Web Applications Testing
DESCRIPTION
Web Applications Testing, by Jamie Rougvie. PowerPoint presentation transcript.
TRANSCRIPT
Web Applications Testing
By Jamie Rougvie
Supported by
Jamie Rougvie 2
Disclaimer
• All information presented here is for educational use only.
• Please only practice in a controlled environment that you own or that you have written permission to use!
Why test web applications?
•Tesco web security 'flaw' probed by UK data watchdog.
•6.5 Million LinkedIn passwords leaked by hackers.
•GoDaddy hacked, millions of sites go down in registrar outage.
•Yahoo hacked, 450,000 passwords posted online.
• IEEE exposed 100k plaintext usernames and passwords on their FTP server.
Common tools
• Web browser
• Burp Suite / ZAP
There are loads of other tools and plugins to aid us when testing, but the most common ones are:
• Sqlmap
• Nikto
• Nessus
• DirBuster
• BeEF
• Automated scanners: Netsparker, Acunetix and w3af
What is a Proxy?
Demo Burp Suite
Getting Started
• Browse the website
• Identify functional pages
• List possible attacks for the functional pages
• Try to implement the attacks
• Document everything with screenshots
OWASP Top 10
• A1: Injection
• A2: Cross-Site Scripting (XSS)
• A3: Broken Authentication and Session Management
• A4: Insecure Direct Object References
• A5: Cross-Site Request Forgery (CSRF)
• A6: Security Misconfiguration
• A7: Insecure Cryptographic Storage
• A8: Failure to Restrict URL Access
• A9: Insufficient Transport Layer Protection
• A10: Unvalidated Redirects and Forwards
SQL Injection
A1 Injection
About SQL
• SQL injection attacks are the process of injecting SQL commands into SQL queries to manipulate the database which the application relies on.
• Two types of SQL injection: error-based and blind.
Demo of SQL Injection
SQL Explained
• We can assume the SQL statement is: SELECT * FROM users WHERE username='' AND password=''
• The code we injected into the password field: ' or ''='
• The query that gets submitted is: SELECT * FROM users WHERE username='' AND password='' or ''=''
• The condition ''='' is always true, so the WHERE clause matches and data from the database gets returned.
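The login query above, run both ways against an in-memory SQLite database. This is an added example, not code from the slides: the table layout, the user "alice" and the password are constructed values. The vulnerable function builds the statement by string concatenation exactly as the slide assumes, so the injected quote becomes SQL syntax; the safe function passes the same values as bound parameters, so the same input is compared as a literal string and matches nothing.

```python
import sqlite3

# Constructed sample database (assumed values, not from the slides):
# one account so that a successful bypass is visible as a returned row.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'S3cret!')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: quotes inside the user's input close the string
    # literal and the remainder is parsed as SQL.
    query = ("SELECT * FROM users WHERE username='" + username +
             "' AND password='" + password + "'")
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    # Parameterized query: the driver transmits the values separately from the
    # statement text, so a quote in the input is data, never syntax.
    query = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    # The payload from the slide, submitted in the password field with an
    # empty username. Returns the row counts each variant produces.
    conn = make_db()
    payload = "' or ''='"
    return {
        # WHERE username='' AND password='' or ''=''  ->  always true
        "vulnerable_rows": len(login_vulnerable(conn, "", payload)),
        # WHERE username=? AND password=?  with the payload as a literal value
        "safe_rows": len(login_safe(conn, "", payload)),
        # The parameterized version still lets a real user in.
        "safe_valid_rows": len(login_safe(conn, "alice", "S3cret!")),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable variant returns the single stored row for an empty username and the tautology payload, while the parameterized variant returns none for that input and one for the genuine credentials. In a real application the stored value would be a password hash compared after lookup, not a plaintext column; the parameter binding is the part that closes the injection.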
Power of SQL Injection
• Bypass login pages.
• Dump entire databases using a tool like Sqlmap. This will give you usernames and passwords, which you would then need to crack if they were hashed.
• People like using the same username and password on many sites, so you can now try to access other sites with the login details.
Cross Site Scripting
A3 XSS
About XSS
• Injecting HTML or running code (JavaScript) in a user's web browser.
• Three types of XSS: stored, reflected and DOM-based.
• XSS can be found in any user-supplied input: cookies, GET and POST parameters, HTTP headers.
XSS Demo
What can you do with an XSS attack?
• Steal cookies
• Redirect users
• Deface the website
• Use BeEF
BEEF Demo
The Solution
Always validate any input from the user on the server side!
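The server-side handling this slide calls for, applied to the XSS case from the About XSS slide. This is an added example, not code from the slides: the page template, the `name` parameter and the probe string are constructed. Validation alone is not enough for XSS, because a value can be legitimate and still carry markup, so the safe version also HTML-encodes the value at the point where it is written into the page; the validator shows the allow-list check that belongs in front of both the database and the page.

```python
import html
import re

# Constructed sample inputs (not from the slides): an ordinary name and a
# reflected-XSS probe of the kind the XSS demo shows in the browser.
BENIGN = "Jamie"
HOSTILE = "<script>alert(1)</script>"


def greet_vulnerable(name):
    # Reflects the raw parameter into the response body: any markup in the
    # input is markup in the page, and the browser executes it.
    return "<p>Hello, " + name + "</p>"


def greet_safe(name):
    # Output encoding: & < > " ' become entities, so the browser renders the
    # text rather than interpreting it as HTML.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Allow-list for a username field: letters, digits and a few separators,
# bounded in length. Anything else is rejected before it is used.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def validate_username(name):
    # Server-side validation cannot be bypassed by editing the request in a
    # proxy, unlike a check that runs only in the browser.
    return USERNAME_RE.fullmatch(name) is not None


def contains_active_markup(rendered):
    # Defender-side check on a rendered response: does a <script> element
    # appear where only text was expected?
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(greet_vulnerable(HOSTILE))
    print(greet_safe(HOSTILE))
    print(validate_username(BENIGN), validate_username(HOSTILE))
```

Encoding and validation do different jobs: `validate_username` rejects both the XSS probe and the SQL tautology from the SQL Explained slide because neither fits the allowed character set, while `greet_safe` protects any field where free text such as a comment is legitimately allowed through.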
Common Vulnerabilities
Low hanging fruit
Default Login Details
• Many people make the mistake of installing applications and leaving the default settings in place.
Example:
root : password – MySQL
root : blank – phpMyAdmin
• This may vary between versions, but a quick Google search can find the correct default login details.
Weak Passwords
• This is really common and yet so simple to fix!
123456
Password
123456789
abc123
111111
There are loads more default and silly passwords!
• Other bad ideas:
Any dictionary word
Website name
Organisation details
Old Version Running
• Companies don't upgrade web servers or CMS (Content Management System) software in case they break it.
• This makes it easier to exploit, as known security bugs will not have been fixed.
Information Leakage
• Information leaked from the site can give vital information to the attacker. Information leakage can come in many forms.
Example:
PRACTICE RESOURCES
• jamierougive.co.uk – My blog
• ypisg.bcs.org – Young Professional Information Security Group
• http://vulnhub.com – Great for all testing
• hack.me – Work in progress, as seen in the demos
• www.owasp.org – Great for web app testing
• www.trustedsec.com – Social-Engineer Toolkit
• www.dvwa.co.uk – Damn Vulnerable Web App
• www.kioptrix.com – Demo example
• g0tmi1k.blogspot.co.uk – Boot2Root
• http://beefproject.com/ – BeEF Project
Questions!!
ANY QUESTIONS ?