O SlideShare utiliza cookies para otimizar a funcionalidade e o desempenho do site, assim como para apresentar publicidade mais relevante aos nossos usuários. Se você continuar a navegar o site, você aceita o uso de cookies. Leia nosso Contrato do Usuário e nossa Política de Privacidade.
O SlideShare utiliza cookies para otimizar a funcionalidade e o desempenho do site, assim como para apresentar publicidade mais relevante aos nossos usuários. Se você continuar a utilizar o site, você aceita o uso de cookies. Leia nossa Política de Privacidade e nosso Contrato do Usuário para obter mais detalhes.
What is Security Testing
• Security testing is the process that
determines that confidential data stays
confidential and users can perform only
those tasks that they are authorized to
• Security Testing is a type of software testing
that intends to uncover vulnerabilities of the
system and determine that its data and
resources are protected from possible
Some key terms used in Security
• What is “Vulnerability”?
This is a weakness in the web application.
The cause of such a “weakness” can be
bugs in the application, an injection (SQL/
script code) or the presence of viruses.
• What is “Spoofing”?
The creation of hoax look-alike websites or
emails is called spoofing.
• What is “URL manipulation”?
Some web applications communicate
additional information between the client
(browser) and the server in the URL.
Changing some information in the URL
may sometimes lead to unintended
behavior by the server.
• What is “SQL injection”?
This is the process of inserting SQL
statements through the web application
user interface into some query that is then
executed by the server.
• The Open Web Application Security
Project (OWASP) is an online community
dedicated to web application security.
• OWASP is a worldwide not-for-profit
charitable organization focused on
improving the security of software.
Few OWASP Recommended Tools
WEB APPLICATION RISK SECURITY UTILITY
SQL Inject Me and
Zed Attack Proxy (ZAP)
A2: Broken Authentication and Session Management ZAP
A3: Cross-Site Scripting (XSS) ZAP
A4: Insecure Direct Object References
HTTP Directory Traversal Scanner, Burp Suite and
A5: Security Misconfiguration OpenVAS and WATOBO
A6: Sensitive Data Exposure Qualys SSL Server Test
A7: Missing Function Level Access Control OpenVAS
A8: Cross-Site Request Forgery (CSRF) Tamper Data (Samurai WTF), WebScarab or ZAP
A9: Using Components with Known Vulnerabilities OpenVAS
A10: Unvalidated Redirects and Forwards ZAP
What is IronWASP
• An environment for Web Application Security Testing
• Designed for optimum mix of Manual and Automated Testing
• Designed for Pentesters and QA folks
• Let’s you write a custom Security Scanner in a very short time
• Open Source and Open Architecture
• ƒGUI based & does not require installation
• Powerful and effective scanning engine
• Extensible via plug-ins or modules in Python, Ruby, C# or
IronWASP – Key Components
• Built-in Crawler + Scan Manager + Proxy
• Python/Ruby based plug-ins
• Active plug-ins for Scanning
• Passive plug-ins for vulnerability detection
• Format plug-ins for defining data formats
• Session plug-ins to customise the scans
• Generate detailed report
Zed Attack Proxy [ZAP]
• An easy to use web application security
• Completely Free and Open Source
• An OWASP flagship project
• Ideal for Beginners
• But also used by Professionals
• Framework for advanced testing
• Ideal for Dev and QA. Especially for Test
Integrating ZAP into the Build
• ANT Tasks
• Session management: New, Save and
• Tasks: Spider and Active Attack
• Results: Ignoring rules and Failing the
• Password Autocomplete
• Application Error disclosure
• Cookie set without HttpOnly
Using the HttpOnly flag when generating a cookie helps mitigate the risk of client side
script accessing the protected cookie
• X-Content-Type-Options header missing
Opens up a serious security vulnerability, in which, by confusing the MIME
sniffing algorithm, the browser can be manipulated into interpreting data in a
way that allows an attacker to carry out operations that are not expected by either
the site operator or user, such as cross-site scripting
• X-Frame-Options header not set
Provides Clickjacking protection - “UI redress attack", is when an attacker uses
multiple transparent or opaque layers to trick a user into clicking on a button or link on
another page when they were intending to click on the the top level page. Thus,
the attacker is "hijacking" clicks meant for their page and routing them to another
page, most likely owned by another application, domain, or both
• Additional ROI
• Great for Catching
1. Injection Based Attacks
2. HTTP header and Cookie issues
3. URL Redirect abuse
• No additional effort for vulnerability scan
• Can be integrated with your CI Builds
• Ignoring Low Priority Alerts
• No Code
• Big Surprise