SlideShare a Scribd company logo

AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf

S
sk0894308

Cyber Security Roadmap for beginners.

Internet
1 of 56
Download to read offline
INTRODUCTION TO WEB APPLICATION PENETRATION TESTING By: Rana Khalil
WHO AM I? ¡ University of Ottawa student – Master of Computer Science ¡ Thesis: Comparative Analysis of Open-source Web Application Vulnerability Scanners ¡ Previous work experience include: Software developer,Tester, Ransomware researcher, Security Analyst. ¡ Aspiring Ethical Hacker! ¡ Removed my wisdom tooth a week ago L 2
OUTLINE ¡ Introduction to web application penetration testing ¡ Software setup ¡ Mapping and analyzing the application ¡ Bypassing client-side controls ¡ Attacking authentication ¡ Attacking session management ¡ Attacking data stores 3
THE WEB APPLICATION HACKER’S HANDBOOK 4 ¡ Bible of web application penetration testing. ¡ Good mix of theory and practice. ¡ Most of the examples in the slides are from this book.
TOOLS NEEDED FOR WORKSHOP 5 ¡ Burp Community Edition ¡ OWASP ZAP ¡ VirtualBox ¡ OWASP BWA Project ¡ FoxyProxy Standard ¡ Modern browser (preferably Firefox) Note: You should have these tools already installed. An email was sent to registered participants prior to workshop.
INTRODUCTION SECTION 1
WHY THE WEB? 7 ¡ Let’s look at some statistics: ¡ Over 3.9 billion internet users in the world ¡ Over 1.9 billion websites online ¡ We use websites for everything: e-commerce, online banking to social networking, social media, etc. ¡ Web security has become a major concern for businesses. ¡ Recent example: Equifax.The breach exposed the personal information of 143 million US users and an estimated 100,000 Canadian users. ¡ According toTrustwave’s 2018 Global Security Report: ¡ 100% of the web applications scanned by Trustwave displayed at least one vulnerability. ¡ Median number of 11 vulnerabilities detected per application.
HOWTO SECURE AWEB APPLICATION? 8 Combination of techniques are used: ¡ Secure coding practices ¡ Web application firewalls ¡ Static code analysis ¡ Web application penetration testing ¡ Etc.
WHAT IS WEB APP PEN TESTING? 9 ¡ Combination of manual and automated tests to identify vulnerabilities, security flaws and/or threats in a web application. ¡ Categorized into three types: ¡ White box:Tester has complete access and in-depth knowledge of the system.Access to source code is usually given. ¡ Black box:Tester is given little to no information about the system. Just the URL of the application is usually given. ¡ Grey box: Combination of white box and black box penetration testing. Limited information and access is given to the tester. ¡ Several methodologies and guidelines: OWASP, PTES, PCI DSS, etc. ¡ Most important thing to keep in mind: you need permission to perform a security test!
WHAT IS OWASP? 10 ¡ Stands for Open Web Application Security Project ¡ International open source community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted”. ¡ Contains widely used and popular tools such as the ZAP. ¡ OWASPTOP 10 Project
ABSTRACT PEN TESTING METHODOLOGY 11 Reconnaissance Mapping + Analyzing Discovery Exploitation
SOFTWARE SETUP SECTION 2
SOFTWARE SETUP 13 1. DownloadVirtualBox and OWASP BWA Project virtual machine. 2. Install OWASP BWA Project vm onVirtualBox. 3. Download Firefox and FoxyProxy add-on. 4. Download Burp Suite Community Edition and OWASP ZAP. 5. Configure Burp and ZAP in FoxyProxy.
HOW DOES A PROXY WORK? 14
SOFTWARE SETUP 15 Setup Demonstration
MAPPING AND ANALYZING THE APPLICATION SECTION 3
MAPPING THE APPLICATION 17 ¡ Explore the visible content ¡ Review public resources ¡ Identify any hidden content
ANALYZING THE APPLICATION 18 ¡ Identify functionality ¡ Identify data entry points ¡ Identify the technologies used ¡ Map the attack surface
EXERCISE #1:WACKOPICKO 19 Web Spidering Your goal is to use ZAP spider to crawl the application. 1. Configure browser to work with ZAP 2. Load the application on configured browser 3. Include root application URL in context. 4. Right click on the root URL in the Sites tree map > select Attack > select Spider. 5. Right click on the root URL in the Sites tree map > select Attack > select Ajax Spider.
EXERCISE #1:WACKOPICKO 20 Solution demonstration using ZAP and Burp Suite.
BYPASSING CLIENT-SIDE CONTROLS SECTION 4
CLIENT-SIDEVS SERVER-SIDEVALIDATION Client-side Server-side 22 1 2 3 1 2 3
BYPASSING CLIENT-SIDE CONTROLS Ø Allowing clients to submit arbitrary input is a core security problem in web applications. § Users have full control of everything submitted from the client. § Can cause a range of problems including corrupting data stores, allowing unauthorized access to users and buffer overflows. Ø In general, there are two ways client-side controls are used to restrict user input: § Transmitting data via the client using mechanisms that “prevent” user interaction. Examples include hidden form fields, disabled elements, referrer header, URL parameters, etc. § Controlling user input using measures that “restrict” user input. Examples include HTML form features, client-side scripts, etc. 23
TRANSMITTING DATAVIATHE CLIENT Ø Example #1: Hidden Form Field 24 Code Request
TRANSMITTING DATAVIATHE CLIENT Ø Example #2: HTTP Cookies ¡ Response: Request: 25
EXERCISE #2:WEBGOAT Exploit Hidden Fields Try to purchase the HDTV for less than the purchase price, if you have not done so already. 26
EXERCISE #2:WEBGOAT Solution Demonstration 27
RESTRICTING USER DATA Ø Example #3: Length Limits 28
RESTRICTING USER DATA Ø Example #4: Disabled Elements 29
EXERCISE #3:WEBGOAT Bypass HTML Field Restrictions You must submit invalid values for all six fields in one form submission. 30
EXERCISE #3:WEBGOAT Solution Demonstration 31
RESTRICTING USER DATA Ø Example #5: Script-BasedValidation 32
EXERCISE #4:WEBGOAT Bypass Client Side JavaScriptValidation You must break all 7 validators at the same time. 33
EXERCISE #4:WEBGOAT Solution Demonstration 34
ATTACKING AUTHENTICATION SECTION 5
AUTHENTICATION Ø Authentication is a mechanism for validating a user. Ø There are many authentication technologies: § HTML forms-based authentication § Multifactor authentication § Client SSL certificates and/or smartcards § etc Ø In general, there are two factors that result in insecure authentication: § Design flaws in authentication mechanisms § Implementation flaws in authentication 36
DESIGN FLAWS IN AUTHENTICATION MECHANISMS Ø Bad passwords* Ø Brute-forcible logins Ø Verbose Failure messages Ø Vulnerable transmission of credentials Ø Weaknesses in password change functionality Ø Weaknesses in forgotten password functionality* Ø etc. 37
BAD PASSWORDS Ø Very short or blank passwords Ø Common dictionary words or names Ø The same as the username Ø Still set to the default value Ø Check the strength of your password: https://password.kaspersky.com/ 38
EXERCISE #5: WEBGOAT Forgot Password The goal is to retrieve the password of another user. 39
EXERCISE #5:WEBGOAT Solution Demonstration 40
IMPLEMENTATION FLAWS IN AUTHENTICATION Ø Fail-open login mechanisms Ø Defects in multistage login mechanisms* Ø Assumption that access to a later stage means that the user cleared prior stages. Ø Trusting client side data across stages Ø Insecure storage of credentials Ø etc. 41
EXERCISE #6:WEBGOAT Multi Level Login 2 Your goal is to log in as Jane. 42
EXERCISE #6:WEBGOAT Solution Demonstration 43
ATTACKING SESSION MANAGEMENT SECTION 6
ATTACKING SESSION MANAGEMENT 45 ¡ Understand the mechanism ¡ Test session tokens for meaning ¡ Test session tokens for predictability ¡ Check for session termination
EXERCISE #7: WACKOPICKO Session Management Try to determine how the session is being calculated for the admin interface. Log in as admin/admin multiple times to solve this exercise. 46
EXERCISE #7: WACKOPICKO Solution Demonstration 47
ATTACKING DATA STORES SECTION 7
ATTACKING DATA STORES 49 ¡ Most applications have a data store to manage and store data. ¡ User accounts, credentials and personal information. ¡ Prices of items ¡ Orders ¡ Privilege level of a user ¡ We’ll test for SQL injections. ¡ Supply unexpected syntax that might cause problems in the application. ¡ Identify and analyze any anomalies and error messages received. ¡ Attempt to exploit the vulnerability
EXERCISE #8: WEBGOAT String SQL Injection Try to inject an SQL string that results in all the credit card numbers being displayed.Try the user name of 'Smith'. 50
EXERCISE #8: WEBGOAT Solution Demonstration 51
CONCLUSION SECTION 8
WHAT NEXT? 53 Concepts we learned today Remaining concepts
WHAT NEXT? ¡ Read books ¡ Get a mentor ¡ So many free online resource! (Cybrary, coursera, MIT open courseware, etc.) ¡ Practice on intentionally vulnerable web applications ¡ Participate in CTF competitions ¡ Attend conferences ¡ Contribute to open-source security projects ¡ Apply to security jobs (Even if you don’t have all the qualifications. Most people don’t!) ¡ Take life one step at a time.You can do this! 54
GET IN TOUCH! 55 https://rkhal101.github.io/ /ranakhalil1 @rana__khalil /rkhal101
GET IN TOUCH! 56 Laptop stickers generously donated by OWASP!

Recommended

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Thoughtworks
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Rana Khalil
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slidesBassam Al-Khatib
 

Recommended

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingRana Khalil
 
Tw noche geek quito webappsec
Tw noche geek quito webappsecTw noche geek quito webappsec
Tw noche geek quito webappsecThoughtworks
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Thoughtworks
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-...Rana Khalil
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks Ahmed Sherif
 
Ceh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksCeh v8 labs module 03 scanning networks
Ceh v8 labs module 03 scanning networksAsep Sopyan
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...Outpost24
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slidesBassam Al-Khatib
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureWhiteSource
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureDevOps.com
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsInternet Security Auditors
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Web security
Web securityWeb security
Web securitykareem zock
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsRam G Athreya
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decompositionKaty Anton
 
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesTips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesKaty Anton
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 

More Related Content

Similar to AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf

Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureWhiteSource
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureDevOps.com
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsInternet Security Auditors
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Rana Khalil
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application SecurityJim Kaplan CIA CFE
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsRam G Athreya
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10Juan Golden Tiger
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Kyle Lai
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Kyle Lai
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdfRavi Aggarwal
 
Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decompositionKaty Anton
 
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesTips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesKaty Anton
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security AgileOleg Gryb
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...HackerOne
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 

Similar to AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf (20)

Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
Open Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure CultureOpen Source Security: How to Lay the Groundwork for a Secure Culture
Open Source Security: How to Lay the Groundwork for a Secure Culture
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
OWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application AssessmentsOWASP Europe Summit Portugal 2008. Web Application Assessments
OWASP Europe Summit Portugal 2008. Web Application Assessments
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
Why Johnny Still Can’t Pentest: A Comparative Analysis of Open-source Black-b...
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Cyber security series Application Security
Cyber security series Application SecurityCyber security series Application Security
Cyber security series Application Security
 
Web security
Web securityWeb security
Web security
 
Semi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applicationsSemi-Automated Security Testing of Web applications
Semi-Automated Security Testing of Web applications
 
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
OWASPAppSecEU2006_CanTestingToolsReallyFindOWASPTop10
 
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
Pactera Cybersecurity - Application Security Penetration Testing - Mobile, We...
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
 
Security testing
Security testingSecurity testing
Security testing
 
iOS Application Security.pdf
iOS Application Security.pdfiOS Application Security.pdf
iOS Application Security.pdf
 
Security vulnerabilities decomposition
Security vulnerabilities decompositionSecurity vulnerabilities decomposition
Security vulnerabilities decomposition
 
Tips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party LibrariesTips to Reduce the Attack Surface When Using Third-Party Libraries
Tips to Reduce the Attack Surface When Using Third-Party Libraries
 
Making Security Agile
Making Security AgileMaking Security Agile
Making Security Agile
 
How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...How GitLab and HackerOne help organizations innovate faster without compromis...
How GitLab and HackerOne help organizations innovate faster without compromis...
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 

Recently uploaded

Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Standkumarajju5765
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...SofiyaSharma5
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 

Recently uploaded (20)

Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
Dwarka Sector 26 Call Girls | Delhi | 9999965857 🫦 Vanshika Verma More Our Se...
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night StandHot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
Hot Call Girls |Delhi |Hauz Khas ☎ 9711199171 Book Your One night Stand
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
Low Rate Young Call Girls in Sector 63 Mamura Noida ✔️☆9289244007✔️☆ Female E...
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 

AnitaB-Atlanta-CyberSecurity-Weekend-Rana-Khalil.pdf

  • 1. INTRODUCTION TO WEB APPLICATION PENETRATION TESTING By: Rana Khalil
  • 2. WHO AM I? ¡ University of Ottawa student – Master of Computer Science ¡ Thesis: Comparative Analysis of Open-source Web Application Vulnerability Scanners ¡ Previous work experience include: Software developer,Tester, Ransomware researcher, Security Analyst. ¡ Aspiring Ethical Hacker! ¡ Removed my wisdom tooth a week ago L 2
  • 3. OUTLINE ¡ Introduction to web application penetration testing ¡ Software setup ¡ Mapping and analyzing the application ¡ Bypassing client-side controls ¡ Attacking authentication ¡ Attacking session management ¡ Attacking data stores 3
  • 4. THE WEB APPLICATION HACKER’S HANDBOOK 4 ¡ Bible of web application penetration testing. ¡ Good mix of theory and practice. ¡ Most of the examples in the slides are from this book.
  • 5. TOOLS NEEDED FOR WORKSHOP 5 ¡ Burp Community Edition ¡ OWASP ZAP ¡ VirtualBox ¡ OWASP BWA Project ¡ FoxyProxy Standard ¡ Modern browser (preferably Firefox) Note: You should have these tools already installed. An email was sent to registered participants prior to workshop.
  • 7. WHY THE WEB? 7 ¡ Let’s look at some statistics: ¡ Over 3.9 billion internet users in the world ¡ Over 1.9 billion websites online ¡ We use websites for everything: e-commerce, online banking to social networking, social media, etc. ¡ Web security has become a major concern for businesses. ¡ Recent example: Equifax.The breach exposed the personal information of 143 million US users and an estimated 100,000 Canadian users. ¡ According toTrustwave’s 2018 Global Security Report: ¡ 100% of the web applications scanned by Trustwave displayed at least one vulnerability. ¡ Median number of 11 vulnerabilities detected per application.
  • 8. HOWTO SECURE AWEB APPLICATION? 8 Combination of techniques are used: ¡ Secure coding practices ¡ Web application firewalls ¡ Static code analysis ¡ Web application penetration testing ¡ Etc.
  • 9. WHAT IS WEB APP PEN TESTING? 9 ¡ Combination of manual and automated tests to identify vulnerabilities, security flaws and/or threats in a web application. ¡ Categorized into three types: ¡ White box:Tester has complete access and in-depth knowledge of the system.Access to source code is usually given. ¡ Black box:Tester is given little to no information about the system. Just the URL of the application is usually given. ¡ Grey box: Combination of white box and black box penetration testing. Limited information and access is given to the tester. ¡ Several methodologies and guidelines: OWASP, PTES, PCI DSS, etc. ¡ Most important thing to keep in mind: you need permission to perform a security test!
  • 10. WHAT IS OWASP? 10 ¡ Stands for Open Web Application Security Project ¡ International open source community “dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted”. ¡ Contains widely used and popular tools such as the ZAP. ¡ OWASPTOP 10 Project
  • 11. ABSTRACT PEN TESTING METHODOLOGY 11 Reconnaissance Mapping + Analyzing Discovery Exploitation
  • 13. SOFTWARE SETUP 13 1. DownloadVirtualBox and OWASP BWA Project virtual machine. 2. Install OWASP BWA Project vm onVirtualBox. 3. Download Firefox and FoxyProxy add-on. 4. Download Burp Suite Community Edition and OWASP ZAP. 5. Configure Burp and ZAP in FoxyProxy.
  • 14. HOW DOES A PROXY WORK? 14
  • 16. MAPPING AND ANALYZING THE APPLICATION SECTION 3
  • 17. MAPPING THE APPLICATION 17 ¡ Explore the visible content ¡ Review public resources ¡ Identify any hidden content
  • 18. ANALYZING THE APPLICATION 18 ¡ Identify functionality ¡ Identify data entry points ¡ Identify the technologies used ¡ Map the attack surface
  • 19. EXERCISE #1:WACKOPICKO 19 Web Spidering Your goal is to use ZAP spider to crawl the application. 1. Configure browser to work with ZAP 2. Load the application on configured browser 3. Include root application URL in context. 4. Right click on the root URL in the Sites tree map > select Attack > select Spider. 5. Right click on the root URL in the Sites tree map > select Attack > select Ajax Spider.
  • 23. BYPASSING CLIENT-SIDE CONTROLS Ø Allowing clients to submit arbitrary input is a core security problem in web applications. § Users have full control of everything submitted from the client. § Can cause a range of problems including corrupting data stores, allowing unauthorized access to users and buffer overflows. Ø In general, there are two ways client-side controls are used to restrict user input: § Transmitting data via the client using mechanisms that “prevent” user interaction. Examples include hidden form fields, disabled elements, referrer header, URL parameters, etc. § Controlling user input using measures that “restrict” user input. Examples include HTML form features, client-side scripts, etc. 23
  • 24. TRANSMITTING DATAVIATHE CLIENT Ø Example #1: Hidden Form Field 24 Code Request
  • 25. TRANSMITTING DATAVIATHE CLIENT Ø Example #2: HTTP Cookies ¡ Response: Request: 25
  • 26. EXERCISE #2:WEBGOAT Exploit Hidden Fields Try to purchase the HDTV for less than the purchase price, if you have not done so already. 26
  • 28. RESTRICTING USER DATA Ø Example #3: Length Limits 28
  • 29. RESTRICTING USER DATA Ø Example #4: Disabled Elements 29
  • 30. EXERCISE #3:WEBGOAT Bypass HTML Field Restrictions You must submit invalid values for all six fields in one form submission. 30
  • 32. RESTRICTING USER DATA Ø Example #5: Script-BasedValidation 32
  • 33. EXERCISE #4:WEBGOAT Bypass Client Side JavaScriptValidation You must break all 7 validators at the same time. 33
  • 36. AUTHENTICATION Ø Authentication is a mechanism for validating a user. Ø There are many authentication technologies: § HTML forms-based authentication § Multifactor authentication § Client SSL certificates and/or smartcards § etc Ø In general, there are two factors that result in insecure authentication: § Design flaws in authentication mechanisms § Implementation flaws in authentication 36
  • 37. DESIGN FLAWS IN AUTHENTICATION MECHANISMS Ø Bad passwords* Ø Brute-forcible logins Ø Verbose Failure messages Ø Vulnerable transmission of credentials Ø Weaknesses in password change functionality Ø Weaknesses in forgotten password functionality* Ø etc. 37
  • 38. BAD PASSWORDS Ø Very short or blank passwords Ø Common dictionary words or names Ø The same as the username Ø Still set to the default value Ø Check the strength of your password: https://password.kaspersky.com/ 38
  • 39. EXERCISE #5: WEBGOAT Forgot Password The goal is to retrieve the password of another user. 39
  • 41. IMPLEMENTATION FLAWS IN AUTHENTICATION Ø Fail-open login mechanisms Ø Defects in multistage login mechanisms* Ø Assumption that access to a later stage means that the user cleared prior stages. Ø Trusting client side data across stages Ø Insecure storage of credentials Ø etc. 41
  • 42. EXERCISE #6:WEBGOAT Multi Level Login 2 Your goal is to log in as Jane. 42
  • 45. ATTACKING SESSION MANAGEMENT 45 ¡ Understand the mechanism ¡ Test session tokens for meaning ¡ Test session tokens for predictability ¡ Check for session termination
  • 46. EXERCISE #7: WACKOPICKO Session Management Try to determine how the session is being calculated for the admin interface. Log in as admin/admin multiple times to solve this exercise. 46
  • 49. ATTACKING DATA STORES 49 ¡ Most applications have a data store to manage and store data. ¡ User accounts, credentials and personal information. ¡ Prices of items ¡ Orders ¡ Privilege level of a user ¡ We’ll test for SQL injections. ¡ Supply unexpected syntax that might cause problems in the application. ¡ Identify and analyze any anomalies and error messages received. ¡ Attempt to exploit the vulnerability
  • 50. EXERCISE #8: WEBGOAT String SQL Injection Try to inject an SQL string that results in all the credit card numbers being displayed.Try the user name of 'Smith'. 50
  • 51. EXERCISE #8: WEBGOAT Solution Demonstration 51
  • 54. WHAT NEXT? ¡ Read books ¡ Get a mentor ¡ So many free online resource! (Cybrary, coursera, MIT open courseware, etc.) ¡ Practice on intentionally vulnerable web applications ¡ Participate in CTF competitions ¡ Attend conferences ¡ Contribute to open-source security projects ¡ Apply to security jobs (Even if you don’t have all the qualifications. Most people don’t!) ¡ Take life one step at a time.You can do this! 54
  • 56. GET IN TOUCH! 56 Laptop stickers generously donated by OWASP!