Download Hands on Demonstration for Testing Security in Web Applications

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Microsoft Jet Database Engine wikipedia , lookup

Relational model wikipedia , lookup

Database model wikipedia , lookup

SQL wikipedia , lookup

Clusterpoint wikipedia , lookup

PL/SQL wikipedia , lookup

Open Database Connectivity wikipedia , lookup

Team Foundation Server wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Transcript 
Hands on
Demonstration for
Testing Security in
Web Applications
Aaron Weaver
August 2010
Agenda
• What kind of application security
vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
In the news...
the Solution?
AND NO
Not in the Cloud!
Web Application
Security Testing
OWASP Top 10 list
Top attacks
• SQL Injection
• Cross Site Scripting
• Authentication
ATTACK


Custom Code
App Server
Firewall
Hardened OS
Firewall
Network Layer
Web Server
DB Table


Billing
Human Resrcs
Directories
Web Services

Legacy Systems
Databases
HTTP
responseSQL

query
HTTP
request
APPLICATION
"SELECT * FROM
accounts WHERE
SKU:
acct=‘’ OR 1=1-Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
’"
Account Summary
Account:
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
Administration
Transactions
Accounts
Finance
Application Layer
SQL Injection
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
1. Application presents a
form to the attacker
2. Attacker sends an
attack in the form data
3. Application forwards
attack to the database in
a SQL query
4. Database runs query
containing attack and
sends encrypted results
back to application
5. Application decrypts
data as normal and
sends results to the user
Cross-Site Scripting
Attacker sets the trap – update my profile
Victim views page – sees attacker profile
Custom Code
Script runs inside victim’s
browser with full access to
the DOM and cookies
3
Script silently sends attacker Victim’s session cookie
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
2
Administration
Transactions
Attacker enters a
malicious script into a
web page that stores the
data on the server
Application with
stored XSS
vulnerability
Accounts
Finance
1
Authentication
Tools Overview
• Proxies
Tools
• Burp Suite
• Paros
• WebScarab
• Fiddler
• FoxyProxy plugin
• Open source scanners
• Skipfish
Burp Suite
http://portswigger.net/proxy/
FoxyProxy Browser Plugin
https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish
A fully automated, active web application security
reconnaissance tool
* Server-side SQL injection (including blind vectors, numerical
parameters).
* Stored and reflected XSS
* Directory listing bypass vectors.
* External untrusted embedded content.
http://code.google.com/p/skipfish/
Cheat Sheet
Quick Cheat Sheet
Cheat Sheet
AppSec Tools
Demonstration
Prioritizing
Threat Risk
D
R
E
A
D
amage potential
eproducibility
xploitability
ffected users
iscoverability
Scoring
D
R
E
A
D
0-3 =
0-15
Total
Severity Rating
Low
1-7
Medium
8-10
High
11-14
Critical
15
Threat Risk Modeling
• STRIDE (Microsoft)
• OWASP Risk Ranking
• Trike
• CVSS
Questions?
Thanks!
Related documents
網站安全 - 國立暨南國際大學
網站安全 - 國立暨南國際大學
Data Warehouse performance and maintenance
Data Warehouse performance and maintenance
slides - WordPress.com
slides - WordPress.com
COMPUTER INFORMATION TECHNOLOGY AT NKU
COMPUTER INFORMATION TECHNOLOGY AT NKU
What is SQL Injection?
What is SQL Injection?
Web Application Security
Web Application Security
Security in network
Security in network
SQL Injections
SQL Injections
Representatives from 196 nations made a historic pact Saturday
Representatives from 196 nations made a historic pact Saturday
SQL injection attacked
SQL injection attacked
Job Descriptions - Human Resources Department JOB GOAL
Job Descriptions - Human Resources Department JOB GOAL
Business Intelligence and Data Warehousing
Business Intelligence and Data Warehousing
Lecture 20 - The University of Texas at Dallas
Lecture 20 - The University of Texas at Dallas
Slide 1
Slide 1
Recruitment Authorisation Form
Recruitment Authorisation Form
mysql> show tables
mysql> show tables
Elements of SQL Data Definition Language
Elements of SQL Data Definition Language
to vulnerable site
to vulnerable site
Workshop 3 Web Application Security - comp
Workshop 3 Web Application Security - comp
OWASP Top 10 2007
OWASP Top 10 2007
20121101
20121101
WHAT IS SQL INJECTION? ANATOMY OF A SQL INJECTION
WHAT IS SQL INJECTION? ANATOMY OF A SQL INJECTION