What You Need to Know About Web App Security Testing in 2018
0 likes376 views
The document provides an overview of web application security testing, detailing tools and methodologies for identifying vulnerabilities such as OWASP Top 10 threats. It emphasizes the importance of proactive security measures, including threat modeling and the use of tools like OWASP ZAP and dependency checks. The talk focuses on practical experiences, underscoring that security is a continuous process rather than a one-time checklist.
![GET https://[redacted].com/orchestration_1111/gdc/
BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-
NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/
Paris&TimeFrom=2014-09-27T09:15:21](https://image.slidesharecdn.com/securityv1-180112004452/85/What-You-Need-to-Know-About-Web-App-Security-Testing-in-2018-4-320.jpg)
![GET https://[redacted].com/orchestration_1111/gdc/
BatteryStatusRecordsRequest.php?RegionCode=NE&lg=no-
NO&DCMID=&VIN=SJNFAAZE0U60XXXXX&tz=Europe/
Paris&TimeFrom=2014-09-27T09:15:21](https://image.slidesharecdn.com/securityv1-180112004452/85/What-You-Need-to-Know-About-Web-App-Security-Testing-in-2018-6-320.jpg)
What You Need to Know About Web App Security Testing in 2018
- 1. WhatYou Need to Know About Web App Security Testing in 2018 Ken De Souza STP Community Webinar, January 2018 V. 1.4 Twitter: @kgdesouz blog.tkee.org
- 2. Source: http://www.troyhunt.com/2016/02/controlling-vehicle-features-of-nissan.html
- 13. This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.
- 14. This topic is HUGE The tools don’t replace thinking.
- 15. Common terminology Learn something about the threats Demos of tools Explain the risks to stake holders Where to go next
- 16. "security, just like disaster recovery, is a lifestyle, not a checklist" This is not a black and white problem Source: https://news.ycombinator.com/item?id=11323849
- 17. STRIDE(identification) DREAD(classification) OWASP Top 10 (attack vectors)
- 18. OWASP ZAP (Web application vulnerability analysis) Dependency Check (3rd party vulnerability analysis)
- 19. nmap / Wireshark / tcpdump (network analysis) Microsoft Threat Modeling (communication)
- 21. STRIDE Spoofing Tampering Repudiation Information Disclosure Denial of Service Elevation of Privilege Source: https://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx
- 22. Sources: https://www.owasp.org/index.php/Application_Threat_Modeling http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx Type Security Control Examples Spoofing Authentication I am Spartacus Tampering Integrity Looks like Johnny got an A! Repudiation Non- Repudiation Didn’t Johnny have a B? Information disclosure Confidentiality Johnny’s SSN is… Denial of service Availability Please try again later. Elevation of privilege Authorization sudo rm –rf /home/johnny
- 23. DREAD Damage Reproducibility Exploitability Affected users Discoverability Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx
- 24. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx Developer point of view…. DREAD Parameter Rating Rationale Damage Potential 5 An attacker could read and alter data in the product database. Reproducibility 10 Can reproduce every time. Exploitability 2 Easily exploitable by automated tools found on the Internet. Affected Users 1 Affects critical administrative users Discoverability 1 Affected page “admin.aspx” easily guessed by an attacker. Overall Rating 3.8
- 25. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx Tester point of view… DREAD Parameter Rating Rationale Damage Potential 10 An attacker could read and alter data in the product database. Reproducibility 10 Can reproduce every time. Exploitability 10 Easily exploitable by automated tools found on the Internet. Affected Users 10 Affects critical administrative users Discoverability 10 Affected page “admin.aspx” easily guessed by an attacker. Overall Rating 10
- 27. OWASP Top 10, 2017 Source: https://github.com/OWASP/Top10/raw/master/2017/OWASP%20Top%2010%20-%202017%20RC1-English.pdf
- 28. OWASP Top 10 Open Web Application Security Project
- 29. A1: Injection http://example.com/app/accountView? id=' A2: Broken Authentication Using known passwords (from various public lists) Allowing insecure (not strong) passworrd (e.g.: Password1) A3: Sensitive Data Exposure SSL not being used Meltdown Bad programming A4: XML External Entities (new) <node attrib='foo''/> A5: Broken Access Control http://example.com/app/accountInfo? acct=notmyacct Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
- 30. A6: Security Misconfiguration Default admin account enabled; directories shown on site; Stack traces shown to users; A7: Cross Site Scripting (XSS) <script>alert('test');</script> A8: Insecure Deserialization (new) Typical data tampering attacks, such as access-control-related attacks, where existing data structures are used but the content is changed. A9: Using Components with known vulnerability Not patching your 3rd party sh*t A10: Insufficient Logging & Monitoring (new) Monitoring unauthorized access; Alerting on potential breaches; Source: https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
- 31. nmap crt.sh dig
- 32. nmap what ports are open? Where can you attack? Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 34. Source: crt.sh
- 35. Source: dig -f shopify-urls.txt +noall +answer
- 38. Network packet / protocol analysis tool Allows users to capture network traffic from any interface, like Ethernet,Wifi, Bluetooth, USB, etc
- 39. Why use Wireshark? It is a great tool to debug your environment Help to examine potential security problems
- 41. docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie" This container has LOTS of vulnerabilities, designed for learning about web security Source: Docker running “Ticket magpie” (https://github.com/dhatanian/ticketmagpie)
- 42. Wireshark Look at red/yellow lines between systems Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 43. Demo
- 46. tcpdump: Look at red/yellow lines between systems Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 47. Why use tcpdump? Use this when you can’t use Wireshark Great for servers
- 49. OWASP ZAP
- 50. Why use OWASP ZAP? Can be used to find many of the top 10 exploits Can be quick integrated into you manual or automated workflow Can be used in active or passive mode
- 55. Demo
- 56. Dependency Check
- 57. What is it? Checks your application for 3rd party software Looks to see if there are any known vulnerabilities and gives you suggestions on how to fix them
- 60. Threat Modeling
- 61. What is it? A way to analyze and communicate security related problems This is a much larger topic than we have time for … but I’ll give you the basics
- 62. Why do this? To explain to management To explain to customers To explain to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model
- 63. Threat Modeling: Communicating it… Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 64. Threat Modeling Step 1: Enumerate – Product functionality – Technologies used – Processes – Listening ports – Process to port mappings – Users processes that running – 3rd party applications / installations
- 65. Threat Modeling Step 2: Data flow with boundaries Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat- modeling-you-apps.aspx
- 66. Demo
- 69. All these tools, help to answer the question Is your application secure?
- 70. Where to go next?
- 74. Bug bounties
- 75. Practice https://thetestdoctor.wordpress.com/2016/10/11/introducing-ticket-magpie/
- 77. To conclude…
- 78. Be aware and prepare yourself for the worst. Coming up with a plan is important Understanding attack vectors is important
- 79. Thanks!
- 81. References • Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/ preventing-csrf-with-samesite-cookie-attribute/ • Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/ security-ninjas-opensource • Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling- web-application-a-case-study • Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx • Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http:// www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known- vulnerabilities • Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world- application-threat-modelling-by-example • The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/ • Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx • Struts Bug Explained: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability- what-you-need-to-know/