CL-WTS
Web application testing
Classroom
2 days
Testing plays a very important role in ensuring the security and robustness of web
applications. Various approaches, from high-level auditing through penetration testing
to ethical hacking, can be applied to find vulnerabilities of different types. However, if
you want to go beyond the easy-to-find low-hanging fruit, security testing should be
well planned and properly executed. Remember: security testers should ideally find all
bugs to protect a system, while for adversaries it is enough to find one exploitable
vulnerability to penetrate it.
Attending this course will prepare software testers to adequately plan and precisely
execute security tests, and to select and use the most appropriate tools and techniques to
find even hidden security flaws. Practical exercises will help participants understand web
application vulnerabilities and mitigation techniques. Together with hands-on trials of
various testing tools, from security scanners through sniffers, proxy servers and fuzzing
tools to static source code analyzers, this course gives the essential practical skills that
can be applied at the workplace the next day.
Audience: Web application testers
Preparedness: Basic Web application
Exercises: Hands-on
Outline
IT security and secure coding
Web application vulnerabilities
Client-side security
Security of RESTful web services
Security testing
Using security testing tools
Content
Web-based attacks overview: dangers of Internet technologies: IP/port scanning, zero-day
exploits, virus infections, botnets, spamming, phishing, vishing, distributed denial-of-service (DDoS) attacks, identity theft, man-in-the-browser attacks against Internet banking services, organized large-scale cash-out by abusing hijacked bank accounts
Topics include: security auditing; security testing vs. penetration tests and ethical hacking; threat
modeling and risk analysis; STRIDE classification: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege; OWASP Top 10 vulnerabilities: SQL injection and similar flaws, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF); the organized process of Internet attacks: IP/port scanning, zero-day exploits, virus infections, botnets, spamming, phishing, vishing, distributed denial-of-service (DDoS) attacks, Internet bank fraud; Web application security testing: white-box, black-box and grey-box testing, structured code review, validating implemented mitigation techniques, checking for misconfigurations; tools and methods: security scanners (Nikto/Wikto, Nessus, Netsparker), SQL injection tools (sqlmap, sqlninja, Safe3 SQL Injector), knowledge sources (CVE, NVD, BSI, SHIELDS), Metasploit penetration testing resources, finding security holes (Google hacking, SiteDigger, FSDB, GHDB), sniffers (tcpdump, ngrep, Wireshark), proxy servers (Burp Suite, Paros proxy), fuzzing robustness and security testing tools, static source code analyzers (Flawfinder, FindBugs, RIPS, Pixy, Fortify)
Exercises: exploiting SQL injection step by step; crafting Cross-Site Scripting attacks through both
reflected and persistent XSS; committing Cross-Site Request Forgery (CSRF); malicious file execution; insecure direct object reference; uploading and running executable code; cracking hashed values with search engines; information leakage through error reporting; using security testing tools: crafting fuzz tests, using the Netsparker Web vulnerability scanner, using Safe3 SQL Injector to automate injection flaw exploitation, understanding vulnerability databases and working with exploit collections, Google hacking exercise, using SiteDigger, sniffing network traffic with Wireshark and intercepting HTTP traffic with the Burp Suite proxy, using the FindBugs source code analyzer.
Participants attending this course will:
Understand basic concepts of security, IT security and secure coding
Learn Web vulnerabilities beyond the OWASP Top Ten and know how to avoid them
Learn client-side vulnerabilities and secure coding practices
Understand the security testing approach and methodology
Get practical knowledge in using security testing tools
Get sources and further reading on secure coding practices
Other courses that relate to the topic of this course:
CL-JAD - Advanced Java security (Classroom, 3 days)
CL-CJW - Combined C/C++, Java and Web application security (Classroom, 4 days)
CL-CNA - Combined C/C++/C#, ASP.NET and Web application security (Classroom, 4 days)
CL-WSC - Web application security (Classroom, 2 days)
RT-JST - Java security technologies (Remote, 2x1.5h)
RT-JVL - Java specific vulnerabilities (Remote, 2x1.5h)
RT-NST - .NET and ASP.NET security technologies (Remote, 2x1.5h)
RT-AVL - ASP.NET specific vulnerabilities (Remote, 2x1.5h)
RT-WVL - Web application vulnerabilities (Remote, 2x1.5h)
Note: Our classroom trainings come with a number of easy-to-understand exercises providing live hacking
fun. By completing these exercises under the trainer's guidance, participants can analyze vulnerable code snippets and carry out attacks against them in order to fully understand the root causes of certain security problems. All exercises are prepared in a plug-and-play manner using a pre-set desktop virtual machine, which provides a uniform development environment.
Detailed table of contents
Day 1
IT security and secure coding
Nature of security
IT security related terms
Definition of risk
Different aspects of IT security
Requirements of different application areas
IT security vs. secure coding
From vulnerabilities to botnets and cyber crime
Nature of security flaws
Reasons of difficulty
From an infected computer to targeted attacks
Cyber-crime – an organized network of criminals
Classification of security flaws
Landwehr’s taxonomy
The Fortify taxonomy
The Seven Pernicious Kingdoms
OWASP Top Ten 2013
OWASP Top Ten comparison 2003 – 2013
Web application vulnerabilities
SQL Injection
Exercise cars.com – SQL Injection
SQL Injection exercise
Typical SQL Injection attack methods
Blind and time-based SQL injection
SQL Injection protection methods
Other injection flaws
Command injection
Exercise – Command injection
Cross-Site Scripting (XSS)
Persistent / Reflected XSS exercise
XSS prevention
XSS prevention tools in Java
Broken authentication and session management
Exercise cars.com – Authentication bypass
Cross Site Request Forgery (CSRF)
Exercise cars.com – Cross Site Request Forgery (CSRF)
CSRF prevention
Insecure direct object reference
Unvalidated file upload
Failure to restrict URL access
Transport layer security issues
Unvalidated redirects and forwards
Client-side security
JavaScript security
Same Origin Policy
Exercise – Client-side authentication
Client-side authentication and password management
Protecting JavaScript code
Exercise – JavaScript obfuscation
Clickjacking
Exercise – Do you Like me?
Protection against Clickjacking
Ajax security
XSS in AJAX
Script injection attack in AJAX
Exercise – XSS in AJAX
Exercise CSRF in AJAX – JavaScript hijacking
CSRF protection in AJAX
HTML5 Security
HTML5 clickjacking attack – text field injection
HTML5 clickjacking – content extraction
Form tampering
Exercise – Form tampering
Cross-origin requests
Exercise – Client side include
Day 2
Security of RESTful web services
Securing web services – two general approaches
Authentication with REST
Pseudo-authentication with OAuth
REST-related technologies for security
XML security
Signing XML documents – spot the bug!
XML Digital Signature
XML Encryption
XML Security with Username/Password
JAX-RS
Spring Security
REST-related vulnerabilities
Vulnerabilities in connection with REST
Hash collision with XML Digital Signature
XML Signature Wrapping attack
Security testing
Introduction to security testing
Functional testing vs. security testing
The paradigm shift of security testing
Security vulnerabilities
Security auditing vs. security testing
Approach to security testing
System level hardening and mitigation techniques
Hardening
Checking for misconfigurations
Security testing methodology
Steps of test planning (risk analysis)
Preparation and scoping
Identifying security objectives
Threat modelling
Threat modeling
Threat modeling based on attack trees
Threat modeling based on attack trees – an example
Threat modeling based on misuse/abuse cases
Misuse/abuse cases – a simple Web shop example
STRIDE per element approach to threat modeling – MS SDL
(1) Diagramming – examples of DFD elements
Data flow diagram – example
(2) Threat enumeration – MS SDL’s STRIDE and DFD elements
(3) Mitigation concepts
Standard mitigation techniques of MS SDL
(4) Validation
Risk analysis – classification of threats
Security testing techniques
Test planning – general testing approaches
Manual inspection and review
Code review
Code review exercise
Exploitable security flaws
Protection principles
Specific protection methods
Protection methods at different layers
The PreDeCo matrix of software security
Input validation concepts
Integer overflow in Java
The actual mistake in java.util.zip.CRC32
Representation of negative integers
Integer ranges
Integer representation by using the two’s complement
Arithmetic overflow – spot the bug!
So why ABS(INT_MIN)==INT_MIN?
Avoiding arithmetic overflow – multiplication
Dealing with signed/unsigned integer promotion
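Added example, not part of the course material, illustrating the two's-complement questions listed above: why Math.abs(Integer.MIN_VALUE) still returns Integer.MIN_VALUE, and how a count-times-element-size computation wraps silently unless the multiplication is checked. The class name, the helper methods and the sample values are assumptions made for this example; it does not reproduce the CRC32 mistake listed above.

```java
// Added example (not from the course): two's-complement asymmetry and
// overflow checking in Java. All names and values below are illustrative.
public class IntOverflowDemo {

    // int covers -2^31 .. 2^31-1: there is one more negative value than positive.
    // Negation is computed as (~x) + 1. For INT_MIN that is 0x7FFFFFFF + 1,
    // which wraps back to 0x80000000, i.e. INT_MIN itself.
    static int negateByTwosComplement(int x) {
        return (~x) + 1;
    }

    // Absolute value that refuses the one input it cannot represent.
    static int safeAbs(int x) {
        if (x == Integer.MIN_VALUE) {
            throw new ArithmeticException("abs(Integer.MIN_VALUE) does not fit in int");
        }
        return x < 0 ? -x : x;
    }

    // Overflow test for multiplication via widening: any int*int fits in a long,
    // so the product can be compared against the int range before narrowing.
    static boolean multiplyOverflows(int a, int b) {
        long r = (long) a * (long) b;
        return r > Integer.MAX_VALUE || r < Integer.MIN_VALUE;
    }

    // Typical vulnerable pattern: an allocation size derived from attacker-
    // controlled count and element size. The product wraps and a huge request
    // becomes a tiny buffer that later code overruns.
    static int unsafeBufferSize(int count, int elemSize) {
        return count * elemSize;                      // silently wraps
    }

    static int safeBufferSize(int count, int elemSize) {
        return Math.multiplyExact(count, elemSize);   // Java 8+: throws ArithmeticException
    }

    public static void main(String[] args) {
        int min = Integer.MIN_VALUE;
        System.out.println(Math.abs(min) == min);               // true
        System.out.println(negateByTwosComplement(min) == min); // true
        System.out.println(Integer.toBinaryString(min));        // 1 followed by 31 zeros
        System.out.println(Integer.toBinaryString(~min));       // 31 ones == MAX_VALUE
        try {
            safeAbs(min);
        } catch (ArithmeticException e) {
            System.out.println(e.getMessage());
        }

        int count = 0x4000_0001, elemSize = 4;                  // attacker-chosen sample values
        System.out.println(multiplyOverflows(count, elemSize)); // true
        System.out.println(unsafeBufferSize(count, elemSize));  // 4, not 4294967300
        try {
            safeBufferSize(count, elemSize);
        } catch (ArithmeticException e) {
            System.out.println("overflow rejected");
        }
    }
}
```

The widening check and Math.multiplyExact are equivalent for int operands; the manual form is shown because the same idea carries over to languages without a checked-arithmetic library, and to code that must keep running on Java versions before 8.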
Implementation of a command dispatcher
Unsafe reflection – spot the bug!
Compliance with software quality standards
Compliance – Common Criteria
Penetration testing
Manual run-time verification
Manual vs. automated security testing
Automated security testing - fuzzing
Unsafe JNI
Exercise – A simple custom fuzzer
Processing test results
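Added example, not the course's exercise material: a minimal mutation-based fuzzer of the kind the "simple custom fuzzer" exercise refers to, together with the result-processing step that follows it. The target parser, its deliberate unterminated-quote bug, the seed corpus and the mutation dictionary are all constructed for this example. Expected rejections (IllegalArgumentException) are separated from genuine crashes, because a fuzzer that reports every exception buries the real finding.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Random;

// Added example (not from the course): mutation fuzzing of a hypothetical parser.
public class SimpleFuzzer {

    // Hypothetical target: parses k=v;k2="quoted;value" into a map.
    // Deliberate bug: an unterminated quote makes indexOf return -1 and
    // substring then throws StringIndexOutOfBoundsException.
    static Map<String, String> parsePairs(String s) {
        Map<String, String> out = new HashMap<>();
        int i = 0;
        while (i < s.length()) {
            int eq = s.indexOf('=', i);
            if (eq < 0) throw new IllegalArgumentException("missing '=' at " + i); // documented rejection
            String key = s.substring(i, eq);
            int valStart = eq + 1;
            int end;
            if (valStart < s.length() && s.charAt(valStart) == '"') {
                end = s.indexOf('"', valStart + 1);             // -1 if unterminated
                out.put(key, s.substring(valStart + 1, end));   // throws on -1
                i = end + 2;                                    // skip closing quote and ';'
            } else {
                end = s.indexOf(';', valStart);
                if (end < 0) end = s.length();
                out.put(key, s.substring(valStart, end));
                i = end + 1;
            }
        }
        return out;
    }

    // Format-aware tokens worth injecting: delimiters and quotes of the target grammar.
    static final String[] DICT = {"=", ";", "\"", "\"\"", "=;", ";=", "\\", "\0"};

    // Applies 1..3 random mutations (delete, insert char, insert token, bit flip).
    static String mutate(String seed, Random rnd) {
        StringBuilder sb = new StringBuilder(seed);
        int n = 1 + rnd.nextInt(3);
        for (int k = 0; k < n; k++) {
            int pos = sb.length() == 0 ? 0 : rnd.nextInt(sb.length());
            switch (rnd.nextInt(4)) {
                case 0:
                    if (sb.length() > 0) sb.deleteCharAt(pos);
                    break;
                case 1:
                    sb.insert(pos, (char) (32 + rnd.nextInt(95)));      // random printable char
                    break;
                case 2:
                    sb.insert(pos, DICT[rnd.nextInt(DICT.length)]);     // grammar token
                    break;
                default:
                    if (sb.length() > 0) {
                        sb.setCharAt(pos, (char) (sb.charAt(pos) ^ (1 << rnd.nextInt(7)))); // bit flip
                    }
            }
        }
        return sb.toString();
    }

    // Runs the target on mutated seeds. Returns one representative input per
    // distinct crash class; expected input-validation failures are not findings.
    static Map<String, String> fuzz(List<String> seeds, int iterations, long randomSeed) {
        Random rnd = new Random(randomSeed);                 // fixed seed: reproducible runs
        Map<String, String> crashes = new LinkedHashMap<>();
        for (int it = 0; it < iterations; it++) {
            String input = mutate(seeds.get(rnd.nextInt(seeds.size())), rnd);
            try {
                parsePairs(input);
            } catch (IllegalArgumentException expected) {
                // the parser is allowed to reject malformed input this way
            } catch (RuntimeException crash) {
                crashes.putIfAbsent(crash.getClass().getSimpleName(), input);
            }
        }
        return crashes;
    }

    public static void main(String[] args) {
        // Constructed seed corpus: one plain and one quoted example of valid input.
        List<String> seeds = Arrays.asList("a=1;b=2", "user=\"bob;admin\";role=guest");
        Map<String, String> crashes = fuzz(seeds, 20_000, 42L);
        crashes.forEach((sig, input) -> System.out.println(sig + " <- " + input));
    }
}
```

Deleting or inserting a single quote character is enough to reach the unterminated-quote path, so the run reports a StringIndexOutOfBoundsException together with the shortest input that triggered it first. Keeping the random seed fixed is what makes a reported crash reproducible when it is handed to developers.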