Application security overview

Application Security

Asanka Fernandopulle

Senior Software Engineer99X Technology

Dilan Warnakulasooriya

Information Security Engineer99X Technology

04/11/2023 99X Technology(c) 1

Basics of Application Security

• HTTP and HTTPS

• Symmetric key• Asymmetric key• Session key• Analyzing a certificate• Sniffing HTTP and HTTPS• Calomel plugin

• Man in the middle

• Analyzing browser requests• Analyzing server response• https communication

• https and s-http

• What OWASP does

• Builders , Breakers and Defenders

Web Application penetration testing

• Basic web testing methodology

• Vulnerability, Threat and Exploit

• Developer level application security overview

• Application Security frameworks

• Before development begins• During definition and design• During development• During deployment• Maintenance and operations

• Web application security review frameworks

• Samurai WTF• Websecurify• Wapiti• Skiffish• Acunetix• Webscarab• W3af

Secure Authentication

• Authentication/Access control methods

• Authentication bypass techniques

• Direct page request• Parameter modification• Session ID prediction• Sql injection

Session predictability - webscarab/burpsuite

• Bypass authentication matrix

• Basic authentication• Multi-Level login 1• Multi-Level login 2

04/11/2023 99X Technology(c) 10

• Password remember

• Password strength• Forgot password

• Browser cache management

04/11/2023 99X Technology(c) 11

• Parameter tampering

• Bypass HTML Field restrictions• Exploit hidden fields• Bypass client side JavaScript validation

• Coding controls for Parameter Tampering

04/11/2023 99X Technology(c) 12

• Access control flaws

• Using an Access control matrix• Bypass a path based access control scheme• Bypass data layer access control

04/11/2023 99X Technology(c) 13

Injections

• SQL injection classes

• In band• Out of band• Inferential

04/11/2023 99X Technology(c) 14

Injections

• Techniques to exploit sql injections

• Union operator• Boolean• Error based• Out of band• Time delay

04/11/2023 99X Technology(c) 15

Injections

• Standard SQL injection testing

• SELECT * FROM Users WHERE Username='$username' AND Password='$password'

• Numeric sql injection

04/11/2023 99X Technology(c) 16

Injections

• Union Exploitation technique

• Xpath injection• String sql injection

04/11/2023 99X Technology(c) 17

Injections

• Boolean Exploitation technique

• Sql injection : stage 1 : String sql injection

• Stage 3 : Numeric sql injection

04/11/2023 99X Technology(c) 18

Injections

• Error based Exploitation technique

• Modify data with sql injection

• Add data with sql injection

04/11/2023 99X Technology(c) 19

Injections

• Out of band Exploitation technique

04/11/2023 99X Technology(c) 20

Injections

• Time delay Exploitation technique

• Stored procedure Exploitation technique

• Automated Exploitation technique

04/11/2023 99X Technology(c) 21

Injections

• How developers work on SQL injection

• Automate your injection

• sqlmap

04/11/2023 99X Technology(c) 22

Session Management

• Session management techniques

• Session management vulnerability

• insufficient session id length• Session fixation• Session variable overloading

04/11/2023 99X Technology(c) 23

Session Management

• Check your cookies

• Cookie collection• Cookie reverse engineering• Cookie manipulation

• Hijack a session

• Hijack a session• Spoof an authentication cookie• Session fixation

04/11/2023 99X Technology(c) 24

Session Management

• How developers work on session handling

04/11/2023 99X Technology(c) 25

Code Quality

• Code quality breach

• Discover clues in the HTML

04/11/2023 99X Technology(c) 26

Cross Site Scripting

• Scripting types

• Reflected cross site scripting (non-persistent XSS)• Stored cross site scripting (second-order XSS)• DOM based cross site scripting (type 0 xss)

04/11/2023 99X Technology(c) 27

• Reflected cross site scripting (non-persistent XSS)

• Testing for reflected XSS

• Reflected xss

04/11/2023 99X Technology(c) 28

• Bypass XSS filters

• Tag Attribute Value • Different syntax or enconding • Bypassing non-recursive filtering

04/11/2023 99X Technology(c) 29

• Stored cross site scripting (second-order XSS)

• XSS attack scenario

• Stored XSS

04/11/2023 99X Technology(c) 30

• Testing for Stored cross site scripting

• Input forms • Analyze HTML code• Exploitation framework• File upload

04/11/2023 99X Technology(c) 31

• How developer handle XSS and CSRF

04/11/2023 99X Technology(c) 32

Testing Tools

• Proxy

• How to write secure programs

04/11/2023 99X Technology(c) 33

Thank you

04/11/2023 99X Technology(c) 34

Application security overview

Technology

Session 11: Security with ASP.NET. Overview Web Application Security: Authentication vs. Authorization – What Are ASP.NET Authentication Methods? – Comparing

Security Model Overview - LivePerson · 2017-02-03 · LIVEPERSON SECURITY MODEL OVERVIEW APPLICATION LEVEL SECURITY CHAT SESSION SECURITY The main service that LivePerson protects

Application Security 101web.uvic.ca/~garyperkins/Lecture 08 - Application Security 101.pdf · Application Security 101 Tanya Janca Security Trainer and Coach at SheHacksPurple.dev

CERIAS Tech Report 2017-3 The Application of Deception to ... · The Application of Deception to Software Security Patching ... 1.2 Patch Exploit Overview ... 6.2.1 Security Parameters

1 IP Security. 2 IP Security Overview We have considered some application specific security mechanisms –eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there

Solution Overview Orchestrating Application … Application Connectivity with Cisco ACI and Tufin Managing Application Connectivity and Security with Cisco Application Centric Infrastructure

Database Application Security Models Database Application Security Models 1

Core-CT Application SecurityCore-CT Application Security Statewide HRMS, Financials and Reporting System Date Revised: January 10, 2019 1 . Core-CT Application Security Overview In

WPH301. announcement Overview Roadmap for Business Risk Management (security model, application security, security management) Deploying Windows Phone

Contents of this presentation are for your educational ... · Jairam Ramesh Security Research Consultant | Microsoft Corporation. General Overview Desktop Application Security Web

Web Application Security with the Application Security Manager (ASM)

Application security overview

AirWatch Overview - Mobile Security | Mobile Device ... · Mobile Security Mobile Device Management Mobile Application Management AirWatch Simpli˜ es Mobility in Education Schools

Application Security Center overview - SAST€¦ · Application Security Center overview Magnus Hillgren Presales –HP Software Sweden Fredrik Möller ... •Fortify 360 SCA HP Quality

An overview of building security into application software ... · An overview of building security into application software systems Secure software development Chris Horn April 2019

Module 1: Web Application Security Overview 1. Overview How Data is stored in a Web Application Types of Data that need to be secured Overview of common

BIG-IP® Application Security Manager™: Implementations · PDF fileImplementation Result ... Investigating DoS attacks and mitigation ... Displaying an application security overview

Application Security

MANAGING APPLICATION SECURITY...AN APPLICATION SECURITY PROGRAM MANAGING APPLICATION SECURITY PAGE 13 What do you use to track the effectiveness of your application security program?

Actian DataConnect Security Overview · security falls short. DataConnect’s architecture has been designed to focus on security at the user and application levels; leveraging existing