Transcript
Page 1: Application security overview

Application Security

Asanka Fernandopulle

Senior Software Engineer, 99X Technology

Dilan Warnakulasooriya

Information Security Engineer, 99X Technology

04/11/2023 99X Technology(c) 1

Page 2: Application security overview

Basics of Application Security

• HTTP and HTTPS

  • Symmetric key
  • Asymmetric key
  • Session key
  • Analyzing a certificate
  • Sniffing HTTP and HTTPS
  • Calomel plugin


Page 3: Application security overview

Basics of Application Security

• Man in the middle

  • Analyzing browser requests
  • Analyzing server response
  • HTTPS communication

• https and s-http


Page 4: Application security overview

Basics of Application Security

• What OWASP does

• Builders, Breakers and Defenders


Page 5: Application security overview

Web Application penetration testing

• Basic web testing methodology

• Vulnerability, Threat and Exploit

• Developer level application security overview


Page 6: Application security overview

Web Application penetration testing

• Application Security frameworks

  • Before development begins
  • During definition and design
  • During development
  • During deployment
  • Maintenance and operations


Page 7: Application security overview

Web Application penetration testing

• Web application security review frameworks

  • Samurai WTF
  • Websecurify
  • Wapiti
  • Skipfish
  • Acunetix
  • WebScarab
  • w3af


Page 8: Application security overview

Secure Authentication

• Authentication/Access control methods


Page 9: Application security overview

Secure Authentication

• Authentication bypass techniques

  • Direct page request
  • Parameter modification
  • Session ID prediction
  • SQL injection

Session predictability - WebScarab / Burp Suite


Page 10: Application security overview

Secure Authentication

• Bypass authentication matrix

  • Basic authentication
  • Multi-level login 1
  • Multi-level login 2


Page 11: Application security overview

Secure Authentication

• Password remember

  • Password strength
  • Forgot password

• Browser cache management


Page 12: Application security overview

Secure Authentication

• Parameter tampering

  • Bypass HTML field restrictions
  • Exploit hidden fields
  • Bypass client-side JavaScript validation

• Coding controls for Parameter Tampering


Page 13: Application security overview

Secure Authentication

• Access control flaws

  • Using an access control matrix
  • Bypass a path-based access control scheme
  • Bypass data layer access control


Page 14: Application security overview

Injections

• SQL injection classes

  • In-band
  • Out-of-band
  • Inferential


Page 15: Application security overview

Injections

• Techniques to exploit SQL injections

  • Union operator
  • Boolean
  • Error based
  • Out of band
  • Time delay


Page 16: Application security overview

Injections

• Standard SQL injection testing

• SELECT * FROM Users WHERE Username='$username' AND Password='$password'

• Numeric SQL injection
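The login query on this slide is the classic string-built query that the string SQL injection test exercises. The following is an added example, not code from the deck or from 99X Technology: it runs that exact query against a constructed in-memory SQLite table both as built by string interpolation and with bound parameters, so the developer-side control ("how developers work on SQL injection") can be checked directly. Table contents and the test inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the slide's Users table (not from the deck).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The slide's query, assembled by interpolation: user input becomes part of the SQL text,
    # so a quote in the input changes the statement's structure instead of its data.
    sql = (
        f"SELECT * FROM Users WHERE Username='{username}' "
        f"AND Password='{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    # Same query with placeholders: the driver binds the values, they are never parsed as SQL.
    sql = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Constructed test input with a single quote, the string-injection probe from the deck.
    probe = "' OR '1'='1"
    print("interpolated:", len(login_vulnerable(conn, probe, probe)), "rows")
    print("parameterized:", len(login_parameterized(conn, probe, probe)), "rows")
```

With valid credentials both functions return the one matching row; with the quoted probe the interpolated query matches every row while the parameterized one matches none.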


Page 17: Application security overview

Injections

• Union Exploitation technique

  • XPath injection
  • String SQL injection


Page 18: Application security overview

Injections

• Boolean Exploitation technique

• SQL injection: Stage 1: String SQL injection

• Stage 3: Numeric SQL injection


Page 19: Application security overview

Injections

• Error based Exploitation technique

• Modify data with SQL injection

• Add data with SQL injection


Page 20: Application security overview

Injections

• Out of band Exploitation technique


Page 21: Application security overview

Injections

• Time delay Exploitation technique

• Stored procedure Exploitation technique

• Automated Exploitation technique


Page 22: Application security overview

Injections

• How developers work on SQL injection

• Automate your injection

• sqlmap


Page 23: Application security overview

Session Management

• Session management techniques

• Session management vulnerability

  • Insufficient session ID length
  • Session fixation
  • Session variable overloading


Page 24: Application security overview

Session Management

• Check your cookies

  • Cookie collection
  • Cookie reverse engineering
  • Cookie manipulation

• Hijack a session

  • Hijack a session
  • Spoof an authentication cookie
  • Session fixation


Page 25: Application security overview

Session Management

• How developers work on session handling


Page 26: Application security overview

Code Quality

• Code quality breach

• Discover clues in the HTML


Page 27: Application security overview

Cross Site Scripting

• Scripting types

  • Reflected cross site scripting (non-persistent XSS)
  • Stored cross site scripting (second-order XSS)
  • DOM-based cross site scripting (type 0 XSS)


Page 28: Application security overview

Cross Site Scripting

• Reflected cross site scripting (non-persistent XSS)

• Testing for reflected XSS

• Reflected XSS


Page 29: Application security overview

Cross Site Scripting

• Bypass XSS filters

  • Tag attribute value
  • Different syntax or encoding
  • Bypassing non-recursive filtering


Page 30: Application security overview

Cross Site Scripting

• Stored cross site scripting (second-order XSS)

• XSS attack scenario

• Stored XSS


Page 31: Application security overview

Cross Site Scripting

• Testing for Stored cross site scripting

  • Input forms
  • Analyze HTML code
  • Exploitation framework
  • File upload


Page 32: Application security overview

Cross Site Scripting

• How developers handle XSS and CSRF


Page 33: Application security overview

Testing Tools

• Proxy

• How to write secure programs


Page 34: Application security overview

Thank you

