Hands on Demonstration for Testing Security in Web Applications
Aaron Weaver, August 2010
Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
In the news...
The solution? And no, not in the Cloud!
Web Application Security Testing
OWASP Top 10 list
• SQL Injection
• Cross Site Scripting
• Authentication
Top attacks
(diagram: the network layer is made up of a firewall, hardened OS, web server, app server and a second firewall; the application layer is custom code sitting in front of databases, legacy systems, web services, directories, human resources and billing; an application attack passes straight through the network layer into the custom code and on to business functions such as accounts, finance, administration, transactions, communication, knowledge management and e-commerce)
SQL Injection
(diagram: HTTP request → SQL query → DB table → HTTP response)
"SELECT * FROM accounts WHERE acct='' OR 1=1--'"
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user
Account Summary
Acct: 5424-6066-2134-4334
Acct: 4128-7574-3921-0192
Acct: 5424-9383-2039-4029
Acct: 4128-0004-1234-0293
(form fields: Account, SKU)
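The five steps above are easier to see in code. The following is an added example, not part of the original slides: it builds the slide's accounts table in an in-memory SQLite database (constructed sample rows, made-up account numbers), shows the string-concatenated lookup that turns the slide's `' OR 1=1--` form value into `WHERE acct='' OR 1=1--'`, puts the parameterised version beside it, and adds the kind of check a scanner such as Skipfish performs, comparing the row count for a value that should match nothing against the row count for the tautology payload. The function names and the `probe_for_injection` helper are this example's own.

```python
import sqlite3

# Constructed sample data standing in for the slide's "Account Summary";
# the account numbers are made up for this example.
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]


def make_db():
    # In-memory SQLite table playing the role of the DB in the diagram.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    # Slide step 3: the form value is pasted into the SQL text, so a quote
    # character in the value closes the literal and the rest is parsed as SQL.
    sql = "SELECT acct FROM accounts WHERE acct='" + acct + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, acct):
    # Parameterised query: the value is sent separately from the statement and
    # can only ever be compared as data, never interpreted as SQL.
    rows = conn.execute("SELECT acct FROM accounts WHERE acct=?", (acct,))
    return [row[0] for row in rows]


def probe_for_injection(conn, lookup):
    # Tester-side check: does the slide's tautology payload return more rows
    # than a value that should match nothing? If so, the input reached the
    # query as SQL rather than as data.
    baseline = len(lookup(conn, "0000-0000-0000-0000"))
    tautology = len(lookup(conn, "' OR 1=1--"))
    return tautology > baseline


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "' OR 1=1--"))   # every account
    print("safe:      ", lookup_safe(db, "' OR 1=1--"))         # no rows
    print("injectable?", probe_for_injection(db, lookup_vulnerable),
          probe_for_injection(db, lookup_safe))
```

The probe is deliberately a row-count comparison rather than a search for an error string: it is the same "did the application behave differently?" logic that the blind-injection checks listed under Skipfish rely on, and it works against the safe implementation too, where it correctly reports nothing.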
Cross-Site Scripting
Application with stored XSS vulnerability
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile
3. Script silently sends attacker victim's session cookie
Script runs inside victim's browser with full access to the DOM and cookies
(diagram: the stored script lives in the custom code layer, reached through business functions such as accounts, finance, administration, transactions, communication, knowledge management and e-commerce)
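The three-step stored XSS scenario above, as an added example that is not part of the original slides. It renders a profile page twice from the same stored bio: once with the stored text written straight into the HTML (the slide's vulnerable application) and once with output encoding via Python's `html.escape`. A small tester-side check then asks whether the stored marker came back as a live `<script>` tag, and a `session_cookie_header` helper shows the HttpOnly flag that keeps a session cookie out of `document.cookie` even when a script does run. The bio string, the page template and all function names are constructed for this example; the script body is an inert comment, not working exfiltration code.

```python
import html
import re
from http.cookies import SimpleCookie

# Constructed attacker profile text (slide step 1). The script body is a
# comment placeholder standing in for the cookie-stealing payload; it does nothing.
STORED_PROFILE_BIO = "Hi there!<script>/* would read document.cookie here */</script>"

# Minimal page template; a real application would use a templating engine
# that escapes by default.
PAGE_TEMPLATE = "<html><body><h1>Profile: {name}</h1><p>{bio}</p></body></html>"


def render_profile_vulnerable(name, bio):
    # Stored data is written into the page unchanged, so a saved <script> tag
    # becomes live script in every viewer's browser (slide steps 2 and 3).
    return PAGE_TEMPLATE.format(name=name, bio=bio)


def render_profile_safe(name, bio):
    # Output encoding: '<', '>', '&' and quotes become entities, so the browser
    # displays the attacker's text literally instead of executing it.
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True),
                                bio=html.escape(bio, quote=True))


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page_html):
    # Tester-side check on the HTTP response: did our stored marker come back
    # as a real tag ("<script") rather than as text ("&lt;script")?
    return SCRIPT_TAG.search(page_html) is not None


def session_cookie_header(session_id):
    # Defence in depth for step 3: HttpOnly keeps the cookie out of the DOM's
    # document.cookie, so even a script that does run cannot read it; Secure
    # restricts it to HTTPS; SameSite=Strict limits cross-site sending.
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    for render in (render_profile_vulnerable, render_profile_safe):
        page = render("eve", STORED_PROFILE_BIO)
        print(render.__name__, "-> live script:", contains_live_script(page))
    print(session_cookie_header("constructed-session-id"))
```

Escaping on output rather than on input is the point: the same stored bio is harmless or dangerous depending only on how the page is rendered, which is why testing with a proxy means looking at the raw response body, not the browser's rendering of it.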
Authentication
Tools Overview
Tools
• Proxies
  • Burp Suite
  • Paros
  • WebScarab
  • Fiddler
  • FoxyProxy plugin
• Open source scanners
  • Skipfish
FoxyProxy Browser Plugin
https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish
http://code.google.com/p/skipfish/
A fully automated, active web application security reconnaissance tool.
* Server-side SQL injection (including blind vectors, numerical parameters).
* Stored and reflected XSS.
* Directory listing bypass vectors.
* External untrusted embedded content.
Quick Cheat Sheet
AppSec Tools Demonstration
Prioritizing
DREAD
• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability
Threat Risk Scoring
Each of the five DREAD factors is scored 0-3; the sum gives a total of 0-15.
Severity Rating
• Low: 1-7
• Medium: 8-10
• High: 11-14
• Critical: 15
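The DREAD scoring and severity table above, applied to a list of findings, as an added example that is not from the original slides. It validates that every factor is an integer in the slide's 0-3 range, sums the five factors to the 0-15 total, maps the total onto the slide's Low/Medium/High/Critical bands, and orders a set of findings highest first. The four findings and their scores are constructed for this example, and the label given to a total of 0 (which the slide's table does not cover) is this example's own assumption.

```python
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


def dread_total(scores):
    # Each factor is rated 0-3 as on the slide; anything else is a data-entry
    # error and should fail loudly rather than skew the ranking.
    total = 0
    for factor in FACTORS:
        value = scores[factor]
        if not isinstance(value, int) or not 0 <= value <= 3:
            raise ValueError(f"{factor} must be an integer 0-3, got {value!r}")
        total += value
    return total


def severity(total):
    # The slide's severity table. A total of 0 falls outside it; calling that
    # "Informational" is this example's assumption, not the slide's.
    if total == 15:
        return "Critical"
    if total >= 11:
        return "High"
    if total >= 8:
        return "Medium"
    if total >= 1:
        return "Low"
    return "Informational"


def prioritize(findings):
    # findings: list of (title, scores dict). Returns (title, total, severity)
    # tuples, highest total first; the sort is stable so ties keep input order.
    ranked = []
    for title, scores in findings:
        total = dread_total(scores)
        ranked.append((title, total, severity(total)))
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


# Constructed findings for this example; the scores are illustrative.
SAMPLE_FINDINGS = [
    ("Verbose SQL error message on login page",
     dict(damage=1, reproducibility=2, exploitability=1, affected_users=1, discoverability=1)),
    ("SQL injection in account lookup",
     dict(damage=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=2)),
    ("Stored XSS in user profile",
     dict(damage=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=3)),
    ("Directory listing on /images",
     dict(damage=1, reproducibility=3, exploitability=2, affected_users=1, discoverability=3)),
]


if __name__ == "__main__":
    for title, total, rating in prioritize(SAMPLE_FINDINGS):
        print(f"{total:2d} {rating:<8} {title}")
```

Keeping the factor scores, rather than only the total, in the tracker is what makes the ranking defensible later: two findings with the same total can differ a lot in which factor drives it, and that is usually what decides which one gets fixed first.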
Threat Risk Modeling
• STRIDE (Microsoft)
• OWASP Risk Ranking
• Trike
• CVSS
Questions?
Thanks!