Application Security
Introduction to common classes of security flaws and testing methodologies
Cade Cairns <cade@thoughtworks.com>
Feb 2014
Presented to: ThoughtWorks Quito Noche Geek

"
Testing plan
Intent:
Target analysis
Research
Automated scanning
Test authentication mechanisms
Verify access controls
Test input validation
Look for XSS, CSRF

Toolkit
Types of tools:
Content discovery
Data analysis
Fuzzing
Automated attacks
Network scanners
Resource scanner
Tools lists:
http://sectools.org/
More reading:
http://sectooladdict.blogspot.com/

Burp Suite
Popular choice for use by security testers
Integrates a lot of tools:
Intercepting proxy
Fuzzer
Content encoders/decoders
Supports third-party plug-ins
Multi-platform: written in Java
Free version with crippled features; $299 USD/year

Highly-rated security tool [1]
Provides many useful functions:
Intercepting proxy
Fuzzer
Scanner (active)

More tools
Database fingerprinting
nmap
DNSenum
netcat
stunnel

Test target: OWASP BWA
OWASP BWA (Broken Web Applications)
Linux virtual machine running applications with known vulnerabilities
Useful for learning about web application security testing and testing tools
For this presentation, focus on testing WackoPicko, which was used for the paper Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners

Step 1: mapping the application (Information gathering)
Purpose:
Nikto

"#
Demo
Identifying hidden content

"$
Step 3: target analysis (Information gathering)
Purpose:
Identify functionality
Enumerate inputs
Identify redirects
Review robots.txt
nmap
DNSenum

"@
Step 7: scan the target for security flaws (Automated scanning)
Warning: do not run an automated scanner in a production environment!
Purpose:
Vega
skipfish

"A
Demo
Automated scanning

"G
OWASP A2-Broken Authentication and Session Management (Authentication)
Authentication is the main defense against unauthorized access and typically core to security
Easy to make mistakes
Common types:
Form-based authentication
Multifactor authentication
SSL certificates
Authentication services

Step 8: test authentication mechanisms (Authentication)
Methodology:
Web browser
Burp

Most common passwords of 2013 [1] (Authentication)
1. 123456 (up 1)
2. password (down 1)
3. 12345678 (unchanged)
4. qwerty (up 1)
5. abc123 (down 1)
6. 123456789 (new)
7. 111111 (up 2)
8. 1234567 (up 5)
9. iloveyou (up 2)
10. adobe123 (new)
11. 123123 (up 5)
12. Admin (new)
13. 1234567890 (new)
14. letmein (down 7)
15. photoshop (new)
[1] http://splashdata.com/press/worstpasswords2013.htm

1"
Basic guidelines for safer authentication
Avoid exposing resources directly:
Database keys
Files
Directories
When these resources are exposed, it is important checks exist to ensure a user is authorized to access them.
Example:
Use HTTPS
https://www.ssllabs.com/ssltest/
Hardening data:
SQL injection
NoSQL injection
XPath injection
LDAP injection
SOAP injection
OS command injection
SMTP injection
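The guideline above about directly exposed resources (database keys, files, directories) in working form, as an added Python example that is not part of the original deck: a document resolver that verifies ownership of the requested id and confines the resolved file to the document store before returning anything. The DOCUMENTS table, the user names and the /srv/docs base directory are constructed sample values.

```python
from pathlib import Path

# Constructed sample table: resource id -> owning user and stored filename.
# In a real application this comes from the database row for the resource;
# the ids, names and filenames here are invented for the example.
DOCUMENTS = {
    1: {"owner": "alice", "file": "alice_report.pdf"},
    2: {"owner": "bob", "file": "bob_invoice.pdf"},
    3: {"owner": "carol", "file": "../outside_store.txt"},  # bad stored name
}


class Forbidden(Exception):
    """Requester is authenticated but not authorized for this resource."""


def resolve_document(doc_id, requester, base_dir="/srv/docs"):
    """Return the on-disk path of document `doc_id` for `requester`.

    The id is the directly exposed resource (a database key), so two checks
    run before any path is handed back:
      1. ownership: the row's owner must match the requesting user
         (extend with roles or an ACL lookup as the application requires);
      2. containment: the resolved file must stay inside `base_dir`, so a
         stored filename can never point outside the document store.
    An unknown id raises KeyError (a 404 in an HTTP handler); a failed check
    raises Forbidden (a 403). `base_dir` is a hypothetical store location.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise KeyError(doc_id)
    if doc["owner"] != requester:
        raise Forbidden(f"{requester} may not access document {doc_id}")
    base = Path(base_dir).resolve()
    target = (base / doc["file"]).resolve()
    if base not in target.parents:
        raise Forbidden(f"document {doc_id} resolves outside the store")
    return target


def can_access(doc_id, requester, base_dir="/srv/docs"):
    """True only when both the ownership and containment checks pass."""
    try:
        resolve_document(doc_id, requester, base_dir)
        return True
    except (Forbidden, KeyError):
        return False
```

Returning a distinct error for an unknown id versus a denied one lets the handler map them to 404 and 403 while still logging denied attempts for detection.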