Maikel Ninaber
19/04/2016
How serious is Web Apps Security Testing?
Copyright © 2016 Maikel Ninaber. All Rights Reserved
Security testing | May 2016

Slide titles (slides 2 to 43; only the titles of these slides survive in this text):
 Known facts (slides 2-3)
 Web Apps (slides 4-10)
 Query strings (slides 11-14)
 Routing (slides 15-17)
 HTTP verbs (slides 18-21)
 Browser protection (slides 22-25)
 What the browser can’t defend against (slides 26-28)
 OWASP top 10 (slide 29)
 No SQL injection today (slide 30)
 Understanding Untrusted Data (slides 31-37)
 Demo (slide 38)
 Defending Against Tampering (slides 39-42)
 Where to practice (slide 43)

Limitations
 Computer Fraud and Abuse Act
• Using a computer to intrude upon or steal something from another computer is illegal
 Unintended consequences, such as damaging hijacked computers belonging to innocent individuals, while real criminals remain hidden several layers back on the Internet (e.g., TOR)
 The only kind of hacking that's considered tolerable is what you might enact defensively within your own computer or network. What’s clearly illegal are offensive hacks, where you leave your territory and actively pursue an assailant online.
Another Hacker goes to jail!
Sources
 http://www.telerik.com/fiddler
 https://www.troyhunt.com/
 https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet
 https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
 http://www.dvwa.co.uk/
 https://hackyourselffirst.troyhunt.com/
 https://nl.linkedin.com/in/maikelninaber
 http://cookiecontroller.com/internet-cookies/secure-cookies/
 http://stackoverflow.com/questions/1442863/how-can-i-set-the-secure-flag-on-an-asp-net-session-cookie
