Agenda
Web 2.0 defined
Top Web 2.0 security vulnerabilities
Secure development of Web 2.0 applications
Insufficient Authentication
Example of XSRF
Injection Flaws
SQL injection
XML injection
JSON injection
E-mail injection
Do not use dynamic statements
Escape or encode meta characters
Validate input
Authentication and access control
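The three injection countermeasures above, shown side by side as an added example (not code from the original presentation): a dynamic statement kept only as the "before" case, the same lookup with a bound parameter, and an allow-list validator applied before the value reaches any statement. The in-memory SQLite table, the sample rows and the username character class are constructed for this example.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_dynamic(conn: sqlite3.Connection, name: str) -> list:
    """Dynamic statement: the untrusted value becomes part of the SQL text.
    Kept here only as the 'before' case; a quote in `name` changes the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized statement: the value travels separately from the SQL text,
    so meta characters inside it are data, never syntax."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Allow-list validation applied before the value reaches any statement.
# The permitted character class is an assumed policy for this example.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name: str) -> str:
    """Reject anything outside the allow-list instead of trying to escape it."""
    if USERNAME_RE.fullmatch(name) is None:
        raise ValueError(f"rejected username: {name!r}")
    return name


def safe_lookup(conn: sqlite3.Connection, name: str) -> list:
    """Validate first, then query with a bound parameter."""
    return lookup_parameterized(conn, validate_username(name))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing SQL meta characters
    print(len(lookup_dynamic(db, probe)))        # 2: the dynamic statement matched every row
    print(len(lookup_parameterized(db, probe)))  # 0: the same text treated as a literal name
    try:
        safe_lookup(db, probe)
    except ValueError as err:
        print(err)                                # rejected before any SQL ran
```

Validation and parameterization are complementary: the bound parameter protects the statement, while the allow-list keeps values that make no sense for the field out of the application entirely.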
SDLC
Make sure the PM has budgeted hours and dollars for security requirements, implementation, code review, testing and monitoring.
If it is not in the PM's level-of-effort, it will not get done.
Code review finds many more problems than scanning or black-box testing
Side benefit: developers gain training
Extremely cost-effective
Governance to say how new content will be posted to the site
Standard for classifying web site type or content
Obvious example is inaccurate Wiki entries
Protect against internal-confidential information being shared on your public site
Requirements
Collection & analysis
Test plan with security tests
Release plan with control verification
Initial system security plan
Risk assessment updates
Web applications consume XML blocks (such as SOAP messages) coming from AJAX clients
Risk: attacker will send repeated payloads or malformed XML blocks for DoS
Requirement: XML parsing on the server side
Requirement: check XML external entity reference (XML property)
Requirement: malware protection for file uploads
Requirement: restrict redirects
Include these in your test plan, regression testing and ongoing controls testing
Be able to tell the PM and developers why a requirement is there
Non-traceable requirements tend to disappear from the final product, especially non-functional requirements like security
Maintain traceability
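Added example, not part of the original presentation, of the server-side XML parsing requirements above: a pre-parse check that enforces a size limit against oversized payloads, refuses any DOCTYPE or entity declaration (which is where external entity references and entity-expansion DoS live), and reports malformed XML as a rejection rather than a crash. It uses only the Python standard library (`xml.parsers.expat` callbacks and `xml.etree.ElementTree`); the SOAP-like sample messages and the 64 KiB limit are constructed for the example.

```python
import xml.parsers.expat
from xml.etree import ElementTree

MAX_XML_BYTES = 64 * 1024  # assumed per-message limit; tune to the real service


class UnsafeXML(ValueError):
    """Raised when a block fails a pre-parse check or is malformed."""


def check_xml_block(data: bytes) -> None:
    """Run a streaming expat pass that aborts on anything the service never needs."""
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXML(f"payload of {len(data)} bytes exceeds size limit")

    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place external entities can be declared;
        # SOAP/AJAX messages have no legitimate use for one.
        raise UnsafeXML("DOCTYPE declaration not allowed")

    def reject_entity(*args):
        # Defence in depth: never reached if the DOCTYPE was refused first.
        raise UnsafeXML("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as err:
        raise UnsafeXML(f"malformed XML: {err}") from err


def parse_message(data: bytes) -> ElementTree.Element:
    """Only blocks that pass the checks reach the real parser."""
    check_xml_block(data)
    return ElementTree.fromstring(data)


def describe(data: bytes) -> str:
    """Convenience wrapper that turns the outcome into a log-friendly string."""
    try:
        parse_message(data)
        return "ok"
    except UnsafeXML as err:
        return str(err)


# Constructed sample messages.
GOOD = b"<Envelope><Body><getUser id='42'/></Body></Envelope>"
XXE = (b'<!DOCTYPE x [<!ENTITY e SYSTEM "file:///constructed/path">]>'
       b"<Envelope><Body>&e;</Body></Envelope>")
EXPANSION = (b'<!DOCTYPE x [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
             b"<Envelope>&b;</Envelope>")
MALFORMED = b"<Envelope><Body></Envelope>"
OVERSIZED = b"<Envelope>" + b"a" * MAX_XML_BYTES + b"</Envelope>"

if __name__ == "__main__":
    for label, msg in [("good", GOOD), ("xxe", XXE), ("expansion", EXPANSION),
                       ("malformed", MALFORMED), ("oversized", OVERSIZED)]:
        print(f"{label:10s} {describe(msg)}")
```

The size check runs before any parsing so an oversized block costs almost nothing to refuse; the "repeated payloads" half of the DoS risk is a rate-limiting concern at the front door, not something a parser can solve on its own.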
Testing
Usual quasi-penetration testing, e.g. with Metasploit or nmap
Discover hosts, check for services that are listening
Try to gain access
Find high-risk modules
Find / exploit known vulnerabilities
Hit client-side vulnerabilities
Try to alter application behavior, manipulate sessions, try to expose, alter or delete data, try to take control
Testing
Walk
Test
Sample Tests
XPath injection (~= SQL injection): can bypass authentication; input validation before passing values to an XPath statement
Need SOAP parameter input validation
Binary runs from the client's machine and shares the browser's session; can bypass authentication if the binary is tampered with; check the binary signature
Periodic
At periodic intervals
If you have external services, their operations are probably changing, and they are probably not notifying you.
Conclusion
Web 2.0 is powerful and very useful
As a regular Web 2.0 user, you need to be careful
As a Web 2.0 developer
Source code review
Security testing