Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment
in the Portuguese WWW Panorama
ISCTE-IUL/DCTI
Instituto Superior do Trabalho e da Empresa
Instituto Universitário de Lisboa
Departamento de Ciências e Tecnologias de Informação
Carlos Serrão
http://www.carlosserrao.net
http://blog.carlosserrao.net
http://www.linkedin.com/in/carlosserrao
Nuno Teodoro
http://www.linkedin.com/in/nunoteodoro
Iberic Web Application Security Conference 2009
Motivation
Master thesis project
Great academic interest
Original study in Portugal
Important in the Portuguese community
Recent events expose the Portuguese network insecurity
Growing insecurity in web applications
Assessment…how?
1. Web application security assessment methodologies analysis
2. Vulnerabilities identification
3. Selection of the Web applications to be tested
4. Web applications security assessment methodology
5. Apply the methodology to the web applications
6. Tests results
Web application security assessment methodologies analysis
What do we have to start with?
Source code? Online access to the Web Application?
Inside knowledge about the Web Application?
What we can’t do:
- Application Security Architecture Review
- Automated Source Code Analysis
- Manual Security-Focused Code Review
What we can do:
- Automated External Application Scanning
- Manual Penetration Testing
Vulnerabilities identification
Selection of the Web applications to be tested
Main critical areas to assess: Public Administration Services and Banks (the most representative set of each)
Selection of the Web applications to be tested
Public Administration Services
Finances
Health Care
Social Security
Citizens’ Portal
Banks
Selection of the Web applications to be tested
Why were these Web Applications chosen?
Critical operations
Portuguese domain
Massive utilization
Interesting in the Portuguese WWW panorama
Selection of the Web applications to be tested
Finances
Users: Citizens, Companies, Public entities, Other entities
Critical operations: IRS, IVA, IES, IRC, Open Activity, Confirm TOC, IMI, IMT, Circulation Tax, Ask NIF, Change NIB
Selection of the Web applications to be tested
Health Care
Users: Citizens, Public entities, Health entities
Critical operations: Register, Pay services
Selection of the Web applications to be tested
Social Security
Users: Companies, Employees, Others
Critical operations: Register, Payments, Penalties, Retirement pensions, Family pensions, Unemployment pensions
Selection of the Web applications to be tested
Citizens’ Portal
Users: Companies, Citizens
Critical operations: Create company, General services
Web applications security assessment methodology
Penetration Testing
Passive Mode
Active Mode
Web applications security assessment methodology
Discovery
Documentation and analysis of the Discovery results
Create attack simulations on the target entity
Analysis of each attack
Document the results of the Attacks
Solutions to mitigate the problems
Presentation of the results to the entity
Apply the methodology to the web applications
OWASP Testing Guide
WASC Threat Classification
Why combine both?
Bigger Issues Coverage
Two important organizations
Tests results
The aim is to produce a report for each tested Web Application
The typical modus operandi of the attacker
The techniques and tools attackers will rely on to conduct these attacks
Which exploits attackers will use
Data that is being exposed by the web application
Legal constraints
Most of the work described in this paper has to be bounded by legislation
Getting the target entity to establish clear time frames for the pen testing exercise
Getting the target entity to clearly agree that we are not liable for anything going wrong
Finding out whether the target entity has any non-disclosure agreements that have to be signed
Getting the target entity’s relevant contacts for any unexpected situation
Legal constraints
NOT doing that…
Might get us, or more precisely, ME, arrested…
…and I don’t want that!
Legal constraints
Presents a crucial point in this work
Can lead to work invalidation if permissions are denied
Can lead to a change of the entire work scope
Legal constraints
Mitigate legal constraints
Change target entities
Loss of some interest…?
Future Work
Ask for authorizations
Better understand the government services and identify processes workflows
Get better insight on tools, processes, methodologies, etc., to perform these assessments
Start working…
Questions?