Security testing presentation

Boutique product development company It is amazing what you can accomplish when you have a client-centric team to deliver outstanding products.


Transcript of Security testing presentation

Page 1: Security testing presentation


Page 2: Security testing presentation


Workshop Sikandar Ahmed | Presenter

Arooj Un Nisa | Co-presenter

Page 3: Security testing presentation

If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. — Bruce Schneier

Security Testing

• What is Security Testing?

• Top 10 Security Risks

• Security Testing Types

• Security Exposures Revealing —Practice

• Security Tools

Arooj | QA Mentor

Page 4: Security testing presentation


What is Security Testing?


"Security Testing" tests the ability of the system/software to prevent unauthorized access to the resources and data.

Page 5: Security testing presentation


What does it cover?

Security Testing needs to cover the six basic security concepts:

• Confidentiality

• Integrity

• Authentication

• Authorization

• Availability

• Non-repudiation

Page 6: Security testing presentation


Top Ten Security Risks


• SQL Injection

• Cross Site Scripting (XSS)

• Broken Authentication and Session Management

• Insecure Direct Object References

• Security Misconfiguration

• Insecure Cryptographic Storage

• Failure to Restrict URL Access

• Insufficient Transport Layer Protection

• Unvalidated Redirects and Forwards

Page 7: Security testing presentation


Types: Black Box and White Box Hacking


In Black Box Hacking, you try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior. Watcher can be used for black box hacking.

In White-Box Hacking, you have access to the source code and can use automated or manual analysis to identify bugs. Gruyere is an example: its source code is available, so you can find the bugs by reading it.

Page 8: Security testing presentation


Security Exposure Revealing-Practice


Want to beat the hackers at their own game?

Meet me: I am Gruyere. Reach me: I am here at Google Code Labs.

Page 9: Security testing presentation


Gruyere: Practice


Learn:

• How hackers find security vulnerabilities!

• How hackers exploit web applications!

• How to stop them!

How can web application vulnerabilities be exploited, and how can you defend against these attacks?

• How can an application be attacked using common web security vulnerabilities, like cross-site scripting (XSS) and cross-site request forgery (XSRF)?

• How can you find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution?

Page 10: Security testing presentation


Cross Site Scripting XSS

Sikandar Ahmed | QA Mentor

• Cross-site scripting (XSS) is a vulnerability that permits an attacker to inject code (typically HTML or JavaScript) into the contents of a website not under the attacker's control

• When a victim views such a page, the injected code executes in the victim's browser.

• Types of XSS:

• Reflected

• Stored

Page 11: Security testing presentation


XSS Types


• In a reflected XSS attack, the attack is in the request itself (frequently the URL), and the vulnerability occurs when the server inserts the attack into the response verbatim or incorrectly escaped or sanitized

• The victim triggers the attack by browsing to a malicious URL created by the attacker

• In a stored XSS attack, the attacker stores the attack in the application (e.g., in a snippet) and the victim triggers the attack by browsing to a page on the server that renders the attack, because the server does not properly escape or sanitize the stored data
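The reflected and stored cases above, as an added example that is not part of the slides or of Gruyere: one greeting page rendered without and with output escaping, on a constructed template, query string and snippet store.

```python
import html
from urllib.parse import parse_qs

# Added example, not from the slides or from Gruyere: one "greeting" page
# rendered two ways. The template, query string and snippet store are
# constructed for the demo.
PAGE = "<html><body><h1>Hello, {name}!</h1><ul>{snippets}</ul></body></html>"


def render_unsafe(query_string, stored_snippets):
    """Reflected XSS: 'name' goes straight from the URL into the HTML.
    Stored XSS: snippets saved earlier by any user are rendered verbatim."""
    name = parse_qs(query_string).get("name", ["world"])[0]
    items = "".join(f"<li>{s}</li>" for s in stored_snippets)
    return PAGE.format(name=name, snippets=items)


def render_safe(query_string, stored_snippets):
    """Same page, but every untrusted value is HTML-escaped at output time,
    so attacker-supplied markup reaches the browser as inert text."""
    name = html.escape(parse_qs(query_string).get("name", ["world"])[0])
    items = "".join(f"<li>{html.escape(s)}</li>" for s in stored_snippets)
    return PAGE.format(name=name, snippets=items)


def has_live_tag(rendered, tag):
    """True when an element named `tag` survives into the page as real HTML."""
    return f"<{tag}" in rendered


if __name__ == "__main__":
    # Constructed inputs: one payload reflected via the URL, one stored as a snippet.
    reflected = "name=<script>alert('xss')</script>"
    stored = ["<b>hello</b>", "<img src=x onerror=alert(1)>"]
    print(has_live_tag(render_unsafe(reflected, stored), "script"))  # True
    print(has_live_tag(render_safe(reflected, stored), "script"))    # False
    print(has_live_tag(render_safe(reflected, stored), "img"))       # False
```

Note that the fix is applied where the value is written into HTML, not where it is read; escaping at input time would also break the legitimate `<b>hello</b>` snippet in a different context.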

Page 12: Security testing presentation


XSS Attack


Page 13: Security testing presentation


SQL Injection


• SQL injection vulnerabilities allow attackers to inject arbitrary SQL into the queries the application runs

• When a SQL query is executed it can either read or write data, so an injection can be used to read your entire database as well as overwrite it, as described in the classic Bobby Tables XKCD comic

• If you use SQL, the most important advice is to avoid building queries by string concatenation; use the database API's parameterized query calls instead

Page 14: Security testing presentation


How Is an SQL Injection Attack Exploited?


An SQL Injection attack allows external users to read details from the database

• In a well designed system this will only include data that is available to the public anyway

• In a poorly designed system this may allow external users to discover other users' passwords
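The two preceding slides, as an added example (not from the slides): the same user lookup written by string concatenation, which the slide warns against, and with the database API's parameter binding, run against a constructed in-memory SQLite table.

```python
import sqlite3

# Added example, not from the slides: the same login lookup written the way the
# slide warns against (string concatenation) and the way it recommends (the DB
# API's parameter binding). The users table and its rows are constructed.


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def find_user_concat(conn, name):
    """Vulnerable: the user-controlled name becomes part of the SQL text,
    so a quote in the input changes the structure of the query."""
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_param(conn, name):
    """Safe: the name is bound as a value; the query structure is fixed
    before any user data is seen, so the input can only ever be a name."""
    sql = "SELECT name, password FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed injection probe, not a real user name
    print(len(find_user_concat(db, probe)))  # 2: every row, including other users' passwords
    print(len(find_user_param(db, probe)))   # 0: no user with that literal name
```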

Page 15: Security testing presentation


Client State Manipulation


• When a user interacts with a web application, they do it indirectly through a browser

• When the user clicks a button or submits a form, the browser sends a request back to the web server. Because the browser runs on a machine that can be controlled by an attacker, the application must not trust any data sent by the browser

• It might seem that not trusting any user data would make it impossible to write a web application, but that's not the case

• If the user submits a form that says they wish to purchase an item, it's OK to trust that data

• But if the submitted form also includes the price of the item, that's something that cannot be trusted
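The purchase form from the slide, as an added example (not from the slides): the handler accepts the user's choice of item and quantity, but takes the price only from the server-side catalog, and treats a submitted price that disagrees with it as a sign of form manipulation. The catalog and form data are constructed.

```python
# Added example, not from the slides: an order handler that separates the
# browser-supplied fields it may trust (what and how many) from the one it
# must not (the price). CATALOG and the form dicts are constructed.

CATALOG = {"book": 1200, "pen": 150}   # item id -> price in cents, server-side truth
MAX_QTY = 100


class TamperedRequest(ValueError):
    """The form carried a value the server never asked the client to decide."""


def checkout(form):
    """Return the order the server will actually process.

    'item' and 'qty' are the user's legitimate choices, still validated.
    The total is computed from CATALOG; a client-sent 'price' that differs
    from the catalog is rejected rather than silently ignored, so the
    attempt can be logged and investigated.
    """
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValueError("quantity must be an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValueError("quantity out of range")

    unit = CATALOG[item]
    if "price" in form and str(form["price"]) != str(unit):
        raise TamperedRequest(f"client sent price {form['price']}, catalog says {unit}")
    return {"item": item, "qty": qty, "total": unit * qty}


if __name__ == "__main__":
    print(checkout({"item": "book", "qty": "2"}))                 # total 2400
    try:
        checkout({"item": "book", "qty": "2", "price": "1"})     # edited hidden field
    except TamperedRequest as exc:
        print("rejected:", exc)
```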

Page 16: Security testing presentation


Cross Site Request Forgery XSRF


• Also known as a One-Click Attack, Session Riding or CSRF ("Sea-Surf")

• XSRF is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

• Unlike XSS, which exploits the trust a user has for a particular site, XSRF exploits the trust a site has in a user's browser

Page 17: Security testing presentation


Cross Site Script Inclusion (XSSI)


• When a browser makes requests to a site, it always sends along any cookies it has for that site, regardless of where the request comes from

• Additionally, web servers generally cannot distinguish between a request initiated by a deliberate user action (e.g., the user clicking a "Submit" button) and a request made by the browser without user action (e.g., a request for an embedded image in a page)

• Therefore, if a site receives a request to perform some action (like deleting a mail or changing a contact address), it cannot know whether this action was knowingly initiated by the user — even if the request contains authentication cookies. An attacker can use this fact to fool the server into performing actions the user did not intend to perform
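The standard defence for the two slides above, as an added example (not from the slides): a per-session anti-CSRF token that the site embeds in its own forms and that the browser, unlike a cookie, does not attach on its own. The secret key, session ids and request dicts are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: synchronizer-token CSRF protection for
# the "delete mail" action the slide mentions. SECRET_KEY, session ids and the
# request dicts are constructed; a real app would hold these in its framework.

SECRET_KEY = secrets.token_bytes(32)       # per-deployment secret (constructed here)


def csrf_token(session_id):
    """Token the server embeds in its own forms, derived from the session so a
    token issued to one session cannot be replayed in another."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_delete_mail(request):
    """State-changing action. The session cookie proves *who*; the token proves
    the request came from a form this site served, i.e. a deliberate action."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return "401 not logged in"
    sent = request["form"].get("csrf_token", "")
    expected = csrf_token(session_id)
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return "403 missing or invalid CSRF token"
    return f"200 deleted mail {request['form']['mail_id']}"


if __name__ == "__main__":
    sid = "sess-abc"
    # Legitimate: the site's own form carries the token.
    good = {"cookies": {"session": sid},
            "form": {"mail_id": "42", "csrf_token": csrf_token(sid)}}
    # Forged: a third-party page makes the browser send the cookie, but it has
    # no way to read or guess the token, so the request is refused.
    forged = {"cookies": {"session": sid}, "form": {"mail_id": "42"}}
    print(handle_delete_mail(good))    # 200 deleted mail 42
    print(handle_delete_mail(forged))  # 403 missing or invalid CSRF token
```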

Page 18: Security testing presentation


Path Traversal


• Most web applications serve static resources like images and CSS files. Frequently, applications simply serve all the files in a folder

• If the application isn't careful, the user can use a path traversal attack to read files from other folders that they shouldn't have access to. For example, in both Windows and Linux, .. represents the parent directory, so if you can inject ../ in a path you can "escape" to the parent directory

• If an attacker knows the structure of your file system, then they can craft a URL that will traverse out of the installation directory to /etc
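A static-file resolver that closes the hole described above, as an added example (not from the slides): it decides by real-path containment rather than by searching for `..`, so absolute, normalised and symlinked variants are refused alike. The served directory is constructed in a temp folder.

```python
import atexit
import os
import shutil
import tempfile
from typing import Optional

# Added example, not from the slides: a static-file resolver that refuses any
# request escaping the folder it serves. The check is real-path containment,
# not a search for "..", so normalised, absolute and symlinked variants are
# all caught. The serving directory below is constructed for the demo.


def resolve_static(static_root: str, requested: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request would leave
    static_root (path traversal) or does not name an existing regular file."""
    root = os.path.realpath(static_root)
    # A leading slash would make os.path.join discard root entirely, so strip it;
    # realpath then collapses ".." segments and resolves symlinks.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None        # escaped the served folder
    except ValueError:
        return None            # different drives on Windows
    return candidate if os.path.isfile(candidate) else None


def make_demo_root() -> str:
    """Constructed serving directory holding one file, static/site.css;
    removed when the interpreter exits."""
    tmp = tempfile.mkdtemp()
    atexit.register(shutil.rmtree, tmp, True)
    static = os.path.join(tmp, "static")
    os.makedirs(static)
    with open(os.path.join(static, "site.css"), "w") as fh:
        fh.write("body {}")
    return static


if __name__ == "__main__":
    static = make_demo_root()
    print(resolve_static(static, "site.css") is not None)     # True
    print(resolve_static(static, "/site.css") is not None)    # True
    print(resolve_static(static, "../../etc/passwd"))         # None
```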

Page 19: Security testing presentation


Denial of Service


• A denial of service (DoS) attack is an attempt to make a server unable to service ordinary requests

• A common form of DoS attack is sending more requests to a server than it can handle. The server spends so much of its time servicing the attacker's requests that it has very little time to service legitimate requests

• Hackers can also prevent a server from servicing requests by taking advantage of server bugs, such as sending requests that crash a server, make it run out of memory, or otherwise cause it to fail to serve legitimate requests in some way

Page 20: Security testing presentation


DoS Attack


Page 21: Security testing presentation


Configuration Vulnerabilities


• Applications are often installed with default settings

• This is a particular issue with third party software, where an attacker has easy access to a copy of the same application or framework you are running

• Hackers know the default account names and passwords. Configuration vulnerabilities also include features that increase the attack surface

• A common example is a feature that is on by default but that you are not using, so you didn't configure it and the default configuration is vulnerable

• It also includes debug features like status pages or dumping stack traces on failures

Page 22: Security testing presentation


AJAX vulnerabilities


• Bad AJAX code allows attackers to modify parts of your application in ways that you might not expect

• In traditional client development, there is a clear separation between the application and the data it displays. That's not true in web applications, as the next two attacks will make clear

Page 23: Security testing presentation


Security Testing Tools


• Havij (http://itsecteam.com/products/havij-advanced-sql-injection): Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page

• WebSecurify (www.websecurify.com): Websecurify is an integrated web security testing environment, which can be used to identify web vulnerabilities by using advanced browser automation, discovery and fuzzing technologies

• Watcher (http://websecuritytool.codeplex.com/): Watcher is a runtime passive-analysis tool for HTTP-based Web applications. Being passive means it won't damage production systems; it's completely safe to use in Cloud computing, shared hosting, and dedicated hosting environments. Watcher detects Web-application security issues as well as operational configuration issues

Page 24: Security testing presentation


Security Testing Tools


• Wapiti (http://wapiti.sourceforge.net/): Wapiti allows you to audit the security of your web applications, looking for issues such as File Handling Errors (local and remote include/require, fopen, readfile...). It performs "black-box" scans, i.e. it does not study the source code of the application but scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data

• FlawFinder (http://www.dwheeler.com/flawfinder/): searches through C/C++ source code looking for potential security flaws. It is written in Python and produces a list of "hits" (potential security flaws), sorted by risk; the riskiest hits are shown first

• Honeyd (http://www.honeyd.org/): Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses

Page 25: Security testing presentation


Security Testing Tools


• Brakeman (http://brakemanscanner.org/): Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications

• It statically analyzes Rails application code to find security issues at any stage of development

• If you happen to use the Hudson/Jenkins continuous integration tool, there is a Brakeman plugin for it

• It requires Rails 3

Page 26: Security testing presentation


Server Security--Linux


• Set the complex root password

• Install Fail2ban

• Require public key authentication

• Lock Down SSH

• Set Up a Firewall

• Enable Automatic Security Updates

• Install Logwatch To Keep An Eye On Things
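A check for the "Lock Down SSH" and "Require public key authentication" items in the checklist above, as an added example (not from the slides): it reads sshd_config text the way sshd does (first occurrence of a keyword wins) and lists the settings still left at their weak values. Both config samples are constructed.

```python
# Added example, not from the slides: a checker for the "Lock Down SSH" and
# "Require public key authentication" items, applied to sshd_config text.
# The two configs below are constructed samples, not real server files.


def sshd_values(config_text):
    """Effective directive values as sshd reads them: the first occurrence of
    a keyword wins, keyword names are case-insensitive, '#' starts a comment.
    (Match blocks are not handled here.)"""
    values = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        values.setdefault(parts[0].lower(), parts[1].strip())
    return values


def audit_sshd(config_text):
    """Return a list of findings; an empty list means the checked items pass."""
    v = sshd_values(config_text)
    findings = []
    if v.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin should be 'no'; log in as a normal user and use sudo")
    if v.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication should be 'no'; require public keys")
    if v.get("pubkeyauthentication", "yes").lower() != "yes":   # sshd default is yes
        findings.append("PubkeyAuthentication must stay enabled")
    return findings


# Constructed sample: looks like a stock config with the commented default left in.
WEAK = """\
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed sample after lock-down; the last line shows first-wins semantics.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes   # ignored: sshd keeps the first value it saw
"""

if __name__ == "__main__":
    print(audit_sshd(WEAK))       # two findings
    print(audit_sshd(HARDENED))   # []
```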

Page 27: Security testing presentation


References


• http://google-gruyere.appspot.com

• https://www.owasp.org/index.php/Top_10_2010-Main

• http://www.softwaretestingmentor.com/types-of-testing/security-testing/

• http://vishnuvalentino.com/tips-and-trick/penetration-testing-pros-and-cons/

• http://www.toolsjournal.com/testing-lists/item/217-10-free-and-opensource-tools-for-security-testing

• http://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers