Security Testing Rihab CHEBBAH

Upload: rihab-chebbah

Post on 12-Jan-2017


Contents

• Introduction
• Security flaws: SQL Injection, Disclosure of sensitive data, Unauthorized access
• Security Testing: Types, Methods
• Conclusion

Introduction

• Testing is a partial verification process of a system.
• Its main objective is to identify as many problematic behaviours of the software as possible, in order to increase its quality.

Security flaws

Security flaws: SQL Injection

Vulnerabilities:
• Poor input validation in your Web applications
• Unsafe, dynamically constructed SQL commands
• Over-privileged application logins to the database
• Weak permissions that fail to restrict the application's login to the database

Countermeasures:
• Constrain and sanitize input data.
• Use type-safe SQL parameters for data access.
• Use an account that has restricted permissions in the database.

Security flaws: SQL Injection - Example

UserID supplied by the user: 105 or 1=1

Resulting query: SELECT * FROM CreditCard WHERE UserID= 105 or 1=1
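Added example (not from the original slides): the dynamically constructed query above beside a replacement that applies the two countermeasures listed, input constraint and a type-safe parameter. The CreditCard table is constructed in an in-memory SQLite database, reusing the card number from the slides' example; the function names are chosen here.

```python
import sqlite3

# Constructed sample data: a CreditCard table with three users (not a real dataset).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CreditCard (UserID INTEGER, Number TEXT)")
    conn.executemany("INSERT INTO CreditCard VALUES (?, ?)", [
        (105, "4010 3190 9662 5359"),
        (106, "4111 1111 1111 1111"),
        (107, "5500 0000 0000 0004"),
    ])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # Unsafe, dynamically constructed SQL: whatever the user typed becomes part
    # of the statement, so "105 or 1=1" widens the WHERE clause to every row.
    query = "SELECT Number FROM CreditCard WHERE UserID = " + user_id
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    # Countermeasure 1: constrain the input to its expected type (an integer id);
    # anything else is rejected before it gets near the database.
    try:
        uid = int(user_id)
    except ValueError:
        raise ValueError("UserID must be an integer")
    # Countermeasure 2: a type-safe parameter. The driver binds the value
    # separately from the statement text, so it can never be parsed as SQL.
    rows = conn.execute("SELECT Number FROM CreditCard WHERE UserID = ?", (uid,))
    return [row[0] for row in rows]
```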

Security flaws: Unauthorized Access

Vulnerabilities:
• Lack of authorization in data access code, providing unrestricted access
• Over-privileged database accounts

Countermeasures:
• Use principal permission demands to authorize the calling user.
• Use code access security permission demands to authorize the calling code.
• Use limited permissions to restrict the application's login to the database and to prevent direct table access.

Security flaws: Disclosure of sensitive data

Vulnerabilities:
• Clear text credentials passed over the network during SQL authentication
• Unencrypted sensitive application data sent to and from the database server

Countermeasures:
• Install a server certificate on the database server.
• Use an SSL connection between the Web server and database server to protect sensitive application data.
• Use an IPSec encrypted channel between the Web and database server.

Security flaws: Disclosure of sensitive data - example

[Figure: the card number 4010 3190 9662 5359 shown at both ends of the Application-to-database connection]

Security Testing

Security testing involves testing software in order to identify any flaws and gaps from a security and vulnerability point of view.

Security Testing in the coding phase: Unit Tests

₪ Test isolation
₪ Operate at the method and class level
₪ Written by developers
₪ Executed the most frequently

Advantages:
• Tests run very quickly: issues are identified quickly
• High test coverage

Disadvantages:
• Not many security vulnerabilities can be tested

Security Testing during the integration and validation phase: Integrated system Test & Operation Test

₪ Test integration between classes and modules
₪ Test integration between tiers
₪ Written by developers
₪ Executed often, but not as often as unit tests

Advantages:
• Can test in the application server
• Many security vulnerabilities can be tested: injections, authentication flaws and authorization flaws

Disadvantages:
• Some vulnerabilities may not be easily tested: XSS, URL filtering performed by a web server or application firewall
• Not executable as often as unit tests
• Overhead of starting an application server

Security Testing during the integration and validation phase: Integrated system Test & Functional acceptance Test

₪ Performed on the external API
₪ Low test coverage
₪ Performed by quality assurance testers
₪ Executed the least frequently

Advantages:
• Full testing of the external API
• Security consultants can use tools to script vulnerabilities: this documents the vulnerabilities and makes retesting easy

Disadvantages:
• Low test coverage
• Developers aren't included in testing

Security Testing: Methods

Static test / Dynamic test

Fuzzing Test

Fuzzing is about injecting invalid or random inputs in order:
- to reveal unexpected behaviour
- to identify errors and expose potential vulnerabilities.

Fuzzing Test - Process

Input data preparation: definition of input data
Program preparation: environment preparation
Setup: data transfer to the application; reporting
Monitoring: observation of program behaviour

Fuzzing Test - Monitoring

Observation of program behaviour:
• Logs
• Debuggers (!exploitable, ...)
• Files, processes and network monitors
• Virtualization (VMware)
• Source code modifications (breakpoints)
• Additional techniques (Valgrind, GuardMalloc)
• Combined techniques
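Added example (not from the original slides): a minimal mutation fuzzer in Python that walks the process above, input preparation from a valid seed, data transfer to the target, monitoring for behaviour other than the target's documented rejection, and a report of crashing inputs. The target parse_record is a constructed toy record parser whose missing bounds check is planted so the run has something to find; all names are chosen here.

```python
import random

# Constructed valid seed: length 3, payload "ABC", checksum = sum(payload) mod 256.
VALID_SEED = bytes([3, 0x41, 0x42, 0x43, (0x41 + 0x42 + 0x43) % 256])

def parse_record(data: bytes) -> bytes:
    """Toy target: 1-byte length, payload, 1-byte checksum.
    Documented rejection is ValueError; the missing length-vs-size check is the planted defect."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    payload = data[1:1 + length]
    checksum = data[1 + length]            # IndexError when data is shorter than declared
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return payload

def mutate(rng: random.Random, seed: bytes) -> bytes:
    """Input data preparation: derive one invalid or random input from the valid seed."""
    data = bytearray(seed)
    op = rng.choice(["flip", "truncate", "append"])
    if op == "flip" and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif op == "truncate" and len(data) > 1:
        del data[rng.randrange(len(data)):]
    else:
        data += bytes(rng.randrange(256) for _ in range(rng.randint(1, 4)))
    return bytes(data)

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 1) -> dict:
    """Data transfer + monitoring: feed mutated inputs and keep the first input
    that provokes each unexpected exception type (a crash candidate)."""
    rng = random.Random(rng_seed)          # fixed seed so a run can be reproduced
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed)
        try:
            target(case)
        except ValueError:
            continue                        # expected rejection of malformed input
        except Exception as exc:            # anything else is a bug to report
            crashes.setdefault(type(exc).__name__, case)
    return crashes

def report(crashes: dict) -> list:
    """Reporting: one line per distinct failure, with the reproducing input in hex."""
    return [f"{name}: {case.hex()}" for name, case in crashes.items()]

if __name__ == "__main__":
    print("\n".join(report(fuzz(parse_record, VALID_SEED, 500))))
```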

Security Testing: Types

Fuzzing Test - Fuzzing Test and SDLC

[Figure: SDLC phases Initial analysis, Design, Implementation, Testing, Maintenance, showing where Fuzzing fits]

Fuzzing Test - Fuzzers

Frameworks: Peach (http://peachfuzzer.com/), Sulley

Specialized fuzzers: JBroFuzz (OWASP), WSFuzzer (OWASP), TAOF, Wfuzz, Spike Proxy, WebFuzz

Fuzzing Test - advantages and disadvantages

Advantages:
• Full automation (in most cases)
• Fuzzers find real vulnerabilities
• Ability to identify bugs which are hard to find by manual testing
• Ability to quickly obtain satisfactory results (first bug)

Disadvantages:
• Inability to find logical bugs
• Inability to find complex bugs
• The time required for performing a test is very hard to specify

Security Testing: Security test cases checklist

Input validation

Related threats: Buffer overflows, Injection attacks, Disclosure of sensitive data, ...

• Conduct all data validation on a trusted system (e.g., the server)
• Identify all data sources and classify them into trusted and untrusted.
• Validate all data from untrusted sources (e.g., databases, file streams, etc.)
• There should be a centralized input validation routine for the application
• Specify proper character sets, such as UTF-8, for all sources of input
• Encode data to a common character set before validating
• All validation failures should result in input rejection
• Validate for expected data types
• Validate data range
• Validate data length
• Validate all input against a "white" list of allowed characters, whenever possible
• ...
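Added example (not from the original slides) serving both the coding-phase unit-test slide and this checklist: one centralized validation routine that checks length, a white list of allowed characters, the expected data type and the data range, rejecting on any failure, together with the unit tests a developer would keep beside it. The field table and the names validate and ALLOWED are chosen here.

```python
import re
import unittest

# Constructed field table: name -> (expected type, min, max, max length, allowed characters).
ALLOWED = {
    "user_id": (int, 1, 10**9, 9, re.compile(r"[0-9]+")),
    "username": (str, None, None, 32, re.compile(r"[A-Za-z0-9_]+")),
}

def validate(field: str, raw):
    """Centralized routine: every untrusted input passes through here, and every
    failure results in rejection (ValueError) rather than a 'cleaned' value."""
    if field not in ALLOWED:
        raise ValueError(f"unknown field {field!r}")
    expected, lo, hi, max_len, pattern = ALLOWED[field]
    if not isinstance(raw, str):
        raise ValueError(f"{field}: input must be text")
    if len(raw) > max_len:                              # validate data length
        raise ValueError(f"{field}: too long")
    if not pattern.fullmatch(raw):                      # white list of allowed characters
        raise ValueError(f"{field}: illegal characters")
    value = expected(raw)                               # validate expected data type
    if lo is not None and not (lo <= value <= hi):      # validate data range
        raise ValueError(f"{field}: out of range")
    return value

class ValidateTests(unittest.TestCase):
    """Unit tests: isolated, method-level, fast enough to run on every build."""
    def test_accepts_well_formed_user_id(self):
        self.assertEqual(validate("user_id", "105"), 105)

    def test_rejects_sql_fragment_in_user_id(self):
        with self.assertRaises(ValueError):
            validate("user_id", "105 or 1=1")

    def test_rejects_out_of_range_user_id(self):
        with self.assertRaises(ValueError):
            validate("user_id", "0")

    def test_rejects_overlong_username(self):
        with self.assertRaises(ValueError):
            validate("username", "a" * 33)

if __name__ == "__main__":
    unittest.main()
```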

Access Control

Related threats: Unauthorized access, Disclosure of sensitive data, Tampering, DOS & DDOS attacks, ...

• Restrict access to protected functions to only authorized users
• Restrict direct object references to only authorized users
• Restrict access to services to only authorized users
• Restrict access to application data to only authorized users
• Restrict access to user and data attributes and policy information used by access controls
• Access controls should fail securely
• Deny all access if the application cannot access its security configuration information
• Use only trusted system objects, e.g. server-side session objects, for making access authorization decisions
• If state data must be stored on the client, use encryption and integrity checking on the server side to catch state tampering.
• ...

Cryptography practices

Related threats: Network eavesdropping, Disclosure of sensitive data, ...

• All cryptographic functions used to protect secrets from the application user must be implemented on a trusted system (e.g., the server)
• Protect master secrets from unauthorized access
• Cryptographic modules should fail securely
• All random numbers, random file names, random GUIDs, and random strings should be generated using the cryptographic module's approved random number generator when these random values are intended to be un-guessable
• Cryptographic modules used by the application should be compliant to FIPS 140-2 or an equivalent standard.
• Establish and utilize a policy and process for how cryptographic keys will be managed

Authentication and Password management

Related threats: Network eavesdropping, Disclosure of sensitive data, Unauthorized access, ...

• Require authentication for all pages and resources, except those specifically intended to be public
• All authentication controls must be enforced on a trusted system (e.g., the server)
• Establish and utilize standard, tested, authentication services whenever possible
• Use a centralized implementation for all authentication controls, including libraries that call external authentication services
• Segregate authentication logic from the resource being requested and use redirection to and from the centralized authentication control
• All authentication controls should fail securely
• All administrative and account management functions must be at least as secure as the primary authentication mechanism
• ...

Data protection

Related threats: Network eavesdropping, Disclosure of sensitive data, Tampering, Unauthorized access, ...

• Implement least privilege: restrict users to only the functionality, data and system information that is required to perform their tasks
• Encrypt highly sensitive stored information, like authentication verification data, even on the server side. Always use well vetted algorithms; see "Cryptographic Practices" for additional guidance
• Protect server-side source code from being downloaded by a user
• Do not store passwords, connection strings or other sensitive information in clear text or in any non-cryptographically secure manner on the client side
• Remove comments in user-accessible production code that may reveal backend system or other sensitive information
• Do not include sensitive information in HTTP GET request parameters
• ...

Communication Security

Related threats: Network eavesdropping, Disclosure of sensitive data, Buffer overflow, DOS attack

• Implement encryption for the transmission of all sensitive information
• TLS certificates should be valid and have the correct domain name, not be expired, and be installed with intermediate certificates when required
• Failed TLS connections should not fall back to an insecure connection
• Utilize TLS connections for all content requiring authenticated access and for all other sensitive information
• Utilize TLS for connections to external systems that involve sensitive information or functions
• Utilize a single standard TLS implementation that is configured appropriately
• Specify character encodings for all connections
• Filter parameters containing sensitive information from the HTTP referer, when linking to external sites
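Added example (not from the original slides): the certificate and TLS-implementation items of this checklist expressed as a weak client configuration beside a corrected one, plus a check a test suite can run against the context an application actually hands to its HTTP or database client. It uses Python's standard ssl module; the function names are chosen here.

```python
import ssl

def weak_context() -> ssl.SSLContext:
    """Weak setting: the connection is encrypted, but the certificate proves nothing,
    because neither the chain nor the domain name is checked."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # certificate no longer tied to the host name
    ctx.verify_mode = ssl.CERT_NONE     # validity, expiry and intermediates not verified
    return ctx

def hardened_context() -> ssl.SSLContext:
    """Corrected setting: one standard implementation, configured appropriately."""
    ctx = ssl.create_default_context()              # verifies chain, expiry and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # refuse negotiation to older protocols
    return ctx

def audit_tls_context(ctx: ssl.SSLContext) -> list:
    """Return the checklist items the context violates; an empty list means it passes.
    Suitable as a unit test over the application's own context factory."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified (validity, expiry, intermediates)")
    if not ctx.check_hostname:
        findings.append("certificate domain name is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("connection may negotiate down to a pre-TLS 1.2 protocol")
    return findings

if __name__ == "__main__":
    for name, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(name, audit_tls_context(ctx) or "OK")
```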

Security Testing: Testing tools

OWASP Zed Attack Proxy

OWASP WFuzz

Conclusion

Security testing is an important and integral part of the software development process. You will need to conduct this testing to find security loopholes and then close them with appropriate security measures and techniques.

Thank you for your attention !!