Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

New Adventures In Security Testing

No description
by

Daniel Billing

on 15 April 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of New Adventures In Security Testing

Why Security?
Discovered an interest through personal learning
Reflections
How far has just being a 'functional tester' taken me?
Boldly Going...?
New Adventures In Security Testing
Have I maintained and developed my skills as a tester?
What do I have to do to make a change?
Am I excited by my work any more?
Driven equally by curiosity and frustration
Desired a better understanding of applications under test
Play it safe!
AltoroMutual - http://www.altoromutual.com
IBM AppScan Demo site
Deliberately vulnerable
Free to use
No set up required
Gruyere - http://google-gruyere.appspot.com/
Created by Google
Open Source
Structured approach to learning exploits and vulnerabilities
First Steps
Learn the OWASP Top 10 2013!
Learn some techniques
Understand your applications and their infrastructure
Get to know your Ops and Dev team
"To know what skills to focus on learning you need to know what skills you need for your chosen career or job and compare this to what skills you currently have. The difference between the two is where you should focus your learning"
Remaining Relevant and employable in a changing world - Testers Edition
Rob Lambert, Leanpub, 2013
OWASP
www.owasp.org
Open Web Application Security Project
"Thats good, you have taken your first step into a larger world" - Obi Wan Kenobi
...because they want to get to know you! These sites will help you understand some of the more straightforward ways that your web applications could be exploited
Try HackThisSite.org or HackThis.co.uk
"Once you start down the dark path forever it will dominate your destiny. Consume you it will" - Yoda
Weapon of Choice!
Zed Attack Proxy
BurpSuite
Q & A
xkcd.com/327 - Exploits of a Mom
Example - altoromutual.com
...is all about the attacks!
Potential Threats
Source: nccgroup 2012
Data from April - June 2012
Recent Significant Attacks
Syrian Electronic Army attacked the Skype Twitter and Facebook page, sending out a message against NSA surveillance - 1st Jan 2014
A Pakistani Hacker group hacked an Australian financial services company - 1st Jan 2014 via an unknown method, stealing 527 affiliate account credentials.
Unknown hackers launced a DDos attack against Steam, Origin, Battle.net and League of Legends - 3rd Jan 2014
Source: Hackmageddon.com Feb 5th 2014
RedHack collective launched an XSS attack against Turkish government agencies and also Vodafone, in an effort to prove that personal voicemails were being logged - 10th Jan 2014. Redacted call data was posted online.
Unknown hackers attacked 1 of 8 computers in the Reactor Room at Monju Nuclear Plant, Japan. The machine contained 42000 emails and staff records - the attack was originated or routed through South Korea - 2nd Jan 2014
Know Your Enemy!
Potential Vulnerabilities
Injection
Cross Site Scripting XSS
XSS Explained!
Source: Gem www.cigital.com
Example - altoromutual.com
SQL Injection Explained!
Security Misconfiguration
Cross Site Request Forgery
Exploits the trust the user has in a website
Exploits vulnerabilities in the database layer of an application or website
Poorly configured websites expose potentially sensitive files and data
Tricks a victim into sending requests to a malicious site through the trust they have in the browser
Unvalidated Redirects and Forwards
SEEK...LOCATE
EX - EXPLORE
Example: redirect to a third party site - http://altoromutual.com/disclaimer.htm
A user can be redirected to a malicious site
Dan Billing
@thetestdoctor

Example: CRSF allows credentials to be reused without the knowledge of the victim
@thetestdoctor
thetestdoctor.blogspot.co.uk
T - THREATS
E - EXPERIMENT
R - RISKS
M - MONITOR
IN - INTERROGATE
A - ANALYSIS
T - TARGETED
E - EXPEDITED
Fiddler
Browser Tools and plugins
@newvoicemedia
www.newvoicemedia.com
A final thought...
Full transcript