Introduction to web application security testing
Alexandr Romanov

Description: A brief overview of common techniques and tools which can be applied to web application security testing
Page 1: Introduction to web application security testing

Introduction to web application security testing

Alexandr Romanov

Page 2

What is security testing and why is it necessary?

Page 3

Prepare your mind for security testing

- Think like a hacker :)

- Concentrate on negative testing

- Vulnerabilities = bugs

Page 4

Security testing in action - stage 1: Mapping the application

- web spidering

- user directed spidering

- brute force scanning

Page 5

Security testing in action - stage 2: Analyze the application

- application functionality

- data entry points

- application technologies

Page 6

Security testing in action - stage 3: Test/break the application

Test:

- client-side controls

- authentication mechanism

- session management mechanism

- access controls

- input-based vulnerabilities

- ...
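The three testing stages above (map, analyze, test), as an added example that is not part of the original slides: a small Python script that starts a constructed target site on localhost, maps it by spidering and by probing a brute-force wordlist, records the data entry points (query parameters and form fields), and then runs two stage-3 checks, unencoded reflection of a canary through a parameter (an input-based vulnerability) and the protective attributes of the session cookie. The site contents, the wordlist (`/admin`, `/backup`, `/config`, `/old`), the canary string and the function names are assumptions made for this example.

```python
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urljoin, urlparse
from urllib.request import urlopen
# Constructed target (an assumption for this example, not a real app): /admin is never
# linked, /search reflects its parameter unencoded, /login issues a cookie with no flags.
PAGES = {
    "/": '<a href="/about">About</a> <a href="/search?q=test">Search</a> <a href="/login">Login</a>',
    "/about": "<p>About us</p>",
    "/admin": "<p>Admin console</p>",
    "/login": '<form method="post" action="/login"><input name="user"><input name="pass"></form>',
}

class Target(BaseHTTPRequestHandler):
    def log_message(self, *args): pass  # keep the request log quiet
    def do_GET(self):
        url = urlparse(self.path)
        extra = {"Set-Cookie": "sid=1234; Path=/"} if url.path == "/login" else {}
        if url.path == "/search":  # deliberately unescaped: the reflected XSS to be found
            body = "<p>Results for %s</p>" % parse_qs(url.query).get("q", [""])[0]
        else:
            body = PAGES.get(url.path)
        data = (body or "not found").encode()
        self.send_response(200 if body else 404)
        self.send_header("Content-Length", str(len(data)))
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

def start_target():  # serve the constructed site on a random localhost port
    srv = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def fetch(url):  # GET and return (status, headers, body), also for 4xx responses
    try:
        with urlopen(url, timeout=5) as resp:
            return resp.status, resp.headers, resp.read().decode()
    except HTTPError as err:
        return err.code, err.headers, err.read().decode()

HREF_RE = re.compile(r'href="([^"]+)"')
FORM_RE = re.compile(r'<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>', re.S)
INPUT_RE = re.compile(r'<input[^>]*name="([^"]+)"')
def spider(base):
    """Stage 1, web spidering: follow every same-host link reachable from /."""
    seen, queue = set(), ["/"]
    while queue:
        path = queue.pop()
        if path in seen:
            continue
        seen.add(path)
        _, _, body = fetch(urljoin(base, path))
        for href in HREF_RE.findall(body):
            link = urlparse(urljoin(base, href))
            if link.netloc == urlparse(base).netloc:
                queue.append(link.path)
    return sorted(seen)

def brute_force(base, wordlist):  # stage 1, brute force scanning: probe unlinked paths
    return [w for w in wordlist if fetch(urljoin(base, w))[0] == 200]

def entry_points(base, paths):
    """Stage 2: where user-controlled data enters, as {path: [parameter names]}."""
    points = {}
    for path in paths:
        _, _, body = fetch(urljoin(base, path))
        for href in HREF_RE.findall(body):
            link = urlparse(href)
            if link.query:
                points.setdefault(link.path, set()).update(parse_qs(link.query))
        for action, inner in FORM_RE.findall(body):
            points.setdefault(action, set()).update(INPUT_RE.findall(inner))
    return {p: sorted(names) for p, names in points.items()}

def reflects_canary(base, path, param, canary="zq9<\"'>"):
    # Stage 3, input-based: True when the canary comes back unencoded (an XSS candidate)
    _, _, body = fetch(urljoin(base, path) + "?" + urlencode({param: canary}))
    return canary in body

def session_cookie_flags(base):
    # Stage 3, session management: which protective attributes the session cookie carries
    _, headers, _ = fetch(urljoin(base, "/login"))
    attrs = {a.strip().split("=")[0].lower() for a in headers.get("Set-Cookie", "").split(";")[1:]}
    return {flag: flag in attrs for flag in ("secure", "httponly", "samesite")}

def run_assessment(base):
    """Map, analyze, then test; the result is the raw output a report is written from."""
    paths = spider(base)
    hidden = brute_force(base, ["/admin", "/backup", "/config", "/old"])  # assumed wordlist
    points = entry_points(base, paths)
    findings = [f"unencoded reflection of {n} on {p}" for p, names in points.items()
                for n in names if reflects_canary(base, p, n)]
    findings += [f"session cookie lacks {f}" for f, ok in session_cookie_flags(base).items() if not ok]
    return {"paths": paths, "hidden": hidden, "entry_points": points, "findings": findings}

if __name__ == "__main__":
    print(run_assessment(start_target()))
```

Run it stand-alone and it prints the mapped paths, the path only the wordlist found (`/admin`), the entry points and four findings. The reflection check only flags a candidate: a canary echoed unencoded shows output encoding is missing, and confirming exploitability is a separate step. Against a real target the same three stages apply, with the requests and responses captured in an intercepting proxy so they can go into the raw-output part of the report.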

Page 7

Security testing in action - stage 4: Report the results

1. Executive summary

2. Detailed report

3. Raw output

Page 8

Security tester tools

Firefox:

- Firebug/FirePath

- HTTPWatch

- FoxyProxy

- XSSme/SQLme

Chrome:

- XSSRays

IE:

- HTTPWatch/IEWatch

(Firebug and FirePath are no longer maintained; current browsers ship equivalent inspection tools in their built-in developer tools.)

Page 9

Security tester tools

Integrated suites (intercepting proxies):

- BurpSuite

- WebScarab

- Zed Attack Proxy

- Fiddler

Vulnerability scanners:

- Acunetix

- Nikto

- Nessus