Transcript of: Web Application Assessment (securosis.com/assets/library/presentations/Web...)
Integrating Web Application Penetration Testing into Your
Vulnerability Management Program
Rich Mogull, Securosis, L.L.C.
securosis.com
Top Threats
• Clientside
• Web Applications
Why Web Applications Are Such a Problem
• Rapid development with limited QA
• Eternal beta cycles
• Un(security)trained developers
• New vulnerability classes
• Insecure browsers
• Inherent insecurity of web model
Major Webapp Attacks: Breaking Trust Relationships
• Cross Site Scripting
• Cross Site Request Forgery
• SQL Injection
(Figure: the three attacks placed between the labels Browser and Server.)
Cross Site Scripting
(Figure: two sequence diagrams, each between an Attacker and a Victim, with steps numbered 1 to 3; only the labels below survive.)
Stored: 2) Malicious script stored
Reflected: 1) Malicious URL; 2) User follows to trusted site; 3) Malicious script injected by site
Cross Site Request Forgery
(Figure: Session 1, in which the user authenticates to the trusted site, and Session 2, labelled "Stealth Session"; a script/link submits a transaction to the trusted site, producing malicious transactions.)
SQL Injection
SQL Statement:
"SELECT * FROM users WHERE name = '" + uName + "' AND password = '" + upass + "';"
Attack Input:
admin'--
Executed Statement:
SELECT * FROM users WHERE name = 'admin'--' AND password = '...';
(Everything after -- is a SQL comment, so the password clause is never evaluated and the admin row is returned.)
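The slide's statement, run for real against a small database so the effect of the attack input can be seen, together with the parameterized form that defeats it. This is an added example, not code from the presentation; the table contents, the `make_db` helper and the password values are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory database for the demonstration (not from the slides):
# a users table with an admin row and one ordinary user.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct-horse"), ("alice", "hunter2")])
    conn.commit()
    return conn

def executed_text(uName, upass):
    # The SQL string the concatenating version actually runs, i.e. the
    # slide's "Executed Statement" line for any input.
    return ("SELECT * FROM users WHERE name = '" + uName
            + "' AND password = '" + upass + "';")

def login_concatenated(conn, uName, upass):
    # The slide's statement built by string concatenation: uName is spliced
    # into the SQL text, so a quote plus a '--' comment marker rewrites the
    # query's structure instead of being compared as data.
    return conn.execute(executed_text(uName, upass)).fetchall()

def login_parameterized(conn, uName, upass):
    # Same query with bound parameters: the driver passes the values apart
    # from the statement text, so "admin'--" is looked up literally as a name.
    stmt = "SELECT * FROM users WHERE name = ? AND password = ?;"
    return conn.execute(stmt, (uName, upass)).fetchall()

if __name__ == "__main__":
    db = make_db()
    attack = "admin'--"          # the slide's attack input
    print(executed_text(attack, "wrong"))
    print("concatenated  :", login_concatenated(db, attack, "wrong"))
    print("parameterized :", login_parameterized(db, attack, "wrong"))
```

With the attack input and a wrong password, the concatenated version returns the admin row because the comment swallows the password clause; the parameterized version returns no rows, since no user is literally named `admin'--`.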
Accidental/Directory Traversal
(Figure residue; only the fragment + or - "/" = survives.)
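The slide names directory traversal but the figure did not survive extraction. As an added example (not from the presentation), the containment check a server should apply before serving a request-supplied path: the base directory and sample requests are constructed for the demonstration, and the check resolves the path first so that `..` segments, absolute paths, doubled slashes and symlinks are all judged on the final location rather than on the raw string.

```python
import os

def resolve_under(base_dir, requested):
    """Resolve `requested` (a path taken from an HTTP request) inside base_dir.

    Returns the absolute path if it stays within base_dir, or None if the
    normalized result escapes it, for example via '..' segments, an absolute
    path, or a symlink that points outside the tree.
    """
    base = os.path.realpath(base_dir)
    # join() discards base when `requested` is absolute; realpath then yields
    # a path outside base, which the commonpath test rejects like any other.
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target

def check_requests(base_dir, requests):
    """Map each requested path to its resolved location or 'BLOCKED'."""
    return {r: (resolve_under(base_dir, r) or "BLOCKED") for r in requests}

# Constructed sample requests against a hypothetical base directory
# (neither is on the slides).
SAMPLE_BASE = "/srv/www/static"
SAMPLE_REQUESTS = [
    "css/site.css",            # ordinary file inside the tree
    "../../etc/passwd",        # classic '..' escape
    "css/../../index.html",    # escape hidden behind a legitimate prefix
    "/etc/hosts",              # absolute path replaces the base entirely
    "css//site.css",           # extra '/' collapses to the same file
]

if __name__ == "__main__":
    for req, result in check_requests(SAMPLE_BASE, SAMPLE_REQUESTS).items():
        print(f"{req!r:28} -> {result}")
```

Comparing with `commonpath` rather than a string prefix matters: a prefix test would accept `/srv/www/static-private/secret` as being under `/srv/www/static`.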
How we used to manage web applications
Vulnerability Management
Web Application Security Program Overview
Application Security Lifecycle
Development Phases
Integration
Platform vulns
Limitations of static analysis/scanning
• Can’t catch everything
• No validation
• No exploitability/Impact
• Miss logic flaws
• Fire and forget
• The bad guys don’t use them
Best Practices for Web App Pen Testing
• Begin testing in the development process.
• Use a combination of tools and manual processes.
• Include traditional pen testing of the underlying platform.
• Perform periodic testing post-deployment, especially as new exploits appear.
Adapting your program for the long term
• Understand the different requirements of web application vulnerability management.
• Establish web application configuration standards and begin enforcement during development.
• Include code and vulnerability scanning, but you cannot skip penetration testing.
Integrating Web Application Penetration Testing into Your
Vulnerability Management Program
Rich Mogull, Securosis, L.L.C.
http://[email protected]