Web Application Security

Published: February 5, 2013

OWASP Top 10 - 2007

OWASP Top 10 - 2010

What an IT manager needs to know about:
- What is web application security?
- How to ensure application security?
- What is an application security audit?

Web Application Security
- What is a web application security audit?
- Why is an audit required?
- How does an audit differ from testing?
- How is an audit performed?
- Auditing standards

Web Penetration Testing Steps

Passive Mode
- Gathering information
- Tools used

Active Mode
- Domains covered:
  - Configuration Management Testing
  - Business Logic Testing
  - Authentication Testing
  - Authorization Testing
  - Session Management Testing
  - Data Validation Testing
  - Denial of Service Testing
  - Web Service Testing
  - Ajax Testing

Tools and Methodology used

Penetration Test – Information Gathering

- Collecting information about the target application and the target environment
- Identifying parameters, form values, cookies and headers
- Web application entry points
- Web application fingerprint: application stacks and versions used
- Applications: different applications and access mechanisms (old and obsolete ones)
- Analysis of error codes

Configuration Management Testing
- SSL testing
- Infrastructure configuration management
- Application configuration management
- Testing for file extensions
- Testing for HTTP methods

Authentication Testing

- Credentials transport over encrypted channels
- Testing for user enumeration
- Brute force attack
- Testing for bypassing the authentication scheme
- Testing for logout and browser cache
- Testing for CAPTCHA
- Testing for vulnerable remember-password and password-reset functions

Session Management Testing
- Testing for session management
- Testing for cookie attributes
- Testing for exposed session variables

Authorization Testing
- Testing for path traversal
- Testing for bypassing authorization
- Testing for privilege escalation

Business Logic Testing
- Understanding the application
- Creating raw data for logical tests
- Business:
  - Workflows
  - User roles
  - Privileges
  - Policies
- Developing logical tests

Data Validation Testing
- Improper validation of input coming from the client
- Many vulnerabilities fall into this class; some of them are:
  - Cross-site scripting
  - OS commanding
  - Code injection

Denial of Service Testing
- Locking customer accounts
- User input as loop counter
- Writing user-provided data to disk
- Storing too much data in the session

How do we take care?

- Education on web application security
- Secure coding practices
- Code
- Penetration testing
- Security policies and standards
- Security seen as part of the development cycle
