
Security Testing Web Applications

Tieturi
Summary
3 days
Helsinki
Open course


Testing plays a very important role in ensuring the security and robustness of web applications. Various approaches, from high-level auditing through penetration testing to ethical hacking, can be applied to find vulnerabilities of different types. However, if you want to go beyond the easy-to-find low-hanging fruit, security testing must be well planned and properly executed. Remember: a security tester must ideally find every bug to protect a system, whereas an adversary needs to find only one exploitable vulnerability to get in.
Attending this course prepares software testers to plan security tests adequately and execute them precisely, and to select and use the most appropriate tools and techniques to find even hidden security flaws. Practical exercises build an understanding of web application vulnerabilities and their mitigations, combined with hands-on trials of a range of testing tools: security scanners, sniffers, proxy servers, fuzzers and static source code analyzers. The course gives essential practical skills that can be applied at the workplace the next day.
Course outline

IT security and secure coding
Web application security (OWASP Top Ten 2017)
Client-side security
Denial of service
Security testing
Security testing techniques and tools
Knowledge sources

Day 1
Security basics
What is security?
Threat and risk
Types of threats against computer systems
Consequences of insecure software
Constraints and the market
The dark side
Categorization of bugs

The Seven Pernicious Kingdoms
Common Weakness Enumeration (CWE)
CWE/SANS Top 25 Most Dangerous Software Errors
Vulnerabilities in the environment and dependencies

The OWASP Top Ten
OWASP Top 10 – 2017
A1 - Injection

Injection principles
Injection attacks
SQL injection

SQL injection basics
Lab – SQL injection
Attack techniques
Content-based blind SQL injection
Time-based blind SQL injection

SQL injection best practices

Input validation
Parameterized queries
Additional considerations
Lab – Using prepared statements
Case study – Hacking Fortnite accounts
Testing for SQL injection

Code injection

OS command injection

Lab – Command injection
OS command injection best practices
Lab – Command injection best practices
Case study – Command injection via ping
Testing for command injection

Injection best practices

A2 - Broken Authentication

Authentication basics
Authentication weaknesses
Spoofing on the Web
Testing for weak authentication
Case study – PayPal 2FA bypass
User interface best practices
Password management

Inbound password management

Storing account passwords
Password in transit
Lab – Why is just hashing passwords not enough?
Dictionary attacks and brute forcing
Salting
Adaptive hash functions for password storage
(Mis)handling passwords
Password policy
NIST authenticator requirements for memorized secrets
Password length
Password hardening
Using passphrases
Lab – Applying a password policy
The Ashley Madison data breach
The dictionary attack
The ultimate crack
Exploitation and the lessons learned
Password database migration
Testing for password management issues

Outbound password management

Hard coded passwords
Password in configuration file
Lab – Hardcoded password
Protecting sensitive information in memory
Challenges in protecting memory

Session management

Session management essentials
Why do we protect session IDs – Session hijacking
Session ID best practices
Session expiration
Session fixation
Testing for session management issues
Cross-site Request Forgery (CSRF)

Lab – Cross-site Request Forgery
CSRF best practices
Lab – CSRF protection with tokens
Testing for CSRF

Cookie security

Cookie security best practices
Cookie attributes
Testing cookie security

Day 2
Security testing
Security testing methodology

Preparation
Identifying assets
Identifying the attack surface
Assigning security requirements
Lab – Identifying and rating assets
Attacker profiling
Threat modelling

SDL threat modelling
Data flow diagram elements
Mapping STRIDE to DFD
Lab – SDL threat modelling
Attack trees
Misuse cases
Risk analysis
Lab – Risk analysis

Security testing approaches

Review and recommendations
Standard and proprietary mitigations

The OWASP Top Ten
A3 - Sensitive Data Exposure

Information exposure
Exposure through extracted data and aggregation
System information leakage

Leaking system information

Information exposure best practices

A4 - XML External Entities (XXE)

DTD and the entities
Entity expansion
External Entity Attack (XXE)

File inclusion with external entities
Server-Side Request Forgery with external entities
Lab – External entity attack
Case study – XXE vulnerability in SAP Store
Lab – Prohibiting DTD
Testing for XXE and XML entity-related vulnerabilities

A5 - Broken Access Control

Access control basics
Missing or improper authorization
Failure to restrict URL access
Testing for authorization issues
Confused deputy

Insecure direct object reference (IDOR)
Lab – Insecure Direct Object Reference
Authorization bypass through user-controlled keys
Case study – Authorization bypass on Facebook
Testing for confused deputy weaknesses

File upload

Unrestricted file upload
Good practices
Lab – Unrestricted file upload
Testing for file upload vulnerabilities

A6 - Security Misconfiguration

Configuration principles
Server misconfiguration
Configuration management

A7 - Cross-site Scripting (XSS)

Cross-site scripting basics
Cross-site scripting types

Persistent cross-site scripting
Reflected cross-site scripting
Client-side (DOM-based) cross-site scripting
Case study – XSS in Fortnite accounts

XSS protection best practices

Protection principles - escaping
Additional protection layers
Client-side protection principles
Lab – XSS fix / stored
Lab – XSS fix / reflected
Testing for XSS

A8 - Insecure Deserialization

Serialization and deserialization challenges
Deserializing untrusted streams
Deserializing best practices
Property Oriented Programming (POP)

POP best practices
Lab – Creating a POP payload
Lab – Using the POP payload
Testing for insecure deserialization

Day 3
Security testing
Security testing techniques and tools

Security testing vs functional testing
Manual and automated methods
Penetration testing
Stress testing
Code analysis

Security aspects of code review
Static analysis

Dynamic analysis

Security testing at runtime
Dynamic analysis tools

Testing web applications

Web vulnerability scanners
SQL injection tools

Man-in-the-middle sniffing and interference

Proxy servers
Lab – Using a proxy

The OWASP Top Ten
A9 - Using Components with Known Vulnerabilities

Using vulnerable components
Assessing the environment
Hardening
Untrusted functionality import
Importing JavaScript
Case study – The British Airways data breach
Vulnerability management

Patch management
Vulnerability databases and scanning tools
Vulnerability rating – CVSS

A10 - Insufficient Logging & Monitoring

Logging and monitoring principles
Insufficient logging
Plaintext passwords at Facebook
Logging best practices
Monitoring best practices

Web application security beyond the Top Ten

Client-side security
Same Origin Policy

Relaxing the Same Origin Policy
Relaxing with Cross-Origin Resource Sharing (CORS)
Simple request
Preflight request
Tabnabbing

Frame sandboxing

Cross-Frame Scripting (XFS) attack
Lab – Clickjacking
Clickjacking beyond hijacking a click
Clickjacking protection best practices

Testing for client-side security weaknesses

Common software security weaknesses
Input validation

Input validation principles

Blacklists and whitelists
Data validation techniques
What to validate – the attack surface
When to validate – validation vs transformations
Where to validate – defense in depth
Output sanitization
Encoding challenges
Validation with regex

Integer handling problems

Representing signed numbers
Integer visualization
Integer overflow
Integer truncation
Best practices

Upcasting
Precondition testing
Postcondition testing

Testing for numeric problems

Files and streams

Path traversal
Path traversal-related examples
Additional challenges in Windows
Virtual resources
Path traversal best practices
Testing for path traversal

JSON security
JSON injection
Dangers of JSONP
JSON/JavaScript hijacking
Best practices
Testing
ReactJS vulnerability in HackerOne
Wrap up
Secure coding principles

Principles of robust programming by Matt Bishop
Secure design principles of Saltzer and Schroeder
Some more principles

And now what?

Further sources and readings

Target audience

Prerequisites: General web application development and testing

Tieturi

Tieturi – trains you to be better

Tieturi is a pioneer in training that grows the competence and productivity of individuals and organisations. We help organisations meet business change and turn it into an asset. We are the most versatile operator in the field and offer both open courses and training tailored to companies' needs. Our particular areas of expertise are software development, project work, infrastructure, information management...


Reviews
Be the first to review this course.

Trainer reviews
(4.0)
Based on 13 reviews