Web application testing

CL-WTS Web application testing
Classroom, 2 days

Testing plays a very important role in ensuring the security and robustness of web applications. Various approaches, from high-level auditing through penetration testing to ethical hacking, can be applied to find vulnerabilities of different types. However, if you want to go beyond the easy-to-find low-hanging fruit, security testing should be well planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, while for an adversary it is enough to find one exploitable vulnerability to penetrate it.

Attending this course will prepare software testers to adequately plan and precisely execute security tests, and to select and use the most appropriate tools and techniques to find even hidden security flaws. Practical exercises help participants understand web application vulnerabilities and mitigation techniques, together with hands-on trials of various testing tools, from security scanners through sniffers, proxy servers and fuzzing tools to static source code analyzers. The course gives essential practical skills that can be applied at the workplace the next day.

Audience: Web application testers
Preparedness: Basic Web application
Exercises: Hands-on

Outline
IT security and secure coding
Web application vulnerabilities
Client-side security
Security of RESTful web services
Security testing
Using security testing tools

Content
Web-based attacks overview: dangers of Internet Protocol technologies: IP/port scanning, zero-day exploits, virus infections, botnets, spamming, phishing, vishing, distributed denial-of-service (DDoS) attacks, identity theft, man-in-the-browser attacks against internet banking services, organized large-scale cash-out by abusing hijacked bank accounts.

Topics include: security auditing; security testing vs. penetration tests and ethical hacking; threat modeling and risk analysis; the STRIDE classification (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege); the OWASP Top 10 vulnerabilities, SQL injection and similar flaws, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF); the organized process of internet attacks: IP/port scanning, zero-day exploits, virus infections, botnets, spamming, phishing, vishing, distributed denial-of-service (DDoS) attacks, internet bank fraud; web application security testing: white-box, black-box and grey-box testing, structured code review, validating implemented mitigation techniques, checking for misconfigurations.

Tools and methods: security scanners (Nikto/Wikto, Nessus, Netsparker), SQL injection tools (sqlmap, sqlninja, Safe3 SQL Injector), knowledge sources (CVE, NVD, BSI, SHIELDS), Metasploit penetration testing resources, finding security holes (Google hacking, SiteDigger, FSDB, GHDB), sniffers (tcpdump, ngrep, Wireshark), proxy servers (Burp Suite, Paros proxy), fuzzing robustness and security testing tools, static source code analyzers (Flawfinder, FindBugs, RIPS, Pixy, Fortify).

Exercises: exploiting SQL injection step by step; crafting Cross-Site Scripting attacks, both reflected and persistent XSS; committing Cross-Site Request Forgery (CSRF); malicious file execution; insecure direct object reference; uploading and running executable code; cracking hashed values with search engines; information leakage through error reporting; using security testing tools: crafting fuzz tests, using the Netsparker web vulnerability scanner, using Safe3 SQL Injector to automate exploitation of injection flaws, understanding vulnerability databases and working with exploit collections, a Google hacking exercise, using SiteDigger, sniffing network traffic with Wireshark and the Burp Suite proxy, using the FindBugs source code analyzer.

Participants attending this course will:
Understand basic concepts of security, IT security and secure coding
Learn web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
Learn client-side vulnerabilities and secure coding practices
Understand the security testing approach and methodology
Get practical knowledge in using security testing tools
Get sources and further reading on secure coding practices

Other courses that relate to the topic of this course:
CL-JAD - Advanced Java security (Classroom, 3 days)
CL-CJW - Combined C/C++, Java and Web application security (Classroom, 4 days)
CL-CNA - Combined C/C++/C#, ASP.NET and Web application security (Classroom, 4 days)
CL-WSC - Web application security (Classroom, 2 days)
RT-JST - Java security technologies (Remote, 2x1.5h)
RT-JVL - Java specific vulnerabilities (Remote, 2x1.5h)
RT-NST - .NET and ASP.NET security technologies (Remote, 2x1.5h)
RT-AVL - ASP.NET specific vulnerabilities (Remote, 2x1.5h)
RT-WVL - Web application vulnerabilities (Remote, 2x1.5h)

Note: Our classroom trainings come with a number of easy-to-understand exercises providing live hacking fun. By accomplishing these exercises under the guidance of the trainer, participants can analyze vulnerable code snippets and mount attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner using a pre-set desktop virtual machine, which provides a uniform development environment.

Detailed table of contents

Day 1

IT security and secure coding
  Nature of security
    IT security related terms
    Definition of risk
    Different aspects of IT security
    Requirements of different application areas
    IT security vs. secure coding
  From vulnerabilities to botnets and cyber crime
    Nature of security flaws
    Reasons of difficulty
    From an infected computer to targeted attacks
    Cyber-crime: an organized network of criminals
  Classification of security flaws
    Landwehr's taxonomy
    The Fortify taxonomy: The Seven Pernicious Kingdoms
    OWASP Top Ten 2013
    OWASP Top Ten comparison 2003-2013

Web application vulnerabilities
  SQL Injection
    Exercise: cars.com SQL Injection
    SQL Injection exercise
    Typical SQL Injection attack methods
    Blind and time-based SQL injection
    SQL Injection protection methods
  Other injection flaws
    Command injection
    Exercise: Command injection
  Cross-Site Scripting (XSS)
    Persistent / Reflected XSS exercise
    XSS prevention
    XSS prevention tools in Java
  Broken authentication and session management
    Exercise: cars.com Authentication bypass
  Cross Site Request Forgery (CSRF)
    Exercise: cars.com Cross Site Request Forgery (CSRF)
    CSRF prevention
  Insecure direct object reference
  Unvalidated file upload
  Security misconfiguration
  Failure to restrict URL access
  Transport layer security issues
  Unvalidated redirects and forwards

Client-side security

Day 2

  JavaScript security
    Same Origin Policy
    Exercise: Client-side authentication
    Client-side authentication and password management
    Protecting JavaScript code
    Exercise: JavaScript obfuscation
    Clickjacking
    Exercise: Do you Like me?
    Protection against Clickjacking
  Ajax security
    XSS in AJAX
    Script injection attack in AJAX
    Exercise: XSS in AJAX
    Exercise: CSRF in AJAX
    JavaScript hijacking
    CSRF protection in AJAX
  HTML5 Security
    HTML5 clickjacking attack: text field injection
    HTML5 clickjacking: content extraction
    Form tampering
    Exercise: Form tampering
    Cross-origin requests
    Exercise: Client side include

Security of RESTful web services
  Securing web services: two general approaches
  Authentication with REST
  Pseudo-authentication with OAuth
  REST-related technologies for security
    XML security
    Signing XML documents: spot the bug!
    XML Digital Signature
    XML Encryption
    XML Security with Username/Password
    JAX-RS
    Spring Security
  REST-related vulnerabilities
    Vulnerabilities in connection with REST
    Hash collision with XML Digital Signature
    XML Signature Wrapping attack
    OAuth vulnerability: broken authorization

Security testing
  Introduction to security testing
    Functional testing vs. security testing
    The paradigm shift of security testing
    Security vulnerabilities
    Security auditing vs. security testing
    Approach to security testing
  System level hardening and mitigation techniques
    Hardening
    Checking for misconfigurations
  Security testing methodology
    Steps of test planning (risk analysis)
    Preparation and scoping
    Identifying security objectives
    Threat modeling
      Threat modeling based on attack trees
      Threat modeling based on attack trees: an example
      Threat modeling based on misuse/abuse cases
      Misuse/abuse cases: a simple Web shop example
      STRIDE per element approach to threat modeling: MS SDL
      (1) Diagramming
      Examples of DFD elements
      Data flow diagram example
      (2) Threat enumeration
      MS SDL's STRIDE and DFD elements
      (3) Mitigation concepts
      Standard mitigation techniques of MS SDL
      (4) Validation
    Risk analysis: classification of threats
  Security testing techniques
    Test planning: general testing approaches
    Manual inspection and review
      Code review
      Code review exercise
      Exploitable security flaws
      Protection principles
      Specific protection methods
      Protection methods at different layers
      The PreDeCo matrix of software security
      Input validation concepts
      Integer overflow in Java
      The actual mistake in java.util.zip.CRC32
      Representation of negative integers
      Integer ranges
      Integer representation by using the two's complement
      Arithmetic overflow: spot the bug!
      So why ABS(INT_MIN)==INT_MIN?
      Avoiding arithmetic overflow: multiplication
      Dealing with signed/unsigned integer promotion
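The "Integer representation by using the two's complement", "So why ABS(INT_MIN)==INT_MIN?" and "Avoiding arithmetic overflow: multiplication" items above concern Java's 32-bit signed int arithmetic. As an added example (written for this page, not course material), the following Python snippet emulates that arithmetic exactly, so the reason for the abs() anomaly can be seen at the bit level, and shows the wide-type-then-range-check pattern that Java's Math.multiplyExact uses to refuse an overflowing product. The helper names (to_i32, java_abs, checked_mul) are this example's own.

```python
# Emulation of Java's 32-bit two's complement int arithmetic (added example, not course code).
INT_MIN = -2**31
INT_MAX = 2**31 - 1
MASK32 = 0xFFFFFFFF


def to_i32(x):
    """Wrap any Python int into the signed 32-bit value a Java int would hold after overflow."""
    x &= MASK32                                   # keep the low 32 bits, as the JVM does
    return x - (1 << 32) if x & 0x80000000 else x  # bit 31 set means negative


def fits_i32(x):
    return INT_MIN <= x <= INT_MAX


def twos_complement_negate(x):
    """Negation as the hardware does it: invert all 32 bits, then add one.

    For INT_MIN (0x80000000) the inversion gives 0x7FFFFFFF and the +1 carries back
    into bit 31, so the result is 0x80000000 again: -INT_MIN == INT_MIN.
    """
    return to_i32((~x & MASK32) + 1)


def java_abs(x):
    """Math.abs(int) as the JVM computes it: negate negative inputs in 32-bit arithmetic.
    Because of the wrap above, abs() can return a negative number, so a guard such as
    `if (Math.abs(delta) < LIMIT)` is not a safe range check on its own."""
    return twos_complement_negate(x) if x < 0 else x


def java_mul(a, b):
    """a * b on Java ints: the true product is truncated to 32 bits, sign included."""
    return to_i32(a * b)


def checked_mul(a, b):
    """Overflow-safe multiplication, the pattern behind Math.multiplyExact(int, int):
    compute in a wider type (Java: long), then refuse to narrow if the result does
    not fit in 32 bits."""
    product = a * b                                # Python ints are unbounded, like a wide enough long
    if not fits_i32(product):
        raise OverflowError(f"{a} * {b} = {product} does not fit in a Java int")
    return product


def bits(x):
    """32-bit pattern of a value, for reading the examples."""
    return f"0x{x & MASK32:08X}"


if __name__ == "__main__":
    print("INT_MIN      ", bits(INT_MIN), INT_MIN)
    print("abs(INT_MIN) ", bits(java_abs(INT_MIN)), java_abs(INT_MIN))
    print("INT_MAX * 2  ", bits(java_mul(INT_MAX, 2)), java_mul(INT_MAX, 2))
    print("46341 * 46341", java_mul(46341, 46341), "(true value", 46341 * 46341, ")")
```

The last line is the classic trap: 46341 is the smallest positive int whose square exceeds INT_MAX, so a size computation such as `rows * cols` silently turns negative at that point, and any later `new byte[rows * cols]` or bounds check built on it is wrong.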

      Implementation of a command dispatcher
      Unsafe reflection: spot the bug!
    Compliance with software quality standards
      Compliance: Common Criteria
    Penetration testing
      Manual run-time verification
      Manual vs. automated security testing
    Automated security testing: fuzzing
      Unsafe JNI
      Exercise: A simple custom fuzzer
    Processing test results

Using security testing tools
  Security testing tools: overview
  Web vulnerability scanners
    Exercise: Finding vulnerabilities with a vulnerability scanner
  SQL injection tools
    Exercise: Automated finding and exploiting of SQL injection
  Public databases
    The most exploited flaw in Java
    The actual mistake in java.util.Calendar: spot the bug!
    Exercise: Test the exploit
  Google hacking
    Exercise: Manual Google hacking
    Exercise: Google hacking by using tools
  Proxy servers and sniffers
    Exercise: Capturing network traffic
    Exercise: Sniffing with proxy
  Static code analysis
    Exercise: Using source code analyzers

Summary
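The outline lists "Exercise: A simple custom fuzzer" and several "spot the bug" items on integer overflow without showing content. As an added example (written for this page, not the course's exercise), here is a minimal mutation fuzzer in Python run against a constructed length-prefixed record parser whose bounds check is evaluated in emulated 32-bit Java arithmetic. The parser, its seed input and the list of "interesting" boundary values are this example's own; the point it makes is general: random bit flips essentially never produce a length of INT_MAX, so a fuzzer needs a boundary-value strategy to reach the wrapped `off + len > size` check, and the fixed parser survives the same campaign.

```python
import random
import struct

# Boundary integers a mutation fuzzer injects on purpose (AFL-style "interesting" values).
INTERESTING_32 = [0, 1, 0xFF, 0xFFFF, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]


def to_i32(x):
    """Wrap a Python int into Java-style signed 32-bit arithmetic."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def parse_record(buf):
    """Constructed target: 4-byte big-endian length, then that many payload bytes.

    The bounds check is written the intuitive way, `4 + length > len(buf)`, in 32-bit
    arithmetic. For length near INT_MAX the sum wraps negative, the check passes, and
    the copy loop reads past the buffer: IndexError here, an out-of-bounds read in
    a native implementation.
    """
    if len(buf) < 4:
        raise ValueError("short header")
    length = to_i32(int.from_bytes(buf[:4], "big"))  # Java reads the field into a signed int
    if to_i32(4 + length) > len(buf):
        raise ValueError("payload exceeds buffer")
    out = bytearray()
    for i in range(length):                          # negative length: empty loop, no crash
        out.append(buf[4 + i])
    return bytes(out)


def parse_record_fixed(buf):
    """Same parser with the check rearranged so no intermediate can overflow."""
    if len(buf) < 4:
        raise ValueError("short header")
    length = to_i32(int.from_bytes(buf[:4], "big"))
    if length < 0 or length > len(buf) - 4:
        raise ValueError("payload exceeds buffer")
    return bytes(buf[4:4 + length])


def mutate(data, rng):
    """One random mutation: bit flip, byte overwrite, or an interesting 32-bit value."""
    data = bytearray(data)
    strategy = rng.randrange(3)
    if strategy == 0:
        i = rng.randrange(len(data))
        data[i] ^= 1 << rng.randrange(8)
    elif strategy == 1:
        data[rng.randrange(len(data))] = rng.randrange(256)
    else:
        i = rng.randrange(len(data) - 3)
        data[i:i + 4] = struct.pack(">I", rng.choice(INTERESTING_32))
    return bytes(data)


def fuzz(target, seed, iterations=3000, rng_seed=1):
    """Feed mutated inputs to target. ValueError is a clean rejection; any other
    exception is recorded as a crash. Returns the list of (input, exception name)."""
    rng = random.Random(rng_seed)                    # fixed seed: reproducible campaign
    crashes = []
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:                     # IndexError stands in for a real crash
            crashes.append((case, type(exc).__name__))
    return crashes


# Constructed seed input: length 5 followed by the payload "hello".
SEED = struct.pack(">I", 5) + b"hello"


def explain(case):
    """Why a crashing input got past the naive check: (length, wrapped sum)."""
    length = to_i32(int.from_bytes(case[:4], "big"))
    return length, to_i32(4 + length)


if __name__ == "__main__":
    found = fuzz(parse_record, SEED)
    print(f"{len(found)} crashing inputs against the naive parser")
    if found:
        case, exc = found[0]
        print(case.hex(), exc, "length, 4+length =", explain(case))
    print(f"{len(fuzz(parse_record_fixed, SEED))} crashing inputs against the fixed parser")
```

Treating ValueError as "expected rejection" and everything else as a finding is the essential triage step when processing fuzz results: without it every malformed input looks like a bug. Replace the two-line parser with a call into the real code under test (a socket client, a subprocess with a timeout) and the loop is a usable custom fuzzer.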