Security Testing C# Web Applications

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software

The OWASP Top Ten

• OWASP Top 10 – 2017
• A1 – Injection
•        Injection principles
•        Injection attacks
•        SQL injection
•                SQL injection basics
•                Lab – SQL injection
•                Attack techniques
•                Content-based blind SQL injection
•                Time-based blind SQL injection
•        SQL injection best practices
•                Input validation
•                Parameterized queries
•                Additional considerations
•                Lab – Using prepared statements
•                Case study – Hacking Fortnite accounts
•                Testing for SQL injection
•        Code injection
•                OS command injection
•                        Lab – Command injection
•                        OS command injection best practices
•                        Lab – Command injection best practices
•                        Case study – Command injection via ping
•                        Testing for command injection
•        General protection best practices
• A2 – Broken Authentication
•        Authentication basics
•        Multi-factor authentication
•        Authentication weaknesses – spoofing
•        Spoofing on the Web
•        Testing for weak authentication
•        Case study – PayPal 2FA bypass
•        Password management
•                Inbound password management
•                        Storing account passwords
•                        Password in transit
•                        Lab – Is just hashing passwords enough?
•                        Dictionary attacks and brute forcing
•                        Salting
•                        Adaptive hash functions for password storage
•                        Password policy
•                                NIST authenticator requirements for memorized secrets
•                        Case study – The Ashley Madison data breach
•                                The dictionary attack
•                                The ultimate crack
•                                Exploitation and the lessons learned
•                        Password database migration
•                                (Mis)handling passwords
•                                Testing for password management issues

DAY 2

Security testing

• Security testing vs functional testing
• Manual and automated methods
• Security testing methodology
•        Security testing – goals and methodologies
•        Overview of security testing processes
•        Identifying and rating assets
•                Preparation
•                Identifying assets
•                Identifying the attack surface
•                Assigning security requirements
•                Lab – Identifying and rating assets
•        Threat modeling
•                SDL threat modeling
•                Mapping STRIDE to DFD
•                DFD example
•                Attack trees
•                Attack tree example
•                Lab – Crafting an attack tree
•                Misuse cases
•                Misuse case examples
•                Risk analysis
•                Lab – Risk analysis
•        Security testing approaches
•                Reporting, recommendations, and review

The OWASP Top Ten

• A3 – Sensitive Data Exposure
•        Information exposure
•        Exposure through extracted data and aggregation
•        Case study – Strava data exposure
• A4 – XML External Entities (XXE)
•        DTD and the entities
•        Entity expansion
•        External Entity Attack (XXE)
•                File inclusion with external entities
•                Server-Side Request Forgery with external entities
•                Lab – External entity attack
•                Case study – XXE vulnerability in SAP Store
•                Lab – Prohibiting DTD
• A5 – Broken Access Control
•        Access control basics
•        Failure to restrict URL access
•        Testing for authorization issues
•        Confused deputy
•                Insecure direct object reference (IDOR)
•                Lab – Insecure Direct Object Reference
•                Authorization bypass through user-controlled keys
•                Case study – Authorization bypass on Facebook
•                Lab – Horizontal authorization
•                Testing for confused deputy weaknesses
•        File upload
•                Unrestricted file upload
•                Good practices
•                Lab – Unrestricted file upload
•                Testing for file upload vulnerabilities
• A6 – Security Misconfiguration
•        Configuration principles
•        Configuration management
•        Testing for misconfiguration issues
• A7 – Cross-site Scripting (XSS)
•        Cross-site scripting basics
•        Cross-site scripting types
•                Persistent cross-site scripting
•                Reflected cross-site scripting
•                Client-side (DOM-based) cross-site scripting
•                Case study – XSS in Fortnite accounts
•        XSS protection best practices
•                Protection principles – escaping
•                Lab – XSS fix / stored
•                Lab – XSS fix / reflected
•                Additional protection layers
•                Client-side protection principles
•                Testing for XSS

DAY 3

The OWASP Top Ten

• A8 – Insecure Deserialization
•        Serialization and deserialization challenges
•        Deserializing untrusted streams
•        Deserialization best practices
•        Testing for insecure deserialization
•        Lab – Creating a POP payload
•        Lab – Using the POP payload
• A9 – Using Components with Known Vulnerabilities
•        Using vulnerable components
•        Untrusted functionality import
•        Importing JavaScript
•        Case study – The British Airways data breach
•        Vulnerability management
•                Patch management
•                Vulnerability databases
•                DevOps, the build process and CI / CD
• A10 – Insufficient Logging & Monitoring
•        Logging and monitoring principles
•        Insufficient logging
•        Plaintext passwords at Facebook
•        Logging best practices
• Web application security beyond the Top Ten
•        Client-side security
•        Tabnabbing
•        Lab – Reverse tabnabbing
•        Frame sandboxing
•                Cross-Frame Scripting (XFS) attack
•                Lab – Clickjacking
•                Clickjacking beyond hijacking a click
•                Clickjacking protection best practices
•                Lab – Using CSP to prevent clickjacking

Security testing

• Security testing techniques and tools
•        Code analysis
•                Security aspects of code review
•                Static Application Security Testing (SAST)
•        Dynamic analysis
•                Security testing at runtime
•                Penetration testing
•                Stress testing
•                Dynamic analysis tools
•                        Dynamic Application Security Testing (DAST)
•                        Web vulnerability scanners
•                        SQL injection tools
•                        Proxy servers
•                Fuzzing

Common software security weaknesses

• Input validation
•        Input validation principles
•                Blacklists and whitelists
•                Data validation techniques
•                Lab – Input validation
•                What to validate – the attack surface
•                Where to validate – defense in depth
•                How to validate – validation vs transformations
•                Output sanitization
•                Encoding challenges
•                Lab – Encoding challenges
•                Validation with regex
•        Files and streams
•                Path traversal
•                Path traversal-related examples
•                Additional challenges in Windows
•                Path traversal best practices
•                Testing for path traversal

Wrap up

• Secure coding principles
•        Principles of robust programming by Matt Bishop
•        Secure design principles of Saltzer and Schröder
• And now what?
•        Software security sources and further reading
•        Security testing resources