Web Application Penetration Testing - OWASP


Web Application Penetration Testing
By: Frank Coburn & Haris Mahboob

Take Aways
§ Overview of the web app penetration testing process
§ Web proxy tool
§ Reporting
§ Gaps in the process

What is it?
§ Penetration testing vs vulnerability assessment
§ Finding security issues, exploiting them, and reporting on it

Why is it needed?
§ Finding vulnerabilities before the bad guys do
§ Understanding the application security posture
§ Legal requirements (e.g. PCI compliance)

Scoping the application
§ Requirements for testing
§ Effort days
§ Software/hardware requirements
§ Whitelisting
§ Testing window
§ Special requests
§ Cost

Our Methodology
1. Information gathering
2. Developing test cases
3. Vulnerability discovery & exploitation
4. Risk analysis
5. Reporting
6. Providing support

Methodology 2 – Information Gathering
§ Your browser and dev tools are your best friend
§ Unauthenticated vulnerabilities and exposures are the most critical
§ Depending on the timeline, proceed in order of attacks that are most likely to succeed
§ Try non-intrusive methods such as searching DNS records, as well as traceroute and other enumeration
*** Stakeholders need to be notified about public exposures and unauthenticated vulnerabilities right away! ***

Case study
A WordPress site running version 4.7.0 was vulnerable to Content Injection, leading to an embarrassing and potentially reputation-impacting message from a script kiddie.

Acting on Information Gathered
Application walkthrough
§ Discover the app's functionality by investigating using your browser first
§ See how much can be found without authentication
§ Look for common URLs, directories, and error pages
Fingerprinting
§ What JS framework are they using? Maybe you have some experience writing code in these languages
§ Sometimes session cookie names give away the underlying platform: "JSESSIONID", "ASP.NetSessionID"
Analyze
§ Think about how you would implement this functionality, the assumptions made, corners cut, etc.
§ Challenge the developer's assumptions in your testing
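The fingerprinting point above, as an added example that is not part of the talk: a small checker that parses the header block of a raw HTTP response and reports which session cookie names and headers reveal the platform. Reviewing your own responses this way shows what an unauthenticated visitor learns before sending a single crafted request. The cookie-name table and the header list are assumptions built from well-known defaults (the slide's two names are included; the ASP.NET default is spelled ASP.NET_SessionId), and the sample response is constructed.

```python
"""Check what a raw HTTP response reveals about the underlying platform.

Added example, not from the slide deck. The cookie-to-platform table is an
assumption built from well-known framework defaults.
"""
from __future__ import annotations

# Default session cookie names and the platform they usually indicate
# (assumed defaults; keys are lower-cased for case-insensitive matching).
SESSION_COOKIE_PLATFORMS = {
    "jsessionid": "Java servlet container (Tomcat, Jetty, WebLogic, ...)",
    "asp.net_sessionid": "ASP.NET",
    "phpsessid": "PHP",
    "cfid": "Adobe ColdFusion",
    "cftoken": "Adobe ColdFusion",
    "connect.sid": "Node.js (Express / express-session)",
}

# Response headers whose value directly names server software or a version.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version",
                       "x-aspnetmvc-version", "x-generator")


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs from the header block of a raw HTTP response.

    The status line is skipped and parsing stops at the first blank line, so
    any body is ignored. Header names are lower-cased for matching.
    """
    lines = raw_response.replace("\r\n", "\n").split("\n")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:          # lines[0] is the status line
        if line.strip() == "":      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_name(set_cookie_value: str) -> str:
    """Extract the cookie name from a Set-Cookie value such as 'NAME=v; Path=/'."""
    first_attr = set_cookie_value.split(";", 1)[0]
    return first_attr.partition("=")[0].strip()


def fingerprint_leaks(raw_response: str) -> list[dict[str, str]]:
    """Return one finding per header or cookie that reveals platform details."""
    findings: list[dict[str, str]] = []
    for name, value in parse_headers(raw_response):
        if name == "set-cookie":
            cname = cookie_name(value)
            platform = SESSION_COOKIE_PLATFORMS.get(cname.lower())
            if platform:
                findings.append({"source": f"Set-Cookie: {cname}",
                                 "value": cname,
                                 "inference": platform})
        elif name in FINGERPRINT_HEADERS:
            findings.append({"source": f"{name} header",
                             "value": value,
                             "inference": "server software disclosed"})
    return findings


# Constructed sample response; the values are illustrative, not from any
# real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: Servlet/3.0\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF; Path=/; HttpOnly\r\n"
    "Set-Cookie: theme=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for f in fingerprint_leaks(SAMPLE_RESPONSE):
        print(f"{f['source']:<28} {f['value']:<24} -> {f['inference']}")
```

The same parser works on a response saved from a browser's dev tools or exported from a web proxy; the fix on the application side is to rename the session cookie and suppress the version-bearing headers, then re-run the check to confirm the list is empty.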

Developing Test Cases
Breaking components of the application by issues:
§ Authentication and authorization issues
§ Session management
§ Data validation
§ Misconfigurations
§ Network level issues
Developing business logic test cases:
§ Jumping user flows
§ Testing authorization controls
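The "testing authorization controls" test case written out as a runnable harness. This is an added example, not code from the talk: every object URL is requested with its owner's session and then with every other session, and a finding is recorded when a non-owner receives the owner's 200 response. The in-memory DemoApp, its two routes (one with an ownership check, one deliberately without) and the user and session data are all constructed for the example; against a real application the fetch callable would be an HTTP client replaying requests captured in a proxy.

```python
"""Authorization test case: does object access depend on the session's owner?

Added example, not from the slide deck. DemoApp and its data are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    body: str = ""


class DemoApp:
    """Two endpoints over one object store: /invoices checks ownership,
    /export (deliberately, for the example) does not."""

    def __init__(self) -> None:
        self.sessions = {"sess-alice": "alice", "sess-bob": "bob"}
        self.invoices = {101: ("alice", "Invoice 101: 40 USD"),
                         102: ("bob", "Invoice 102: 75 USD")}

    def handle(self, path: str, session: str | None) -> Response:
        user = self.sessions.get(session)
        if user is None:
            return Response(401, "login required")
        resource, _, raw_id = path.strip("/").partition("/")
        if not raw_id.isdigit() or int(raw_id) not in self.invoices:
            return Response(404, "no such object")
        owner, text = self.invoices[int(raw_id)]
        if resource == "invoices":
            # Correct control: the object must belong to the session's user.
            return Response(200, text) if owner == user else Response(403, "forbidden")
        if resource == "export":
            # Missing control: any authenticated user gets any invoice.
            return Response(200, text)
        return Response(404, "no such route")


@dataclass
class AuthzFinding:
    path: str
    owner_session: str
    other_session: str
    other_status: int


def check_object_authorization(fetch, objects, sessions):
    """Replay each object's URL with its owner's session and every other session.

    `objects` maps a URL to the session that legitimately owns it. A finding is
    recorded when a non-owner gets the same 200 body the owner gets; 401/403/404
    for the non-owner means the control held for that object.
    """
    findings = []
    for path, owner in objects.items():
        baseline = fetch(path, owner)
        if baseline.status != 200:
            continue   # cannot judge authorization if the owner is refused
        for other in sessions:
            if other == owner:
                continue
            probe = fetch(path, other)
            if probe.status == 200 and probe.body == baseline.body:
                findings.append(AuthzFinding(path, owner, other, probe.status))
    return findings


def run_demo():
    """Run the test case against DemoApp; returns the list of findings."""
    app = DemoApp()
    objects = {"/invoices/101": "sess-alice", "/invoices/102": "sess-bob",
               "/export/101": "sess-alice", "/export/102": "sess-bob"}
    return check_object_authorization(app.handle, objects, list(app.sessions))


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.path}: readable by {f.other_session} (owner {f.owner_session})")
```

The harness only flags the unprotected /export route, which is the point of the comparison: a 403 for the non-owner is evidence that the control exists, while a matching 200 body is the evidence that goes into the report. Keeping it as a repeatable script turns a one-off manual check into a regression test the developers can run after the fix.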

Vulnerability Discovery & Exploitation
Carrying out the test cases
§ Observing application behavior
§ Improvising as the test proceeds
§ Google everything


Risk Analysis
Impact of a successful attack
§ How much damage can it cause
§ Taking business into context
Likelihood of a successful attack
§ Vulnerability discovery
§ Payload creation difficulty
§ Any mitigating controls in place

Reporting
§ Security issue description
§ Evidence
§ Impact/likelihood of an attack
§ Recommendations
§ Presentation
§ Support
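The risk analysis and reporting slides together, as an added example that is not code from the talk. The scoring scheme is the OWASP Risk Rating Methodology: each factor is scored 0 to 9, likelihood and impact are the averages of their factors, each average maps to Low (below 3), Medium (below 6) or High, and the pair is looked up in the overall severity matrix. The factor names are the ones on the risk analysis slide (payload creation is scored as ease, so a hard-to-build payload scores low), the Finding fields are the reporting slide's sections, and the sample finding, modelled loosely on the case study, uses made-up values.

```python
"""Risk rating and report entry for a finding (added example, not from the talk).

Scoring follows the OWASP Risk Rating Methodology (averaged 0-9 factors,
Low/Medium/High thresholds at 3 and 6, overall severity matrix). The sample
finding at the bottom is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass

# OWASP Risk Rating Methodology overall-severity matrix,
# indexed [likelihood level][impact level].
SEVERITY_MATRIX = {
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}


def level(score: float) -> str:
    """Map a 0-9 average to Low / Medium / High using the OWASP thresholds."""
    if not 0 <= score <= 9:
        raise ValueError(f"score out of range: {score}")
    return "Low" if score < 3 else "Medium" if score < 6 else "High"


@dataclass
class RiskFactors:
    # Likelihood factors (0 = attacker is unlikely to succeed, 9 = trivial).
    vulnerability_discovery: int   # how easily the issue is found
    payload_creation: int          # how easily a working payload is built
    mitigating_controls: int       # 9 = no controls in place, 0 = strong controls
    # Impact factors (0 = negligible, 9 = severe).
    technical_damage: int          # how much damage it can cause
    business_damage: int           # the same damage in its business context

    def likelihood(self) -> float:
        return (self.vulnerability_discovery + self.payload_creation
                + self.mitigating_controls) / 3

    def impact(self) -> float:
        return (self.technical_damage + self.business_damage) / 2

    def severity(self) -> str:
        return SEVERITY_MATRIX[level(self.likelihood())][level(self.impact())]


@dataclass
class Finding:
    title: str
    description: str
    evidence: str
    risk: RiskFactors
    recommendation: str

    def render(self) -> str:
        """Plain-text report entry with the sections the reporting slide lists."""
        r = self.risk
        return "\n".join([
            f"## {self.title}",
            f"Severity: {r.severity()} "
            f"(likelihood {level(r.likelihood())} {r.likelihood():.1f}, "
            f"impact {level(r.impact())} {r.impact():.1f})",
            f"Description: {self.description}",
            f"Evidence: {self.evidence}",
            f"Recommendation: {self.recommendation}",
        ])


# Constructed sample finding; the scores are illustrative.
SAMPLE = Finding(
    title="Unauthenticated content injection in public CMS",
    description="Unauthenticated users can modify published page content.",
    evidence="Captured request/response pair from the test environment.",
    risk=RiskFactors(vulnerability_discovery=8, payload_creation=7,
                     mitigating_controls=6, technical_damage=5,
                     business_damage=8),
    recommendation="Update the CMS and require authentication for the endpoint.",
)

if __name__ == "__main__":
    print(SAMPLE.render())
```

Recording the individual factor scores in the report, not just the final label, is what lets the stakeholder see why a finding is Critical and re-rate it if a mitigating control exists that the tester could not observe.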

Our Favorite Tool: Burp Suite Pro
§ Proxy HTTP traffic
§ Allows modification of URL parameters and HTTP request body
§ Useful for business logic testing
§ Easy searching of information sent or received

Gaps in the process
§ Assessments are timeboxed
§ Limited to the tester's technical abilities
§ Narrow scopes
§ Test environment misrepresentation
§ Attack surface limitations

Q&A
Questions?
