Each step includes:
- links to a few resources as a starting point, but you are likely to need to do your own additional research as you explore each topic.
- a suggested exercise or two, which focus on reflection, practical application and discussion, as a tool to connect the resources with your reality.
Take your time. Dig deep into areas that interest you. Apply what you learn as you go.
This pathway was developed in conjunction with Daniel Billing & Sarah Burgess
STEP - Introduction to OWASP
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organisation focused on improving the security of software. Understand the breadth of information and resources available on the OWASP site:
- 2013 - OWASP Top 10
- 2015 - Common Application Security Attacks - OWASP
- 2015 - Common Types of Software Vulnerabilities - OWASP
- 2015 - OWASP Testing Guide (PDF)
- 2015 - Application Security Verification Standard - OWASP
[1 hour] The volume of information available on the OWASP site can be overwhelming. The resources on the site are the product of thousands of active wiki users; however, the aspects of security that your organisation prioritises will depend on the views of the individuals in it. To bring your focus back to what is relevant for your context, talk to someone in your team about security. You may like to find out:
- What security testing does your organisation currently prioritise? Why?
- Have you been attacked in the past? In what way?
- How are developers preventing vulnerabilities in your applications?
STEP - Threat Modelling
Understand how threat modelling can help clarify risks to the organisation:
- 2002 - The STRIDE Threat Model - Microsoft Developer Network
- 2015 - STRIDE mind map - Katrina Clokie
- 2015 - Application Threat Modeling - OWASP
- 2015 - Threat Modeling Cheat Sheet - OWASP
- 2014 - Trust instead of threats - Jim Bird
[1 hour] Use the STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to think about threats to your application. Try to get specific about the ways in which your organisation is vulnerable to each category of threat. Share your thinking with a security specialist or technical lead, and see if you can add anything extra to your threat model with their help.
STEP - Approach to security testing
Learn how others plan security testing and integrate it into their development process:
- 2015 - Web Security Testing Mind Map - Test Insane
- 2012 - Security testing checklist for web applications - Santhosh Tuppad
- 2014 - Confessions of an accidental security tester - Alan Richardson
- 2013 - Don’t go live with simple security problems - Alan Richardson
- 2013 - Cocktail strings - Quick test for web security testing - Erik Brickarp
- 2014 - Security Testing Part I (audio) - Stephen Janaway & Daniel Billing
- 2014 - Security Testing Part II (audio) - Stephen Janaway & Daniel Billing
- 2015 - 3 epiphanies of Security Testing (audio) - Stephen Janaway & Declan O’Riordan
- 2015 - Continuous Security - Laura Bell
- Security sandwich - ThoughtWorks
[1 hour] Talk to your team about who is currently responsible for security testing and how it is integrated into your existing development process. Talk to a technical lead or coach about the opportunities for improving what you do now.
WARNING: In many countries it is illegal to perform the following attacks against systems you do not own or do not have explicit permission to test. Practise your security testing skills only in the demonstration environments specified in the exercises.
STEP - SQL injection attack
Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Understand more about SQL injection:
- 2013 - Hacking websites with SQL injection (video) - Tom Scott
- 2014 - #1 Injection (video) - Warren Moynihan
- 2014 - SQL injection example - Pete Houghton
- 2015 - Top 10 2013 - Injection - OWASP
- 2007 - SQL injection attacks by example - Steve Friedl
- 2013 - Everything you wanted to know about SQL injection - Troy Hunt
- Exploits of a Mom - XKCD
[1 hour] Work through the exercises on how to exploit a SQL injection vulnerability. Using the intentionally vulnerable demonstration site, you should learn how to gain unauthorised access to an application, find user account and password details, and discover details of the underlying database.
[1 hour] The Altoro Mutual website is published by Watchfire, Inc. for the sole purpose of demonstrating the effectiveness of Watchfire products in detecting web application vulnerabilities and website defects. Based on what you’ve learned, how many ways can you gain access to the application using SQL injection? If you’re unsure where to begin, you may wish to try the Online Banking Login form as a starting point for your attack.
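The following is an added example, not code from the original pathway or from any of the demonstration sites it names. Against a constructed in-memory SQLite database it reproduces the three outcomes the exercises above ask for (bypassing a login, dumping account and password details, and reading the schema of the underlying database), and places each vulnerable query beside its parameterised fix so you can see why binding values rather than concatenating them closes the hole. The table contents, function names and payloads are all assumptions made for this demo.

```python
import sqlite3

# Constructed sample data for an in-memory database; nothing here comes from
# any real site or from the demonstration environments named in the pathway.
USERS = [
    ("alice", "alice-password", "user"),
    ("admin", "correct horse battery staple", "admin"),
]
PRODUCTS = [("Supercar A",), ("Supercar B",)]


def make_db():
    """Build an in-memory SQLite database with users and products tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO products VALUES (?)", PRODUCTS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable login: input is glued into the SQL text, so the
    interpreter cannot tell where the data ends and the query begins."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Fixed login: placeholders bind the input as values, never as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Deliberately vulnerable product search (string concatenation again)."""
    query = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    return [r[0] for r in conn.execute(query).fetchall()]


def search_parameterised(conn, term):
    """Fixed product search: the wildcards are added to the bound value."""
    rows = conn.execute("SELECT name FROM products WHERE name LIKE ?",
                        ("%" + term + "%",)).fetchall()
    return [r[0] for r in rows]


# Payloads a tester would type into a login form or search box.
BYPASS = "admin' -- "          # closes the string, comments out the password check
TAUTOLOGY = "x' OR '1'='1"     # makes the WHERE clause true for every row
DUMP_USERS = "%' UNION SELECT username || ':' || password FROM users -- "
DUMP_SCHEMA = "%' UNION SELECT sql FROM sqlite_master -- "


def demo():
    """Run each payload against the vulnerable and the fixed functions."""
    conn = make_db()
    return {
        "bypass_vuln": login_vulnerable(conn, BYPASS, "wrong"),
        "bypass_fixed": login_parameterised(conn, BYPASS, "wrong"),
        "tautology_vuln": login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "tautology_fixed": login_parameterised(conn, TAUTOLOGY, TAUTOLOGY),
        "users_vuln": search_vulnerable(conn, DUMP_USERS),
        "users_fixed": search_parameterised(conn, DUMP_USERS),
        "schema_vuln": search_vulnerable(conn, DUMP_SCHEMA),
        "legit_fixed": login_parameterised(conn, "alice", "alice-password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The UNION payloads work because the injected SELECT returns the same number of columns as the original query; in a real engagement finding that column count (and the table names, via the schema query) is usually the first step before any data comes out. Note that the fixed search still passes the raw term through `LIKE`, so `%` and `_` in user input remain wildcards; that is a functional quirk, not an injection, but worth knowing when you test search boxes.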
STEP - Cross site scripting attack
Cross site scripting, or XSS, flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Understand more about XSS:
- 2013 - Cracking websites with Cross Site Scripting (video) - Tom Scott
- 2014 - #3 Cross-Site Scripting (video) - Warren Moynihan
- 2014 - XSS and open redirect example - Pete Houghton
- 2015 - Top 10 2013 - Cross site scripting - OWASP
- Cross site scripting - Google Application Security
- Cross site scripting (XSS Attack) - Acunetix
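The following is an added example, not code from the original pathway or from Gruyere or the other sites it names. It models the server side of the flaw described above: a page that reflects a comment and a search term back to the browser, first without escaping and then with it, parsed afterwards with Python's own HTML parser to show what a browser would actually see. It also shows the caveat a tester will hit in practice: escaping alone is not enough when the value lands in an unquoted attribute, because the characters that break out there are a space and an equals sign, which escaping never touches. The page markup, payloads and the short "canary" string are assumptions made for this demo.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: a benign comment and two payloads a tester might submit.
BENIGN = "Nice car!"
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = "x onmouseover=alert(1)"   # no quotes or angle brackets at all
CANARY = "<'\""                            # one character per HTML context


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser's parser would."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse(fragment):
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector


def tags_in(fragment):
    """Tag names the browser would create from this fragment."""
    return parse(fragment).tags


def attributes_of(fragment, tag="input"):
    """Attributes the browser would assign to the given tag."""
    return parse(fragment).attrs.get(tag, {})


def render_comment_vulnerable(comment):
    """Reflects the comment into the page body with no escaping (the flaw)."""
    return "<p class=\"comment\">" + comment + "</p>"


def render_comment_escaped(comment):
    """Escapes <, >, &, ' and \" so the browser treats the input as text."""
    return "<p class=\"comment\">" + html.escape(comment, quote=True) + "</p>"


def render_search_unquoted(term):
    """Escaped, but placed in an UNQUOTED attribute: still injectable, because
    the attribute value ends at the first space and html.escape leaves spaces
    and '=' alone."""
    return "<input name=\"q\" value=" + html.escape(term, quote=True) + ">"


def render_search_quoted(term):
    """Escaped AND quoted: the value cannot break out of the attribute."""
    return "<input name=\"q\" value=\"" + html.escape(term, quote=True) + "\">"


def reflects_unescaped(render, canary=CANARY):
    """Tester's quick check: if the canary comes back byte-for-byte, every
    character a real payload needs survives the round trip."""
    return canary in render(canary)


if __name__ == "__main__":
    print(tags_in(render_comment_vulnerable(SCRIPT_PAYLOAD)))
    print(tags_in(render_comment_escaped(SCRIPT_PAYLOAD)))
    print(attributes_of(render_search_unquoted(ATTR_PAYLOAD)))
    print(attributes_of(render_search_quoted(ATTR_PAYLOAD)))
```

The canary check is the same idea as the "cocktail strings" resource listed under the previous step: submit a handful of characters that matter in different contexts, then read the raw response (not the rendered page) to see which of them came back unchanged. Whether a surviving character is exploitable then depends on where in the markup it landed, which is why the example separates body text from quoted and unquoted attributes.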
[2 hours] Gruyere is an application with a number of security vulnerabilities for use as a learning tool. Using a Firefox browser, start up your own instance of Gruyere and try to complete the XSS Challenges. Each challenge includes hints to help you expose the vulnerabilities independently, then explains one way to exploit and fix the problems in the application.
[3 hours] For this exercise you’ll need a proxy application that allows you to capture, edit and resubmit network traffic. You may wish to download Fiddler, ZAP, Burp Suite, or use another tool of your choice.
Using the deliberately insecure Supercar Showdown website, complete the following challenges:
STEP - Exploiting authentication and session management
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities. Understand more about authentication and session management:
- 2014 - #2 Broken authentication and session management (video) - Warren Moynihan
- 2013 - How not to Store Passwords (video) - Tom Scott
- 2012 - Hacking web authentication - Prateek Gianchandani
- 2015 - Security Question and Security Answer Testing - Test Maniac
- 2014 - The difference between two factor and two step authentication - Paul Moore
- 2015 - Top 10 2013 - Broken authentication and session management - OWASP
[3 hours] For this exercise you’ll need a proxy application that allows you to capture, edit and resubmit network traffic. You may wish to download Fiddler, ZAP, Burp Suite, or use another tool of your choice.
Using the deliberately insecure Supercar Showdown website, complete the following challenges:
- Spoof another user’s session and perform actions against their user account
- Elevate your access privileges from a standard user to an administrative user
- Attempt to reset the password of another user
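The following is an added example, not code from the original pathway or from the Supercar Showdown site. It shows the mechanism behind the "elevate your access privileges" challenge: an application that stores the user's role in a cookie and trusts whatever comes back, which a tester rewrites in the proxy from `role=user` to `role=admin`, placed beside a cookie that is HMAC-signed so that the same edit is rejected. The cookie layout, field names and key handling are assumptions made for this demo; the key is generated at start-up here only so the block runs stand-alone.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for this demo. A real application loads it from configuration,
# never from source code, and never regenerates it on each start.
SECRET_KEY = secrets.token_bytes(32)


# --- Naive design: the cookie carries the role and the server believes it ---

def issue_cookie_naive(username, role):
    return f"user={username};role={role}"


def role_from_cookie_naive(cookie):
    fields = dict(part.split("=", 1) for part in cookie.split(";"))
    return fields.get("role")


# --- Hardened design: the cookie is HMAC-signed, so any edit invalidates it ---

def sign(payload_b64):
    return hmac.new(SECRET_KEY, payload_b64, hashlib.sha256).hexdigest()


def issue_cookie_signed(username, role):
    payload = json.dumps({"user": username, "role": role}).encode()
    payload_b64 = base64.urlsafe_b64encode(payload)
    return payload_b64.decode() + "." + sign(payload_b64)


def role_from_cookie_signed(cookie):
    """Return the role only if the signature matches, otherwise None."""
    try:
        payload_b64, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None            # malformed cookie: no separator
    payload_b64 = payload_b64.encode()
    # compare_digest runs in constant time, so the check leaks nothing via timing
    if not hmac.compare_digest(sig, sign(payload_b64)):
        return None
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("role")


# --- What the tester does in the proxy -------------------------------------

def tamper_naive(cookie):
    """Edit the outgoing request: plain text, so a find-and-replace is enough."""
    return cookie.replace("role=user", "role=admin")


def tamper_signed(cookie):
    """Edit the role inside the payload but keep the original signature."""
    payload_b64, sig = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload_b64.encode()))
    data["role"] = "admin"
    forged = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    return forged + "." + sig


def demo():
    naive = issue_cookie_naive("alice", "user")
    signed = issue_cookie_signed("alice", "user")
    return {
        "naive_before": role_from_cookie_naive(naive),
        "naive_after": role_from_cookie_naive(tamper_naive(naive)),
        "signed_before": role_from_cookie_signed(signed),
        "signed_after": role_from_cookie_signed(tamper_signed(signed)),
        "signed_garbage": role_from_cookie_signed("not-a-cookie"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A signature stops tampering, but it does not stop replay: a copied cookie still works until it expires, which is why the first challenge above (spoofing another user's session) is about how tokens are generated and protected in transit, not how they are signed. The usual alternative to the signed cookie is to keep the user and role server-side and put only a long random identifier (`secrets.token_urlsafe(32)` or similar) in the cookie, so there is nothing in the client's hands to edit at all.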
STEP - Practice makes perfect
The previous steps give information and exercises for the top three attacks in the OWASP Top 10. All of the vulnerable learning environments provided so far are susceptible to these attacks in some way.
EXERCISE
[8 hours] Take the opportunity to practise the three types of exploit that have been introduced in this pathway: SQL injection attacks, XSS attacks, and authentication exploitation. Revisit each learning environment and see how many additional vulnerabilities you can discover.
STEP - Serious security
Security testing is a rich, specialised discipline. Beyond this taster of what’s possible, there are a number of other aspects of application security to consider:
- 2015 - OWASP Top 10 vulnerabilities (10 videos) - Ethical Hacking Team IBM
- 2014 - The attack that could disrupt the whole internet (video) - Tom Scott
- 2013 - Hashing algorithms and security (video) - Tom Scott
- 2014 - Public Key Cryptography (video) - Robert Miles
- 2014 - Security Testing Tools Mind Map - Nagasahas Dasa
[8 hours] If you’d like to get deeper into security testing, the next logical step is to run your own vulnerable learning environment. OWASP WebGoat aims to provide a de facto interactive teaching environment for web application security. The application must be downloaded and installed on a local web server; the user guide includes instructions. While the application is running, your machine will be very susceptible to attack and should be disconnected from the internet. WebGoat is for educational purposes and includes a number of lesson plans covering the different aspects of application security.
Too Good.. Thanks
OMG Thank you for this resource! This is exactly what I have been looking for, in the way I like to read things. Perfection.