Slide Used by Sreenath Sasikumar in OWASP Kerala chapter Meet April 2015

1. Introduction to OWASP &
Web Application Security
Sreenath Sasikumar
Information Security Consultant

2. Information Security Consultatnt
IBM, QBurst, DBG
Technical Reviewer - 3 Books (2 security books)
Dev – 8 Mozilla Addons
Dev – World's first security testing browser
Speaker at Google DevFest, Unicom, Gtech ...
sreenath.sasikumar@gmail.com
www.sreenathsasikumar.com/about

3. OWASP
●
What is it?
●
Why do we need it?
●
How does it work?
●
Where is this?
●
Who can join?

4. OWASP Kerala
●
Founded 2006
●
Recent Activities
●
Planned Activities
●
How you can Contribute

5. Take Away
• Understanding web application security
• How to security test web applications
• Mitigating web application security risks
• Open source tools

6. How do web applications work

7. Understanding web security

8. Security testing web applications
• Information Gathering
• Configuration Management Testing
• Authentication Testing
• Session Management Testing
• Authorization Testing
• Business Logic Testing
• Data Validation Testing
• Denial of Service Testing

9. Information Gathering

10. www.google.com/robots.txt
Spiders Robots and Crawlers

11. Search Engine Discovery
Google Hacking
• site
• cache
• inurl
• filetype
How to:
Manual
HackSearch

12. Identify Application Entry points
• GET
• POST
• Cookies
• Server Parameters
• Files
How to:
Tamper Data, WebScarab, ZAP

13. Web Application Fingerprinting
How to:
Nikto
Vulnerability Scanners

14. Application Discovery
Different Base URL
• www.example.com/abc
Different port
• www.example.com:8000
Different sub domain ( Virtual host )
• abc.example.com
How to:
Zap, WebSlayer

15. Analysis of Error Code

16. Configuration Management

17. SSL Testing
Identify ssl ports and services
How strong is you cipher?
How to:
Nmap -sV, Nessus, OpenSSL

18. Configuration Management Testing
• Infrastructure Configuration Management
• Application Configuration Management

19. Old, Backup & Unreferenced Files
User-agent: *
Disallow: /Admin
Disallow: /uploads
Disallow: /backup
Disallow: /~jbloggs
How to:
HackSearch, Webslayer

20. Testing for HTTP Methods
• HEAD
• GET
• POST
• PUT
• DELETE
• TRACE
• OPTIONS
• CONNECT
How to:
Netcat
Nikto

21. Authentication Testing

22. Credentials transport over an
encrypted channel
Prevent man in the middle attack

23. Testing for user enumeration
Error Messages/Notifications
"Sorry, please enter a valid password"
"Sorry, please enter a valid username"
"Sorry, this user does not exist"
"Sorry, this user is no longer active"

24. Testing for Guessable Users
& BruteForce Attacks
How to:
John the Ripper
Hydra

25. Testing for CAPTCHA

26. Testing Session & Cookies

27. Authorization Testing

28. Testing for privilege escalation
• vertical escalation
• horizontal escalation
www.example.com/?user=1&groupID=2

29. Business Logic Testing

30. Data Validation Testing

31. Injections
SQL
XSS

32. • SQL Injection
• XSS Injection
• LDAP Injection
• XML Injection
• HTML Injection
• SSI Injection
• ORM Injection
• XPath Injection
• IMAP/SMTP Injection
• Buffer Overflow

33. Testing for Denial of Service

34. Testing for SQL Wildcard Attacks
SELECT * FROM Article WHERE Content LIKE '%foo%'
SELECT TOP 10 * FROM Article WHERE Content LIKE
'%_[^!_%/%a?F%_D)_(F%)_%([)({}%){()}£$&N%_)$*£()
$*R"_)][%](%[x])%a][$*"£$-9]_%'

35. Testing for DoS Locking Customer
Accounts

36. Open Source Tools
Nikto
Nessus
W3AF
ZAP
WebSlayer
Netcat
Nmap
Skipfish
Hydra
Mozilla Firefox addons
Lots & lots more...

37. Questions ?