagram: + or - "/" = ]
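Whether the extra or missing "/" is accidental or deliberate, the defence is the same: resolve the requested path and confirm it still sits under the document root before touching the file system. The snippet below is an added example, not the deck's or Securosis' code; the document root `/srv/app/public` and the `safe_resolve` helper are constructed for the demo.

```python
import os

# Constructed document root (assumption: nothing in the deck names a path).
WEB_ROOT = "/srv/app/public"


def safe_resolve(base_dir, user_path):
    """Return the absolute path for user_path, or None if it escapes base_dir."""
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_path is absolute, and realpath
    # collapses "..", repeated or missing slashes and symlinks, so the check
    # below operates on the true target rather than on the raw string.
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def classify(user_path):
    # Convenience wrapper for logging: traversal attempts are worth recording.
    return "allowed" if safe_resolve(WEB_ROOT, user_path) else "blocked"


if __name__ == "__main__":
    for p in ["docs/readme.txt", "docs/../readme.txt",
              "../../etc/passwd", "/etc/passwd"]:
        print(f"{p!r}: {classify(p)}")
```

Comparing resolved paths is more robust than rejecting the substring `..`, because encoded, doubled or platform-specific separators all normalise to the same real path before the comparison.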
How we used to manage web applications
Vulnerability Management
Web Application Security Program Overview
Application Security Lifecycle
Development Phases
Integration
[Diagram: Platform vulns]
Limitations of static analysis/scanning
• Can’t catch everything
• No validation
• No exploitability/impact
• Miss logic flaws
• Fire and forget
• The bad guys don’t use them
Best Practices for Web App Pen Testing
• Begin testing in the development process.
• Use a combination of tools and manual process.
• Include traditional pen testing of the underlying platform.
• Perform periodic testing post-deployment, especially as new exploits appear.
Adapting your program for the long term
• Understand the different requirements of web application vulnerability management.
• Establish web application configuration standards and begin enforcement during development.
• Include code and vulnerability scanning, but you cannot skip penetration testing.