1. Web Application Security
Sreenath Sasikumar
QBurst

2. Who am I ?
www.MakeMeResume.com/@sreenath

3. Take Away
• Understanding web application security
• How to security test web applications
• Mitigating web application security risks
• Open source tools

4. How web applications work

5. Understanding web security

6. Security testing web applications
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Denial of Service Testing

7. Information Gathering

8. www.google.com/robots.txt
Spiders Robots and Crawlers

9. Search Engine Discovery
Google Hacking
• site
• cache
• inurl
• filetype
How to:
Manual
HackSearch

10. Identify Application Entry points
• GET
• POST
• Cookies
• Server Parameters
• Files
How to:
Tamper Data, WebScarab, ZAP

11. Web Application Fingerprinting
How to:
Nikto
Vulnerability Scanners

12. Application Discovery
Different Base URL
• www.example.com/abc
Different port
• www.example.com:8000
Different sub domain ( Virtual host )
• abc.example.com
How to:
Zap, WebSlayer

13. Analysis of Error Code

14. Configuration Management

15. SSL Testing
Identify ssl ports and services
How strong is you cipher?
How to:
Nmap -sV, Nessus, OpenSSL

16. Configuration Management Testing
• Infrastructure Configuration Management
• Application Configuration Management

17. Old, Backup & Unreferenced Files
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
How to:
HackSearch, Webslayer

18. Testing for HTTP Methods
• HEAD
• GET
• POST
• PUT
• DELETE
• TRACE
• OPTIONS
• CONNECT
How to:
Netcat
Nikto

19. Authentication Testing

20. Credentials transport over an
encrypted channel
Prevent man in the middle attack

21. Testing for user enumeration
Error Messages/Notifications
"Sorry, please enter a valid password"
"Sorry, please enter a valid username"
"Sorry, this user does not exist"
"Sorry, this user is no longer active"

22. Testing for Guessable Users
& BruteForce Attacks
How to:
John the Ripper
Hydra

23. Testing for CAPTCHA

24. Testing Session & Cookies

25. Authorization Testing

26. Testing for privilege escalation
• vertical escalation
• horizontal escalation
www.example.com/?user=1&groupID=2

27. Business Logic Testing

28. Data Validation Testing

29. Injections
SQL
XSS

30. • SQL Injection
• XSS Injection
• LDAP Injection
• XML Injection
• HTML Injection
• SSI Injection
• ORM Injection
• XPath Injection
• IMAP/SMTP Injection
• Buffer Overflow

31. Testing for Denial of Service

32. Testing for SQL Wildcard Attacks
SELECT * FROM Article WHERE Content LIKE '%foo%'
SELECT TOP 10 * FROM Article WHERE Content LIKE
'%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()
$*R"_)][%](%[x])%a][$*"£$-9]_%'

33. Testing for DoS Locking Customer
Accounts

34. Open Source Tools
Nikto
Nessus
W3AF
ZAP
WebSlayer
Netcat
Nmap
Skipfish
Hydra
Mozilla Firefox addons
Lots & lots more...

35. PenQ - Security testing browser

36. Questions ?