Hanika D
Manjyot Singh
Samaj Shekhar
Security Testing - Zap It
Introduction
Manjyot Singh
QA @ Thoughtworks
manjyots@thoughtworks.com
Hanika D
QA @ Thoughtworks
hanikad@thoughtworks.com
Samaj Shekhar
App Dev @ Thoughtworks
samajs@thoughtworks.com
Security Risk
Importance
Impact
OWASP
● Open Web Application Security Project.
● Online community, which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
● Not-for-profit charitable organization.
● Focussed on improving the security of software.
● All material is available under a FOSS license.
● Currently has over 142 active projects.
OWASP Top 10
● List the 10 most critical web application security risks.
● A powerful awareness document.
● Published at regular intervals.
○ Approximately once in 3 years.
○ Last published in 2013
OWASP Top 10
● Injection.
● Broken authentication and session management.
● Cross-site scripting (XSS).
● Insecure direct object references.
● Cross-site request forgery (CSRF).
● Sensitive data exposure.
● Missing functional level access control.
● Security misconfigurations.
● Using component with known vulnerabilities.
● Unvalidated redirects and forwards.
OWASP ZAP (Zed Attack Proxy)
DEMO
OWASP ZAP (Zed Attack Proxy)
● DVWA (a sample application with known vulnerabilities, used for the demo)
● Get permission before attacking public web applications
● Bounty Programmes
ZAP
OWASP ZAP (Zed Attack Proxy)
1-Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
OWASP ZAP (SQL Injection)
http://192.168.99.100/vulnerabilities/sqli/?id=%20%2017:%20%27%20or%20%27a%27=%27a&Submit=Submit
SQL Injection - Batched SQL statement
SELECT * FROM Users; DROP TABLE Suppliers;
Prevention
Use parameterized queries.
txtName = getRequestString("CustomerName");
txtSQL = "INSERT INTO Customers (CustomerName) Values(@0)";
db.Execute(txtSQL, txtName);
Prevention
What the database actually receives: the value is bound to @0, never parsed as SQL.
declare @0 = 'ThoughtWorks';
INSERT INTO Customers (CustomerName) Values(@0);
OWASP ZAP (Zed Attack Proxy)
2-XSS
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without
proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to malicious sites.
OWASP ZAP (XSS)
What’s your name : <script>alert(1);</script>
XSS - Prevention
Never insert untrusted data in HTML.
Escape untrusted JSON, JS or HTML before inserting.
Sanitize HTML Markup with a Library Designed for the job.
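Added example, not from the slides: the "What's your name" field rendered raw and then escaped for three output contexts (HTML body, attribute, JavaScript value), using the slide's script-tag input. The page templates are assumptions.

```python
import html
import json

# Untrusted input from the slide's demo form (constructed here).
UNTRUSTED = "<script>alert(1);</script>"

def render_greeting_unsafe(name):
    # Raw interpolation: the browser parses the script tag and runs it.
    return "<p>Hello " + name + "</p>"

def render_greeting(name):
    # HTML body context: escape &, <, >, " and ' so the text is shown, not parsed.
    return "<p>Hello " + html.escape(name) + "</p>"

def render_attribute(name):
    # Attribute context: always quote the attribute and escape quotes as well.
    return '<input value="' + html.escape(name, quote=True) + '">'

def render_js_value(name):
    # JavaScript/JSON context: JSON-encode the value and neutralise "</" so
    # the data cannot close the enclosing <script> element early.
    encoded = json.dumps(name).replace("</", "<\\/")
    return "<script>var name = " + encoded + ";</script>"
```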
OWASP ZAP (Zed Attack Proxy)
3-Command execution
Command injection is an attack in which the goal is execution of arbitrary commands on the host
operating system via a vulnerable application. Command injection attacks are possible when an
application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell.
OWASP ZAP (Command Execution)
IP = 192.168.1.1& ls
OWASP ZAP (Command Execution)
#include <stdlib.h>
#include <string.h>
#define CMD_MAX 256
/* Vulnerable by design (as on the slide): argv[1] goes straight into a shell command line. */
int main(int argc, char **argv) {
    if (argc < 2) return 1;
    char cmd[CMD_MAX] = "/usr/bin/cat ";
    strncat(cmd, argv[1], CMD_MAX - strlen(cmd) - 1);
    system(cmd);
}
Command Execution - Prevention
The URL and form data need to be sanitized for invalid characters.
A “blacklist” of characters is an option, but it may be difficult to think of all of the characters to validate against, and there may be some that have not been discovered yet.
A “white list” containing only allowable characters should be created to validate the user input. Characters that were missed, as well as undiscovered threats, are eliminated by this list.
OWASP ZAP (Zed Attack Proxy)
4-Brute Force
A brute force attack can manifest itself in many different ways, but primarily consists of an attacker configuring predetermined values, making requests to a server using those values, and then analyzing the response.
OWASP ZAP (Brute Force)
Username : admin'#
Brute Force - Prevention
The most obvious way to block brute-force attacks is to simply lock out accounts after a defined
number of incorrect password attempts.
Another solution is to lock out an IP address with multiple failed logins.
After one or two failed login attempts, you may want to prompt the user not only for the
username and password but also to answer a secret question.
Use a CAPTCHA to prevent automated attacks.
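Added example, not from the slides: the first two prevention points (account lockout and IP lockout after repeated failures) as a small login throttle with a sliding window. The thresholds and the injectable clock are assumptions chosen so the behaviour can be tested without waiting.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5           # failed attempts allowed per account and per IP
WINDOW_SECONDS = 15 * 60   # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60  # how long a locked key stays locked

class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_locked(self, key):
        return self.locked_until.get(key, 0) > self.clock()

    def record_failure(self, username, ip):
        # Count the failure against both the account and the source IP,
        # so neither guessing one account from many IPs nor many accounts
        # from one IP goes unnoticed.
        now = self.clock()
        for key in (("user", username), ("ip", ip)):
            self._prune(key, now)
            self.failures[key].append(now)
            if len(self.failures[key]) >= MAX_FAILURES:
                self.locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, username, ip):
        self.failures.pop(("user", username), None)

    def allow_attempt(self, username, ip):
        return not (self.is_locked(("user", username)) or self.is_locked(("ip", ip)))
```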
OWASP ZAP (Zed Attack Proxy)
5-Insecure Direct object references
A direct object reference occurs when a developer exposes a reference to an internal implementation
object, such as a file, directory, or database key. Without an access control check or other protection,
attackers can manipulate these references to access unauthorized data.
OWASP ZAP (Insecure Direct object references)
http://misc-security.com/file.jsp?file=report.txt
http://misc-security.com/file.jsp?file=../../../etc/shadow
Insecure Direct object references - Prevention
Use indirect reference maps.
- Use hash of file name.
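Added example, not from the slides: an indirect reference map that hands the client a random per-session token instead of the file name, plus the slide's hash-of-file-name variant. The `serve_file` handler and the allowed-file set are assumptions.

```python
import hashlib
import secrets

class IndirectReferenceMap:
    """Per-session map from random tokens to real file names.

    The client only ever sees the token, never 'report.txt', so there is no
    direct reference to tamper with; a typed-in path resolves to nothing."""

    def __init__(self):
        self._token_to_name = {}
        self._name_to_token = {}

    def reference_for(self, filename):
        # One token per file per session; reuse it if already issued.
        if filename not in self._name_to_token:
            token = secrets.token_urlsafe(16)
            self._name_to_token[filename] = token
            self._token_to_name[token] = filename
        return self._name_to_token[filename]

    def resolve(self, token):
        # Unknown tokens (including '../../../etc/shadow') resolve to None.
        return self._token_to_name.get(token)

def hashed_references(allowed_files):
    # Variant from the slide: key the map by a hash of the file name, built
    # only from the files this user may read, so the lookup doubles as the
    # access-control check.
    return {hashlib.sha256(name.encode()).hexdigest(): name for name in allowed_files}

def serve_file(session_map, token, allowed_files):
    # Resolve the token and still enforce the access check on the result.
    filename = session_map.resolve(token)
    if filename is None or filename not in allowed_files:
        return 403, None
    return 200, filename
```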
OWASP ZAP (Zed Attack Proxy)
6-CSRF
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s
session cookie and any other automatically included authentication information, to a vulnerable web
application. This allows the attacker to force the victim’s browser to generate requests the vulnerable
application thinks are legitimate requests from the victim.
OWASP ZAP (CSRF)
http://bank.com/transferFunds?amount=1500&destAccount=12312
OWASP ZAP (CSRF)
A malicious user tricks the victim into opening a page containing an image whose source is the forged link:
<img src="http://bank.com/transferFunds?amount=1500&destAccount=9999"/>
CSRF - Prevention
Checking referrer header.
Checking origin header.
Requiring the user to reauthenticate or prove they are a user.
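Added example, not from the slides: the Origin and Referer header checks from the first two prevention points, applied to a request to the transferFunds endpoint. The allowed origin, the header dictionary shape and the attacker host name are assumptions.

```python
from urllib.parse import urlsplit

# Assumed: the bank's own origin. Constructed value, not from the slides.
ALLOWED_ORIGINS = {"https://bank.example"}

def request_origin(headers):
    # Prefer the Origin header; fall back to the scheme and host of Referer
    # (the HTTP header is spelt "Referer"). Headers are assumed canonical-case.
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None

def is_csrf_safe(headers):
    # A request forged through an <img> tag on another site arrives with the
    # attacker's page as Referer, or with neither header; both are refused.
    # Exact match on the full origin defeats prefix tricks such as
    # bank.example.attacker.example.
    return request_origin(headers) in ALLOWED_ORIGINS

def handle_transfer(headers, amount, dest_account):
    # Returns an HTTP status: 403 for a cross-site request, 200 otherwise.
    if not is_csrf_safe(headers):
        return 403
    return 200
```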
Questions
