Web application testing

Transcription

1 CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration testing to ethical hacking can be applied to find vulnerabilities of different types. However if you want to go beyond the easy-to-find low-hanging fruits, security testing should be well planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, while for adversaries it is enough to find one exploitable vulnerability to penetrate into it. Attending this course will prepare software testers to adequately plan and precisely execute security tests, select and use the most appropriate tools and techniques to find even hidden security flaws. Practical exercises will help understanding web application vulnerabilities and mitigation techniques, together with hands-on trials of various testing tools from security scanners, through sniffers, proxy servers, fuzzing tools to static source code analyzers, this course gives the essential practical skills that can be applied on the next day at the workplace. Audience: Web application testers Preparedness: Basic Web application Exercises: Hands-on Outline IT security and secure coding Web application vulnerabilities Client-side security Security of RESTful web services Security testing Using security testing tools Content Web-based attacks overview: dangers of Internet Protocol technologies: IP/port scanning, zero day exploits, virus infections, botnets, spamming, phishing, vishing, distributed denial-of-service (DoS) attacks, identity theft, man-in-the-browser attack against internet banking services, organized large-scale cash-out by abusing hijacked bank accounts Topics include: security auditing, security testing vs. penetration tests and ethical hacking; threat modeling and risk analysis; STRIDE classification: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege; OWASP top 10 vulnerabilities, SQL Injection and similar flaws, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF); organized process of internet attacks: IP/port scanning, zero day exploits, virus infections, botnets, spamming, phishing, vishing, distributed denial-of-service (DoS) attacks, internet bank frauds; Web application security testing: white-box, black-box and grey-box testing; structured code review, validating implemented mitigation techniques, checking for misconfigurations; Tools and methods: security scanners (Nikto/Wikto, Nessus, Netsparker), SQL injection tools (SqlMap, SqlNinja, Safe3 SQL Injector), knowledge sources (CVE, NVD, BSI, SHIELDS), Metasploit penetration testing resources, finding security holes (Google hacking, SiteDigger, FSDB, GHDB), sniffers (Tcpdump, Ngrep, Wireshark), proxy servers (BurpSuite, Paros proxy), fuzzing robustness and security testing tools, static source code analyzers (FlawFinder, FindBugs, RIPS, Pixy, Fortify) Exercises: exploiting SQL injection step-by-step; crafting Cross-Site Scripting attacks through both reflective and persistent XSS; committing Cross-Site Request Forgery (CSRF); malicious file execution; insecure direct object reference; uploading and running executable code; cracking hashed values with search engines; information leakage through error reporting; using security testing tools: crafting fuzztesting, using the NetSparker Web vulnerability scanner, using Safe3 SQL Injector to automate injection flaw exploit, understanding vulnerability databases and working with exploit collections, google hacking exercise, using SiteDigger, sniffing network traffic with WireShark and the Burp Suite proxy, using the FindBugs source code analyzer.

2 Participants attending this course will: Understand basic concepts of security, IT security and secure coding Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them Learn client-side vulnerabilities and secure coding practices Understand security testing approach and methodology Get practical knowledge in using security testing tools Get sources and further reading on secure coding practices Other courses that relate to the topic of this course: CL-JAD - Advanced Java security (Classroom, 3 days) CL-CJW - Combined C/C++, Java and Web application security (Classroom, 4 days) CL-CNA - Combined C/C++/C#, ASP.NET and Web application security (Classroom, 4 days) CL-WSC - Web application security (Classroom, 2 days) RT-JST - Java security technologies (Remote, 2x1.5h) RT-JVL - Java specific vulnerabilities (Remote, 2x1.5h) RT-NST -.NET and ASP.NET security technologies (Remote, 2x1.5h) RT-AVL - ASP.NET specific vulnerabilities (Remote, 2x1.5h) RT-WVL - Web application vulnerabilities (Remote, 2x1.5h) Note: Our classroom trainings come with a number of easy-to-understand exercises providing live hacking fun. By accomplishing these exercises with the lead of the trainer, participants can analyze vulnerable code snippets and commit attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner by using a pre-set desktop virtual machine, which provides a uniform development environment.

3 Detailed table of contents Day 1 IT security and secure coding Nature of security IT security related terms Definition of risk Different aspects of IT security Requirements of different application areas IT security vs. secure coding From vulnerabilities to botnets and cyber crime Nature of security flaws Reasons of difficulty From an infected computer to targeted attacks Cyber-crime an organized network of criminals Classification of security flaws Landwehr s taxonomy The Fortify taxonomy The Seven Pernicious Kingdoms OWASP Top Ten 2013 OWASP Top Ten comparison Web application vulnerabilities SQL Injection Exercise cars.com SQL Injection SQL Injection exercise Typical SQL Injection attack methods Blind and time-based SQL injection SQL Injection protection methods Other injection flaws Command injection Exercise Command injection Cross-Site Scripting (XSS) Persistent / Reflected XSS exercise XSS prevention XSS prevention tools in Java Broken authentication and session management Exercise cars.com Authentication bypass Cross Site Request Forgery (CSRF) Exercise cars.com Cross Site Request Forgery (CSRF) CSRF prevention Insecure direct object reference Unvalidated file upload Security misconfiguration

4 Failure to restrict URL access Transport layer security issues Unvalidated redirects and forwards Client-side security Day 2 JavaScript security Same Origin Policy Exercise Client-side authentication Client-side authentication and password management Protecting JavaScript code Exercise JavaScript obfuscation Clickjacking Exercise Do you Like me? Protection against Clickjacking Ajax security XSS in AJAX Script injection attack in AJAX Exercise XSS in AJAX Exercise CSRF in AJAX JavaScript hijacking CSRF protection in AJAX HTML5 Security HTML5 clickjacking attack text field injection HTML5 clickjacking content extraction Form tampering Exercise Form tampering Cross-origin requests Exercise Client side include Security of RESTful web services Securing web services two general approaches Authentication with REST Pseudo-authentication with OAuth REST-related technologies for security XML security Signing XML documents spot the bug! XML Digital Signature XML Encryption XML Security with Username/Password JAX-RS Spring Security REST-related vulnerabilities Vulnerabilities in connection with REST Hash collision with XML Digital Signature XML Signature Wrapping attack OAuth vulnerability broken authorization

5 Security testing Introduction to security testing Functional testing vs. security testing The paradigm shift of security testing Security vulnerabilities Security auditing vs. security testing Approach to security testing System level hardening and mitigation techniques Hardening Checking for misconfigurations Security testing methodology Steps of test planning (risk analysis) Preparation and scoping Identifying security objectives Threat modelling Threat modeling Threat modeling based on attack trees Threat modeling based on attack trees an example Threat modeling based on misuse/abuse cases Misuse/abuse cases a simple Web shop example STRIDE per element approach to threat modeling MS SDL (1) Diagramming examples of DFD elements Data flow diagram example (2) Threat enumeration MS SDL s STRIDE and DFD elements (3) Mitigation concepts Standard mitigation techniques of MS SDL (4) Validation Risk analysis classification of threats Security testing techniques Test planning general testing approaches Manual inspection and review Code review Code review exercise Exploitable security flaws Protection principles Specific protection methods Protection methods at different layers The PreDeCo matrix of software security Input validation concepts Integer overflow in Java The actual mistake in java.utils.zip.crc32 Representation of negative integers Integer ranges Integer representation by using the two s complement Arithmetic overflow spot the bug! So why ABS(INT_MIN)==INT_MIN? Avoiding arithmetic overflow multiplication Dealing with signed/unsigned integer promotion

6 Implementation of a command dispatcher Unsafe reflection spot the bug! Compliance with software quality standards Compliance Common Criteria Penetration testing Manual run-time verification Manual vs. automated security testing Automated security testing - fuzzing Unsafe JNI Exercise A simple custom fuzzer Processing test results Using security testing tools Security testing tools - overview Web vulnerability scanners Exercise Finding vulnerabilities with a vulnerability scanner SQL injection tools Exercise Automated finding and exploiting of SQL injection Public database The most exploited flaw in Java The actual mistake in java.util.calendar spot the bug! Exercise Test the exploit Google hacking Exercise Manual Google hacking Exercise Google Hacking by using tools Proxy servers and sniffers Exercise Capturing network traffic Exercise Sniffing with proxy Static code analysis Exercise Using source code analyzers Summary