SlideShare una empresa de Scribd logo

Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing

Andrew Petukhov
Andrew Petukhov

This talk was given at OWASP AppSec Europe 2008. Full paper can be downloaded from here: http://www.owasp.org/images/3/3e/OWASP-AppSecEU08-Petukhov.pdf

Tecnología
1 de 14
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing Andrew Petukhov [email_address] Department of Computer Science Moscow State University
Contents ,[object Object],[object Object],[object Object],[object Object],[object Object]
Input Validation Vulnerabilities Common approaches: Taint propagation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Input Validation Vulnerabilities Common approaches: Syntactic checking ,[object Object],[object Object],[object Object],[object Object],[object Object]
Approaches-Do-Not-Work example ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Drawbacks of the Taint Propagation approach ,[object Object],[object Object],[object Object],[object Object]
Possible solutions ,[object Object],[object Object],[object Object],[object Object]
Implementation considerations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Security and Development Life Cycle ,[object Object],[object Object],[object Object],[object Object],[object Object]
Decision: Dynamic analysis with Pentesting Our Motivation ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Implementation architecture ,[object Object],[object Object],[object Object]
Conclusions ,[object Object],[object Object],[object Object],[object Object]
Future work ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Thank You! Any question?

Recomendados

Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code
Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems CodeBugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code
Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code
Miro Cupak
 
Tc Checklist
Tc ChecklistTc Checklist
Tc Checklist
nazeer pasha
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Nameen Singh
 
Testcase Preparation Checklist
Testcase Preparation ChecklistTestcase Preparation Checklist
Testcase Preparation Checklist
Sreeram Kishore Chavali
 
Fundamentals of Software Engineering
Fundamentals of Software Engineering Fundamentals of Software Engineering
Fundamentals of Software Engineering
Madhar Khan Pathan
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
chennaijp
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack
Papitha Velumani
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackSecurity evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack
Shakas Technologies
 

Recomendados

Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code
Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems CodeBugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code
Bugs as Deviant Behavior: A General Approach to Inferring Errors in Systems Code
Miro Cupak
 
Tc Checklist
Tc ChecklistTc Checklist
Tc Checklist
nazeer pasha
 
Penetration testing
Penetration testingPenetration testing
Penetration testing
Nameen Singh
 
Testcase Preparation Checklist
Testcase Preparation ChecklistTestcase Preparation Checklist
Testcase Preparation Checklist
Sreeram Kishore Chavali
 
Fundamentals of Software Engineering
Fundamentals of Software Engineering Fundamentals of Software Engineering
Fundamentals of Software Engineering
Madhar Khan Pathan
 
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under AttackJPJ1425 Security Evaluation of Pattern Classifiers under Attack
JPJ1425 Security Evaluation of Pattern Classifiers under Attack
chennaijp
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack
Papitha Velumani
 
Security evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attackSecurity evaluation of pattern classifiers under attack
Security evaluation of pattern classifiers under attack
Shakas Technologies
 
Tool support for..
Tool support for.. Tool support for..
Tool support for..
Johnsonstephen Jsstc
 
Fundamentals of Software Engineering
Fundamentals of Software Engineering Fundamentals of Software Engineering
Fundamentals of Software Engineering
Madhar Khan Pathan
 
Black boxtestingmethodsforsoftwarecomponents
Black boxtestingmethodsforsoftwarecomponentsBlack boxtestingmethodsforsoftwarecomponents
Black boxtestingmethodsforsoftwarecomponents
Astrid yolanda
 
CST 630 RANK Redefined Education--cst630rank.com
CST 630 RANK Redefined Education--cst630rank.comCST 630 RANK Redefined Education--cst630rank.com
CST 630 RANK Redefined Education--cst630rank.com
claric241
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.com
agathachristie266
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.com
VSNaipaul15
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.com
KeatonJennings104
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.com
agathachristie113
 
CST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.comCST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.com
chrysanthemu49
 
CST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.comCST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.com
kopiko147
 
04 test controlling and tracking
04 test controlling and tracking04 test controlling and tracking
04 test controlling and tracking
Clemens Reijnen
 
Levels of testing
Levels of testingLevels of testing
Levels of testing
Ranjeet Singh
 
INGI2252 Software Measures & Maintenance
INGI2252 Software Measures & MaintenanceINGI2252 Software Measures & Maintenance
INGI2252 Software Measures & Maintenance
kim.mens
 
Odin2018_Minh_ML_Risk_Prediction
Odin2018_Minh_ML_Risk_PredictionOdin2018_Minh_ML_Risk_Prediction
Odin2018_Minh_ML_Risk_Prediction
Minh Nguyen
 
Automated Inference of Access Control Policies for Web Applications
Automated Inference of Access Control Policies for Web ApplicationsAutomated Inference of Access Control Policies for Web Applications
Automated Inference of Access Control Policies for Web Applications
Lionel Briand
 
Cyber intrusion analyst occupational brief
Cyber intrusion analyst occupational briefCyber intrusion analyst occupational brief
Cyber intrusion analyst occupational brief
Enda Crossan
 
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEEFINALYEARSTUDENTPROJECTS
 
security evaluation of pattern classifiers under attack
security evaluation of pattern classifiers under attacksecurity evaluation of pattern classifiers under attack
security evaluation of pattern classifiers under attack
swathi78
 
Comparative of risk analysis methodologies
Comparative of risk analysis methodologiesComparative of risk analysis methodologies
Comparative of risk analysis methodologies
Ramiro Cid
 
TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...
TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...
TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...
Iosif Itkin
 
OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
 

Más contenido relacionado

La actualidad más candente

INGI2252 Software Measures & Maintenance
INGI2252 Software Measures & MaintenanceINGI2252 Software Measures & Maintenance
INGI2252 Software Measures & Maintenance
kim.mens
 
Automated Inference of Access Control Policies for Web Applications
Automated Inference of Access Control Policies for Web ApplicationsAutomated Inference of Access Control Policies for Web Applications
Automated Inference of Access Control Policies for Web Applications
Lionel Briand
 

La actualidad más candente (20)

Tool support for..
Tool support for.. Tool support for..
Tool support for..
 
Fundamentals of Software Engineering
Fundamentals of Software Engineering Fundamentals of Software Engineering
Fundamentals of Software Engineering
 
Black boxtestingmethodsforsoftwarecomponents
Black boxtestingmethodsforsoftwarecomponentsBlack boxtestingmethodsforsoftwarecomponents
Black boxtestingmethodsforsoftwarecomponents
 
CST 630 RANK Redefined Education--cst630rank.com
CST 630 RANK Redefined Education--cst630rank.comCST 630 RANK Redefined Education--cst630rank.com
CST 630 RANK Redefined Education--cst630rank.com
 
CST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.comCST 630 RANK Introduction Education--cst630rank.com
CST 630 RANK Introduction Education--cst630rank.com
 
CST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.comCST 630 RANK Educational Specialist--cst630rank.com
CST 630 RANK Educational Specialist--cst630rank.com
 
CST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.comCST 630 RANK Inspiring Innovation--cst630rank.com
CST 630 RANK Inspiring Innovation--cst630rank.com
 
CST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.comCST 630 RANK Become Exceptional--cst630rank.com
CST 630 RANK Become Exceptional--cst630rank.com
 
CST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.comCST 630 RANK Remember Education--cst630rank.com
CST 630 RANK Remember Education--cst630rank.com
 
CST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.comCST 630 RANK Achievement Education--cst630rank.com
CST 630 RANK Achievement Education--cst630rank.com
 
04 test controlling and tracking
04 test controlling and tracking04 test controlling and tracking
04 test controlling and tracking
 
Levels of testing
Levels of testingLevels of testing
Levels of testing
 
INGI2252 Software Measures & Maintenance
INGI2252 Software Measures & MaintenanceINGI2252 Software Measures & Maintenance
INGI2252 Software Measures & Maintenance
 
Odin2018_Minh_ML_Risk_Prediction
Odin2018_Minh_ML_Risk_PredictionOdin2018_Minh_ML_Risk_Prediction
Odin2018_Minh_ML_Risk_Prediction
 
Automated Inference of Access Control Policies for Web Applications
Automated Inference of Access Control Policies for Web ApplicationsAutomated Inference of Access Control Policies for Web Applications
Automated Inference of Access Control Policies for Web Applications
 
Cyber intrusion analyst occupational brief
Cyber intrusion analyst occupational briefCyber intrusion analyst occupational brief
Cyber intrusion analyst occupational brief
 
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
IEEE 2014 JAVA DATA MINING PROJECTS Security evaluation of pattern classifier...
 
security evaluation of pattern classifiers under attack
security evaluation of pattern classifiers under attacksecurity evaluation of pattern classifiers under attack
security evaluation of pattern classifiers under attack
 
Comparative of risk analysis methodologies
Comparative of risk analysis methodologiesComparative of risk analysis methodologies
Comparative of risk analysis methodologies
 
TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...
TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...
TMPA-2015: Towards a Usable Defect Prediction Tool: Crossbreeding Machine Lea...
 

Destacado

The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
Positive Hack Days
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Porfirio Tramontana
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
KaashivInfoTech Company
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
Black Duck by Synopsys
 
Attributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionAttributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryption
KaashivInfoTech Company
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
Kevin Fealey
 
data mining for security application
data mining for security applicationdata mining for security application
data mining for security application
bharatsvnit
 
Technology buffet for new teachers march 2012
Technology buffet for new teachers march 2012Technology buffet for new teachers march 2012
Technology buffet for new teachers march 2012
Karen Brooks
 

Destacado (20)

OWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP HackathonOWASP 2013 APPSEC USA ZAP Hackathon
OWASP 2013 APPSEC USA ZAP Hackathon
 
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
The System of Automatic Searching for Vulnerabilities or how to use Taint Ana...
 
Taint analysis
Taint analysisTaint analysis
Taint analysis
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities Analysis of field data on web security vulnerabilities
Analysis of field data on web security vulnerabilities
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникацииАрмия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
 
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
 
Analysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security VulnerabilitiesAnalysis of Field Data on Web Security Vulnerabilities
Analysis of Field Data on Web Security Vulnerabilities
 
A Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application VulnerabilitiesA Study on Dynamic Detection of Web Application Vulnerabilities
A Study on Dynamic Detection of Web Application Vulnerabilities
 
2012 04 Analysis Techniques for Mobile OS Security
2012 04 Analysis Techniques for Mobile OS Security2012 04 Analysis Techniques for Mobile OS Security
2012 04 Analysis Techniques for Mobile OS Security
 
Managing Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development LifecycleManaging Open Source in Application Security and Software Development Lifecycle
Managing Open Source in Application Security and Software Development Lifecycle
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSEWEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
WEB APPLICATION VULNERABILITIES: DAWN, DETECTION, EXPLOITATION AND DEFENSE
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
CODE BLUE 2016 - Method of Detecting Vulnerability in Web AppsCODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
 
Attributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryptionAttributes based encryption with verifiable outsourced decryption
Attributes based encryption with verifiable outsourced decryption
 
Static Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and YouStatic Analysis Security Testing for Dummies... and You
Static Analysis Security Testing for Dummies... and You
 
data mining for security application
data mining for security applicationdata mining for security application
data mining for security application
 
Technology buffet for new teachers march 2012
Technology buffet for new teachers march 2012Technology buffet for new teachers march 2012
Technology buffet for new teachers march 2012
 

Similar a Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing

Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing report
Kupili Archana
 
A web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tamA web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tam
eSAT Journals
 
Reliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software ApplicationsReliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software Applications
CSEIJJournal
 

Similar a Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing (20)

NSA and PT
NSA and PTNSA and PT
NSA and PT
 
Beyond Static Analysis: Integrating .NET Static Analysis with Unit Testing a...
Beyond Static Analysis: Integrating .NET Static Analysis with Unit Testing a...Beyond Static Analysis: Integrating .NET Static Analysis with Unit Testing a...
Beyond Static Analysis: Integrating .NET Static Analysis with Unit Testing a...
 
Software Risk Analysis
Software Risk AnalysisSoftware Risk Analysis
Software Risk Analysis
 
CohenNancyPresentation.ppt
CohenNancyPresentation.pptCohenNancyPresentation.ppt
CohenNancyPresentation.ppt
 
testing
testingtesting
testing
 
Model based vulnerability testing report
Model based vulnerability testing reportModel based vulnerability testing report
Model based vulnerability testing report
 
A web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tamA web application detecting dos attack using mca and tam
A web application detecting dos attack using mca and tam
 
Chapter 3 SOFTWARE TESTING PROCESS
Chapter 3 SOFTWARE TESTING PROCESSChapter 3 SOFTWARE TESTING PROCESS
Chapter 3 SOFTWARE TESTING PROCESS
 
Chapter 8 - Software Testing.ppt
Chapter 8 - Software Testing.pptChapter 8 - Software Testing.ppt
Chapter 8 - Software Testing.ppt
 
Information hiding based on optimization technique for Encrypted Images
Information hiding based on optimization technique for Encrypted ImagesInformation hiding based on optimization technique for Encrypted Images
Information hiding based on optimization technique for Encrypted Images
 
A Brief Introduction to Penetration Testing
A Brief Introduction to Penetration TestingA Brief Introduction to Penetration Testing
A Brief Introduction to Penetration Testing
 
The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.The Art of Penetration Testing in Cybersecurity.
The Art of Penetration Testing in Cybersecurity.
 
Reliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software ApplicationsReliability Improvement with PSP of Web-Based Software Applications
Reliability Improvement with PSP of Web-Based Software Applications
 
Infrastructure & Network Vulnerability Assessment and Penetration Testing
Infrastructure & Network Vulnerability Assessment and Penetration TestingInfrastructure & Network Vulnerability Assessment and Penetration Testing
Infrastructure & Network Vulnerability Assessment and Penetration Testing
 
Testing Throughout the Software Life Cycle - Section 2
Testing Throughout the Software Life Cycle - Section 2Testing Throughout the Software Life Cycle - Section 2
Testing Throughout the Software Life Cycle - Section 2
 
Testing and Mocking Object - The Art of Mocking.
Testing and Mocking Object - The Art of Mocking.Testing and Mocking Object - The Art of Mocking.
Testing and Mocking Object - The Art of Mocking.
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Chapter 3 - Analytical Techniques
Chapter 3 - Analytical TechniquesChapter 3 - Analytical Techniques
Chapter 3 - Analytical Techniques
 
Automating The Process For Building Reliable Software
Automating The Process For Building Reliable SoftwareAutomating The Process For Building Reliable Software
Automating The Process For Building Reliable Software
 

Más de Andrew Petukhov

You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
Andrew Petukhov
 
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Andrew Petukhov
 
Обеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системахОбеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системах
Andrew Petukhov
 
Detecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web ApplicationsDetecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web Applications
Andrew Petukhov
 

Más de Andrew Petukhov (8)

You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
You Can Be Anything You Want to Be: Breaking Through Certified Crypto in Bank...
 
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
Обнаружение уязвимостей логики приложений методом статического анализа. Где п...
 
Безопасность веб-приложений: starter edition
Безопасность веб-приложений: starter editionБезопасность веб-приложений: starter edition
Безопасность веб-приложений: starter edition
 
Обеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системахОбеспечение безопасности расширений в корпоративных информационных системах
Обеспечение безопасности расширений в корпоративных информационных системах
 
Detecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web ApplicationsDetecting Insufficient Access Control in Web Applications
Detecting Insufficient Access Control in Web Applications
 
Benchmark сканеров SQL injection
Benchmark сканеров SQL injectionBenchmark сканеров SQL injection
Benchmark сканеров SQL injection
 
Обнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложенииОбнаружение уязвимостей в механизме авторизации веб-приложении
Обнаружение уязвимостей в механизме авторизации веб-приложении
 
Access Control Rules Tester
Access Control Rules TesterAccess Control Rules Tester
Access Control Rules Tester
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing

  • 1. Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis with Penetration Testing Andrew Petukhov [email_address] Department of Computer Science Moscow State University
  • 2.
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14. Thank You! Any question?