Hands on Demonstration for Testing Security in Web Applications Aaron Weaver August 2010.

Post on 15-Jan-2016


Hands on Demonstration for Testing Security in Web Applications

Aaron Weaver August 2010

Agenda

• What kind of application security vulnerabilities should be tested?

• Methodology for testing

• Open source tools available

• Prioritizing application security defects

In the news...

the Solution?

AND NO

Not in the Cloud!

Web Application Security Testing

OWASP Top 10 list

• SQL Injection

• Cross Site Scripting

• Authentication

Top attacks

[Diagram: OWASP application-layer attack illustration. Across the network layer, left to right: Firewall, Hardened OS, Web Server, App Server, Firewall. Application layer: Custom Code serving the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Business Functions) in front of the back-end systems (Databases, Legacy Systems, Web Services, Directories, Human Resources, Billing). Labelled "APPLICATION ATTACK": the attack travels HTTP request → SQL query → DB Table → HTTP response.]

"SELECT * FROM accounts WHERE acct='' OR 1=1--'"

1. Application presents a form to the attacker

2. Attacker sends an attack in the form data

3. Application forwards attack to the database in a SQL query

4. Database runs query containing attack and sends encrypted results back to application

5. Application decrypts data as normal and sends results to the user

[Diagram: the attacker's form has the fields Account and SKU; the returned "Account Summary" lists every account:

Acct:5424-6066-2134-4334

Acct:4128-7574-3921-0192

Acct:5424-9383-2039-4029

Acct:4128-0004-1234-0293]

SQL Injection
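The five steps above, as an added worked example that is not part of the original slides: a Python stand-in for the slide's DB Table (an in-memory SQLite database with an assumed schema of acct and owner, loaded with the account numbers printed on the slide as constructed rows) is queried once the way step 3 describes, with the form value pasted into the SQL text, and once with the value bound as a parameter. The form value is exactly the one in the slide's query, so the vulnerable statement becomes `SELECT acct FROM accounts WHERE acct='' OR 1=1--'` and returns every row, while the parameterized query treats the same text as data and matches nothing.

```python
import sqlite3

# Constructed sample rows using the account numbers printed on the slide (not real accounts).
SAMPLE_ACCOUNTS = [
    ("5424-6066-2134-4334", "alice"),
    ("4128-7574-3921-0192", "bob"),
    ("5424-9383-2039-4029", "carol"),
    ("4128-0004-1234-0293", "dave"),
]

# The form value that produces the slide's query text: acct='' OR 1=1--'
SLIDE_PAYLOAD = "' OR 1=1--"


def build_db():
    """In-memory stand-in for the slide's DB Table (assumed schema: acct, owner)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (acct TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ACCOUNTS)
    return conn


def lookup_vulnerable(conn, acct):
    """Step 3 on the slide: the form value is pasted straight into the SQL text.

    With SLIDE_PAYLOAD the statement becomes
        SELECT acct FROM accounts WHERE acct='' OR 1=1--'
    so the WHERE clause is always true and every account comes back (step 4/5).
    """
    sql = f"SELECT acct FROM accounts WHERE acct='{acct}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, acct):
    """Fix: bind the value as a parameter; the quote and comment stay data."""
    rows = conn.execute("SELECT acct FROM accounts WHERE acct=?", (acct,))
    return [row[0] for row in rows]


def run_demo():
    """Returns (rows leaked by the vulnerable query, rows from the safe query)."""
    conn = build_db()
    return lookup_vulnerable(conn, SLIDE_PAYLOAD), lookup_parameterized(conn, SLIDE_PAYLOAD)


if __name__ == "__main__":
    leaked, safe = run_demo()
    print("vulnerable query returned", len(leaked), "accounts")   # 4
    print("parameterized query returned", len(safe), "accounts")  # 0
```

When testing an application, the observable symptom of step 4 is the one the slide shows: a lookup that should return one record returns the whole table. The parameterized form is the fix to look for in the code review that follows the test.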

Application with stored XSS vulnerability

1. Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server

2. Victim views page – sees attacker profile: the script runs inside the victim's browser with full access to the DOM and cookies

3. Script silently sends the attacker the victim's session cookie

[Diagram: Custom Code with the business functions (Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Business Functions), as in the earlier application-attack illustration.]

Cross-Site Scripting
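The stored XSS flow above, as an added worked example that is not part of the original slides. It uses a constructed in-memory profile store and a harmless constructed probe string (a script tag that only calls alert) to show the two places a tester and a developer care about: the profile text is stored verbatim (step 1), and on rendering it either lands in the victim's page as live markup (step 2, the vulnerable render) or is HTML-encoded so the browser shows it as text (the fix). A small Set-Cookie check covers step 3: the HttpOnly attribute, which keeps the session cookie out of document.cookie so a script in the page cannot read it, is the standard mitigation for the cookie-theft step.

```python
import html

# Constructed in-memory profile store standing in for the slide's server-side storage.
PROFILE_STORE = {}

# Constructed probe: a harmless script tag that reveals whether stored input reaches the page as markup.
XSS_PROBE = "<script>alert('stored xss')</script>"


def save_profile(user, bio):
    """Step 1: the profile text is stored on the server exactly as submitted."""
    PROFILE_STORE[user] = bio


def render_profile_unsafe(user):
    """Step 2 as the slide describes it: stored text is interpolated into HTML unchanged,
    so a stored <script> becomes part of the victim's page and runs with access to the DOM."""
    return f"<h1>{user}</h1><p>{PROFILE_STORE[user]}</p>"


def render_profile_safe(user):
    """Fix: HTML-encode stored data on output so '<', '>' and quotes render as text, not markup."""
    return (f"<h1>{html.escape(user, quote=True)}</h1>"
            f"<p>{html.escape(PROFILE_STORE[user], quote=True)}</p>")


def contains_active_script(page_html):
    """Demo check: does the rendered page carry a live <script> tag?"""
    return "<script" in page_html.lower()


def session_cookie_header(session_id):
    """Step 3 mitigation: HttpOnly keeps the session cookie out of document.cookie;
    Secure limits it to HTTPS. (Cookie name 'session' is an assumption.)"""
    return f"Set-Cookie: session={session_id}; HttpOnly; Secure"


def cookie_is_httponly(set_cookie_header):
    """Check an outgoing Set-Cookie header for the HttpOnly attribute."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" in attrs


def run_demo():
    """Store the probe as the attacker's profile, then render it both ways.
    Returns (script live in unsafe render, script live in safe render)."""
    save_profile("attacker", XSS_PROBE)
    unsafe = render_profile_unsafe("attacker")
    safe = render_profile_safe("attacker")
    return contains_active_script(unsafe), contains_active_script(safe)


if __name__ == "__main__":
    print("unsafe render executes script:", run_demo()[0])   # True
    print("safe render executes script:", run_demo()[1])     # False
    print(session_cookie_header("abc123"), "->", cookie_is_httponly(session_cookie_header("abc123")))
```

Output encoding is the fix for the injection itself; HttpOnly only limits what a successful script can reach, so a tester should report both findings separately when the cookie lacks the attribute.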

Authentication

Tools Overview

Tools

• Proxies

  • Burp Suite

  • Paros

  • WebScarab

  • Fiddler

  • FoxyProxy plugin

• Open source scanners

  • Skipfish

Burp Suite

http://portswigger.net/proxy/

FoxyProxy Browser Plugin

https://addons.mozilla.org/en-US/firefox/addon/2464/

Skipfish

http://code.google.com/p/skipfish/

A fully automated, active web application security reconnaissance tool

* Server-side SQL injection (including blind vectors, numerical parameters).

* Stored and reflected XSS

* Directory listing bypass vectors.

* External untrusted embedded content.

Cheat Sheet

Quick Cheat Sheet

Cheat Sheet

AppSec Tools Demonstration

Prioritizing

DREAD

• Damage potential

• Reproducibility

• Exploitability

• Affected users

• Discoverability

Threat Risk Scoring

Each DREAD factor (D, R, E, A, D) is scored 0-3; the five scores are summed to a total of 0-15.

Severity Rating

Low: 1-7

Medium: 8-10

High: 11-14

Critical: 15
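The DREAD scoring above, as an added worked example that is not part of the original slides: each of the five factors is scored 0-3, the scores are summed to a 0-15 total, and the total is mapped to the slide's severity bands. The findings and their scores are constructed for illustration; the only assumption beyond the slide is that a total of 0 (every factor scored 0) is reported as Low, since the slide's bands start at 1. The function also ranks a set of findings by total, which is the prioritizing step the slide is about.

```python
DREAD_FACTORS = (
    "damage_potential",   # D
    "reproducibility",    # R
    "exploitability",     # E
    "affected_users",     # A
    "discoverability",    # D
)


def dread_total(scores):
    """Sum the five factor scores; each must be within the slide's 0-3 range."""
    total = 0
    for factor in DREAD_FACTORS:
        value = scores[factor]
        if not 0 <= value <= 3:
            raise ValueError(f"{factor} must be scored 0-3, got {value}")
        total += value
    return total


def severity(total):
    """Map a 0-15 total to the slide's bands: Low 1-7, Medium 8-10, High 11-14, Critical 15.
    A total of 0 is folded into Low here (assumption; the slide's bands start at 1)."""
    if total >= 15:
        return "Critical"
    if total >= 11:
        return "High"
    if total >= 8:
        return "Medium"
    return "Low"


def prioritize(findings):
    """findings: {name: scores dict}. Returns [(name, total, severity)], highest total first."""
    ranked = []
    for name, scores in findings.items():
        total = dread_total(scores)
        ranked.append((name, total, severity(total)))
    ranked.sort(key=lambda item: item[1], reverse=True)
    return ranked


# Constructed example findings; the scores are illustrative, not taken from the slides.
SAMPLE_FINDINGS = {
    "SQL injection in account lookup": dict(
        damage_potential=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=3),
    "Stored XSS in profile page": dict(
        damage_potential=2, reproducibility=3, exploitability=2, affected_users=3, discoverability=2),
    "Stack trace shown on error page": dict(
        damage_potential=1, reproducibility=3, exploitability=1, affected_users=1, discoverability=2),
    "Server version in HTTP banner": dict(
        damage_potential=1, reproducibility=1, exploitability=1, affected_users=1, discoverability=1),
}


if __name__ == "__main__":
    for name, total, rating in prioritize(SAMPLE_FINDINGS):
        print(f"{total:2d}/15  {rating:8s} {name}")
```

Because every factor carries the same weight, two findings with different profiles can tie on total; when that happens the tester should break the tie on Damage potential and Affected users, which is why the individual scores are kept alongside the total.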

Threat Risk Modeling

• STRIDE (Microsoft)

• OWASP Risk Ranking

• Trike

• CVSS

Questions?

Thanks!