Hands on Demonstration for Testing Security in Web Applications

advertisement
Hands on
Demonstration for
Testing Security in
Web Applications
Aaron Weaver
August 2010
Agenda
• What kind of application security
vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects
In the news...
the Solution?
AND NO
Not in the Cloud!
Web Application
Security Testing
OWASP Top 10 list
Top attacks
• SQL Injection
• Cross Site Scripting
• Authentication
ATTACK


Custom Code
App Server
Firewall
Hardened OS
Firewall
Network Layer
Web Server
DB Table


Billing
Human Resrcs
Directories
Web Services

Legacy Systems
Databases
HTTP
responseSQL

query
HTTP
request
APPLICATION
"SELECT * FROM
accounts WHERE
SKU:
acct=‘’ OR 1=1-Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
’"
Account Summary
Account:
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
Administration
Transactions
Accounts
Finance
Application Layer
SQL Injection
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
1. Application presents a
form to the attacker
2. Attacker sends an
attack in the form data
3. Application forwards
attack to the database in
a SQL query
4. Database runs query
containing attack and
sends encrypted results
back to application
5. Application decrypts
data as normal and
sends results to the user
Cross-Site Scripting
Attacker sets the trap – update my profile
Victim views page – sees attacker profile
Custom Code
Script runs inside victim’s
browser with full access to
the DOM and cookies
3
Script silently sends attacker Victim’s session cookie
Communication
Knowledge Mgmt
E-Commerce
Bus. Functions
2
Administration
Transactions
Attacker enters a
malicious script into a
web page that stores the
data on the server
Application with
stored XSS
vulnerability
Accounts
Finance
1
Authentication
Tools Overview
• Proxies
Tools
• Burp Suite
• Paros
• WebScarab
• Fiddler
• FoxyProxy plugin
• Open source scanners
• Skipfish
Burp Suite
http://portswigger.net/proxy/
FoxyProxy Browser Plugin
https://addons.mozilla.org/en-US/firefox/addon/2464/
Skipfish
A fully automated, active web application security
reconnaissance tool
* Server-side SQL injection (including blind vectors, numerical
parameters).
* Stored and reflected XSS
* Directory listing bypass vectors.
* External untrusted embedded content.
http://code.google.com/p/skipfish/
Cheat Sheet
Quick Cheat Sheet
Cheat Sheet
AppSec Tools
Demonstration
Prioritizing
Threat Risk
D
R
E
A
D
amage potential
eproducibility
xploitability
ffected users
iscoverability
Scoring
D
R
E
A
D
0-3 =
0-15
Total
Severity Rating
Low
1-7
Medium
8-10
High
11-14
Critical
15
Threat Risk Modeling
• STRIDE (Microsoft)
• OWASP Risk Ranking
• Trike
• CVSS
Questions?
Thanks!
Download