
4/17/2014

Web Application
Testing and Security
By Joscelyn Dias
An IT Manager Needs to Know about:
What is Web Application Security?
How to ensure application security?
What is application security audit?
Software Testing
Testing principles
Levels of testing
Unit, Integration, System, User Acceptance (V-Model)
Types of testing
Functional, Structural, Experience based,
Maintenance, Static and dynamic
Test Design Techniques
Static: Peer Review, Walkthrough, Inspection
Dynamic: Equivalence Partitioning, Boundary Value
Analysis, Decision tables, State transition, etc
OWASP Top 10 - 2010
Open Web Application Security Project (OWASP)
A1 - Injection
A2 - Cross Site Scripting
A3 - Broken Authentication and Session Management
A4 - Insecure Direct Object References
A5 - Cross Site Request Forgery
A6 - Security Misconfiguration
A7 - Insecure Cryptographic Storage
A8 - Failure to Restrict URL Access
A9 - Insufficient Transport Layer Protection
A10 - Unvalidated Redirects and Forwards
Web Testing
What is web testing?
Definition and approach
What specifics of software testing apply to web testing?
Web Testing framework (OWASP Framework)
Before Development
During definition and design
During development
During deployment
Maintenance and operations
Web Application Security Audit
Why is an audit required?
What is a web application security audit?
How an audit differs from testing
How an audit is performed - Steps
Formal invitation / Sharing of application and setup information / Audit / Reporting
Standards
OWASP auditing standard
Web Penetration Testing Steps
Passive Mode
Gathering information
Tools
Active Mode
Domains covered
Configuration Management Testing
Business Logic Testing
Authentication Testing
Authorization Testing
Session Management Testing
Data Validation Testing
Denial of Service Testing
Web Service Testing, Ajax Testing

Tools and Methodology used
Penetration Test Information Gathering
Collecting information about target
application and target environment
Identifying application entry points
Parameters, Form values, Cookies and Headers
Web application fingerprint
Application stacks, versions used
Application discovery
Different applications and access mechanisms (including old and obsolete ones)
Analysis of the error codes
Configuration Management Testing
SSL Testing
Use of strong cipher algorithms, adequate key sizes, etc
Infrastructure Configuration Management Testing
Location of the web server in the infrastructure
Application Configuration Management Testing
Sample files and folders
Source code comments review
Configuration review
Logging (location, storage, etc)
Testing for file extensions
Technology files (.pl, .aspx, etc), Other files
Authentication Testing
Credentials transport over encrypted channels
Test whether SSL is used and whether form (POST) based mechanisms are implemented
Testing for user enumeration
Try invalid usernames and passwords and infer which accounts exist from the
different messages displayed
Brute Force Attack
Understanding Authentication methods
Basic, Digest, Form based
Dictionary attacks (candidates taken from a wordlist)
Search attacks (exhaustive search over a defined range)
Testing for vulnerable remember-password and password reset features
Password remember feature (set AutoComplete=off)
How the password is reset (questions asked, how many possible answers the
questions have, etc)
Authentication Testing (contd.)
Testing for bypassing authentication scheme
Direct page request
Parameter modification (fixed value used by the server for authentication)
Session ID prediction
SQL Injection
Testing for logout
Importance of the logout function (killing the session by invalidating it server-side)
Testing for CAPTCHA
ID and CAPTCHA image sent to the client
Replay attacks (server keeps no session-side record of which image was issued)
Session Management Testing
Testing for session management schema
Session management technique used, session ID predictability, renewing session IDs
Testing for cookies attributes
Secure, HttpOnly, domain, path, expires
Testing for exposed session variables
How session data is transferred (https, headers, body)
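A checker for the cookie attributes listed above and for obviously guessable session IDs, added here as an example (it is not code from the original slides). The Set-Cookie headers and the ID lists are constructed for the demo, not captured from any application; the entropy figure is a rough frequency estimate, enough to flag short or repetitive tokens but not a proof of unpredictability:

```python
import math
from collections import Counter

# Constructed Set-Cookie headers, standing in for what an intercepting proxy
# would record from a target's responses (not data from any real application).
SAMPLE_HEADERS = [
    "JSESSIONID=1A2B3C4D5E6F; Path=/; HttpOnly",
    "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "auth=xyz; Domain=.example.com; Path=/; Expires=Fri, 31 Dec 2099 23:59:59 GMT",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, {attribute: value}); keys lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_cookie(header, served_over_https=True):
    """Return the findings for a cookie that carries a session identifier."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if served_over_https and "secure" not in attrs:
        findings.append(f"{name}: missing Secure (also sent over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script, XSS can steal it)")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite (sent on cross-site requests, CSRF)")
    domain = attrs.get("domain", "")
    if domain.startswith("."):
        findings.append(f"{name}: Domain={domain} is shared with every subdomain")
    if "expires" in attrs or "max-age" in attrs:
        findings.append(f"{name}: Expires/Max-Age set, session cookie persists on disk")
    return findings


def looks_sequential(session_ids, base=16):
    """True when consecutive IDs differ by one small constant step: a tester who
    collects a few IDs can then compute other users' IDs instead of guessing them."""
    try:
        values = [int(s, base) for s in session_ids]
    except ValueError:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1 and 0 < abs(steps.pop()) < 1000


def estimated_entropy_bits(session_id):
    """Shannon estimate from character frequencies, scaled to the whole token."""
    counts = Counter(session_id)
    n = len(session_id)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", audit_cookie(header) or "ok")
    print("sequential:", looks_sequential(["a3f0", "a3f1", "a3f2", "a3f3"]))
```

Run it against headers exported from a proxy session; any cookie that identifies a session should come back with an empty findings list, and the IDs collected across several logins should neither be sequential nor fall far below the entropy of a token of the same length drawn from the full alphabet.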
Authorization Testing
Testing for path traversal
Dot-dot-slash attack (reading files outside the web root with ../../../etc/passwd)
Possible if file read or upload options are available through HTML forms
Files outside the application directory can then be retrieved
Testing for bypassing authorization schema
Trying to access resources assigned to different roles
Testing for Privilege Escalation
Accessing resources not assigned to a specific role (because of application design issues)
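The path traversal case above, shown as an added example (not code from the original slides): a naive file read that follows ../ out of its directory, next to a version that resolves the path and refuses anything outside the base directory. The directory layout is constructed in a temporary folder; the file names and the helper names are the example's own. It assumes the framework has already URL-decoded the input and Python 3.9 or later for Path.is_relative_to:

```python
import os
import tempfile
from pathlib import Path


class TraversalAttempt(ValueError):
    """Raised when a user-supplied path would escape the directory it is confined to."""


def make_sample_tree():
    """Constructed layout: an uploads directory the app serves files from, and a
    secret next to it that must never be reachable through the app."""
    root = Path(tempfile.mkdtemp())
    (root / "uploads").mkdir()
    (root / "uploads" / "report.txt").write_text("quarterly report")
    (root / "secret.txt").write_text("db password")
    return root


def vulnerable_read(base_dir, user_path):
    """Naive join: '../' segments in user_path simply walk out of base_dir."""
    with open(os.path.join(base_dir, user_path), "rb") as f:
        return f.read()


def resolve_inside(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that lands outside it.
    resolve() follows symlinks, so a link inside base_dir that points out is
    rejected as well. Joining discards base when user_path is absolute, so a
    request for '/etc/passwd' also ends up outside base and fails the check."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if not target.is_relative_to(base):
        raise TraversalAttempt(f"{user_path!r} escapes {base}")
    return target


def is_traversal(base_dir, user_path):
    """Convenience predicate for tests and for logging blocked requests."""
    try:
        resolve_inside(base_dir, user_path)
    except TraversalAttempt:
        return True
    return False


def safe_read(base_dir, user_path):
    return resolve_inside(base_dir, user_path).read_bytes()


if __name__ == "__main__":
    root = make_sample_tree()
    print("vulnerable:", vulnerable_read(root / "uploads", "../secret.txt"))
    print("blocked:", is_traversal(root / "uploads", "../secret.txt"))
```

The check is done on the resolved path rather than by stripping "../" from the string: stripping leaves variants such as "....//" or encoded dots for the next round of testing, whereas comparing the final location against the base directory covers every spelling at once.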
Business Logic Testing
Approach:
Understanding the application
Creating raw data for logical tests
Business scenarios
Workflows
User roles
Privileges
Policies
Developing logical tests
Execution
Data Validation Testing
Improper validation of input coming from the client
Vulnerabilities are many out of which some are:
SQL Injection
executing SQL through user input
Cross Site Scripting
server sends user input back to the client without validation or encoding
OS Commanding
Passing commands through inputs so that they are executed on the server
Code Injection
Passing code through input fields which may get executed by the server side programs
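SQL injection appears twice above, as a way of bypassing the authentication scheme and as the first data validation flaw, so one added example covers both (this is not code from the original slides). A login query built by string concatenation is placed next to the parameterised form, against a constructed in-memory SQLite table; the user names, passwords and payload strings are the example's own, and passwords are stored in clear only to keep the demo short:

```python
import sqlite3


def make_db():
    """Constructed users table for the demo (a real application stores salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct horse')")
    conn.execute("INSERT INTO users VALUES ('alice', 'hunter2')")
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement from the raw form values, so quotes and comment
    markers typed by the user become part of the SQL."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised statement: the values travel separately from the SQL text,
    so the same payloads are compared as literal strings and match nothing."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Payloads a tester types into the user name field of the login form.
COMMENT_OUT_PASSWORD = "admin' --"   # closes the quote, '--' comments out the password check
TAUTOLOGY = "' OR '1'='1"           # turns the WHERE clause into one that is always true


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload:", login_vulnerable(db, COMMENT_OUT_PASSWORD, "x"))
    print("vulnerable, tautology:      ", login_vulnerable(db, TAUTOLOGY, TAUTOLOGY))
    print("safe, comment payload:      ", login_safe(db, COMMENT_OUT_PASSWORD, "x"))
    print("safe, real credentials:     ", login_safe(db, "admin", "correct horse"))
```

With the comment payload the vulnerable query becomes `... WHERE username = 'admin' --' AND password = 'x'`, so the password clause is never evaluated; with the tautology AND binds tighter than OR, so the trailing `OR '1'='1'` makes the whole condition true and the first row, admin, is returned. The parameterised version returns nothing for either payload because no user is literally named `admin' --`.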
Denial of service testing
Locking customer accounts
Repeatedly wrong passwords could lock valid accounts
User input as loop counter
The number of times the loop should execute (possible to pass through checkbox fields)
Writing user provided data to disk
Can be passed through text area kind of inputs
Storing too much data in session
This can exhaust the server's memory
How does one take care?
Developers
Education of web application security
Secure coding practices
Verifiers
Code Review
Penetration Testing
Organization
Security Policies and Standards
Security seen as part of the development cycle
