Slides for OWASP Pune Chapter Meetup dated 21st Apr 2016
Testing web applications for security issues and protecting them effectively requires a mix of methodologies, each with its own advantages and disadvantages. The talk starts with an overview of the methodologies and then discusses how they can be combined to get the best results. Towards the end it also touches on emerging trends in the WebAppSec world.
7. DAST: How it works
Crawl: Get links, forms and AJAX requests to test
Test (mostly fuzzing): Send malformed/evil variants of the crawled requests and see how the web app responds
8. DAST: Concerns
– Coverage
• Is the entire web app crawled?
• Auto form filling
• Authentication
– Redundant links
• http://www.cartrade.com/buy-used-cars/pune/tata/nano/2162257.html
• http://www.cartrade.com/buy-used-cars/pune/hyundai/i20/2162275.html
• http://www.cartrade.com/buy-used-cars/pune/chevrolet/beat/2162336.html
• http://www.cartrade.com/buy-used-cars/pune/maruti-suzuki/sx4/2162360.html
• Thousands of similar links
– Less direct help to developers
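The crawl-then-fuzz loop of slide 7, and the "redundant links" concern of slide 8, as an added example (not the slides' own code). It runs a minimal DAST scanner in-process against a constructed, deliberately vulnerable WSGI app: the crawler collects links and form fields, collapses numeric path segments so the two "nano" detail pages are crawled once, and the fuzzer replays every parameter with an XSS and a SQLi payload and matches the response against simple signatures. The target app, payloads, signatures and the template rule are all assumptions made for illustration.

```python
"""Minimal DAST loop (crawl, then fuzz) run in-process against a small,
deliberately vulnerable WSGI app. Added example, not the slides' own code;
the target app, payloads, error signatures and the URL-template rule that
collapses the "thousands of similar links" are all constructed here."""
import html
import re
from html.parser import HTMLParser
from io import BytesIO
from urllib.parse import parse_qs, urlencode, urlsplit

def target_app(environ, start_response):
    """Constructed target: /search reflects input (XSS), /login leaks SQL errors."""
    path, qs = environ["PATH_INFO"], parse_qs(environ["QUERY_STRING"])
    if path == "/":
        body = ('<a href="/search?q=cars">search</a>'
                '<a href="/cars/pune/tata/nano/2162257.html">nano 1</a>'
                '<a href="/cars/pune/tata/nano/2162258.html">nano 2</a>'
                '<a href="/cars/pune/hyundai/eon/2162275.html">eon</a>'
                '<form action="/login" method="get"><input name="user"></form>')
    elif path == "/search":
        body = "Results for: " + qs.get("q", [""])[0]          # unencoded reflection
    elif path == "/login":
        user = qs.get("user", [""])[0]
        body = ("SQL syntax error near '%s'" % html.escape(user) if "'" in user
                else "Welcome " + html.escape(user))           # verbose DB error
    else:
        body = "car details"                                   # one of many detail pages
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body.encode()]

class LinkFormParser(HTMLParser):
    """Crawl step: collect <a href> targets and <form> actions with field names."""
    def __init__(self):
        super().__init__()
        self.links, self.forms, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._form = {"action": a.get("action", ""), "inputs": []}
        elif tag == "input" and self._form is not None and a.get("name"):
            self._form["inputs"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None

def get(app, url):
    """Issue a GET to the WSGI app without a network (same interface a server uses)."""
    parts = urlsplit(url)
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": parts.path,
               "QUERY_STRING": parts.query, "wsgi.input": BytesIO()}
    return b"".join(app(environ, lambda status, headers: None)).decode()

def template(url):
    """Collapse numeric path segments so /cars/.../2162257.html and
    /cars/.../2162258.html are crawled once: the 'redundant links' concern."""
    return re.sub(r"\d+", "{n}", urlsplit(url).path)

def crawl(app, start="/"):
    """Return (requests to test, URL templates visited)."""
    visited, queue, requests = [], [start], []
    while queue:
        url = queue.pop(0)
        if template(url) in visited:
            continue
        visited.append(template(url))
        parser = LinkFormParser()
        parser.feed(get(app, url))
        parts = urlsplit(url)
        if parts.query:                           # parameterised link -> test its params
            requests.append((parts.path, sorted(parse_qs(parts.query))))
        for form in parser.forms:                 # GET form -> test its fields
            requests.append((form["action"], form["inputs"]))
        queue.extend(parser.links)
    return requests, visited

PAYLOADS = {"xss": "<svg/onload=alert(1)>", "sqli": "' OR '1'='1"}
SIGNATURES = {  # how the scanner decides the 'evil variant' did something
    "xss": lambda payload, body: payload in body,                 # echoed unencoded
    "sqli": lambda payload, body: re.search(r"SQL syntax error", body, re.I) is not None,
}

def fuzz(app, requests):
    """Test step: replay each crawled request with every parameter mutated."""
    findings = []
    for path, params in requests:
        for name in params:
            for kind, payload in PAYLOADS.items():
                body = get(app, path + "?" + urlencode({name: payload}))
                if SIGNATURES[kind](payload, body):
                    findings.append((kind, path, name))
    return findings

def scan(app):
    return sorted(fuzz(app, crawl(app)[0]))

if __name__ == "__main__":
    print(scan(target_app))   # [('sqli', '/login', 'user'), ('xss', '/search', 'q')]
```

The coverage concerns from slide 8 show up directly in this loop: a page behind a login is never crawled unless the scanner can authenticate, a form with required fields needs plausible auto-filled values before the fuzzed one is accepted, and without the `template()` rule every detail page would be fetched and fuzzed separately. POST forms are handled the same way with a request body; they are left out here for brevity.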
13. Automated vs Manual
    Automated                               | Manual
    ----------------------------------------|-------------------------------------------
    Lower accuracy, higher false positives  | High accuracy*, low false positives*
    Fast: hours to days per web app         | Slower: weeks to months per web app
    Bad at business logic flaw detection    | Good at business logic flaw detection*
    Lower cost                              | Very (very) high cost
    * Subject to expertise of the manual pen tester(s)
18. WAF: How it works
• Block malicious (looking) requests
– Rules
– Heuristics
– Blacklist/whitelist
• Add protection in responses
– Security headers
– Frame busting
– Sign/encrypt cookie/hidden fields
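Both halves of slide 18, as an added example (not the slides' own code): a toy WAF written as a WSGI middleware. On the request side it applies blacklist rules, a per-parameter whitelist (positive model) and a metacharacter heuristic; on the response side it appends security headers (including X-Frame-Options for frame busting) and HMAC-signs outgoing cookies, stripping any incoming cookie whose signature does not verify so the application only ever sees trusted values. The rule set, the secret key and the demo application are assumptions made for illustration.

```python
"""A toy WAF as a WSGI middleware. Request side: blacklist regexes, a
per-parameter whitelist (positive model) and a metacharacter heuristic.
Response side: security headers (incl. frame busting) and HMAC-signed cookies.
Added example, not from the slides; rules, the key and demo_app are constructed."""
import hashlib
import hmac
import re
from io import BytesIO
from urllib.parse import parse_qs

SECRET = b"constructed-demo-key"   # assumption: per-deployment secret held by the WAF

BLACKLIST = [re.compile(p, re.I) for p in (        # 'looks malicious' rules
    r"<\s*script", r"\bon\w+\s*=", r"\bunion\b.+\bselect\b", r"'\s*or\s*'?\d", r"\.\./")]
WHITELIST = {"id": re.compile(r"^\d{1,10}$"),      # params with a known strict format
             "page": re.compile(r"^\d{1,3}$")}
META = re.compile(r"[<>'\"();|&]")                  # heuristic: too many metacharacters

SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),                       # frame busting
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("Strict-Transport-Security", "max-age=31536000"),
]

def sign(value):
    tag = hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]
    return value + "." + tag

def verify(signed):
    """Return the original value if the tag is valid, else None."""
    value, _, _tag = signed.rpartition(".")
    return value if value and hmac.compare_digest(sign(value).encode(), signed.encode()) else None

def inspect_request(path, query):
    """Return a block reason for a malicious-looking request, else None."""
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            if name in WHITELIST and not WHITELIST[name].match(v):
                return f"whitelist: {name}={v!r}"
            for rule in BLACKLIST:
                if rule.search(v):
                    return f"blacklist {rule.pattern!r}: {name}"
            if len(META.findall(v)) >= 4:
                return f"heuristic: {name}"
    if any(rule.search(path) for rule in BLACKLIST):
        return "blacklist: path"
    return None

class WAF:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        reason = inspect_request(environ.get("PATH_INFO", ""), environ.get("QUERY_STRING", ""))
        if reason:
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [("blocked by WAF: " + reason).encode()]
        kept = []                     # drop cookies whose signature does not verify
        for cookie in environ.get("HTTP_COOKIE", "").split("; "):
            name, sep, signed = cookie.partition("=")
            value = verify(signed) if sep else None
            if value is not None:
                kept.append(name + "=" + value)     # app sees the bare, trusted value
        environ["HTTP_COOKIE"] = "; ".join(kept)

        def protected_start(status, headers, exc_info=None):
            out = []
            for k, v in headers:
                if k.lower() == "set-cookie":       # sign on the way out
                    name, _, value = v.partition("=")
                    v = name + "=" + sign(value)
                out.append((k, v))
            return start_response(status, out + SECURITY_HEADERS, exc_info)
        return self.app(environ, protected_start)

def demo_app(environ, start_response):
    """Constructed app behind the WAF: sets a cookie and echoes what it received."""
    start_response("200 OK", [("Content-Type", "text/plain"), ("Set-Cookie", "role=user")])
    return [("cookie seen by app: " + environ.get("HTTP_COOKIE", "")).encode()]

def call(app, path, query="", cookie=""):
    """Drive a WSGI app in-process; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "QUERY_STRING": query,
               "HTTP_COOKIE": cookie, "wsgi.input": BytesIO()}
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response)).decode()
    return seen["status"], seen["headers"], body
```

The blacklist rules are where the false positives of slide 13 come from: a pattern like `on\w+\s*=` will also trip on legitimate text, while a positive-model whitelist only works for parameters whose format the operator knows. The cookie signing protects integrity, not confidentiality; a cookie that must stay secret from the client needs encryption as well.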
22. RASP
Runtime Application Self-Protection
• Installs a runtime agent within the application binary (runtime dependency)
• Analyzes input, event flow and application behavior at runtime
• Alerts or stops malicious execution
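The RASP idea of slide 22 as an added example (not the slides' own code): an in-process agent that records each request's inputs and hooks the application's database calls, blocking a query whenever a request input is not confined to a single SQL token (that is, the input supplied a quote, operator, comment or keyword). The agent API, the tokenizer rule and the users table are assumptions made for illustration; a real agent instruments the DB driver transparently rather than through an explicit wrapper.

```python
"""Toy RASP agent: hooks the app's database calls from inside the process and
blocks a query when request input changes its lexical structure (the input
supplies a quote, operator, comment or keyword rather than staying inside one
literal). Added example, not from the slides; the tokenizer rule, the agent
API and the users table are constructed. A real agent instruments the DB
driver transparently; here the hook is an explicit connection wrapper."""
import re
import sqlite3
from contextlib import contextmanager

# string literal | line comment | number | word | single punctuation char
TOKEN = re.compile(r"'(?:[^']|'')*'|--[^\n]*|\d+|\w+|[^\s\w]")

def token_spans(sql):
    """(start, end) of every token; whitespace belongs to no token."""
    return [(m.start(), m.end()) for m in TOKEN.finditer(sql)]

def input_alters_structure(sql, value):
    """True if some occurrence of `value` in `sql` is not confined to a single
    token. Benign input ('alice', 42) sits inside one literal; an injection
    ("alice' --", "1 OR 1=1") necessarily spans token boundaries."""
    if not value:
        return False
    spans = token_spans(sql)
    start = sql.find(value)
    while start != -1:
        end = start + len(value)
        if not any(s <= start and end <= e for s, e in spans):
            return True
        start = sql.find(value, start + 1)
    return False

class BlockedByRASP(Exception):
    pass

class Agent:
    """Per-request knowledge of what came from the client, plus an event log."""
    def __init__(self):
        self.inputs, self.log = [], []

    @contextmanager
    def request(self, **params):
        self.inputs = [str(v) for v in params.values()]   # set by the request hook
        try:
            yield
        finally:
            self.inputs = []

    def wrap(self, conn):
        return GuardedConnection(conn, self)

class GuardedConnection:
    """The instrumentation point: every execute() passes through the agent."""
    def __init__(self, conn, agent):
        self._conn, self._agent = conn, agent

    def execute(self, sql, params=()):
        for value in self._agent.inputs:
            if input_alters_structure(sql, value):
                self._agent.log.append((sql, value))
                raise BlockedByRASP(f"request input {value!r} changed query structure")
        return self._conn.execute(sql, params)

def login(db, user, password):
    """Vulnerable app code (string-built SQL); the agent protects it unchanged."""
    sql = "SELECT id FROM users WHERE name = '%s' AND pw = '%s'" % (user, password)
    return db.execute(sql).fetchone()

def safe_login(db, user, password):
    """Fixed app code: placeholders keep input out of the SQL text entirely."""
    return db.execute("SELECT id FROM users WHERE name = ? AND pw = ?",
                      (user, password)).fetchone()

def setup():
    agent, raw = Agent(), sqlite3.connect(":memory:")
    raw.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    raw.execute("INSERT INTO users VALUES (1, 'alice', 's3cret')")   # constructed data
    return agent, agent.wrap(raw)

def attempt(agent, db, user, password, handler=login):
    """Simulate one HTTP request: register its inputs, then run the handler."""
    with agent.request(user=user, password=password):
        try:
            return "ok" if handler(db, user, password) else "denied"
        except BlockedByRASP:
            return "blocked"

if __name__ == "__main__":
    agent, db = setup()
    for creds in (("alice", "s3cret"), ("alice", "wrong"), ("alice' --", "x")):
        print(creds, attempt(agent, db, *creds))
```

This is what makes RASP technology dependent (slide 23): the agent has to run inside the application's runtime and know where the SQL, file or command sinks are to hook them, but in return it sees the final query rather than a raw HTTP request, so a parameterized query with the same hostile input passes without a rule ever mentioning it.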
23. WAF vs RASP
    WAF                       | RASP
    --------------------------|--------------------------
    External                  | Internal
    One for many apps         | One (agent) per app
    Technology* independent   | Technology* dependent
    * Programming language and runtime
Images credit: freedigitalphotos.net (Photo by taoty, Sura Nualpradid)
24. Trends/Future
• Browser side security
– CSP
– HSTS
– Public Key Pinning (HPKP; since deprecated and removed from major browsers)
– X-Frame-Options
– X-XSS-Protection (since removed from major browsers; superseded by CSP)
– X-Content-Type-Options
– …
• DAST
– JavaScript Analysis (DOM XSS and more)
– Blind vulnerability detection
– REST APIs, mobile apps
– HTML5, HTTP2
• Secure coding/development
– Static code analysis with-in IDE
– Secure libraries and frameworks
– Lifecycle: Design + Dev + Test + Ops
• SAST + DAST + WAF + RASP