Security Testing Web Applications
Testing plays a very important role in ensuring the security and robustness of web applications. Various approaches – from high-level auditing through penetration testing to ethical hacking – can be applied to find vulnerabilities of different types. However, if you want to go beyond the easy-to-find low-hanging fruit, security testing should be well planned and properly executed. Remember: security testers should ideally find all bugs to protect a system, while for adversaries it is enough to find one exploitable vulnerability to penetrate it.
Attending this course will prepare software testers to adequately plan and precisely execute security tests, and to select and use the most appropriate tools and techniques to find even hidden security flaws. Practical exercises help participants understand web application vulnerabilities and mitigation techniques, together with hands-on trials of various testing tools: from security scanners, through sniffers, proxy servers and fuzzing tools, to static source code analyzers. This course gives essential practical skills that can be applied at the workplace the very next day.
Course outline
- IT security and secure coding
- Web application security (OWASP Top Ten 2017)
- Client-side security
- Denial of service
- Security testing
- Security testing techniques and tools
- Knowledge sources
Training formats
Classroom
Remote
Duration
3 days
Price
1990 €
Target Group
Web application testers
Goal
Participants attending this course will
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn about XML security
- Learn client-side vulnerabilities and secure coding practices
- Understand security concepts of Web services
- Learn about JSON security
- Learn about denial of service attacks and protections
- Understand security testing approaches and methodologies
- Get practical knowledge in using security testing techniques and tools
- Get sources and further readings on secure coding practices
Prerequisites
Preparedness: General Web application development and testing
Contents of Security Testing Web Applications
Day 1
Security basics
What is security?
Threat and risk
Types of threats against computer systems
Consequences of insecure software
Constraints and the market
The dark side
Categorization of bugs
- The Seven Pernicious Kingdoms
- Common Weakness Enumeration (CWE)
- CWE/SANS Top 25 Most Dangerous Software Errors
- Vulnerabilities in the environment and dependencies
The OWASP Top Ten
OWASP Top 10 – 2017
A1 - Injection
- Injection principles
- Injection attacks
- SQL injection
- SQL injection basics
- Lab – SQL injection
- Attack techniques
- Content-based blind SQL injection
- Time-based blind SQL injection
- SQL injection best practices
- Input validation
- Parameterized queries
- Additional considerations
- Lab – Using prepared statements
- Case study – Hacking Fortnite accounts
- Testing for SQL injection
- Code injection
- OS command injection
- Lab – Command injection
- OS command injection best practices
- Lab – Command injection best practices
- Case study – Command injection via ping
- Testing for command injection
- Injection best practices
A2 - Broken Authentication
- Authentication basics
- Authentication weaknesses
- Spoofing on the Web
- Testing for weak authentication
- Case study – PayPal 2FA bypass
- User interface best practices
- Password management
- Inbound password management
- Storing account passwords
- Password in transit
- Lab – Why is just hashing passwords not enough?
- Dictionary attacks and brute forcing
- Salting
- Adaptive hash functions for password storage
- (Mis)handling passwords
- Password policy
- NIST authenticator requirements for memorized secrets
- Password length
- Password hardening
- Using passphrases
- Lab – Applying a password policy
- The Ashley Madison data breach
- The dictionary attack
- The ultimate crack
- Exploitation and the lessons learned
- Password database migration
- Testing for password management issues
- Outbound password management
- Hard coded passwords
- Password in configuration file
- Lab – Hardcoded password
- Protecting sensitive information in memory
- Challenges in protecting memory
- Session management
- Session management essentials
- Why do we protect session IDs – Session hijacking
- Session ID best practices
- Session expiration
- Session fixation
- Testing for session management issues
- Cross-site Request Forgery (CSRF)
- Lab – Cross-site Request Forgery
- CSRF best practices
- Lab – CSRF protection with tokens
- Testing for CSRF
- Cookie security
- Cookie security best practices
- Cookie attributes
- Testing cookie security
Day 2
Security testing
Security testing methodology
- Preparation
- Identifying assets
- Identifying the attack surface
- Assigning security requirements
- Lab – Identifying and rating assets
- Attacker profiling
- Threat modelling
- SDL threat modelling
- Data flow diagram elements
- Mapping STRIDE to DFD
- Lab – SDL threat modelling
- Attack trees
- Misuse cases
- Risk analysis
- Lab – Risk analysis
- Security testing approaches
- Review and recommendations
- Standard and proprietary mitigations
The OWASP Top Ten
A3 - Sensitive Data Exposure
- Information exposure
- Exposure through extracted data and aggregation
- System information leakage
- Leaking system information
- Information exposure best practices
A4 - XML External Entities (XXE)
- DTD and the entities
- Entity expansion
- External Entity Attack (XXE)
- File inclusion with external entities
- Server-Side Request Forgery with external entities
- Lab – External entity attack
- Case study – XXE vulnerability in SAP Store
- Lab – Prohibiting DTD
- Testing for XXE and XML entity-related vulnerabilities
A5 - Broken Access Control
- Access control basics
- Missing or improper authorization
- Failure to restrict URL access
- Testing for authorization issues
- Confused deputy
- Insecure direct object reference (IDOR)
- Lab – Insecure Direct Object Reference
- Authorization bypass through user-controlled keys
- Case study – Authorization bypass on Facebook
- Testing for confused deputy weaknesses
- File upload
- Unrestricted file upload
- Good practices
- Lab – Unrestricted file upload
- Testing for file upload vulnerabilities
A6 - Security Misconfiguration
- Configuration principles
- Server misconfiguration
- Configuration management
A7 - Cross-site Scripting (XSS)
- Cross-site scripting basics
- Cross-site scripting types
- Persistent cross-site scripting
- Reflected cross-site scripting
- Client-side (DOM-based) cross-site scripting
- Case study – XSS in Fortnite accounts
- XSS protection best practices
- Protection principles - escaping
- Additional protection layers
- Client-side protection principles
- Lab – XSS fix / stored
- Lab – XSS fix / reflected
- Testing for XSS
A8 - Insecure Deserialization
- Serialization and deserialization challenges
- Deserializing untrusted streams
- Deserializing best practices
- Property Oriented Programming (POP)
- POP best practices
- Lab – Creating a POP payload
- Lab – Using the POP payload
- Testing for insecure deserialization
Day 3
Security testing
Security testing techniques and tools
- Security testing vs functional testing
- Manual and automated methods
- Penetration testing
- Stress testing
- Code analysis
- Security aspects of code review
- Static analysis
- Dynamic analysis
- Security testing at runtime
- Dynamic analysis tools
- Testing web applications
- Web vulnerability scanners
- SQL injection tools
- Man-in-the-middle sniffing and interference
- Proxy servers
- Lab – Using a proxy
The OWASP Top Ten
A9 - Using Components with Known Vulnerabilities
- Using vulnerable components
- Assessing the environment
- Hardening
- Untrusted functionality import
- Importing JavaScript
- Case study – The British Airways data breach
- Vulnerability management
- Patch management
- Vulnerability databases and scanning tools
- Vulnerability rating – CVSS
A10 - Insufficient Logging & Monitoring
- Logging and monitoring principles
- Insufficient logging
- Plaintext passwords at Facebook
- Logging best practices
- Monitoring best practices
Web application security beyond the Top Ten
- Client-side security
- Same Origin Policy
- Relaxing the Same Origin Policy
- Relaxing with Cross-Origin Resource Sharing (CORS)
- Simple request
- Preflight request
- Tabnabbing
- Frame sandboxing
- Cross-Frame Scripting (XFS) attack
- Lab - Clickjacking
- Clickjacking beyond hijacking a click
- Clickjacking protection best practices
- Testing for client-side security weaknesses
Common software security weaknesses
Input validation
- Input validation principles
- Blacklists and whitelists
- Data validation techniques
- What to validate – the attack surface
- When to validate – validation vs transformations
- Where to validate – defense in depth
- Output sanitization
- Encoding challenges
- Validation with regex
- Integer handling problems
- Representing signed numbers
- Integer visualization
- Integer overflow
- Integer truncation
- Best practices
- Upcasting
- Precondition testing
- Postcondition testing
- Testing for numeric problems
- Files and streams
- Path traversal
- Path traversal-related examples
- Additional challenges in Windows
- Virtual resources
- Path traversal best practices
- Testing for path traversal
JSON security
JSON injection
Dangers of JSONP
JSON/JavaScript hijacking
Best practices
Testing
ReactJS vulnerability in HackerOne
Wrap up
Secure coding principles
- Principles of robust programming by Matt Bishop
- Secure design principles of Saltzer and Schroeder
- Some more principles
And now what?
- Further sources and readings
Schedule
Course begins at 9.00 and ends between 16.00 and 16.30. Breakfast is served from 8.15 onwards.