Boutique product development company It is amazing what you can accomplish when you have a client-centric team to deliver outstanding products.
Workshop Sikandar Ahmed | Presenter
Arooj Un Nisa | Co-presenter
If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier
Security Testing
• What is Security Testing?
• Top 10 Security Risks
• Security Testing Types
• Security Exposure Revealing: Practice
• Security Tools
Arooj | QA Mentor
What is Security Testing?
"Security Testing" tests the ability of the system or software to prevent unauthorized access to its resources and data.
What does it cover?
Security Testing needs to cover the six basic security concepts:
• Confidentiality
• Integrity
• Authentication
• Authorization
• Availability
• Non-repudiation
Top Ten Security Risks
• SQL Injections
• Cross Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object References
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Types: Black Box and White Box Hacking
In black-box hacking, you try to find security bugs by experimenting with the application: manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. Watcher can be used for black-box hacking.
In white-box hacking, you have access to the source code and can use automated or manual analysis to identify bugs. Gruyere supports this: its source code is available, so you can find the bugs by reading it.
Security Exposure Revealing: Practice
Want to beat the hackers at their own game?
Meet me: I am Gruyere. Reach me: I am at Google Code Labs.
Gruyere: Practice
Learn:
• How hackers find security vulnerabilities
• How hackers exploit web applications
• How to stop them
How can web application vulnerabilities be exploited, and how can you defend against these attacks?
• How can an application be attacked using common web security vulnerabilities, like cross-site scripting (XSS) and cross-site request forgery (XSRF)?
• How do you find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial of service, information disclosure, or remote code execution?
Cross Site Scripting (XSS)
Sikandar Ahmed | QA Mentor
• Cross-site scripting (XSS) is a vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the content of a website that is not under the attacker's control.
• When a victim views such a page, the injected code executes in the victim's browser.
• Types of XSS:
• Reflected
• Stored
XSS Types
• In a reflected XSS attack, the attack payload is in the request itself (frequently the URL), and the vulnerability occurs when the server inserts that payload into the response verbatim or incorrectly escaped or sanitized.
• The victim triggers the attack by browsing to a malicious URL created by the attacker.
• In a stored XSS attack, the attacker stores the attack payload in the application (e.g., in a snippet), and the victim triggers the attack by browsing to a page on the server that renders the payload without properly escaping or sanitizing the stored data.
XSS Attack
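Both XSS types on the slides above come down to the same defect: untrusted text reaches the page without output escaping. The following is an added example, not code from the workshop or from Gruyere; the snippet, the search URL and the page template are constructed, and the check function only exists to make the difference visible. It renders a stored snippet and a reflected query parameter once verbatim and once escaped.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed samples (not from Gruyere): a stored "snippet" an attacker submitted
# earlier, and a reflected search URL whose q= parameter the server echoes back.
STORED_SNIPPET = "Nice site <script>alert(document.cookie)</script>"
REFLECTED_URL = "https://example.test/search?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"

PAGE_TEMPLATE = "<html><body><h1>Snippets</h1><p>{body}</p></body></html>"


def render_vulnerable(untrusted: str) -> str:
    """Inserts user-controlled text into the page verbatim: the XSS bug."""
    return PAGE_TEMPLATE.format(body=untrusted)


def render_safe(untrusted: str) -> str:
    """Escapes & < > " and ' so the text is displayed, not parsed as markup."""
    return PAGE_TEMPLATE.format(body=html.escape(untrusted, quote=True))


def search_term(url: str) -> str:
    """Returns the decoded q= parameter, i.e. what a reflected page would echo."""
    return parse_qs(urlparse(url).query).get("q", [""])[0]


def has_live_tag(page: str) -> bool:
    """Demo check only: is an unescaped <script> or <img> tag still in the output?"""
    return "<script" in page or "<img" in page


if __name__ == "__main__":
    for label, data in (("stored", STORED_SNIPPET), ("reflected", search_term(REFLECTED_URL))):
        print(f"{label:9} vulnerable -> live tag: {has_live_tag(render_vulnerable(data))}")
        print(f"{label:9} safe       -> live tag: {has_live_tag(render_safe(data))}")
```

Escaping belongs at the point of output, and the escaping function depends on the context (HTML text here; attribute values, URLs and JavaScript strings need different encoders), which is why a single input filter at submission time is not enough.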
SQL Injection
• SQL injection vulnerabilities allow attackers to inject arbitrary SQL into your queries.
• When a SQL query is executed it can either read or write data, so an injection can be used to read your entire database as well as overwrite it, as described in the classic "Bobby Tables" XKCD comic.
• If you use SQL, the most important advice is to avoid building queries by string concatenation; use parameterized API calls instead.
How Is a SQL Injection Attack Exploited?
A SQL injection attack allows external users to read details from the database:
• In a well-designed system this will only include data that is available to the public anyway.
• In a poorly designed system this may allow external users to discover other users' passwords.
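The two SQL injection slides above are illustrated by this added example, which is not code from the workshop or from Gruyere. It builds a constructed in-memory SQLite table and runs the same lookup two ways: concatenated (the bug the slide warns about, which lets a filter be bypassed and another user's password column be read) and through the driver's parameter API (the fix the slide recommends). The plaintext passwords exist only to make the leak visible.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database (not Gruyere's). Plaintext passwords are used only
    to make the data leak visible; a real system stores password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_public INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string concatenation: user input becomes part of the SQL."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' AND is_public = 1"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Same query through the driver's parameter API: the input is bound as a value,
    so quotes, comments and UNIONs inside it never change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = ? AND is_public = 1"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


# Constructed inputs: a normal name and two classic injection strings. The trailing
# "--" turns the rest of the concatenated query into a comment.
NORMAL = "alice"
BYPASS_FILTER = "' OR 1=1 --"
DUMP_PASSWORDS = "' UNION SELECT password FROM users --"

if __name__ == "__main__":
    db = build_db()
    for payload in (NORMAL, BYPASS_FILTER, DUMP_PASSWORDS):
        print(repr(payload))
        print("  concatenated :", lookup_vulnerable(db, payload))
        print("  parameterized:", lookup_safe(db, payload))
```

With the parameterized version every payload is treated as a literal user name that matches nothing, which is exactly the "well-designed system" case on the slide: the only data reachable is what the query was written to expose.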
Client State Manipulation
• When a user interacts with a web application, they do it indirectly through a browser.
• When the user clicks a button or submits a form, the browser sends a request back to the web server. Because the browser runs on a machine that can be controlled by an attacker, the application must not trust any data sent by the browser.
• It might seem that not trusting any user data would make it impossible to write a web application, but that's not the case.
• If the user submits a form that says they wish to purchase an item, it's OK to trust that data.
• But if the submitted form also includes the price of the item, that's something that cannot be trusted.
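The purchase form on the slide, as an added example that is not part of the workshop material. The catalog, the form fields and the tampered request are constructed. One handler multiplies whatever price the browser sent; the other accepts only the user's choice (item and quantity), validates it, and recomputes the price from the server-side catalog.

```python
from decimal import Decimal


# Constructed server-side catalog: the only place prices come from.
CATALOG = {"widget": Decimal("19.99"), "gadget": Decimal("49.00")}
MAX_QUANTITY = 100


class BadRequest(ValueError):
    """Raised for form data the server refuses to act on."""


def total_vulnerable(form: dict) -> Decimal:
    """Uses the price the browser sent, so an edited hidden field sets the price."""
    return Decimal(form["price"]) * int(form["quantity"])


def total_safe(form: dict) -> Decimal:
    """Trusts only the user's choice (which item, how many), validates it, and
    recomputes the price from the catalog; any 'price' field is ignored."""
    item = form.get("item")
    if item not in CATALOG:
        raise BadRequest("unknown item")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise BadRequest("quantity is not an integer") from None
    if not 1 <= quantity <= MAX_QUANTITY:
        raise BadRequest("quantity out of range")
    return CATALOG[item] * quantity


# Constructed request: the rendered form carried price=49.00 as a hidden field,
# and the client changed it to 0.01 before submitting.
TAMPERED_FORM = {"item": "gadget", "quantity": "2", "price": "0.01"}

if __name__ == "__main__":
    print("trusting the form :", total_vulnerable(TAMPERED_FORM))
    print("server-side price :", total_safe(TAMPERED_FORM))
```

The same rule applies to any hidden field or cookie that encodes a decision the server already made (user id, role, discount, order total): either look it up again server-side or carry it in a value the server signed, so tampering is detectable.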
Cross Site Request Forgery (XSRF)
• Also known as a One-Click Attack, Session Riding, or CSRF ("Sea-Surf").
• XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
• Unlike XSS, which exploits the trust a user has for a particular site, XSRF exploits the trust a site has in a user's browser.
Cross Site Script Inclusion (XSSI)
• When a browser makes requests to a site, it always sends along any cookies it has for that site, regardless of where the request comes from.
• Additionally, web servers generally cannot distinguish between a request initiated by a deliberate user action (e.g., the user clicking a "Submit" button) and a request made by the browser without user action (e.g., a request for an image embedded in a page).
• Therefore, if a site receives a request to perform some action (like deleting a mail or changing a contact address), it cannot know whether this action was knowingly initiated by the user, even if the request contains authentication cookies. An attacker can use this fact to fool the server into performing actions the user did not intend.
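The cookie behaviour in the bullets above is what the XSRF slide's attack relies on, and the standard countermeasure is a secret the browser does not send automatically: a per-session token embedded in the site's own forms. This is an added example, not code from the workshop or from Gruyere; the server secret, the session store and the two requests are constructed. The forged request carries the victim's cookie (the browser attaches it) but no token, so the handler refuses it.

```python
import hashlib
import hmac
import secrets

# Constructed server-side state. A real deployment loads the secret from config
# and keeps sessions in a store; both are in memory here so the example runs offline.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sess-abc": "alice"}


def issue_xsrf_token(session_id: str) -> str:
    """Per-session token the server embeds as a hidden field in every state-changing
    form. A page on another origin cannot read it, so a forged request lacks it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, token) -> bool:
    """Constant-time comparison against the token this session should hold."""
    return isinstance(token, str) and hmac.compare_digest(issue_xsrf_token(session_id), token)


def handle_delete_mail(request: dict) -> str:
    """request = {'cookies': {...}, 'form': {...}}. The cookie proves which account the
    browser is logged in as; only the token proves the user's own page sent the form."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    if not token_is_valid(session_id, request["form"].get("xsrf_token")):
        return "403 missing or invalid XSRF token"
    return f"200 deleted mail {request['form'].get('mail_id')} for {user}"


def forged_request() -> dict:
    """What arrives when a page on another site auto-submits a form: the browser
    attaches alice's cookie, but the attacker's page cannot supply her token."""
    return {"cookies": {"session": "sess-abc"}, "form": {"mail_id": "42"}}


def legitimate_request() -> dict:
    """The same action submitted from the site's own form, which carried the token."""
    return {"cookies": {"session": "sess-abc"},
            "form": {"mail_id": "42", "xsrf_token": issue_xsrf_token("sess-abc")}}


if __name__ == "__main__":
    print("forged    :", handle_delete_mail(forged_request()))
    print("legitimate:", handle_delete_mail(legitimate_request()))
```

Two details matter in practice: the token is checked on every request that changes state (not on page views), and the comparison uses `hmac.compare_digest` rather than `==` so that a timing difference does not leak the token byte by byte.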
Path Traversal
• Most web applications serve static resources like images and CSS files. Frequently, applications simply serve all the files in a folder.
• If the application isn't careful, the user can use a path traversal attack to read files from other folders that they shouldn't have access to.
• For example, in both Windows and Linux, .. represents the parent directory, so if you can inject ../ in a path you can "escape" to the parent directory.
• If an attacker knows the structure of your file system, then they can craft a URL that will traverse out of the installation directory to /etc.
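A static-file handler that cannot be walked out of its folder, as an added example that is not code from the workshop or from Gruyere. The directory layout and the request paths are constructed in a temporary directory; the check goes slightly beyond the slide by also handling the URL-encoded form of `..` and a traversal nested inside a valid subdirectory.

```python
import os
import tempfile
from urllib.parse import unquote


class Forbidden(Exception):
    """Raised when a request path would resolve outside the static root."""


def resolve_static(root: str, request_path: str) -> str:
    """Maps a URL path onto a file under root, refusing anything that escapes root."""
    decoded = unquote(request_path).lstrip("/")   # %2e%2e/ must be decoded before the check
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    # realpath collapses every ".." and follows symlinks; commonpath is the
    # directory-aware containment test (a plain startswith() would accept a
    # sibling such as /srv/static_private next to /srv/static).
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise Forbidden(request_path)
    return candidate


def make_demo_tree() -> str:
    """Constructed layout: <tmp>/static/css/site.css is servable, <tmp>/secret.txt is not."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "static")
    os.makedirs(os.path.join(root, "css"))
    with open(os.path.join(root, "css", "site.css"), "w") as f:
        f.write("body {}")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for the web")
    return root


def serve(root: str, request_path: str) -> str:
    """Returns the file's text, or the status a handler would answer with."""
    try:
        path = resolve_static(root, request_path)
    except Forbidden:
        return "403 Forbidden"
    if not os.path.isfile(path):
        return "404 Not Found"
    with open(path) as f:
        return f.read()


# Constructed request paths: one legitimate, three traversal attempts
# (plain, URL-encoded, and nested inside a valid subdirectory).
REQUESTS = ["/css/site.css", "/../secret.txt", "/%2e%2e/secret.txt", "/css/../../secret.txt"]

if __name__ == "__main__":
    root = make_demo_tree()
    for req in REQUESTS:
        print(f"{req:24} -> {serve(root, req)}")
```

Resolving the path first and then testing containment is the robust order; trying to strip `../` substrings from the request instead tends to miss encoded or doubled variants.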
Denial of Service
• A denial of service (DoS) attack is an attempt to make a server unable to service ordinary requests.
• A common form of DoS attack is sending more requests to a server than it can handle. The server spends so much of its time servicing the attacker's requests that it has very little time left to service legitimate requests.
• Hackers can also prevent a server from servicing requests by taking advantage of server bugs, such as sending requests that crash a server, make it run out of memory, or otherwise cause it to fail to serve legitimate requests in some way.
DoS Attack
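The request flood on the DoS slides, replayed against two cheap defences: a per-client sliding-window rate limit and an upper bound on request body size (the "run out of memory" case). This is an added example, not code from the workshop; the traffic, the addresses (documentation ranges) and the limits are constructed.

```python
from collections import defaultdict, deque

MAX_BODY_BYTES = 64 * 1024   # refuse oversized uploads before buffering them


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per client in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self.history = defaultdict(deque)   # client -> timestamps of accepted requests

    def allow(self, client: str, now: float) -> bool:
        stamps = self.history[client]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()                 # drop requests that have left the window
        if len(stamps) >= self.limit:
            return False
        stamps.append(now)
        return True


def handle(limiter: RateLimiter, client: str, now: float, body_len: int) -> str:
    """Cheap checks first, so a flood is rejected before any real work is done."""
    if body_len > MAX_BODY_BYTES:
        return "413"
    if not limiter.allow(client, now):
        return "429"
    return "200"


# Constructed traffic: 203.0.113.9 sends 20 requests within one second and one
# 1 MiB body; 198.51.100.4 sends a single ordinary request in the same second.
REQUESTS = [("203.0.113.9", 0.05 * i, 100) for i in range(20)]
REQUESTS += [("198.51.100.4", 0.5, 100), ("203.0.113.9", 0.99, 1024 * 1024)]


def simulate(requests, limit: int = 5, window: float = 1.0) -> dict:
    """Replays the requests in time order; returns per-client counts of each status."""
    limiter = RateLimiter(limit, window)
    counts = defaultdict(lambda: defaultdict(int))
    for client, ts, size in sorted(requests, key=lambda r: r[1]):
        counts[client][handle(limiter, client, ts, size)] += 1
    return {client: dict(statuses) for client, statuses in counts.items()}


if __name__ == "__main__":
    for client, statuses in simulate(REQUESTS).items():
        print(client, statuses)
```

Per-client limiting keeps the legitimate client's request at 200 while the flood is cut to the first five; it does not help against traffic spread over many source addresses, which is why such limits sit alongside capacity and upstream filtering rather than replacing them.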
Configuration Vulnerabilities
• Applications are often installed with default settings.
• This is a particular issue with third-party software, where an attacker has easy access to a copy of the same application or framework you are running.
• Hackers know the default account names and passwords. Configuration vulnerabilities also include features that increase the attack surface.
• A common example is a feature that is on by default but that you are not using, so you didn't configure it, and the default configuration is vulnerable.
• It also includes debug features like status pages or dumping stack traces on failures.
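A configuration audit covering the items on the slide (default credentials, unused features left on, debug and status features), as an added example that is not part of the workshop material. The INI format, the two configs and the list of shipped default credentials are constructed; for real software the defaults come from the vendor's documentation.

```python
import configparser

# Constructed sample of credentials a product might ship with.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "")}

# Constructed configs: as installed, and after hardening.
AS_INSTALLED = """
[server]
debug = true
show_stack_traces = true
status_page = enabled

[admin]
user = admin
password = admin

[features]
remote_console = enabled
file_upload = enabled
"""

HARDENED = """
[server]
debug = false
show_stack_traces = false
status_page = disabled

[admin]
user = ops
password = ${ADMIN_PASSWORD}

[features]
remote_console = disabled
file_upload = enabled
"""


def audit(config_text: str, used_features=frozenset()) -> list:
    """Returns the weaknesses from the slide that are present in config_text.
    used_features names the features the deployment actually relies on; any other
    enabled feature is reported as attack surface that was never configured."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    findings = []
    if cfg.getboolean("server", "debug", fallback=False):
        findings.append("debug mode is on")
    if cfg.getboolean("server", "show_stack_traces", fallback=False):
        findings.append("stack traces are returned to clients")
    if cfg.get("server", "status_page", fallback="disabled") == "enabled":
        findings.append("status page is exposed")
    credentials = (cfg.get("admin", "user", fallback=""), cfg.get("admin", "password", fallback=""))
    if credentials in DEFAULT_CREDENTIALS:
        findings.append("admin account still uses a default password")
    if cfg.has_section("features"):
        for feature, state in cfg.items("features"):
            if state == "enabled" and feature not in used_features:
                findings.append(f"feature '{feature}' is on by default but unused")
    return findings


if __name__ == "__main__":
    for label, text in (("as installed", AS_INSTALLED), ("hardened", HARDENED)):
        print(label, "->", audit(text, used_features={"file_upload"}) or "no findings")
```

Running a check like this in the deployment pipeline turns the slide's advice into something that fails a build, which is more reliable than remembering to look at every setting by hand.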
AJAX Vulnerabilities
• Bad AJAX code allows attackers to modify parts of your application in ways that you might not expect.
• In traditional client development, there is a clear separation between the application and the data it displays. That's not true in web applications, as the next two attacks will make clear.
Security Testing Tools
• Havij (http://itsecteam.com/products/havij-advanced-sql-injection): Havij is an automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page.
• WebSecurify (www.websecurify.com): WebSecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery, and fuzzing technologies.
• Watcher (http://websecuritytool.codeplex.com/): Watcher is a runtime passive-analysis tool for HTTP-based web applications. Being passive means it won't damage production systems; it is completely safe to use in cloud computing, shared hosting, and dedicated hosting environments. Watcher detects web-application security issues as well as operational configuration issues.
• Wapiti (http://wapiti.sourceforge.net/): Wapiti allows you to audit the security of your web applications, including file handling errors (local and remote include/require, fopen, readfile, ...). It performs "black-box" scans, i.e. it does not study the source code of the application but scans the web pages of the deployed web app, looking for scripts and forms where it can inject data.
• FlawFinder (http://www.dwheeler.com/flawfinder/): searches through C/C++ source code looking for potential security flaws. It is written in Python and produces a list of "hits" (potential security flaws), sorted by risk; the riskiest hits are shown first.
• Honeyd (http://www.honeyd.org/): Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses.
• Brakeman (http://brakemanscanner.org/): Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications.
• It statically analyzes Rails application code to find security issues at any stage of development.
• If you happen to use the Hudson/Jenkins continuous integration tool, there is a Brakeman plugin for it.
• It requires Rails 3.
Server Security: Linux
• Set the complex root password
• Install Fail2ban
• Require public key authentication
• Lock Down SSH
• Set Up a Firewall
• Enable Automatic Security Updates
• Install Logwatch To Keep An Eye On Things
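The SSH items in the checklist above ("Require public key authentication", "Lock Down SSH") can be verified rather than assumed. The following is an added example, not part of the workshop material: a small audit of an sshd_config against a locked-down baseline. The two config samples are constructed; the parsing follows sshd's own rule that the first occurrence of a keyword wins, and the baseline values (PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes, an AllowUsers/AllowGroups restriction) are this example's choice, not the deck's. Match blocks and the `Keyword=value` spelling are not handled.

```python
# Constructed sshd_config samples: a permissive one and a locked-down one.
PERMISSIVE = """
# as found on the server
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

LOCKED_DOWN = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
"""

# Keyword -> (required value, reason). Keywords are case-insensitive in sshd_config.
REQUIRED = {
    "permitrootlogin": ("no", "root must not log in over SSH; use a normal user and sudo"),
    "passwordauthentication": ("no", "password logins are what brute-force attempts target"),
    "pubkeyauthentication": ("yes", "public key authentication must stay enabled"),
}


def parse_sshd_config(text: str) -> dict:
    """Parses 'Keyword value' lines. As in sshd itself, the first occurrence of a
    keyword wins and everything after '#' is a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd(text: str) -> list:
    """Lists settings that differ from the locked-down baseline. A missing keyword is
    reported too: sshd then uses its compiled-in default, which for
    PasswordAuthentication is 'yes'."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, reason) in REQUIRED.items():
        actual = settings.get(key)
        if actual is None:
            findings.append(f"{key} not set explicitly (set it to '{wanted}': {reason})")
        elif actual.lower() != wanted:
            findings.append(f"{key} is '{actual}', expected '{wanted}': {reason}")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: every local account may attempt SSH login")
    return findings


if __name__ == "__main__":
    for label, text in (("permissive", PERMISSIVE), ("locked down", LOCKED_DOWN)):
        print(label, "->", audit_sshd(text) or "no findings")
```

On a real host the text would come from `/etc/ssh/sshd_config`, and the change would only be applied after confirming in a second session that key-based login works, since disabling password authentication with no working key locks you out.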
References
• http://google-gruyere.appspot.com
• https://www.owasp.org/index.php/Top_10_2010-Main
• http://www.softwaretestingmentor.com/types-of-testing/security-testing/
• http://vishnuvalentino.com/tips-and-trick/penetration-testing-pros-and-cons/
• http://www.toolsjournal.com/testing-lists/item/217-10-free-and-opensource-tools-for-security-testing
• http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers