Integrating Web Application Penetration Testing into Your
Vulnerability Management Program
Rich Mogull, Securosis, L.L.C.
securosis.com
Top Threats
• Client side
• Web Applications
Why Web Applications Are Such a Problem
• Rapid development with limited QA
• Eternal beta cycles
• Un(security)trained developers
• New vulnerability classes
• Insecure browsers
• Inherent insecurity of web model
Major Webapp Attacks: Breaking Trust Relationships
• Cross Site Scripting
• Cross Site Request Forgery
• SQL Injection
[Diagram: trust relationship between Browser and Server]
Cross Site Scripting
[Diagram: Stored and Reflected XSS flows between Attacker, Victim and a trusted site; recovered step labels below]
Stored
  2) Malicious script stored
Reflected
  1) Malicious URL
  2) User follows to trusted site
  3) Malicious script injected by site
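The two flows in the diagram above share one root cause: the trusted site emits attacker-controlled text into HTML without encoding it. The following is an added example (not from the slides) that models a tiny "trusted site" in Python with a comment page (the stored path) and a search page that echoes its query (the reflected path), rendering each with and without output encoding. The URL, comment text, page markup and the `contains_script_tag` check are constructed for illustration.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Added example, not from the slides. COMMENTS stands in for the site's database;
# all inputs below are constructed sample data.
COMMENTS = []


def post_comment(text):
    """Stored path, step 'malicious script stored': the site keeps whatever was submitted."""
    COMMENTS.append(text)


def render_comments(escape=True):
    """The stored text is later shown to every visitor.

    escape=False emits it verbatim, so a stored <script> runs in each victim's browser.
    escape=True HTML-encodes it, so the browser displays it as text.
    """
    items = []
    for c in COMMENTS:
        body = html.escape(c, quote=True) if escape else c
        items.append("<li>" + body + "</li>")
    return "<ul>" + "".join(items) + "</ul>"


def query_from_url(url):
    """Reflected path: pull the q= parameter from a link the victim followed to the trusted site."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_search(url, escape=True):
    """The search page reflects the query back into the response body."""
    q = query_from_url(url)
    body = html.escape(q, quote=True) if escape else q
    return "<p>Results for: " + body + "</p>"


def contains_script_tag(page):
    """Crude response-side check of the kind a DAST tool or integration test applies:
    does the rendered page contain a live <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Stored: one malicious comment, then two renderings of the same data.
    post_comment("<script>alert('x')</script>")
    print("stored, unescaped :", render_comments(escape=False))
    print("stored, escaped   :", render_comments(escape=True))

    # Reflected: a crafted link to the trusted site, rendered both ways.
    link = "https://trusted.example/search?q=<script>alert(1)</script>"
    print("reflected, unescaped:", render_search(link, escape=False))
    print("reflected, escaped  :", render_search(link, escape=True))
```

Encoding at the point of output is the control that fixes both variants; input filtering alone misses the stored case because the data may have entered through a path the filter never saw.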
Cross Site Request Forgery
[Diagram: attacker, victim browser and trusted site; recovered labels below]
  Session 1: Authenticates
  Session 2: Stealth Session
  Script/link to submit transaction to trusted site
  Malicious transactions
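The diagram's "stealth session" works because the browser attaches the trusted site's session cookie to any request sent to that site, whoever caused the browser to send it. The following is an added example (not from the slides) in Python: a toy bank endpoint driven by request dictionaries that stand in for HTTP requests, with a handler that authorizes on the cookie alone beside one that also demands a per-session synchronizer token. The account names, balances and request shapes are constructed for illustration.

```python
import hmac
import secrets

# Added example, not from the slides. Request dicts stand in for HTTP requests;
# users and balances are constructed sample data.


class Bank:
    def __init__(self):
        self.sessions = {}  # session cookie value -> {"user": ..., "csrf": ...}
        self.balances = {"alice": 100, "mallory": 0}

    def login(self, user):
        """Session 1 on the slide: the user authenticates and receives a session cookie.
        A per-session CSRF token is issued alongside it for the site's own forms to carry."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": token}
        return sid, token

    def transfer_vulnerable(self, request):
        """Authorizes purely on the cookie. The browser sends that cookie with a request
        a script or link on another site triggered (the slide's stealth session), so the
        forged transaction is accepted."""
        sess = self.sessions.get(request["cookies"].get("session"))
        if sess is None:
            return 401
        return self._move(sess["user"], request["form"])

    def transfer_safe(self, request):
        """Additionally requires the session's CSRF token in the form body. A page on another
        origin cannot read the token, so a forged request arrives without it and is rejected."""
        sess = self.sessions.get(request["cookies"].get("session"))
        if sess is None:
            return 401
        token = request["form"].get("csrf_token", "")
        if not hmac.compare_digest(token, sess["csrf"]):
            return 403
        return self._move(sess["user"], request["form"])

    def _move(self, src, form):
        amount = int(form["amount"])
        dst = form["to"]
        if dst not in self.balances or self.balances.get(src, 0) < amount:
            return 400
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200


def legitimate_request(sid, token, to, amount):
    """A form submitted from the bank's own page: cookie plus token."""
    return {"cookies": {"session": sid},
            "form": {"to": to, "amount": str(amount), "csrf_token": token}}


def forged_request(sid, to, amount):
    """What the victim's browser sends when another site auto-submits a form to the bank:
    the cookie rides along, the token does not."""
    return {"cookies": {"session": sid},
            "form": {"to": to, "amount": str(amount)}}


def demo():
    """Run the three cases and return their status codes plus alice's final balance."""
    bank = Bank()
    sid, token = bank.login("alice")
    results = {
        "legit_safe": bank.transfer_safe(legitimate_request(sid, token, "mallory", 10)),
        "forged_vulnerable": bank.transfer_vulnerable(forged_request(sid, "mallory", 10)),
        "forged_safe": bank.transfer_safe(forged_request(sid, "mallory", 10)),
    }
    results["alice_balance"] = bank.balances["alice"]
    return results


if __name__ == "__main__":
    print(demo())
```

The token check is compared with `hmac.compare_digest` so the comparison time does not leak how many leading characters matched. Marking the session cookie `SameSite` is a second, browser-enforced layer; the server-side token remains the control the application itself can verify.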
SQL Injection
SQL Statement:
  "SELECT * FROM users WHERE name = '" + uName + "' AND password = '" + upass + "';"
Attack Input:
  admin'--
Executed Statement:
  SELECT * FROM users WHERE name = 'admin'--' AND password = '" + upass + "';"
  (everything after -- is a SQL comment, so the password check is never evaluated)
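The slide's concatenated query, run for real against an in-memory SQLite table, beside the parameterized form of the same login check. This is an added example in Python, not from the slides; the table contents and the password value are constructed sample data.

```python
import sqlite3

# Added example, not from the slides. The users row below is constructed sample data.


def make_db():
    """Create an in-memory users table with one constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def build_statement(uName, upass):
    """The string concatenation shown on the slide, returned so the SQL that
    actually reaches the database can be inspected."""
    return ("SELECT * FROM users WHERE name = '" + uName
            + "' AND password = '" + upass + "';")


def login_vulnerable(conn, uName, upass):
    """Untrusted input is pasted into the SQL text, so it can change the query's meaning."""
    return conn.execute(build_statement(uName, upass)).fetchone() is not None


def login_parameterized(conn, uName, upass):
    """Bound parameters: the driver passes the values separately from the SQL text, so a
    quote or '--' in the input stays data and never becomes syntax."""
    stmt = "SELECT * FROM users WHERE name = ? AND password = ?;"
    return conn.execute(stmt, (uName, upass)).fetchone() is not None


if __name__ == "__main__":
    conn = make_db()
    attack = "admin'--"
    print("executed statement :", build_statement(attack, "wrong"))
    print("vulnerable login   :", login_vulnerable(conn, attack, "wrong"))
    print("parameterized login:", login_parameterized(conn, attack, "wrong"))
    print("real credentials   :", login_parameterized(conn, "admin", "correct-horse"))
```

With the slide's input the vulnerable function returns True without the password ever being compared, while the parameterized function looks for a user literally named `admin'--` and finds none. The SQLite driver also refuses more than one statement per `execute` call, which is why the single-statement comment trick, not statement stacking, is what the slide relies on.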
Accidental / Directory Traversal
[Diagram: adding (+) or removing (-) a "/" in a path]
How we used to manage web applications
Vulnerability Management
Web Application Security Program Overview
Application Security Lifecycle
Development Phases
Integration
Platform vulns
Limitations of static analysis/scanning
• Can’t catch everything
• No validation
• No exploitability/impact
• Miss logic flaws
• Fire and forget
• The bad guys don’t use them
Best Practices for Web App Pen Testing
• Begin testing in the development process.
• Use a combination of tools and manual process.
• Include traditional pen testing of the underlying platform.
• Perform periodic testing post-deployment, especially as new exploits appear.
Adapting your program for the long term
• Understand the different requirements of web application vulnerability management.
• Establish web application configuration standards and begin enforcement during development.
• Include code and vulnerability scanning, but you cannot skip penetration testing.
Integrating Web Application Penetration Testing into Your
Vulnerability Management Program
Rich Mogull, Securosis, L.L.C.
http://[email protected]