Introduction to web application security testing

Alexandr Romanov

What is security testing and why is it necessary?

Prepare your mind for security testing
- Think like a hacker :)
- Concentrate on negative testing
- Vulnerabilities = bugs
Security testing in action - stage 1
Mapping the application
- web spidering
- user directed spidering
- brute force scanning
Security testing in action - stage 2
Analyze the application
- application functionality
- data entry points
- application technologies
Security testing in action - stage 3
Test/break the application
Test:
- client-side controls
- authentication mechanism
- session management mechanism
- access controls
- input-based vulnerabilities
.....
Security testing in action - stage 4
Report the results
1. Executive summary
2. Detailed report
3. Raw output
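As an added example that is not part of the original slides, one concrete check for the "session management mechanism" item of stage 3, producing findings in a form that can go straight into the stage-4 report: audit captured Set-Cookie headers for the Secure, HttpOnly and SameSite attributes and for session tokens that are obviously too short. The header values are constructed samples; the 64-bit entropy threshold and the name pattern used to recognise session cookies are assumptions.

```python
import math
import re
from collections import Counter

# Constructed sample Set-Cookie values, as an intercepting proxy would capture them.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D; Path=/; HttpOnly",
    "sessid=12345; Path=/",
    "csrftoken=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08; "
    "Path=/; Secure; HttpOnly; SameSite=Strict",
]

# Assumption: cookies whose name contains one of these fragments carry session state.
SESSION_NAME_HINT = re.compile(r"sess|token|auth|sid", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value}).

    Attribute names are lowercased; flag attributes without a value map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value, attrs


def shannon_bits(value):
    """Rough entropy estimate of a token: per-character Shannon entropy times length."""
    if not value:
        return 0.0
    n = len(value)
    counts = Counter(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def audit_cookie(header, min_bits=64):
    """Return a list of finding strings for one Set-Cookie header; [] means no findings."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (cookie is also sent over plaintext HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by injected script)")
    samesite = attrs.get("samesite")
    if samesite is None or str(samesite).lower() == "none":
        findings.append(f"{name}: SameSite absent or None (cross-site requests carry the cookie)")
    if SESSION_NAME_HINT.search(name):
        bits = shannon_bits(value)
        if bits < min_bits:  # assumed minimum for a session identifier
            findings.append(f"{name}: session token estimated at {bits:.0f} bits (< {min_bits})")
    return findings


def audit_all(headers):
    """Map each cookie name to its findings, ready for the detailed report section."""
    return {parse_set_cookie(h)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie, findings in audit_all(SAMPLE_SET_COOKIE).items():
        print(cookie, "->", findings or "OK")
```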
Security tester tools
Firefox:
- Firebug/FirePath
- HTTPWatch
- FoxyProxy
- XSSme/SQLme
Chrome:
- XSSRays
IE:
- HTTPWatch/IEWatch
Security tester tools
Complex tools:
- BurpSuite
- WebScarab
- Zed Attack Proxy
- Fiddler
Vulnerability scanners:
- Acunetix
- Nikto
- Nessus
