2. What is Security Testing
• Security testing is the process that determines that confidential data
stays confidential and users can perform only those tasks that they
are authorized to perform.
• It also helps in detecting all possible security risks in the system and
help developers in fixing these problems through coding
• Security testing is vital for e-commerce website that store sensitive
customer information like credit cards.
3. Why web application security is of
high importance
• Web applications are increasing day by day
• Most web applications are vulnerable.
• 98 % of the web applications are vulnerable .
• 78 % of easily exploitable weakness occur in web applications.
4. Types of web application
vulnerabilities
Security Testing is deemed successful when the below attributes of
an application are intact
• Authentication
• Authorization
• Client side attacks
• Command Execution
• Information Disclosure
• Logical Attacks
5. Authentication – Stealing user account
identities
The Authentication section covers attacks that target a websites
method of validating the identity of a user.
To confirm that something or someone is authentic – true to the claims.
The digital identity of a user is validated and verified.
Brute Force attack automates a process of trial and error to guess a person’s
username, password, credit-card number or cryptographic key.
Insufficient Authentication permits an attacker to access sensitive content or
functionality without proper authentication.
Weak Password Recovery Validation permits an attacker to illegally obtain,
change or recover another user’s password.
6. Authorization – illegal access to applications
The Authorization section covers attacks that target a web sites method
of determining if a user has the necessary permissions to perform a
requested action.
Is the Person allowed to do this operation
Insufficient Session Expiration permits an attacker to reuse old session
credentials or session IDs for authorization.
Credential / Session Prediction is a method of hijacking or impersonating
a user .
7. Client side attacks – illegal execution of
foreign code
• Content Spoofing tricks a user into believing that certain content appearing
on a web site is legitimate and not from an external source.
Cross-site Scripting (XSS) forces a web site to echo attacker-supplied
executable code, which loads into a user’s browser.
8. Command Execution – hijacks control of web
application
SQL Injection constructs illegal SQL statements on a web site application
from user-supplied input.
Buffer Overflow occurs when a program or process tries to store more data
in a buffer (temporary data storage area) than it was intended to hold.
9. Information Disclosure – shows sensitive data to
attackers
The Information Disclosure section covers attacks designed to acquire system
specific information about a web site.
Information leakage : Information Leakage is when a web site reveals
sensitive data, such as developer comments or error messages, which may
aid an attacker in exploiting the system.
Path traversal : The Path Traversal attack technique forces access to files,
directories, and commands that potentially reside outside the web
document root directory.
10. Logical Attacks – interfere with application usage
Abuse of Functionality uses a web site’s own features and functionality to
consume, defraud, or circumvent access control mechanisms.
Denial of Service (DoS) attacks prevent a web site from serving normal user
activity.
11. Burp Suite
Burp Suite is an integrated
platform for performing security
testing of web applications.
The Burp Suite is made up of
tools
12. Burp Suite
Proxy: It operates as a man-in-the-middle between the end browser and the
target web server, and allows the user to intercept, inspect and modify the raw
traffic passing in both directions.
Spider: Burp Spider is a tool for mapping web applications.
Scanner: Burp Scanner is a tool for performing automated discovery of security
vulnerabilities in web applications.
Intruder: For performing powerful customized attacks to find and exploit unusual
vulnerabilities.
Repeater: Burp Repeater is a tool for manually modifying and reissuing individual
HTTP requests, and analyzing their responses.
Comparer: Burp Comparer is a simple tool for performing a comparison (a visual
“diff”) between any two items of data.
Limitations of tools: Unrealistic expectations from the tool & People depend on the
tool a lot.
14. Brute force attack (Ex For Authentication
vulnerabilities)
• Brute Force Attack
Brute Force Attack aims at being the simplest kind of method to
gain access to a site: it tries usernames and passwords, over and
over again, until it gets in.
The most obvious way to block brute-force attacks is to simply lock
out accounts after a defined number of incorrect password
attempts.
15. Brute force attack (Ex For Authentication
vulnerabilities)
This is a web application having
vulnerabilities. I am going to
explain brute force attack with
the help of burp suite.
19. Brute force attack
Give the
payload 1 datas.
Here in this
example I had
given only some
values actually
you can upload
username and
password lists
from outside.
22. Brute force attack
Now the brute
force attack is
successfully
launched with
the username
admin and
password
password.
23. Password Passing to server( Ex for Information
leakage )
• Password Passing to server
The password should be encrypted while
being transmitted over the network.
In the below example password between
server and client is being passed in clear text
during the registration process.
24. Session Hijacking (Ex for Session Management)
This test is to check whether the cookie can be reused in
another computer during the log-in phase.
1. Login in the application and capture the request in that valid session
along with the authenticated URL:
26. Session Hijacking (Ex for Session Management)
• Open the new browser and go to the authenticated URL captured
in step 1. Then, capture the request and replace the cookie with
earlier captured cookie value:
27. Session Hijacking (Ex for Session Management)
Successfully
launched the
session
hijacking
attack.
28. Directory Scanning (Ex for Authorization)
This type of attacks exploits bugs in the web server to gain unauthorized access to
files and folders that are not in the public domain. Once the attacker has gained
access, they can download sensitive information, execute commands on the
server or install malicious software.
http://demo.guru99.com/Security/SEC_V1/index.php
A small example for directory scanning can be shown from this site
Here the login credentials are user id: 1303 and pass:Guru99.
This is an ordinary customer login, having the rights to view his payments fund
transfer etc. he is not having the permission to add, edit or delete other customers
data. Enter the below url in the browser and check Now customer can add new
customers.
http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php
I hope you checked it and understand how to perform it.
29. File uploads
Only valid files should be permitted for uploading.
http://demo.guru99.com/Security/SEC_V1/customer/contactus.php
In the above link the upload file menu, currently accepts any file
format including exe,php, js, etc. A malicious user can upload a virus
or executable file and using
The file size should also be checked so that users do not upload large
files which would eat up the server space.
30. Forceful browsing
A malicious user can access the complete application from different
browsers without login.
How to perform: Log in to an application then copy the url now paste it
in another browser and check whether user is logging in or redirected
to the login page.
Recommendation: The application must implement proper
session/cookie management on the server side, to ensure strict access
control. This would avoid any user in directly copy-pasting of the link to
get unauthorized access into the internal pages.
31. Audi trail Implementation
An Audit trail should be incorporated in the application, where all
user activities have to be logged.
32. Phishing attacks
Phishing. It is a technique that uses trickery and deceit to obtain private
data from users. A hacker may try to impersonate a genuine website such
as yahoo and then ask the unsuspecting user to confirm their account name
and password. This technique could also be used to get credit card
information or any other valuable personal data.
http://bank.83answers.com/
http://demo.guru99.com/Security/SEC_V1/index.php
33. SQL Injection
SQL injection is a code injection technique in which
malicious SQL statements are inserted into an entry field for execution.
The targeted site to perform sql injection is dvwa
34. SQL Injection
Enter User ID, click submit and intercept the request with Burp Suite Proxy. The
next step is sending the request to Burp Suite Intruder (click right on the request
and choose “Send to Intruder”).
35. SQL Injection
A penetration tester can create his own list of payloads or use an existing one.
Exemplary payloads can be found, for example, in Kali Linux (penetration
testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let’s
use SQL.txt from this location to test the parameter id for SQL injection
vulnerability.
36. SQL Injection
It might suggest that more data was read from the database. Let’s check
the response for this payload.
37. SQL Injection
As we can see, this payload can be used to extract first names and
surnames of all users from the database.
38. XSS
Cross-site scripting (XSS) is a type of computer security vulnerability
typically found in Web applications. XSS enables attackers to inject
client-side script into Web pages viewed by other users.
There are two types of injection active and passive.
39. XSS
How to test XSS:
Visit the page of the website you wish to test for XSS vulnerabilities
Enter some appropriate input in to the web application and submit
the request.
40. XSS
Alternatively, return to the Proxy "Intercept" tab and right click on the
request to bring up the context menu.
Click "Send to Repeater".
41. XSS
Go to the "Repeater" tab.
Here we can input various XSS payloads in to the input field of a web
application. We can test various inputs by editing the "Value" of the
appropriate parameter in the "Raw" or "Params" tabs.
42. XSS
The "Response" section of the "Repeater" tab shows the response from
the server.
43. XSS
Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your
browser.
Enter the payload into the input field and submit the request.
Assess the response in the browser to check that the payload has
performed as expected.
44. Dos attack
A denial of service (DoS) attack is a malicious attempt to make a
server or a network resource unavailable to users,
Consider a functionality (such as registration) which typically does not
require authentication. An attacker can easily place a heavy load on
the server by simulate multiple registration operations and by feeding
in arbitrarily huge input data through the registration fields, thus placing
further load on the server and also consuming database connections.
This could cause the server to crash or slow down to a crawl.
45. Other Security Checks
• Session Time out
• Session should terminate when user is gone through an error page
• Auto fill should be off
• Check whether application is able to view the authenticated page using back
button of the browser
• Check whether It is possible to view the contents of the authenticated pages by
fetching the page from the browser cache memory and history.
• User should not have the option to remember password as this may give
unauthorized access to malicious users.