Hands on Demonstration for Testing Security in Web Applications
Aaron Weaver
August 2010

Agenda
• What kind of application security vulnerabilities should be tested?
• Methodology for testing
• Open source tools available
• Prioritizing application security defects

In the news...

The Solution? AND NO, Not in the Cloud!

Web Application Security Testing
OWASP Top 10 list

Top attacks
• SQL Injection
• Cross Site Scripting
• Authentication

SQL Injection (Application Layer)
Diagram: the ATTACK passes through the Network Layer (Firewall, Hardened OS, Web Server, App Server, Firewall) into the Application Layer (Custom Code; application functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions) and on to the back ends: Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing.
Flow: HTTP request → APPLICATION → SQL query → DB Table → HTTP response
Query built from the form data: "SELECT * FROM accounts WHERE acct='' OR 1=1--'"
Account Summary returned to the attacker (diagram labels: SKU:, Account:): Acct:5424-6066-2134-4334, Acct:4128-7574-3921-0192, Acct:5424-9383-2039-4029, Acct:4128-0004-1234-0293
1. Application presents a form to the attacker
2. Attacker sends an attack in the form data
3. Application forwards attack to the database in a SQL query
4. Database runs query containing attack and sends encrypted results back to application
5. Application decrypts data as normal and sends results to the user

Cross-Site Scripting (stored XSS)
Diagram: Custom Code; application functions Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, Administration, Transactions, Accounts, Finance; "Application with stored XSS vulnerability".
Attacker enters a malicious script into a web page that stores the data on the server.
1. Attacker sets the trap – update my profile
2. Victim views page – sees attacker profile
   Script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker Victim’s session cookie

Authentication

Tools Overview
• Proxies
• Open source scanners

Proxy Tools
• Burp Suite: http://portswigger.net/proxy/
• Paros
• WebScarab
• Fiddler
• FoxyProxy browser plugin: https://addons.mozilla.org/en-US/firefox/addon/2464/

Open source scanners
• Skipfish: http://code.google.com/p/skipfish/
  A fully automated, active web application security reconnaissance tool. Checks include:
  * Server-side SQL injection (including blind vectors, numerical parameters)
  * Stored and reflected XSS
  * Directory listing bypass vectors
  * External untrusted embedded content

Cheat Sheet
Quick Cheat Sheet

AppSec Tools Demonstration

Prioritizing Threat Risk: DREAD
• Damage potential
• Reproducibility
• Exploitability
• Affected users
• Discoverability

Scoring: each of D, R, E, A, D is scored 0-3, giving a total of 0-15.
Severity rating by total:
• Low: 1-7
• Medium: 8-10
• High: 11-14
• Critical: 15

Threat Risk Modeling
• STRIDE (Microsoft)
• OWASP Risk Ranking
• Trike
• CVSS

Questions? Thanks!
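The SQL injection slide shows the query "SELECT * FROM accounts WHERE acct='' OR 1=1--'" returning every account. The following Python script is an added example, not part of the original slide deck, that reproduces steps 3 to 5 against a constructed in-memory SQLite table (the account numbers are the ones on the slide, the owner names and the functions build_vulnerable_sql, lookup_vulnerable, lookup_safe and demo are assumptions) and shows the parameterised query that the slide's attack does not affect.

```python
import sqlite3

# Constructed in-memory accounts table; the account numbers are the ones shown
# in the slide's "Account Summary", the owner names are made up here.
ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def build_vulnerable_sql(acct):
    # Step 3 of the slide: the form field is pasted straight into the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    return f"SELECT * FROM accounts WHERE acct='{acct}'"


def lookup_vulnerable(conn, acct):
    # Step 4: the database runs whatever the concatenation produced.
    return conn.execute(build_vulnerable_sql(acct)).fetchall()


def lookup_safe(conn, acct):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so the input can only ever be compared as a string, never parsed.
    return conn.execute("SELECT * FROM accounts WHERE acct=?", (acct,)).fetchall()


def demo():
    conn = make_db()
    payload = "' OR 1=1--"          # the form data from the slide
    legit = "5424-6066-2134-4334"   # one real account number
    return {
        "sql": build_vulnerable_sql(payload),
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),
        "safe_rows": len(lookup_safe(conn, payload)),
        "legit_rows": len(lookup_safe(conn, legit)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the slide's input the concatenated query returns all four accounts, the parameterised query returns none, and a genuine account number still returns its single row, which is the check a tester wants to see after a fix.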
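The stored XSS slide walks through a profile update that is stored on the server and later rendered into a victim's page. This Python script is an added example, not from the original deck, that models that flow with a constructed in-memory profile store: the vulnerable renderer emits the stored text verbatim, the safe renderer applies HTML output encoding, and an HttpOnly session cookie is shown as defence in depth against step 3. The script payload, the store and the function names (update_profile, render_profile_vulnerable, render_profile_safe, session_cookie_header, demo) are assumptions.

```python
import html

# Constructed server-side profile store standing in for the application's database.
PROFILES = {}

# Constructed stand-in for the script on the slide; it only pops an alert box.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"


def update_profile(user, bio):
    # Step 1: the application stores whatever the "update my profile" form sent.
    PROFILES[user] = bio


def render_profile_vulnerable(user):
    # Step 2: the stored text is dropped into the page unchanged, so the victim's
    # browser parses the attacker's <script> element as part of the document.
    return f'<div class="bio">{PROFILES[user]}</div>'


def render_profile_safe(user):
    # Output encoding for the HTML text context: < > & " ' become entities, so the
    # browser displays the script's text instead of executing it.
    return f'<div class="bio">{html.escape(PROFILES[user], quote=True)}</div>'


def session_cookie_header(session_id):
    # Defence in depth for step 3: an HttpOnly cookie is not exposed through
    # document.cookie, so script that does run cannot read the session id.
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; Path=/"


def contains_script_tag(rendered):
    # Simple check a tester can run over rendered output.
    return "<script" in rendered.lower()


def demo():
    update_profile("attacker", SCRIPT_PAYLOAD)
    return {
        "vulnerable": render_profile_vulnerable("attacker"),
        "safe": render_profile_safe("attacker"),
        "cookie": session_cookie_header("constructed-session-id"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping is done at render time rather than on input so the stored data stays intact for other output contexts; the HttpOnly flag does not stop the script from running but removes the session cookie from what it can read.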