Web applications are complex, face a massive volume of sophisticated attacks, and are a major target of attackers. Security testing is considered an art: a tester's success in detecting vulnerabilities depends mainly on his skills. We therefore combine advanced testing techniques, experienced testing specialists and a process-driven approach to security testing, so that we deliver a highly effective security testing service with fewer resources and in a shorter period of time.
The OWASP Top 10, dedicated to security analysis, has proved its ability to identify complex attacks on web-based and mobile applications. However, the gap between an abstract attack trace derived from the OWASP Top 10 and a penetration test on the real web application is still an open issue. We present here an approach, "What We Can Do", for security testing web applications starting from a secure model.
2. Presenter : Hien Trinh Minh
Background & Work experience:
Harvey Nash Vietnam : Testing Solution Architect
More than 2 years of experience in Web Application Security Testing, Mobile Application Security Testing and security analysis.
More than 12 years of experience in software testing for telecom applications and networking.
More than 7 years of experience in software testing for UMTS: Inter-Operability Test, Functional Network Element Test, and field testing activities at a 3G lab with a live network.
Contact info:
Hien.trinhminh@harveynash.vn
3. Tech Agenda
• Introduction to Security Testing
• Open Web Application Security Project Top 10
• Security testing on OWASP Web Top 10
• Security Testing Tools
• Demo
4. Introduction to Security Testing
Diagram of security testing categories: Security Testing, Network Security Testing, Application Security Testing, Web App Security Testing, Mobile App Security Testing.
5. Introduction to Security Testing (cont.)
• High Risks
– Allows an attacker to read or modify confidential data belonging to other web sites. If exploited, it would compromise data security, potentially allowing access to confidential data, or could compromise processing resources on a user's computer.
• Medium Risks
– Allows an attacker to obtain limited amounts of information. The impact is limited to a significant degree by factors such as default configuration or auditing, or the issue is difficult to exploit.
• Low Risks
– Allows an attacker temporary control over non-critical browser features. The impact is minimal and the issue is extremely difficult to exploit.
• Information
– Provides information only, with no direct security impact.
Severity scale shown on the slide: High, Medium, Low, Information.
9. A2 : Broken Authentication and Session Management
• Password not hashed/encrypted in database
• No wrong-password limit (brute force attack)
• Session id exposed in URL
• No session timeout
• Session id vulnerable to session fixation
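The five A2 weaknesses above map to five server-side controls. The following is an added example, not code from the presentation: an in-memory login and session service that stores only a salted PBKDF2 hash, locks an account after too many wrong passwords, issues a fresh random session id on every successful login (so a pre-planted id is never promoted, which defeats fixation), expects the id from a cookie rather than the URL, and expires idle sessions. The user and session dictionaries, the thresholds (5 attempts, 15-minute lockout, 30-minute idle timeout) and the iteration count are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a user table and a session table.
USERS: dict[str, dict] = {}
SESSIONS: dict[str, dict] = {}

MAX_FAILED_ATTEMPTS = 5            # assumed threshold: lock after this many wrong passwords
LOCKOUT_SECONDS = 15 * 60          # assumed lock duration
SESSION_TIMEOUT_SECONDS = 30 * 60  # assumed idle timeout for a session
PBKDF2_ITERATIONS = 100_000        # kept modest for the example; raise it or use scrypt/Argon2 in production


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the database stores only the salt and the hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def register(username: str, password: str) -> None:
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "hash": digest, "failed": 0, "locked_until": 0.0}


def login(username: str, password: str, now: float | None = None) -> str | None:
    """Return a fresh session id on success, None on a wrong password or while locked out."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None:
        # Burn comparable CPU so a missing user is not distinguishable by response time.
        hash_password(password, b"\x00" * 16)
        return None
    if now < user["locked_until"]:
        return None
    _, candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = now + LOCKOUT_SECONDS
            user["failed"] = 0
        return None
    user["failed"] = 0
    # Always mint a new random id at login and never adopt one supplied by the client,
    # so an id planted before authentication (session fixation) is never promoted.
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": username, "last_seen": now}
    return session_id


def current_user(session_id: str, now: float | None = None) -> str | None:
    """Resolve a session id read from a cookie (never from the URL); idle sessions expire."""
    now = time.time() if now is None else now
    session = SESSIONS.get(session_id)
    if session is None:
        return None
    if now - session["last_seen"] > SESSION_TIMEOUT_SECONDS:
        del SESSIONS[session_id]
        return None
    session["last_seen"] = now
    return session["user"]
```

The `now` parameter exists only so the lockout and timeout paths can be exercised deterministically; a real service would read the clock. Note that the same `None` is returned for an unknown user, a wrong password and a locked account, so the login response does not reveal which case applies.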
10. A2 : Broken Authentication and Session Management (cont.)
13. A4 : Insecure Direct Object References
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
15. A5 : Security Misconfiguration
• Directories are listed, and a PHPinfo page has been found in one of the listed directories.
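The two findings on this slide are configuration defects, so the fix is configuration. The fragment below is an added example for Apache httpd 2.4, not taken from the presentation: the weak setting that produces directory listings, followed by the corrected setting and a rule that denies the diagnostic file even if it is redeployed. The document root path is an assumption.

```apache
# Weak: directory listings enabled on the document root (assumed path).
<Directory "/var/www/html">
    Options +Indexes
</Directory>

# Hardened: no automatic listings, and the diagnostic page is refused at the server
# even if someone copies phpinfo.php back into the tree.
<Directory "/var/www/html">
    Options -Indexes
</Directory>
<Files "phpinfo.php">
    Require all denied
</Files>
```

Removing the file itself is still required; the `<Files>` block only stops the server from serving it. Setting `expose_php = Off` in php.ini additionally removes the PHP version from response headers.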
16. A6 : Sensitive Data Exposure
Examples:
• Transmitting data in clear text, e.g. non-SSL URLs, login forms over http
• Unencrypted credit card info
• Incorrect encryption
• Logging
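The last two bullets, unencrypted card data and logging, meet in application logs, which routinely end up in places with weaker protection than the database. The following added example (not from the presentation) redacts primary account numbers before a log line is written: it finds 13 to 19 digit runs, optionally separated by spaces or dashes, applies the Luhn checksum so ordinary numbers such as order ids and timestamps are left alone, and keeps only the last four digits. The log lines are constructed for the example.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; used so plain numeric ids and timestamps are not masked."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual receipt format."""
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Return the log line with every Luhn-valid card number masked."""
    def _sub(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        return mask_pan(digits) if luhn_valid(digits) else raw
    return PAN_RE.sub(_sub, line)


# Constructed log lines standing in for an application log.
SAMPLE_LOG = [
    "2024-05-01 12:00:01 order=7781 card=4111111111111111 amount=19.99",
    "2024-05-01 12:00:02 order=7782 card=4111 1111 1111 1111 amount=5.00",
    "2024-05-01 12:00:03 ref=1234567890123456 status=ok",
]


def redact_log(lines: list[str]) -> list[str]:
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LOG):
        print(line)
```

Run the redaction at the logging handler or formatter, before the record leaves the process, rather than as a later clean-up job; a log that has already been shipped to a collector or a third party has already been exposed. The Luhn filter reduces false positives but does not eliminate them, so treat this as defence in depth behind not logging the full number in the first place.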
17. A7 : Missing Function Level Access Control
• Attacker notices that the URL indicates his role: /user/Accounts
• He modifies it to another directory (role): /admin/Accounts or /manager/Accounts
• Attacker views more accounts than just his own
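A4 and A7 are both authorization failures, one at the object level and one at the function level, and the same server-side check pattern fixes both. The following added example (not code from the presentation) puts each vulnerable handler beside its hardened form: the A4 handler returns whatever record id the client names, while the fixed one checks that the record belongs to the authenticated user; the A7 handler derives the role from the URL path the client chose, while the fixed one ignores the path and reads the role from the server's own user record. The account table, role table and user names are constructed for the example.

```python
# Constructed data: account ownership and each user's server-side role.
ACCOUNTS = {
    101: {"owner": "alice", "balance": 50},
    102: {"owner": "bob", "balance": 75},
    103: {"owner": "carol", "balance": 20},
}
ROLES = {"alice": "user", "bob": "user", "carol": "manager"}
VIEW_ALL_ROLES = {"admin", "manager"}


class Forbidden(Exception):
    """Raised instead of returning data the caller may not see."""


# --- A4: Insecure Direct Object Reference ---------------------------------

def get_account_vulnerable(account_id: int) -> dict:
    # Trusts the id taken from the URL or form parameter; any user can read any record.
    return ACCOUNTS[account_id]


def get_account(current_user: str, account_id: int) -> dict:
    # Ownership is checked against the authenticated user, never against client input.
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != current_user:
        # Same response for "missing" and "not yours", so ids cannot be enumerated.
        raise Forbidden(f"account {account_id} not accessible")
    return acct


# --- A7: Missing Function Level Access Control ----------------------------

def list_accounts_vulnerable(current_user: str, path: str) -> dict:
    # Role is read from the path the client sent, e.g. /admin/Accounts.
    role = path.strip("/").split("/")[0]
    if role in VIEW_ALL_ROLES:
        return dict(ACCOUNTS)
    return {k: v for k, v in ACCOUNTS.items() if v["owner"] == current_user}


def list_accounts(current_user: str, path: str) -> dict:
    # The path is ignored for authorization; the role comes from the server's user record.
    role = ROLES.get(current_user, "user")
    if role in VIEW_ALL_ROLES:
        return dict(ACCOUNTS)
    return {k: v for k, v in ACCOUNTS.items() if v["owner"] == current_user}


if __name__ == "__main__":
    print(list_accounts_vulnerable("alice", "/admin/Accounts"))  # all three accounts leak
    print(list_accounts("alice", "/admin/Accounts"))             # only alice's account
```

The rule in both fixed handlers is the same: every authorization decision uses data the server already holds about the session (who the user is, what their role is, what they own), and the request only names what is being asked for. A URL prefix such as /admin/ is routing, not proof of privilege.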