8/2/2019 Software Testing Best Practices
Top 5 Web App Security bugs
Cross-Site Scripting
Normal execution
Cross-Site Scripting
What attacker does
Types of Cross-Site Scripting
Non-persistent Attack:
1. A often visits a particular website, which is hosted by B. B's website allows A to log in with a username/password pair and stores sensitive data, such as billing information.
2. C observes that B's website contains a reflected XSS vulnerability.
3. C crafts a URL to exploit the vulnerability, and sends A an email, enticing her to click on a link for the URL under false pretenses. This URL will point to B's website, but will contain C's malicious code, which the website will reflect.
4. A visits the URL provided by C while logged into B's website.
5. The malicious script embedded in the URL executes in A's browser, as if it came directly from B's server (this is the actual XSS vulnerability). The script can be used to send A's session cookie to C. C can then use the session cookie to steal sensitive information available to A (authentication credentials, billing info, etc.) without A's knowledge.
Prevention of Cross-Site Scripting
- Check that ASP.NET request validation is enabled
- Review ASP.NET code that generates HTML output
- Review potentially dangerous HTML tags and attributes.
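An added example (not from the slides) of step 5 above and of the second prevention point: a page parameter is echoed into HTML, first reflected raw, then encoded at the point of output. Request validation (the `validateRequest` page attribute or `<pages validateRequest="true" />` in web.config) rejects obviously HTML-looking input before the page runs, but it is a safety net; encoding output is the fix. `GreetingPage` and its methods are constructed for this example.

```csharp
using System;
using System.Net;

public static class GreetingPage
{
    // VULNERABLE: the attacker-controlled 'name' lands in the HTML untouched,
    // so a crafted URL value can become markup or script in the victim's browser.
    public static string RenderVulnerable(string name)
    {
        return "<h1>Welcome back, " + name + "</h1>";
    }

    // FIXED: encode at the point of output. '<', '>', '&', '"' and '\'' become
    // entities, so the browser shows the text literally instead of parsing it.
    public static string RenderSafe(string name)
    {
        string safe = WebUtility.HtmlEncode(name);
        return "<h1>Welcome back, " + safe + "</h1>";
    }

    // A check a tester can apply to any rendering routine: if the input
    // contained markup and the output still contains it verbatim, the output
    // was not encoded.
    public static bool ReflectsRawMarkup(string html, string input)
    {
        return input.IndexOf('<') >= 0 && html.Contains(input);
    }

    public static void Main()
    {
        // Constructed sample value standing in for C's crafted URL parameter.
        string probe = "<script>alert('xss')</script>";

        Console.WriteLine(RenderVulnerable(probe));
        Console.WriteLine("reflects raw markup: " + ReflectsRawMarkup(RenderVulnerable(probe), probe)); // True

        Console.WriteLine(RenderSafe(probe));
        Console.WriteLine("reflects raw markup: " + ReflectsRawMarkup(RenderSafe(probe), probe));       // False
    }
}
```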
Clear Text Secrets
Sensitive data such as user credentials and cryptographic keys must never be stored, cached, or sent unencrypted. For instance: logon passwords, PINs, credit card numbers, telephone calling card numbers, and session IDs that can be used to gain access to goods, services, or confidential information must always be stored and sent encrypted.
Countermeasures to Clear Text Secrets
- Use trusted and proven standard algorithms for encryption
- Do not store secrets (passwords/keys) in code
- Use the aspnet_regiis tool to encrypt configuration settings
Authorization Issues
Direct Object Reference (Normal execution)
Countermeasures to authorization issues
- Perform server-side authorization
- Use a platform-provided authorization mechanism
- URL authorization / declarative checks
- Implement authorization controls in middle tiers such as gateways
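An added example (not from the slides) of the direct object reference case and of the server-side authorization countermeasure. An invoice id arrives in the URL; the vulnerable lookup trusts it, the fixed one checks ownership against the authenticated identity. `Invoice`, `InvoiceService` and the in-memory repository are constructed for this example.

```csharp
using System;
using System.Collections.Generic;

public class Invoice
{
    public int Id;
    public string OwnerId;
    public decimal Amount;
}

public static class InvoiceService
{
    // Constructed sample data standing in for the database.
    private static readonly Dictionary<int, Invoice> Repository = new Dictionary<int, Invoice>
    {
        { 1001, new Invoice { Id = 1001, OwnerId = "alice", Amount = 120.00m } },
        { 1002, new Invoice { Id = 1002, OwnerId = "bob",   Amount = 75.50m } },
    };

    // VULNERABLE: whatever id the client puts in the URL is returned, so a user
    // who changes ?id=1001 to ?id=1002 reads another customer's invoice.
    // URL authorization (e.g. denying anonymous users) does not help here: the
    // caller is logged in, just not the owner.
    public static Invoice GetVulnerable(string currentUser, int id)
    {
        Invoice inv;
        return Repository.TryGetValue(id, out inv) ? inv : null;
    }

    // FIXED: the server decides. 'currentUser' must come from the authenticated
    // session (never from a user id the client sends). "Not found" and "not
    // yours" give the same answer, so the response does not confirm that the
    // other id exists.
    public static Invoice GetAuthorized(string currentUser, int id)
    {
        Invoice inv;
        if (!Repository.TryGetValue(id, out inv)) return null;
        if (!string.Equals(inv.OwnerId, currentUser, StringComparison.Ordinal)) return null;
        return inv;
    }

    public static void Main()
    {
        Console.WriteLine(GetVulnerable("alice", 1002) != null);   // True: bob's invoice leaks
        Console.WriteLine(GetAuthorized("alice", 1002) != null);   // False
        Console.WriteLine(GetAuthorized("alice", 1001) != null);   // True
    }
}
```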
SQL Injection
User input without sufficient validation is used to create and execute a dynamic SQL statement. The user can manipulate the SQL statement that gets executed.
SQL Injection
Normal execution
SQL Injection
What attacker does
Countermeasures to SQL Injection
* Constrain and sanitize input data:
Check for known good data by validating for type, length, format, and range.
* Use safe SQL parameters for data access:
If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code.
* Use an account that has restricted permissions in the database:
Ideally, you should only grant execute permissions to selected stored procedures in the database and provide no direct table access.
* Avoid disclosing database error information:
In the event of database errors, make sure you do not disclose detailed error messages to the user.
Verbose Error messages
Leads to
Countermeasures to Verbose Errors
Display a different, generic message in the case of an exception or a particular scenario that would otherwise surface the verbose message to the user as a crash.
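An added example (not from the slides) serving both the SQL Injection countermeasures and the verbose-error slide above: a customer lookup built by string concatenation, then the same lookup with input constrained to a known-good format, the value bound as a parameter, and database errors logged server-side while the user gets a generic message. The table, columns, id format and `CustomerLookup` class are constructed for this example; the connection string is the caller's, and the restricted-permissions point is a property of the account it names.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class CustomerLookup
{
    // VULNERABLE: the input is pasted into the statement text, so a value
    // containing a quote character changes which SQL runs.
    public static string BuildVulnerableQuery(string customerId)
    {
        return "SELECT Name FROM Customers WHERE CustomerId = '" + customerId + "'";
    }

    // Countermeasure 1: constrain input to known-good type, length, format, range
    // (constructed format: two letters followed by six digits).
    public static bool IsValidCustomerId(string customerId)
    {
        return customerId != null && Regex.IsMatch(customerId, @"^[A-Z]{2}[0-9]{6}$");
    }

    // Countermeasures 2 and 4. Countermeasure 3 lives in the connection string:
    // the login it names should hold only the permissions this query needs.
    public static string FindName(string connectionString, string customerId, out string userMessage)
    {
        userMessage = null;
        if (!IsValidCustomerId(customerId))
        {
            userMessage = "Invalid customer id.";
            return null;
        }
        try
        {
            using (var conn = new SqlConnection(connectionString))
            using (var cmd = new SqlCommand("SELECT Name FROM Customers WHERE CustomerId = @id", conn))
            {
                // Bound as data: SQL Server never parses the value as code.
                cmd.Parameters.Add("@id", SqlDbType.NVarChar, 8).Value = customerId;
                conn.Open();
                object result = cmd.ExecuteScalar();
                return result == null ? null : (string)result;
            }
        }
        catch (SqlException ex)
        {
            // Full detail goes to the server log only; the user sees a generic text.
            Console.Error.WriteLine("DB error {0}: {1}", ex.Number, ex.Message);
            userMessage = "The request could not be completed. Please try again later.";
            return null;
        }
    }
}
```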
Other Bugs
Range Check
The range of all similar fields should be uniform, e.g. the phone/mobile number.
Back button
Sometimes the Back button present in the page causes user data to be revealed or altered, which is very serious in the case of transactions or user information.
Bug Repetition
Suppose a bug type has been resolved; then the same bug should not be repeated. For example, the hotel rule was not being properly updated at an earlier time, but after some patch the issue was noticed again.
Session expiry
The session expiry time is also non-uniform.
Uniformity of the Error messages
The error message displayed should be uniform in terms of the displayed location and type.
Scrollbar
Suppose the input value for a particular field is large; then there should be a scrollbar present so that the UI of the page is not affected.
Feedback / QnA