"web applications security testing" by kirill semenov for lohika odessa qa techtalks
Agenda
• Security testing essentials
• WEB applications security
• HTTP overview
• Basic principles of security discredit
• Server side vulnerability
• Client side vulnerability
• SOAP API and JSON API
Part I – Basic principles of security discredit
WEB applications security
Network: what can be attacked? Client, Server
Basic principles of security discredit: HTTP
Diagram: Browser -(X)HTTP(S)-> WEB Server + Logics Server -> DBMS (SQL) and OS (commands, files)
Part II – Server side vulnerability
• A1 – Injection:
  – SQL injection
  – File injection
  – Code injection
• A2 – Broken Session Management
• A4 – Insecure Direct Object Reference
• A8 – Cross-Site Request Forgery (CSRF)
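Added example, not from the talk: the A1 item above (SQL injection) shown as the vulnerable string-built login query beside its parameterized form. The table, the two accounts and the probe string are constructed for the demo; the database is an in-memory SQLite connection from the standard library.

```python
"""SQL injection (OWASP A1): string-built query vs. parameterized query.
Constructed demo; uses an in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The 'before': user input is concatenated into the SQL text, so a quote
    in the input changes the query structure instead of staying data."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """The fix: placeholders bind the input as values, so the statement's
    structure is fixed before any user data reaches the SQL parser."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


# Textbook test input: a quote that closes the string literal, a tautology,
# and '--' so the rest of the statement becomes a comment (constructed probe).
PROBE_NAME = "alice' OR '1'='1' --"


def run_demo() -> dict:
    """Run both variants against the same probe and a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_wrong_password": login_vulnerable(conn, PROBE_NAME, "nope"),
        "parameterized_wrong_password": login_parameterized(conn, PROBE_NAME, "nope"),
        "parameterized_right_password": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

For a tester the point is the first two results: the same input logs in without a password on the concatenated query and is rejected on the parameterized one, which is what a fix for this finding should look like in the application code.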
Client side vulnerability
A8 – Cross Site Request Forgery
Diagram (XSS): Trap -> Victim
Diagram (CSRF): Site1, Site2; Trap -> Victim
Part III – Client side vulnerability
• A3 – Cross-Site Scripting (XSS)
  o stored
  o reflected
• A10 – Unvalidated Redirects
Client side vulnerability
A3 - XSS
XSS: execution of malicious JavaScript code inside the session of an authorized user who has higher privileges than the attacker
Diagram (A3 – XSS, stored and reflected): Browser -(X)HTTP(S)-> WEB Server + Logics Server -> DBMS (SQL) and OS (commands, files); the user data path is shown for both the Stored and the Reflected variant
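Added example, not from the talk: the A3 slide above in code, as the vulnerable page template beside the output-encoded version. The search page, the probe string and the `contains_live_markup` check are constructed for the demo; `html.escape` is the standard-library encoder.

```python
"""Reflected/stored XSS (OWASP A3): raw interpolation vs. HTML output encoding.
Constructed demo page and probe; not code from the talk."""
import html


def render_search_vulnerable(query: str) -> str:
    """The 'before': user-controlled text is placed into HTML unchanged, so any
    markup in it becomes part of the page. Reflected when `query` comes from
    the URL, stored when it was saved to the database earlier."""
    return "<h1>Results for: " + query + "</h1>"


def render_search_safe(query: str) -> str:
    """The fix: HTML-encode at the point of output so the browser treats the
    text as text. quote=True also encodes quotes, which matters when the value
    lands inside an attribute rather than element content."""
    return "<h1>Results for: " + html.escape(query, quote=True) + "</h1>"


def contains_live_markup(page: str) -> bool:
    """Crude tester's check (constructed heuristic): does the rendered page
    still contain a raw <script> tag or an inline event handler?"""
    lowered = page.lower()
    return "<script" in lowered or " onerror=" in lowered or " onload=" in lowered


# Constructed probe of the kind a tester submits through a search box.
PROBE = '<script>alert("xss")</script>'


def run_demo() -> dict:
    """Render the probe both ways and report whether markup survived."""
    before = render_search_vulnerable(PROBE)
    after = render_search_safe(PROBE)
    return {
        "vulnerable_has_live_markup": contains_live_markup(before),
        "safe_has_live_markup": contains_live_markup(after),
        "safe_output": after,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check is deliberately crude; it is there to make the difference visible in a test, not to replace a browser. The actual fix is the one line in `render_search_safe`: encode on output, in the context the value is written into.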
Client side vulnerability
A10 – Unvalidated redirects
Example: http://gmail.com/redirect.jsp?url=http://gmeil.com
Diagram: same interface served from a valid host and from an invalid host; Trap -> Victim
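Added example, not from the talk: a validator for the `url` parameter of a redirect endpoint like the slide's `redirect.jsp?url=...`. The allowlist, the `is_safe_redirect` and `safe_redirect_target` names and the hosts are constructed for the demo; the slide's `gmeil.com` look-alike is reused as the rejected case.

```python
"""Unvalidated redirect (OWASP A10): allowlist check for a redirect target.
Constructed demo; host names and function names are assumptions."""
from urllib.parse import urlsplit

# Hosts this application is willing to send users to (constructed allowlist).
ALLOWED_HOSTS = {"gmail.com", "mail.google.com"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only same-site relative paths, or absolute http(s) URLs whose
    host is exactly on the allowlist. Anything else is rejected."""
    if not target:
        return False
    # WHATWG URL parsing treats '\' like '/' for http(s), so '/\host' can be
    # read as protocol-relative; reject backslashes and control characters.
    if "\\" in target or any(c in target for c in "\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path such as /inbox?folder=1: one leading slash, never '//'.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # blocks javascript:, data: and similar schemes
    # .hostname strips userinfo and port and lowercases, so an exact
    # comparison is not fooled by 'gmail.com@gmeil.com' or mixed case.
    return parts.hostname is not None and parts.hostname in allowed_hosts


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """What the redirect handler should actually use: the validated target,
    or the site root when validation fails."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ("http://gmail.com/inbox", "http://gmeil.com",
                      "//gmeil.com/", "/inbox?folder=1", "javascript:alert(1)"):
        print(f"{candidate!r}: {is_safe_redirect(candidate)}")
```

Exact host matching is the important design choice: a prefix or substring test on the host string would accept `gmail.com.attacker.example`, which is the kind of bypass a tester should try against any redirect parameter that claims to be validated.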
SOAP API & JSON API
SoapUI
• SoapUI is a free and open source cross-platform Functional Testing solution
• http://www.soapui.org/about-soapui/what-is-soapui-.html