Web application penetration testing automation - PowerPoint PPT Presentation

About This Presentation
Title:

Web application penetration testing automation

Number of Views:168
Avg rating:3.0/5.0
Slides: 11
Provided by: marili6
Transcript and Presenter's Notes

Title: Web application penetration testing automation


1
Web application penetration testing automation
  • Dmitrijs Krjukovs

2
Complexity of modern Web applications and the need
for penetration testing
  • Nowadays Web sites have become highly functional
    and complex applications that
  • Support critical business processes
  • Should be able to reach internal resources
    (databases, logistics systems, etc.)
  • Have dynamic and interactive content
  • Become part of the organization's security perimeter
  • Web application penetration testing is necessary
    to provide assurance that the implemented controls
    are effective and to minimize the risk of a
    successful attack, application misuse or
    application malfunction resulting in financial
    loss

3
Security testing vs penetration testing: what's
the difference
  • Security testing, like any other testing, might be:
  • White-box
  • Security requirements are defined
  • Information about security controls and
    architecture is fully available
  • Access to source code and log files
  • Maximum cooperation with Application owner
  • Grey-box
  • Some general information about security and
    application architecture
  • Limited cooperation with Application owner
  • Black box (Attack/Penetration testing)
  • No information about the Application, its security
    controls or architecture
  • Cooperation with the Application owner kept as
    minimal as possible

4
Objectives and possibilities for testing
automation
  • Testing automation has the following objectives:
  • Minimize resource investments (e.g. man-hours)
  • Improve quality of tests
  • Maximize number of tests performed per timeframe
  • Maximize number of tested vulnerabilities
  • Maximize tested payloads for each vulnerability
    (e.g. payloads for cross-site scripting)
  • Myth: modern Web application vulnerability
    scanners with rich functionality can automate
    most tests and substitute for a human tester

5
Testing methodology
  • Attack and penetration testing classically
    includes the following steps:
  • Application content mapping
  • Analysis of the application and mapping of attack
    surface
  • Risk analysis and preparation of test plan
  • Tests
  • Client-side control tests
  • Authentication mechanism tests
  • Session management mechanism tests
  • Access control tests
  • Input based vulnerability and injection tests
  • Function-specific input validation tests
  • Logic flaw tests
  • Web server vulnerability tests
  • Results analysis

  (Mostly supported by different automation tools)

6
Web application security testing tools and their
functionality
  • Tools used for Web application penetration
    testing can be grouped into:
  • Web server software vulnerability scanners for
    back-end server scans, server configuration
    analysis, Google Hack DB (Wikto, Nikto)
  • Intercepting proxies for intercepting and
    modifying requests (Burp suite, Webscarab,
    Paros)
  • Web application vulnerability scanners (IBM
    Appscan, HP WebInspect, Acunetix Web Scanner)
  • Specific tools (e.g. for scripting attacks,
    session token analysis, parameter brute forcing,
    decompilers, etc.), which are sometimes part of
    intercepting proxy tools (Crowbar, JAD, Burp
    suite)
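The "session token analysis" tool category above is easy to picture with a small, self-contained check. The following is an added example, not code from the presentation or from any of the tools it names: it compares a constructed, deliberately weak token generator (timestamp plus counter, rendered as hex) with Python's `secrets` module, and estimates how much entropy each token position carries. The generator names, sample size and thresholds are assumptions made for the illustration.

```python
"""Added example (not from the slides): a minimal session token analysis.

It shows the kind of measurement a session-token analysis tool performs,
here used from the defender's side to sanity-check a token generator.
"""
import math
import secrets
import time
from collections import Counter
from typing import Callable, Dict, List


def weak_token_generator() -> Callable[[], str]:
    """Constructed weak generator: hex(timestamp) followed by hex(counter).

    Every token is unique, so a quick look suggests nothing is wrong, but
    all tokens share a fixed prefix and differ only in the trailing digits.
    """
    counter = [0]
    base = int(time.time())  # fixed when the generator is created

    def next_token() -> str:
        counter[0] += 1
        return f"{base:016x}{counter[0]:016x}"

    return next_token


def strong_token() -> str:
    """128 random bits from the OS CSPRNG, rendered as 32 hex characters."""
    return secrets.token_hex(16)


def position_entropy(tokens: List[str]) -> List[float]:
    """Shannon entropy (bits) of the character distribution at each position."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    result = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        result.append(-sum(c / n * math.log2(c / n) for c in counts.values()))
    return result


def estimate_bits(tokens: List[str]) -> float:
    """Crude total entropy estimate: sum of the per-position entropies."""
    return sum(position_entropy(tokens))


def is_sequential(tokens: List[str]) -> bool:
    """True when consecutive tokens, read as hex integers, differ by a constant."""
    values = [int(t, 16) for t in tokens]
    diffs = {b - a for a, b in zip(values, values[1:])}
    return len(diffs) == 1


def analyse(generator: Callable[[], str], samples: int = 500) -> Dict[str, object]:
    """Collect `samples` tokens and report the two checks above."""
    tokens = [generator() for _ in range(samples)]
    return {"estimated_bits": estimate_bits(tokens), "sequential": is_sequential(tokens)}


if __name__ == "__main__":
    print("weak  :", analyse(weak_token_generator()))
    print("strong:", analyse(strong_token))
```

With 500 samples the weak generator scores only a handful of bits (most hex positions never change) and is flagged as sequential, while `secrets.token_hex` scores close to its nominal 128 bits. The per-position estimate is deliberately simple: it cannot detect tokens that look random but are derived from a predictable seed or a leaked secret, which is exactly the kind of finding that still needs a human tester.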

7
Challenges for scanning automation
  • Web application scanning automation faces
    several challenges:
  • Every application is different; it's impossible
    to rely on a precomputed database of checks
  • Scanners operate on syntax, although many
    attacks require an understanding of meaning
    (prices, account numbers, usernames, etc.)
  • Scanners are not intuitive and, unlike a human
    tester, will not notice suspicious patterns, work to
    understand application defenses, etc.
  • Working with unusual login and session
    mechanisms
  • Anti-automation defenses implemented in
    applications

8
Experience from penetration testing automation
  • Vulnerabilities without standard signatures are
    hard to diagnose.
  • Scanners miss a lot of injection bugs and trivial
    input-based bugs, or don't even check for several
    categories of them.
  • From experience effectiveness of penetration
    testing automation tools (vulnerability scanners)

9
Conclusion
  • Web application vulnerability scanners and
    testing tools:
  • can find some of the low-hanging fruit in an
    application
  • miss a lot of easy bugs.
  • Scanners can provide information that an application
    is insecure, but scanners cannot provide assurance
    that an application is secure.
  • Web application vulnerability scanners and
    testing automation tools may effectively support the
    testing process but still cannot substitute for a human.

10
Questions and contact information
  • Dmitrijs Krjukovs
  • dmitrijs.krjukovs_at_lv.ey.com
  • Ernst & Young Baltic, Muitas str. 1
  • www.ey.com/lv