The document provides an overview of web application security testing tools and techniques. It begins with an introduction to common terminology and threats. It then demonstrates various tools for tasks like vulnerability analysis (OWASP ZAP), exploitation (sqlmap), and network analysis (nmap, Wireshark, tcpdump). It also covers topics like the OWASP Top 10, STRIDE/DREAD frameworks, and threat modeling. The document emphasizes that tools should be used thoughtfully alongside security expertise and provides several references for further learning.
Security Testing by Ken De Souza
1. The bare minimum you should know about web application security testing in 2017
Ken De Souza
QA or the Highway, February 2017
V. 1.1.1
Twitter: @kgdesouz
Blog: blog.tkee.org
12. "security, just like disaster recovery, is a lifestyle, not a checklist"
This is not a black and white problem
Source: https://news.ycombinator.com/item?id=11323849
20. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Developer point of view…

| DREAD Parameter  | Rating | Rationale                                                          |
|------------------|--------|--------------------------------------------------------------------|
| Damage Potential | 5      | An attacker could read and alter data in the product database.     |
| Reproducibility  | 10     | Can reproduce every time.                                          |
| Exploitability   | 2      | Easily exploitable by automated tools found on the Internet.       |
| Affected Users   | 1      | Affects critical administrative users.                             |
| Discoverability  | 1      | Affected page "admin.aspx" easily guessed by an attacker.          |
| Overall Rating   | 3.8    |                                                                    |
21. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx
Tester point of view…

| DREAD Parameter  | Rating | Rationale                                                          |
|------------------|--------|--------------------------------------------------------------------|
| Damage Potential | 10     | An attacker could read and alter data in the product database.     |
| Reproducibility  | 10     | Can reproduce every time.                                          |
| Exploitability   | 10     | Easily exploitable by automated tools found on the Internet.       |
| Affected Users   | 10     | Affects critical administrative users.                             |
| Discoverability  | 10     | Affected page "admin.aspx" easily guessed by an attacker.          |
| Overall Rating   | 10     |                                                                    |
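The two slides above rate the same "admin.aspx" threat and arrive at 3.8 and 10 because DREAD is simply the mean of five 0-10 parameter ratings. The following Python is an added example, not part of Ken De Souza's deck: it reproduces both overall ratings from the slides' numbers and lists the parameters where the developer and tester disagree most, which is the conversation the deck says a threat model should start. The function and dictionary names are assumptions made for this example.

```python
# Added example, not part of Ken De Souza's deck: compute the DREAD rating as
# the mean of five 0-10 parameter ratings and show where two raters disagree,
# using the developer and tester ratings from the "admin.aspx" slides.
from statistics import mean

DREAD_PARAMETERS = (
    "Damage Potential",
    "Reproducibility",
    "Exploitability",
    "Affected Users",
    "Discoverability",
)

# Ratings as given on the two slides.
DEVELOPER_VIEW = {
    "Damage Potential": 5, "Reproducibility": 10, "Exploitability": 2,
    "Affected Users": 1, "Discoverability": 1,
}
TESTER_VIEW = {p: 10 for p in DREAD_PARAMETERS}


def dread_score(ratings):
    """Overall rating: the arithmetic mean of the five parameters, rounded to 0.1."""
    missing = set(DREAD_PARAMETERS) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD parameters: {sorted(missing)}")
    for name in DREAD_PARAMETERS:
        if not 0 <= ratings[name] <= 10:
            raise ValueError(f"{name} must be rated 0-10, got {ratings[name]}")
    return round(mean(ratings[p] for p in DREAD_PARAMETERS), 1)


def rating_gaps(first, second):
    """Per-parameter difference (second - first), largest disagreement first."""
    gaps = [(p, second[p] - first[p]) for p in DREAD_PARAMETERS]
    return sorted(gaps, key=lambda g: abs(g[1]), reverse=True)


if __name__ == "__main__":
    print("developer:", dread_score(DEVELOPER_VIEW))   # 3.8
    print("tester:   ", dread_score(TESTER_VIEW))      # 10
    for parameter, gap in rating_gaps(DEVELOPER_VIEW, TESTER_VIEW):
        print(f"{parameter:17s} gap {gap:+d}")
```

Reproducibility is the only parameter the two views agree on; the largest gaps are on Affected Users and Discoverability, which is where the tester's argument that an easily guessed admin page affects every administrator needs to be made.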
23. OWASP Top 10
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
24. OWASP TOP 10

| Vulnerability                                     | Example                                                                 |
|---------------------------------------------------|-------------------------------------------------------------------------|
| A1: Injection                                     | http://example.com/app/accountView?id='                                 |
| A2: Broken Authentication and Session Management  | http://example.com/sale/saleitems?sessionid=268544541&dest=Hawaii       |
| A3: Cross Site Scripting (XSS)                    | <script>alert('test');</script>                                         |
| A4: Insecure Direct Object References             | http://example.com/app/accountInfo?acct=notmyacct                       |
| A5: Security Misconfiguration                     | Default admin account enabled; directories shown on site; stack traces shown to users |
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
25. OWASP TOP 10
| Vulnerability                                 | Example                                                                                                            |
|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
| A6: Sensitive Data Exposure                   | SSL not being used; Heartbleed; bad programming                                                                    |
| A7: Missing Function Level Access Control     | Access areas where you shouldn't be able to access                                                                 |
| A8: Cross-Site Request Forgery                | <img src="http://example.com/app/transferFunds?amount=1500&destinationAccount=attackersAcct#" width="0" height="0" /> |
| A9: Using Components with known vulnerability | Not patching your 3rd party sh*t                                                                                   |
| A10: Unvalidated redirects and forwards       | http://www.example.com/redirect.jsp?url=evil.com                                                                   |
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
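The A10 row above shows a redirect page that sends the browser wherever `?url=` says. The Python below is an added example, not part of Ken De Souza's deck or of any OWASP material: it puts that unvalidated pattern beside an allow-list check that only follows the redirect if the target stays on the site's own hosts, and it handles the bypasses a tester would try against such a check (protocol-relative `//host`, userinfo tricks such as `http://www.example.com@evil.com`, non-web schemes, and backslashes). The origin, the allowed hosts and the function names are assumptions made for this example.

```python
# Added example, not part of Ken De Souza's deck: the A10 "unvalidated redirect"
# anti-pattern beside an allow-list check for the ?url= parameter of
# http://www.example.com/redirect.jsp. Hosts and helper names are assumptions.
from urllib.parse import urlsplit, urljoin, parse_qs

SITE_ORIGIN = "http://www.example.com"             # where redirect.jsp lives (assumed)
ALLOWED_HOSTS = {"www.example.com", "example.com"}  # hosts we are willing to send users to


def redirect_target_unvalidated(url):
    """The A10 anti-pattern: whatever is in ?url= becomes the Location header."""
    return url


def redirect_target_validated(url, fallback="/"):
    """Return an absolute URL on an allowed host, or `fallback` if `url` leaves the site."""
    if not url or "\\" in url:  # empty, or backslashes that browsers treat as '/'
        return fallback
    url = url.strip()
    parts = urlsplit(url)
    # Only web schemes; this rejects javascript:, data:, etc.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback
    if parts.netloc:
        # Absolute or protocol-relative (//evil.com) target. .hostname drops
        # userinfo and port, so "http://www.example.com@evil.com" is seen as evil.com.
        if (parts.hostname or "") not in ALLOWED_HOSTS:
            return fallback
        return url
    # No authority at all: a site-relative path; resolve it against our own origin,
    # so a bare "evil.com" becomes a path on our site, not a hop to another host.
    return urljoin(SITE_ORIGIN, url)


def resolve_redirect(request_url, fallback="/"):
    """Pull ?url= out of a redirect.jsp request URL and validate it."""
    query = parse_qs(urlsplit(request_url).query)
    target = query.get("url", [""])[0]
    return redirect_target_validated(target, fallback)


if __name__ == "__main__":
    slide_example = "http://www.example.com/redirect.jsp?url=evil.com"
    print("unvalidated:", redirect_target_unvalidated("http://evil.com/"))
    print("validated:  ", resolve_redirect(slide_example))
    print("validated:  ", resolve_redirect("http://www.example.com/redirect.jsp?url=//evil.com"))
```

When testing a redirect endpoint, the cases in the test below are the ones to feed through ZAP or by hand: a target that passes the unvalidated function but comes back as `fallback` from the validated one is exactly the A10 finding the slide describes.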
26. Vulnerability / Tool

| Vulnerability                                    | Tool          |
|--------------------------------------------------|---------------|
| A1: Injection                                    | SQLMap or ZAP |
| A2: Broken Authentication and Session Management | ZAP           |
| A3: Cross Site Scripting (XSS)                   | ZAP           |
| A4: Insecure Direct Object References            | ZAP           |
| A5: Security Misconfiguration                    | OpenVAS       |
| A6: Sensitive Data Exposure                      | Your brain…   |
| A7: Missing Function Level Access Control        | OpenVAS       |
| A8: Cross-Site Request Forgery                   | ZAP           |
| A9: Using Components with known vulnerability    | OpenVAS, nmap |
| A10: Unvalidated redirects and forwards          | ZAP           |
27. Demos: Setup
Docker running “Ticket magpie”
(https://github.com/dhatanian/ticketmagpie)
docker run -e "SPRING_PROFILES_ACTIVE=hsqldb" -p8080:8080 "dhatanian/ticketmagpie"
This container has LOTS of vulnerabilities,
designed for learning about web security
29. nmap
What ports are open? Where can you attack?
Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
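An nmap run answers "what ports are open?" but a tester still has to turn that into a list of what is exposed beyond what the deployment was meant to expose. The Python below is an added example, not part of Ken De Souza's deck or of nmap itself: it parses nmap's grepable output format (`-oG`, where each "Ports:" entry is `port/state/protocol/owner/service/rpc/version/` and any `/` inside a field is written as `|`) and flags open ports outside an expected set. The scan text is a constructed sample for a host running the Ticket Magpie container on 8080; the extra ports and version strings are invented, and the function names are assumptions.

```python
# Added example, not part of Ken De Souza's deck: turn nmap's grepable output
# (-oG) into a list of exposed services and flag ports that were not expected.
import re
from dataclasses import dataclass

# One nmap grepable "Ports:" entry is port/state/protocol/owner/service/rpc/version/
# (nmap writes any '/' inside a field as '|', so [^/]* is safe for each field).
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")

# Constructed sample of -oG output (not a real scan): the Ticket Magpie
# container on 8080 plus an invented ssh and a filtered mysql port.
SAMPLE_GNMAP = (
    "# Nmap scan (constructed sample)\n"
    "Host: 127.0.0.1 (localhost)\tStatus: Up\n"
    "Host: 127.0.0.1 (localhost)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "8080/open/tcp//http//Jetty 9.2.z-SNAPSHOT/, "
    "3306/filtered/tcp//mysql///"
    "\tIgnored State: closed (997)\n"
    "# Nmap done (constructed sample)\n"
)


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_gnmap(text):
    """Parse every 'Host: ... Ports: ...' line into Service records."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields on a Host line are tab-separated "Key: value" pairs.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # e.g. the "Status: Up" line carries no port data
        host = fields["Host"].split(" ", 1)[0]
        for m in PORT_RE.finditer(fields["Ports"]):
            port, state, proto, _owner, name, _rpc, version = m.groups()
            services.append(Service(host, int(port), proto, state, name,
                                    version.replace("|", "/")))
    return services


def open_ports(services):
    """Sorted list of ports nmap reported as open."""
    return sorted({s.port for s in services if s.state == "open"})


def unexpected_open(services, expected):
    """Open ports outside the set the deployment is supposed to expose."""
    return [p for p in open_ports(services) if p not in expected]


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    for s in found:
        print(f"{s.host}:{s.port}/{s.proto} {s.state:9s} {s.name:6s} {s.version}")
    # Ticket Magpie was started with -p8080:8080, so 8080 is the only port we expect.
    print("unexpected open ports:", unexpected_open(found, {8080}))
```

Feed it a real file produced with `nmap -sV -oG scan.gnmap <host>` and compare the unexpected list against what the Docker command on the setup slide actually published; anything else that is open is a misconfiguration (A5) or a component to check for known vulnerabilities (A9) before it is anything else.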
32. What is Wireshark
Network packet / protocol analysis tool
Allows users to capture network traffic from any interface, like Ethernet, Wi-Fi, Bluetooth, USB, etc.
41. What is OWASP ZAP?
Find security vulnerabilities in your web applications
Can be used both manually and in an automated manner
42. Why use ZAP?
Can be used to find many of the Top 10 exploits
Can be quickly integrated into your manual or automated workflow
Can be used in active or passive mode
51. Threat Modeling - What is it?
A way to analyze and communicate security related problems
This is a much larger topic than we have time for… but I'll give you the basics
52. Threat Modeling - Why do this?
To explain to management
To explain to customers
To explain to developers, architects, etc.
With the tools I just showed you, you now have the basics to be able to build a model
75. References
• Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/
• Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security-ninjas-opensource
• Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
• Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx
• Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities
• Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat-modelling-by-example
• The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
• Threat modeling example: http://www.se.rit.edu/~swen-331/slides/07%20Threat%20Modeling.pptx
Editor's Notes
Spoofing: illegally access and use another user's credentials, such as username and password.
Tampering: maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
Repudiation: illegal operations in a system that lacks the ability to trace the prohibited operations.
Information disclosure: read a file that one was not granted access to, or to read data in transit.
Denial of service: Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
Elevation of privilege: Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
Open Web Application Security Project
Get a plan together and get your manager to sign off on it.