SlideShare a Scribd company logo

Web Security Testing Training With Examples

Download as PPTX, PDF
Alwin Thayyil
Alwin Thayyil

This slide is for people who are new to security testing. This shows the basic examples to perform web application attacks.

Technology
1 of 47
Security Testing Training With Examples ALWIN JOSEPH THAYYIL
What is Security Testing • Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform. • It also helps in detecting all possible security risks in the system and help developers in fixing these problems through coding • Security testing is vital for e-commerce website that store sensitive customer information like credit cards.
Why web application security is of high importance • Web applications are increasing day by day • Most web applications are vulnerable. • 98 % of the web applications are vulnerable . • 78 % of easily exploitable weakness occur in web applications.
Types of web application vulnerabilities  Security Testing is deemed successful when the below attributes of an application are intact • Authentication • Authorization • Client side attacks • Command Execution • Information Disclosure • Logical Attacks
Authentication – Stealing user account identities  The Authentication section covers attacks that target a websites method of validating the identity of a user.  To confirm that something or someone is authentic – true to the claims.  The digital identity of a user is validated and verified.  Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.  Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.  Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.
Authorization – illegal access to applications  The Authorization section covers attacks that target a web sites method of determining if a user has the necessary permissions to perform a requested action.  Is the Person allowed to do this operation  Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.  Credential / Session Prediction is a method of hijacking or impersonating a user .
Client side attacks – illegal execution of foreign code • Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.  Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.
Command Execution – hijacks control of web application  SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.  Buffer Overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
Information Disclosure – shows sensitive data to attackers  The Information Disclosure section covers attacks designed to acquire system specific information about a web site.  Information leakage : Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.  Path traversal : The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
Logical Attacks – interfere with application usage  Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent access control mechanisms.  Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
Burp Suite  Burp Suite is an integrated platform for performing security testing of web applications.  The Burp Suite is made up of tools
Burp Suite  Proxy: It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.  Spider: Burp Spider is a tool for mapping web applications.  Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications.  Intruder: For performing powerful customized attacks to find and exploit unusual vulnerabilities.  Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.  Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data.  Limitations of tools: Unrealistic expectations from the tool & People depend on the tool a lot.
Configure your browser
Brute force attack (Ex For Authentication vulnerabilities) • Brute Force Attack  Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.  The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.
Brute force attack (Ex For Authentication vulnerabilities) This is a web application having vulnerabilities. I am going to explain brute force attack with the help of burp suite.
Brute force attack Then send it to intruder
Brute force attack
Brute force attack Then select the payloads and attack type.
Brute force attack  Give the payload 1 datas. Here in this example I had given only some values actually you can upload username and password lists from outside.
Brute force attack Give the payload 2 datas and from intruder give the attack.
Brute force attack Check the request and response of payloads having maximum length variation
Brute force attack Now the brute force attack is successfully launched with the username admin and password password.
Password Passing to server( Ex for Information leakage ) • Password Passing to server The password should be encrypted while being transmitted over the network. In the below example password between server and client is being passed in clear text during the registration process.
Session Hijacking (Ex for Session Management) This test is to check whether the cookie can be reused in another computer during the log-in phase. 1. Login in the application and capture the request in that valid session along with the authenticated URL:
Session Hijacking (Ex for Session Management) Then copy it to a notepad
Session Hijacking (Ex for Session Management) • Open the new browser and go to the authenticated URL captured in step 1. Then, capture the request and replace the cookie with earlier captured cookie value:
Session Hijacking (Ex for Session Management) Successfully launched the session hijacking attack.
Directory Scanning (Ex for Authorization)  This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.  http://demo.guru99.com/Security/SEC_V1/index.php  A small example for directory scanning can be shown from this site  Here the login credentials are user id: 1303 and pass:Guru99.  This is an ordinary customer login, having the rights to view his payments fund transfer etc. he is not having the permission to add, edit or delete other customers data. Enter the below url in the browser and check Now customer can add new customers.  http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php  I hope you checked it and understand how to perform it.
File uploads  Only valid files should be permitted for uploading.  http://demo.guru99.com/Security/SEC_V1/customer/contactus.php  In the above link the upload file menu, currently accepts any file format including exe,php, js, etc. A malicious user can upload a virus or executable file and using  The file size should also be checked so that users do not upload large files which would eat up the server space.
Forceful browsing A malicious user can access the complete application from different browsers without login. How to perform: Log in to an application then copy the url now paste it in another browser and check whether user is logging in or redirected to the login page. Recommendation: The application must implement proper session/cookie management on the server side, to ensure strict access control. This would avoid any user in directly copy-pasting of the link to get unauthorized access into the internal pages.
Audi trail Implementation  An Audit trail should be incorporated in the application, where all user activities have to be logged.
Phishing attacks  Phishing. It is a technique that uses trickery and deceit to obtain private data from users. A hacker may try to impersonate a genuine website such as yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.  http://bank.83answers.com/  http://demo.guru99.com/Security/SEC_V1/index.php
SQL Injection  SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.  The targeted site to perform sql injection is dvwa
SQL Injection  Enter User ID, click submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (click right on the request and choose “Send to Intruder”).
SQL Injection  A penetration tester can create his own list of payloads or use an existing one. Exemplary payloads can be found, for example, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let’s use SQL.txt from this location to test the parameter id for SQL injection vulnerability.
SQL Injection  It might suggest that more data was read from the database. Let’s check the response for this payload.
SQL Injection  As we can see, this payload can be used to extract first names and surnames of all users from the database.
XSS  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.  There are two types of injection active and passive.
XSS How to test XSS:  Visit the page of the website you wish to test for XSS vulnerabilities  Enter some appropriate input in to the web application and submit the request.
XSS  Alternatively, return to the Proxy "Intercept" tab and right click on the request to bring up the context menu.  Click "Send to Repeater".
XSS  Go to the "Repeater" tab.  Here we can input various XSS payloads in to the input field of a web application. We can test various inputs by editing the "Value" of the appropriate parameter in the "Raw" or "Params" tabs.
XSS  The "Response" section of the "Repeater" tab shows the response from the server.
XSS  Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your browser.  Enter the payload into the input field and submit the request.  Assess the response in the browser to check that the payload has performed as expected.
Dos attack A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, Consider a functionality (such as registration) which typically does not require authentication. An attacker can easily place a heavy load on the server by simulate multiple registration operations and by feeding in arbitrarily huge input data through the registration fields, thus placing further load on the server and also consuming database connections. This could cause the server to crash or slow down to a crawl.
Other Security Checks • Session Time out • Session should terminate when user is gone through an error page • Auto fill should be off • Check whether application is able to view the authenticated page using back button of the browser • Check whether It is possible to view the contents of the authenticated pages by fetching the page from the browser cache memory and history. • User should not have the option to remember password as this may give unauthorized access to malicious users.
References  https://www.owasp.org/index.php/  dvwa  http://searchsecurity.techtarget.com/  http://demo.guru99.com/Security/SEC_V1/index.php
THANK YOU

Recommended

Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 

Recommended

Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodologyRashad Aliyev
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Security testing
Security testingSecurity testing
Security testingKhizra Sammad
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeamDan Vasile
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Api security-testing
Api security-testingApi security-testing
Api security-testingn|u - The Open Security Community
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Security testing
Security testingSecurity testing
Security testingRihab Chebbah
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 

More Related Content

What's hot

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingNetsparker
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solutionhearme limited company
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingYvonne Marambanyika
 
Security Testing
Security TestingSecurity Testing
Security TestingQualitest
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentalsCygnet Infotech
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Andrea Hauser
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameAbhinav Mishra
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingRaghav Bisht
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 

What's hot (20)

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
IBM AppScan - the total software security solution
IBM AppScan - the total software security solutionIBM AppScan - the total software security solution
IBM AppScan - the total software security solution
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Vulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration TestingVulnerability and Assessment Penetration Testing
Vulnerability and Assessment Penetration Testing
 
Security Testing
Security TestingSecurity Testing
Security Testing
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root Causes
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Security testing fundamentals
Security testing fundamentalsSecurity testing fundamentals
Security testing fundamentals
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Web Application Penetration Testing - 101
Web Application Penetration Testing - 101Web Application Penetration Testing - 101
Web Application Penetration Testing - 101
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and FameThe Game of Bug Bounty Hunting - Money, Drama, Action and Fame
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Security testing
Security testingSecurity testing
Security testing
 
Introduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration TestingIntroduction To Vulnerability Assessment & Penetration Testing
Introduction To Vulnerability Assessment & Penetration Testing
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 

Similar to Web Security Testing Training With Examples

Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsKaran Nagrecha
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfAmeliaJonas2
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Sumanth Damarla
 
Domain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptxDomain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptxInfosectrain3
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptxVIRAJDEY1
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...appsec
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET Journal
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Wail Hassan
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Manjyot Singh
 
Ethical Hacking .pptx
Ethical Hacking .pptxEthical Hacking .pptx
Ethical Hacking .pptxjohnnymaaza
 

Similar to Web Security Testing Training With Examples (20)

Security Testing
Security TestingSecurity Testing
Security Testing
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Core defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applicationsCore defense mechanisms against security attacks on web applications
Core defense mechanisms against security attacks on web applications
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Nii sample pt_report
Nii sample pt_reportNii sample pt_report
Nii sample pt_report
 
Security Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdfSecurity Testing Approach for Web Application Testing.pdf
Security Testing Approach for Web Application Testing.pdf
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 
C01461422
C01461422C01461422
C01461422
 
Domain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptxDomain 5 of the CEH Web Application Hacking.pptx
Domain 5 of the CEH Web Application Hacking.pptx
 
T04505103106
T04505103106T04505103106
T04505103106
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
 
05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...05 application security fundamentals - part 2 - security mechanisms - autho...
05 application security fundamentals - part 2 - security mechanisms - autho...
 
IRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application VulnerabilitiesIRJET- Survey on Web Application Vulnerabilities
IRJET- Survey on Web Application Vulnerabilities
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
 
Application security testing an integrated approach
Application security testing an integrated approachApplication security testing an integrated approach
Application security testing an integrated approach
 
Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!Security workshop - Lets get our hands dirty!!
Security workshop - Lets get our hands dirty!!
 
Ethical Hacking .pptx
Ethical Hacking .pptxEthical Hacking .pptx
Ethical Hacking .pptx
 

Recently uploaded

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 

Recently uploaded (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 

Web Security Testing Training With Examples

  • 1. Security Testing Training With Examples ALWIN JOSEPH THAYYIL
  • 2. What is Security Testing • Security testing is the process that determines that confidential data stays confidential and users can perform only those tasks that they are authorized to perform. • It also helps in detecting all possible security risks in the system and help developers in fixing these problems through coding • Security testing is vital for e-commerce website that store sensitive customer information like credit cards.
  • 3. Why web application security is of high importance • Web applications are increasing day by day • Most web applications are vulnerable. • 98 % of the web applications are vulnerable . • 78 % of easily exploitable weakness occur in web applications.
  • 4. Types of web application vulnerabilities  Security Testing is deemed successful when the below attributes of an application are intact • Authentication • Authorization • Client side attacks • Command Execution • Information Disclosure • Logical Attacks
  • 5. Authentication – Stealing user account identities  The Authentication section covers attacks that target a websites method of validating the identity of a user.  To confirm that something or someone is authentic – true to the claims.  The digital identity of a user is validated and verified.  Brute Force attack automates a process of trial and error to guess a person’s username, password, credit-card number or cryptographic key.  Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.  Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user’s password.
  • 6. Authorization – illegal access to applications  The Authorization section covers attacks that target a web sites method of determining if a user has the necessary permissions to perform a requested action.  Is the Person allowed to do this operation  Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.  Credential / Session Prediction is a method of hijacking or impersonating a user .
  • 7. Client side attacks – illegal execution of foreign code • Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.  Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user’s browser.
  • 8. Command Execution – hijacks control of web application  SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.  Buffer Overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.
  • 9. Information Disclosure – shows sensitive data to attackers  The Information Disclosure section covers attacks designed to acquire system specific information about a web site.  Information leakage : Information Leakage is when a web site reveals sensitive data, such as developer comments or error messages, which may aid an attacker in exploiting the system.  Path traversal : The Path Traversal attack technique forces access to files, directories, and commands that potentially reside outside the web document root directory.
  • 10. Logical Attacks – interfere with application usage  Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent access control mechanisms.  Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
  • 11. Burp Suite  Burp Suite is an integrated platform for performing security testing of web applications.  The Burp Suite is made up of tools
  • 12. Burp Suite  Proxy: It operates as a man-in-the-middle between the end browser and the target web server, and allows the user to intercept, inspect and modify the raw traffic passing in both directions.  Spider: Burp Spider is a tool for mapping web applications.  Scanner: Burp Scanner is a tool for performing automated discovery of security vulnerabilities in web applications.  Intruder: For performing powerful customized attacks to find and exploit unusual vulnerabilities.  Repeater: Burp Repeater is a tool for manually modifying and reissuing individual HTTP requests, and analyzing their responses.  Comparer: Burp Comparer is a simple tool for performing a comparison (a visual “diff”) between any two items of data.  Limitations of tools: Unrealistic expectations from the tool & People depend on the tool a lot.
  • 14. Brute force attack (Ex For Authentication vulnerabilities) • Brute Force Attack  Brute Force Attack aims at being the simplest kind of method to gain access to a site: it tries usernames and passwords, over and over again, until it gets in.  The most obvious way to block brute-force attacks is to simply lock out accounts after a defined number of incorrect password attempts.
  • 15. Brute force attack (Ex For Authentication vulnerabilities) This is a web application having vulnerabilities. I am going to explain brute force attack with the help of burp suite.
  • 16. Brute force attack Then send it to intruder
  • 18. Brute force attack Then select the payloads and attack type.
  • 19. Brute force attack  Give the payload 1 datas. Here in this example I had given only some values actually you can upload username and password lists from outside.
  • 20. Brute force attack Give the payload 2 datas and from intruder give the attack.
  • 21. Brute force attack Check the request and response of payloads having maximum length variation
  • 22. Brute force attack Now the brute force attack is successfully launched with the username admin and password password.
  • 23. Password Passing to server( Ex for Information leakage ) • Password Passing to server The password should be encrypted while being transmitted over the network. In the below example password between server and client is being passed in clear text during the registration process.
  • 24. Session Hijacking (Ex for Session Management) This test is to check whether the cookie can be reused in another computer during the log-in phase. 1. Login in the application and capture the request in that valid session along with the authenticated URL:
  • 25. Session Hijacking (Ex for Session Management) Then copy it to a notepad
  • 26. Session Hijacking (Ex for Session Management) • Open the new browser and go to the authenticated URL captured in step 1. Then, capture the request and replace the cookie with earlier captured cookie value:
  • 27. Session Hijacking (Ex for Session Management) Successfully launched the session hijacking attack.
  • 28. Directory Scanning (Ex for Authorization)  This type of attacks exploits bugs in the web server to gain unauthorized access to files and folders that are not in the public domain. Once the attacker has gained access, they can download sensitive information, execute commands on the server or install malicious software.  http://demo.guru99.com/Security/SEC_V1/index.php  A small example for directory scanning can be shown from this site  Here the login credentials are user id: 1303 and pass:Guru99.  This is an ordinary customer login, having the rights to view his payments fund transfer etc. he is not having the permission to add, edit or delete other customers data. Enter the below url in the browser and check Now customer can add new customers.  http://demo.guru99.com/Security/SEC_V1/customer/addcustomerpage.php  I hope you checked it and understand how to perform it.
  • 29. File uploads  Only valid files should be permitted for uploading.  http://demo.guru99.com/Security/SEC_V1/customer/contactus.php  In the above link the upload file menu, currently accepts any file format including exe,php, js, etc. A malicious user can upload a virus or executable file and using  The file size should also be checked so that users do not upload large files which would eat up the server space.
  • 30. Forceful browsing A malicious user can access the complete application from different browsers without login. How to perform: Log in to an application then copy the url now paste it in another browser and check whether user is logging in or redirected to the login page. Recommendation: The application must implement proper session/cookie management on the server side, to ensure strict access control. This would avoid any user in directly copy-pasting of the link to get unauthorized access into the internal pages.
  • 31. Audi trail Implementation  An Audit trail should be incorporated in the application, where all user activities have to be logged.
  • 32. Phishing attacks  Phishing. It is a technique that uses trickery and deceit to obtain private data from users. A hacker may try to impersonate a genuine website such as yahoo and then ask the unsuspecting user to confirm their account name and password. This technique could also be used to get credit card information or any other valuable personal data.  http://bank.83answers.com/  http://demo.guru99.com/Security/SEC_V1/index.php
  • 33. SQL Injection  SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.  The targeted site to perform sql injection is dvwa
  • 34. SQL Injection  Enter User ID, click submit and intercept the request with Burp Suite Proxy. The next step is sending the request to Burp Suite Intruder (click right on the request and choose “Send to Intruder”).
  • 35. SQL Injection  A penetration tester can create his own list of payloads or use an existing one. Exemplary payloads can be found, for example, in Kali Linux (penetration testing distribution [4]) in the /usr/share/wfuzz/wordlist/Injections directory. Let’s use SQL.txt from this location to test the parameter id for SQL injection vulnerability.
  • 36. SQL Injection  It might suggest that more data was read from the database. Let’s check the response for this payload.
  • 37. SQL Injection  As we can see, this payload can be used to extract first names and surnames of all users from the database.
  • 38. XSS  Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.  There are two types of injection active and passive.
  • 39. XSS How to test XSS:  Visit the page of the website you wish to test for XSS vulnerabilities  Enter some appropriate input in to the web application and submit the request.
  • 40. XSS  Alternatively, return to the Proxy "Intercept" tab and right click on the request to bring up the context menu.  Click "Send to Repeater".
  • 41. XSS  Go to the "Repeater" tab.  Here we can input various XSS payloads in to the input field of a web application. We can test various inputs by editing the "Value" of the appropriate parameter in the "Raw" or "Params" tabs.
  • 42. XSS  The "Response" section of the "Repeater" tab shows the response from the server.
  • 43. XSS  Ensure that "Intercept is off" in the Proxy "Intercept" tab and go to your browser.  Enter the payload into the input field and submit the request.  Assess the response in the browser to check that the payload has performed as expected.
  • 44. Dos attack A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to users, Consider a functionality (such as registration) which typically does not require authentication. An attacker can easily place a heavy load on the server by simulate multiple registration operations and by feeding in arbitrarily huge input data through the registration fields, thus placing further load on the server and also consuming database connections. This could cause the server to crash or slow down to a crawl.
  • 45. Other Security Checks • Session Time out • Session should terminate when user is gone through an error page • Auto fill should be off • Check whether application is able to view the authenticated page using back button of the browser • Check whether It is possible to view the contents of the authenticated pages by fetching the page from the browser cache memory and history. • User should not have the option to remember password as this may give unauthorized access to malicious users.
  • 46. References  https://www.owasp.org/index.php/  dvwa  http://searchsecurity.techtarget.com/  http://demo.guru99.com/Security/SEC_V1/index.php