Application Security

Dilan Warnakulasooriya, Information Security Engineer, 99X Technology
Asanka Fernandopulle, Senior Software Engineer, 99X Technology

10/17/15

99X Technology(c)

Basics of Application Security
HTTP and HTTPS

Symmetric key
Asymmetric key
Session key
Analyzing a certificate
Sniffing HTTP and HTTPS
Calomel plugin

Basics of Application Security
Man in the middle

Analyzing browser requests
Analyzing server response
HTTPS communication
HTTPS and S-HTTP

Basics of Application Security
What OWASP does

Builders, Breakers and Defenders

Web Application penetration testing
Basic web testing methodology

Vulnerability, Threat and Exploit
Developer level application security overview

Web Application penetration testing
Application Security frameworks

Before development begins
During definition and design
During development
During deployment
Maintenance and operations

Web Application penetration testing
Web application security review frameworks

Samurai WTF
Websecurify
Wapiti
Skipfish
Acunetix
Webscarab
W3af

Secure Authentication
Authentication/Access control methods

Secure Authentication
Authentication bypass techniques

Direct page request
Parameter modification
Session ID prediction
SQL injection
Session predictability - webscarab/burpsuite

Secure Authentication
Bypass authentication matrix

Basic authentication
Multi-Level login 1
Multi-Level login 2

Secure Authentication

Password remember
Password strength
Forgot password
Browser cache management

Secure Authentication
Parameter tampering

Bypass HTML field restrictions
Exploit hidden fields
Bypass client side JavaScript validation
Coding controls for Parameter Tampering

Secure Authentication
Access control flaws

Using an Access control matrix
Bypass a path based access control scheme
Bypass data layer access control

Injections
SQL injection classes

In band
Out of band
Inferential

Injections
Techniques to exploit SQL injections

Union operator
Boolean
Error based
Out of band
Time delay

Injections
Standard SQL injection testing

SELECT * FROM Users WHERE Username='$username' AND Password='$password'

Numeric SQL injection

Injections
Union Exploitation technique

XPath injection
String SQL injection

Injections
Boolean Exploitation technique

SQL injection: stage 1: String SQL injection
Stage 3: Numeric SQL injection

Injections
Error based Exploitation technique

Modify data with SQL injection
Add data with SQL injection

Injections
Out of band Exploitation technique

Injections

Time delay Exploitation technique
Stored procedure Exploitation technique
Automated Exploitation technique

Injections
How developers work on SQL injection

Automate your injection
sqlmap

Session Management
Session management techniques

Session management vulnerability
Insufficient session ID length
Session fixation
Session variable overloading

Session Management
Check your cookies

Cookie collection
Cookie reverse engineering
Cookie manipulation

Hijack a session

Spoof an authentication cookie
Session fixation

Session Management
How developers work on session handling

Code Quality
Code quality breach

Discover clues in the HTML

Cross Site Scripting
Scripting types

Reflected cross site scripting (non-persistent XSS)
Stored cross site scripting (second-order XSS)
DOM based cross site scripting (type 0 XSS)

Cross Site Scripting
Reflected cross site scripting (non-persistent XSS)

Testing for reflected XSS
Reflected XSS

Cross Site Scripting
Bypass XSS filters

Tag attribute value
Different syntax or encoding
Bypassing non-recursive filtering

Cross Site Scripting
Stored cross site scripting (second-order XSS)

XSS attack scenario
Stored XSS

Cross Site Scripting
Testing for Stored cross site scripting

Input forms
Analyze HTML code
Exploitation framework
File upload

Cross Site Scripting
How developers handle XSS and CSRF

Testing Tools

Proxy
How to write secure programs

Thank you