
Testing Web Application Security

Course Code: SEC119

Duration: 2 Days

It is impossible to build a secure web application without conducting thorough application security testing. This course brings the techniques of security testing to software testing professionals. Aspect’s Testing Web Application Security training raises tester awareness of application security issues and provides practical techniques of how to test for these problems. The class is based on Aspect’s years of application security testing experience and is led by an experienced application security practitioner.

This class includes hands-on exercises where the participants get to apply their knowledge on real vulnerabilities in an actual live web application. This specially designed environment includes deliberate flaws the participants have to find and diagnose. Participants gain hands-on testing experience with freely available web application security test tools to find and diagnose flaws and learn to identify them in their own projects.
This course is designed for:
  • Software testers
  • Software quality assurance professionals
Upon completion of this course, participants will be able to:
  • Understand and be able to employ the security features involved with using HTTP (e.g., headers, cookies, SSL).
  • Understand the primary tools available for testing web application security, including when and how to apply them effectively.
  • Verify whether an application handles credentials securely across the range of authentication support functions, including login, change password, forgot password, remember password, logout, re-authentication, and timeouts.
  • Identify and test access control rules for the user interface, business logic, and data layers.
  • Recognize potential input validation issues, particularly injection and cross-site scripting (XSS) problems, and learn how to test for appropriate input validation mechanisms for user input and other sources of input.
  • Understand the dangers of command injection and techniques for testing an application for injection flaws.
  • Understand how to test for proper error (exception) handling and how to verify that appropriate logging is being performed across an application.
  • Understand how to evaluate whether the cryptographic components of an application are sufficient.
  • Verify the use of appropriate auditing/logging capabilities.
  • Understand the variety of denial of service attacks and the techniques that can be employed to detect potential problems.
  • Understand the factors involved in testing the security of a Web Service.
Introduction
Section Overview: This section describes and introduces the course, and instructors. It also provides setup instructions for the course exercises.
  • Training Program Introduction
  • Course Objectives, Approach, and Layout
  • Participants Introduce Themselves
  • Intro to Aspect Security/Instructors
  • Discussion of Applicable Corporate Initiatives
  • Review of Course Agenda
  • Install and Setup Testing Environment
Understanding Web Application Security
Section Overview: This section introduces what web application security is and focuses on how vulnerable software exposes a company’s assets. It compares and contrasts application security with network and host security. It also briefly introduces the concept of risk. Finally, it describes the current state of the application security market along with different forces involved with its evolution.
  • Introduction to What Application Security Involves
  • Differences between Application and Network/Host Security
  • Understanding the Application Security Problem
  • Test Your Hacker IQ
  • Thinking about Risk
  • OWASP
  • Market Forces and Trends
Understanding HTTP and Web Technologies
Section Overview: This section provides the foundations needed to understand the upcoming application security concepts. It begins by describing the HTTP protocol and how it relates to web applications. It then examines various aspects of the protocol in detail, to build an understanding of the entire communication path from client request through server processing and server response to browser interpretation. It then discusses how a hacker proxy can be used to modify HTTP requests and where this proxy fits into the big picture. Finally, the first hands-on lesson gets participants familiar with the hands-on application and comfortable using a security testing proxy.
  • HTTP Protocol (Requests, Responses, Headers, Cookies, Parameters, Response Codes)
    • Security of GET vs. POST
    • SSL and Certificates
    • Redirect and Forward
  • Introducing a Security Testing Proxy
    • WebScarab Overview
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat HTTP Basics
    • Hands On Testing Exercise: WebGoat and Proxy
How to Test Authentication
Section Overview: This section introduces common web authentication methods along with their strengths and weaknesses. It discusses best practices for testing authentication and uses hands-on lessons to demonstrate some common authentication mistakes. Through this we discuss different technology specific authentication uses and configurations.
  • Overview
  • Authentication Mechanisms
  • Common Authentication Approaches (LDAP, Database)
  • How to Test Credential Protection
  • How to Test for Weak Credentials
  • How to Test Password Management Functions
  • How to Test for Phishing Susceptibility
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Basic Authentication
    • Hands On Testing Exercise: WebGoat – Authentication Cookies
    • Spot the Bug(s): Flawed Password Change Page
How to Test HTTP Sessions
Section Overview: This section introduces what session management is and how to test it within a web application environment. It discusses common mistakes developers make regarding session management and attacks that stem from these mistakes. The section discusses best practices associated with testing session management and technology specific implementation approaches.
  • Introduction to HTTP Sessions
  • Explanation of Session Lifecycle (login, logout, reauthentication, timeouts)
  • How to Test for Susceptibility to Session Hijacking
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Weak Session Identifier
    • Spot the Bug(s): Logout Flaws
How to Test Access Control
Section Overview: This section introduces access control in a web environment and the various complexities associated with implementing strong access protections. Testing techniques for access control at different levels are discussed, including presentation-layer access control, business logic access control, and data-layer access control.
  • Overview
  • Understanding Your Access Control Policy
    • Reverse engineering an Access Control Matrix
  • Testing Presentation Layer Access Control
  • Testing Environment Enforced Access Control
    • Attack Surface
    • Single Role vs. Multi-Role URLs
  • Testing Business Layer Access Control
    • Single Role vs. Multi-Role Business Functions
  • Testing Data Layer Access Control
    • The Object Reference Problem
  • Testing for Other Common Access Control Problems
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Access Control
How to Test for Cross Site Scripting (XSS)
Section Overview: The section introduces a very common web application attack known as Cross Site Scripting (XSS). It explains how and why this attack works and the consequences of such attacks. It covers testing two types of XSS attacks (reflected and stored) and allows the participants to apply what they have learned by executing XSS attacks using hands-on lessons. Throughout the section different technology specific protections, including validation and output encoding, are explored and discussed.
  • Overview of XSS
    • Types of XSS (Stored and Reflected)
    • Tricking the Browser Sandbox
    • Consequences of XSS
  • How to Test for XSS Problems
    • Attack Surface
    • HTTPOnly
    • HTML Entity Encoding
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Stored and Reflected XSS
How to Test Input Validation
Section Overview: The section discusses validating input for other problems beyond XSS. This section introduces and explains input validation threats, demonstrates the attacks, and allows participants to apply what they have learned by using hands-on testing lessons.
  • Positive Validation
  • Hidden Fields
    • Hands On Testing Exercise: WebGoat – Hidden Fields
    • HTML Entity Encoding
    • Canonicalization
  • How to Test Validation of Data from Other Sources
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Encoding
    • Spot the Bug(s): Input Validation Flaws
    • Hands On Testing Exercise: WebGoat – JavaScript
How to Test Sensitive Data Protection
Section Overview: This section discusses common cryptographic problems associated with web applications. Techniques for validating the strength and implementation of common cryptographic mechanisms are discussed, including encrypting, decrypting, hashing, and the use of SSL. It also discusses testing for other common flaws that can lead to the exposure of sensitive data.
  • Overview
  • Cryptography Introduction
  • How to Verify the Algorithm
  • How to Test for Susceptibility to Replay Attacks
  • How to Verify the Proper Use of SSL
  • Exercises and Labs:
    • Spot the Bug(s): Flawed Use of Cryptography
How to Test for SQL Injection and Database Security
Section Overview: The section provides the material necessary to test whether or not an application uses a database securely. Testing techniques for verifying that an application has not exposed the database to attack are demonstrated.
  • Database Security Introduction
  • How to Test for SQL Injection
  • Verifying that Database Configuration Information Is Protected
  • Verifying Least Privilege
  • Verifying Transactions
  • Testing Database Error Handling
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – SQL Injection
How to Test Error Handling and Logging
Section Overview: This section introduces the importance of proper error handling and security logging mechanisms for security critical events. Testing error handling and logging is critical to verifying the security of an application, yet it is often overlooked.
  • Overview
  • How to Test Error Handling
  • How to Test Logging and Intrusion Detection
  • Exercises and Labs:
    • Spot the Bug(s): Improper Error Handling
    • Hands On Testing Exercise: WebGoat – Fail Open Authentication Pattern
    • Group Exercise: What to Log?
How to Test Availability
Section Overview: Protecting availability is an important security concern for many applications. This section discusses testing techniques for verifying that the application’s availability is protected against denial of service attacks.
  • Overview of Availability
  • Testing Susceptibility to Flooding Attacks (bandwidth, file system)
  • Testing Susceptibility to Account Lockout (accounts, pools)
How to Test Other Security Critical Areas
Section Overview: This section covers a few other areas that are critical to security and provides techniques for testing the security of these areas.
  • Testing for Debug and Test Code
  • Testing with Search Engine (Google) Hacking
  • Testing for Concurrency Vulnerabilities
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Clues in HTML
    • Spot the Bug(s): Find the Concurrency Flaws
How to Test Secure XML Use
Section Overview: This section discusses the use of XML for data storage and transmission. XML parsers and generators have been abused through certain types of injection attacks, and applications that use them need to be tested for these flaws.
  • XML Overview
  • Testing for Security Risks Associated With XML
    • XML Documents and Data Stores
    • XML-Based Communication
    • XML Threats and Attacks
    • XPath Injection Attack
How to Test Secure Service Use
Section Overview: This section discusses security issues associated with external connections and walks through various best practices for testing them. It also serves as a review of all the techniques covered so far: participants should realize that every practice they have learned for testing a web application applies to an external connection as well.
  • A Pattern for Using Services Securely
  • Applying the Pattern to Test for Command Injection
  • Examples of How to Access Services Securely
  • How Do Web Services Work?
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Command Injection
    • Hands On Testing Exercise: WebGoat – E-Mail Exploitation
    • Hands On Testing Exercise: WebGoat – WS SOAP Request
    • Hands On Testing Exercise: WebGoat – WS WSDL Scanning
    • Hands On Testing Exercise: WebGoat – WS SQL Injection
Integrating Security Testing into the SDLC
Section Overview: This section describes the importance of integrating security testing and processes throughout the entire software development lifecycle. It walks through each lifecycle stage and suggests, at a high level, security activities, methodologies and tools that, when integrated into the SDLC, improve the overall security posture of an organization's software.
  • How to Figure out How Much Security You Need
  • Using Threat Modeling to Drive Security Testing
  • Server Configuration
  • Application Security Testing and Analysis Tools
    • Platform-Specific Security Tools
    • Vulnerability Scanning Tools
    • Penetration Testing Tools
    • Static Analysis Tools
    • Code Review
    • Reporting Tools
  • Exercises and Labs:
    • Group Exercise: Develop a Security Test Plan
References
  • Books
  • OWASP Resources
  • Microsoft Application Security Resources
  • Web Application Security Consortium Guidelines
The Challenge
Section Overview: The challenge section allows participants to step back, review what they have learned throughout the course, and apply that knowledge to a final hack on the hands-on Challenge lesson. This lesson combines many of the vulnerabilities previously discussed into a single multi-stage lesson. Unlike the previous lessons, which include hints to guide the participant through each stage of an attack, this lesson contains no hints. The instructor is available to assist, but ideally this is the time for participants to use their creativity and the knowledge gained from the course to successfully compromise the final lesson.
  • Exercises and Labs:
    • Hands On Testing Exercise: WebGoat – Challenge Stage 1
    • Hands On Testing Exercise: WebGoat – Challenge Stage 2
    • Hands On Testing Exercise: WebGoat – Challenge Stage 3