Welcome to Scribd!

Intro To DGIT Security Testing

Uploaded by

0% found this document useful (0 votes)

40 views14 pages

This document discusses security testing of the Telflow application. It defines security as limits, restrictions, and predictability. It analogizes security testing to human trials, testing things like input capacity and restricted access. The objectives are to identify vulnerabilities, verify policy implementations, and patch discoveries. Categories include visible and invisible vulnerabilities. Methods discussed are active scanning, automated requests, and manual checks. Burp Suite is identified as a suitable tool. Current vulnerability discovery rates from different methods testing Telflow 10-0.system are provided. Examples of discovered vulnerabilities from each method are also given.

Original Description:

Original Title

Intro to DGIT Security Testing

Copyright

Available Formats

PPTX, PDF, TXT or read online from Scribd

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Report this Document

Copyright:

Available Formats

Download as PPTX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pptx, pdf, or txt

0% found this document useful (0 votes)

40 views14 pages

Intro To DGIT Security Testing

Uploaded by

OKTA NURIKA

Copyright:

Available Formats

Download as PPTX, PDF, TXT or read online from Scribd

Flag for inappropriate content

Download as pptx, pdf, or txt

Jump to Page

You are on page 1of 14

Search inside document

Intro to DGIT Security Testing

The Applicable Definition

Security <- -> Limit, Restriction, Predictability

Limit: Quantifiable boundary e.g. Max no. of input length,

max no. of users per minute, etc

Restriction: Non-quantifiable boundary e.g. Restrict users’

access to particular features of Telflow, restrict network access
from outside VPN, etc

Predictability: Expected behaviours/responses e.g. Getting

the appropriate response webpage, correct login, correct
denial of login request
Security Testing The Analogy

Security Testing = Human Trials?

On Web App On Human
Test the amount of input the web app can Test the amount of food a human can
handle take
Restrict a normal user to full features of Restrict a human to colonize other
Telflow regions
Requesting a webpage Asking somebody a question
Enter malformed input Feed poisonous food
Enter Fuzzing a.k.a. Messing Around

All of which lead us to

Enter Disco
ve
restricted hidd r
ed sections en
ce t URL
Ex limi s
the

Fuzzing
Modify the
Tamper the cookie
parameter

e x tra
Ente
r ppe nd d
malf A loa
orme pay
inp u d Insert code
t to execute
Objectives of Security Testing

1. Identify the input capacity of Telflow

2. Identify the vulnerabilities that generate unsafe responses from Telflow

3. Verify the correctness of policy implementations

4. Patch the discovered vulnerabilities

Categories of Vulnerabilities

Visible Invisible
Feasible fuzzing via portal’s input fields Feasible fuzzing via URL
Feasible fuzzing via request packet
manipulation
Vulnerabilities to Hunt

 Hunting down vulnerabilities a specified by Open Web

Application Security Project (OWASP) and Web
Application Security Consortium (WASC)

 Details: Refer to ‘Security Testing’ hierarchy on Confluence

Methods of Testing/Discovery

 Active Scan: Auto-fuzzing of URLs for multiple vulnerabilities

 Automated Request Transmission: Auto-sending of fuzzed requests

to test a specific vulnerability, specially suitable for vulnerabilities that
take too much time to finish e.g. Brute force of login

 Manual Check list: Manually executing the procedures of fuzzing or

policy reviews, suitable for unautomateable vulnerability testings e.g.
Policy reviews, analysis of sequencing patterns, decoding patterns, etc
Suitable Tools

 Selection based on accuracy benchmark by Web Application

Vulnerability Scanner Evaluation Project (WAVSEP)

 Concerns: Usability, accuracy, completeness of fuzzing

features

 The winner: Burp Suite, after practical comparisons against

other WAVSEP top performers (ZAP, IronWASP, Arachni, &
Vega)

 Honorable mention: ZAP, but lacking sequencing, decoding,

and assumed not providing ‘Force SSL’ feature
Current State of Telflow 10-0.system

 Vulnerability Discovery Rate from Active Scan: 45.45%

 Vulnerability Discovery Rate from Automated Request

Transmissions: 50%

 Vulnerability Discovery Rate from Manual Check Lists: 35%

 Note:
 The percentage reflects the no. of discovered vulnerabilities
out of the total no. of tested vulnerabilities
 Good news: the discovered vulnerabilities are mitigable
Current State of Telflow 10-0.system

 Vulnerability Discovered from Active Scan e.g. Cross-site

Scripting (Reflected)
Current State of Telflow 10-0.system

 Vulnerability Discovered from Automated Request

Transmissions e.g. Session Fixation, Web Tampering
Current State of Telflow 10-0.system

 Vulnerability Discovered from Manual Check Lists e.g.

Insufficient Session Expiration
Thank you!

Question?

Report For Foophones: by Utkarsh Munra
Document37 pages
Report For Foophones: by Utkarsh Munra
suraj fb
No ratings yet
Secure Code Review Report Sample
Document10 pages
Secure Code Review Report Sample
Amit Srimal
100% (1)
Respuestas English Plus 3
Document18 pages
Respuestas English Plus 3
Paqui Manrique
50% (20)
Telco Signalling Security Assessment
Document12 pages
Telco Signalling Security Assessment
Thái Duy Hòa
No ratings yet
List of Practicals
Document6 pages
List of Practicals
shankarcr
50% (2)
IT-IAS02: Information Assurance and Security 2
Document46 pages
IT-IAS02: Information Assurance and Security 2
Don Tiburcio
100% (1)
Penetration Testing
Document4 pages
Penetration Testing
grayman05
No ratings yet
GamaSec Example Report
Document42 pages
GamaSec Example Report
Mefistogr
No ratings yet
Checklist Đánh Giá Bảo Mật - v1
Document18 pages
Checklist Đánh Giá Bảo Mật - v1
phamducnhon
No ratings yet
Cyberdin-Example Report
Document19 pages
Cyberdin-Example Report
Miloš Urbiš
No ratings yet
GamaSec Example Report
Document42 pages
GamaSec Example Report
Bbb
No ratings yet
CC FirewallsApplicationProxyGatewayARC
Document3 pages
CC FirewallsApplicationProxyGatewayARC
shahedctg
No ratings yet
Sample Report
Document11 pages
Sample Report
qzombexzombe114
No ratings yet
SANGFOR NGAF V8.0.47 Associate 2022 05 Content Security
Document48 pages
SANGFOR NGAF V8.0.47 Associate 2022 05 Content Security
Amie Nursyal
No ratings yet
Cracking The Lens: Targeting HTTP's Hidden Attack Surface: Outline
Document17 pages
Cracking The Lens: Targeting HTTP's Hidden Attack Surface: Outline
ooo
No ratings yet
FW - 7
Document73 pages
FW - 7
eti
No ratings yet
Testing Application Identification Features of Firewalls
Document28 pages
Testing Application Identification Features of Firewalls
sumittty
No ratings yet
Secure Coding Practices For: White Paper
Document15 pages
Secure Coding Practices For: White Paper
erica jayasundera
No ratings yet
Hack2Secure Web Application Security Testing Workshop Reference Guide
Document9 pages
Hack2Secure Web Application Security Testing Workshop Reference Guide
Javved
No ratings yet
Demystifying Penetration Testing
Document35 pages
Demystifying Penetration Testing
Anderson Moreira
No ratings yet
Usenixsec 05
Document36 pages
Usenixsec 05
mohamedsamirnassar1993
No ratings yet
CH09 CompSec3e
Document36 pages
CH09 CompSec3e
Anonymous rsGzBBiqk
No ratings yet
Security Testing Lab: 360 Logica Software Testing Services
Document20 pages
Security Testing Lab: 360 Logica Software Testing Services
Girish Rajendra
No ratings yet
ECSA Dump 3
Document22 pages
ECSA Dump 3
John Trevally
No ratings yet
Hack2Secure Web Application Security Testing Workshop LiveOnline
Document5 pages
Hack2Secure Web Application Security Testing Workshop LiveOnline
Anonymous Rp4du2
No ratings yet
20 - Web Application Security Testing Using Burp Suite (Compatibility Mode) PDF
Document35 pages
20 - Web Application Security Testing Using Burp Suite (Compatibility Mode) PDF
sams
No ratings yet
Web Penetration Testing with Kali Linux - Second Edition
From Everand
Web Penetration Testing with Kali Linux - Second Edition
Ansari Juned Ahmed
No ratings yet
Security Testing Report: Snakerr
Document37 pages
Security Testing Report: Snakerr
wewola
No ratings yet
OWASPv4 Checklist (AutoRecovered)
Document30 pages
OWASPv4 Checklist (AutoRecovered)
Milbatta Sannata
No ratings yet
OWASP: Testing Guide v4 Checklist: Information Gathering Test Name
Document26 pages
OWASP: Testing Guide v4 Checklist: Information Gathering Test Name
asasa
No ratings yet
WINSEM2022-23 CSE3502 ETH VL2022230503077 Reference Material I 18-01-2023 Lect 8
Document32 pages
WINSEM2022-23 CSE3502 ETH VL2022230503077 Reference Material I 18-01-2023 Lect 8
Jaijeevaalshree N
No ratings yet
BlackHat USA 2010 Dabirsiaghi JavaSnoop WP
Document9 pages
BlackHat USA 2010 Dabirsiaghi JavaSnoop WP
krishnaraoveera1294
No ratings yet
Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (8 Week)
Document37 pages
Advanced Computer Networks & Computer and Network Security: Prof. Dr. Hasan Hüseyin BALIK (8 Week)
mustafa albayati
No ratings yet
Security Control Assessment Yes/No
Document11 pages
Security Control Assessment Yes/No
sashi
No ratings yet
OWASPv4 Checklist
Document27 pages
OWASPv4 Checklist
ester456u1
0% (1)
An Overview of Network Penetration Testing: Cite This Paper
Document7 pages
An Overview of Network Penetration Testing: Cite This Paper
Did you know THAT
No ratings yet
9 Week
Document37 pages
9 Week
Abdulaziz Tutor
No ratings yet
Ethical Hacking and Cyber Security - Day Wise Course Content
Document3 pages
Ethical Hacking and Cyber Security - Day Wise Course Content
Achyut Awasthi
No ratings yet
Vulnerabilities and Attacks: Msc. Vuong Thi Nhung Faculty of Information Technology Hanoi University
Document50 pages
Vulnerabilities and Attacks: Msc. Vuong Thi Nhung Faculty of Information Technology Hanoi University
rooney ngô
No ratings yet
NCC Group WhatsAppLLC OPAQUE Report 2021-12-10 v1.3
Document32 pages
NCC Group WhatsAppLLC OPAQUE Report 2021-12-10 v1.3
Deepanshu Sood
No ratings yet
17 Web Application Firewall
Document25 pages
17 Web Application Firewall
Gi ji
No ratings yet
Executive Summary: Table of Contents
Document6 pages
Executive Summary: Table of Contents
haritripathi52552gmail.com
No ratings yet
Vuln Scan
Document12 pages
Vuln Scan
Brijendra Pratap Singh
No ratings yet
Application Level DDoS
Document1 page
Application Level DDoS
themansu
No ratings yet
17514-2019-Winter-Model-Answer-Paper (Msbte Study Resources)
Document29 pages
17514-2019-Winter-Model-Answer-Paper (Msbte Study Resources)
aryasurve1210
No ratings yet
DAST Vulnerability Scan of Webgoat Joseph Wagner CSOL 560 Professor Moore University of San Diego
Document17 pages
DAST Vulnerability Scan of Webgoat Joseph Wagner CSOL 560 Professor Moore University of San Diego
api-600998672
No ratings yet
Firewall Audit Check List
Document7 pages
Firewall Audit Check List
Isaiah
No ratings yet
FIREWALL
Document26 pages
FIREWALL
manish 2003
No ratings yet
Network Security Arch
Document36 pages
Network Security Arch
Sankit Singh
No ratings yet
OWASPv4 Checklist
Document29 pages
OWASPv4 Checklist
testinghacker
No ratings yet
Ceklist OWASP
Document27 pages
Ceklist OWASP
Archi Travle
No ratings yet
CEH Module 17: Web Application Vulnerabilities
Document28 pages
CEH Module 17: Web Application Vulnerabilities
Ahmad Mahmoud
No ratings yet
System Testing Checklist
Document7 pages
System Testing Checklist
Smart
No ratings yet
Static Detection of Cross-Site Scripting Vulnerabilities
Document10 pages
Static Detection of Cross-Site Scripting Vulnerabilities
Leo Lopez
No ratings yet
Detailed Scan Report
Document23 pages
Detailed Scan Report
Anas Yogie
No ratings yet
Info Security Quiz 2
Document4 pages
Info Security Quiz 2
asmal.saarah
No ratings yet
MobileApp Checklist 2017
Document21 pages
MobileApp Checklist 2017
Trico Andreas
No ratings yet
Websrvices Testing Issta04
Document11 pages
Websrvices Testing Issta04
Uday Kumar
No ratings yet
Advance Penetration Testing Kali Linux Training
Document4 pages
Advance Penetration Testing Kali Linux Training
Reccio
0% (1)
SSL VPN : Understanding, evaluating and planning secure, web-based remote access
From Everand
SSL VPN : Understanding, evaluating and planning secure, web-based remote access
Joseph Steinberg
No ratings yet
Mastering Metasploit
From Everand
Mastering Metasploit
Nipun Jaswal
No ratings yet
A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities
From Everand
A Complete Guide to Burp Suite: Learn to Detect Application Vulnerabilities
Sagar Rahalkar
No ratings yet
Advanced Penetration Testing for Highly-Secured Environments - Second Edition
From Everand
Advanced Penetration Testing for Highly-Secured Environments - Second Edition
Kevin Cardwell
No ratings yet
AI-100 ExamPrep
Document46 pages
AI-100 ExamPrep
OKTA NURIKA
No ratings yet
UTrace Contact Tracing App Communication Pack
Document8 pages
UTrace Contact Tracing App Communication Pack
OKTA NURIKA
No ratings yet
Week 12 Data Link CPT Exercise
Document2 pages
Week 12 Data Link CPT Exercise
OKTA NURIKA
No ratings yet
Industrial Revolution
Document5 pages
Industrial Revolution
OKTA NURIKA
No ratings yet
XtraReport 1
Document1 page
XtraReport 1
OKTA NURIKA
No ratings yet
Defining Own Classes
Document14 pages
Defining Own Classes
OKTA NURIKA
No ratings yet
Ai 4 All
Document31 pages
Ai 4 All
OKTA NURIKA
No ratings yet
IoT Cloud Architecture.8759193.Powerpoint
Document10 pages
IoT Cloud Architecture.8759193.Powerpoint
OKTA NURIKA
No ratings yet
公开征集Topic SRGR
Document2 pages
公开征集Topic SRGR
OKTA NURIKA
No ratings yet
S3P4 Gyu Myoung Lee
Document16 pages
S3P4 Gyu Myoung Lee
OKTA NURIKA
No ratings yet
Kerio Control Hardware Appliances Datasheet
Document4 pages
Kerio Control Hardware Appliances Datasheet
alan beugre
No ratings yet
Entrepreneurshipintrapreneurshipultrapreneurshipcyberpreneurshipandcorporatesocialentrepreneurship 100211061201 Phpapp01
Document21 pages
Entrepreneurshipintrapreneurshipultrapreneurshipcyberpreneurshipandcorporatesocialentrepreneurship 100211061201 Phpapp01
Roshan Vaswani
No ratings yet
How To Use SharePoint Term Set Glossary App
Document25 pages
How To Use SharePoint Term Set Glossary App
PrasanthCrajan
No ratings yet
Networked Wireless Meter Reading
Document20 pages
Networked Wireless Meter Reading
Chinchu Sasi
No ratings yet
Conceptual Review of Social in Uencer Marketing On Purchase Intention Dynamics in Fashion Retail Industry
Document25 pages
Conceptual Review of Social in Uencer Marketing On Purchase Intention Dynamics in Fashion Retail Industry
mary_21rose
No ratings yet
Damco Shipper - Training For Vendors
Document62 pages
Damco Shipper - Training For Vendors
Harmendar S Kothari
No ratings yet
Aubrey Mcleod Resume
Document3 pages
Aubrey Mcleod Resume
api-494287486
No ratings yet
Textnow - Sun, 29 May 2022 11-06-39 GMT - Log
Document40 pages
Textnow - Sun, 29 May 2022 11-06-39 GMT - Log
kandice
No ratings yet
Get These Must-Have Administrator Tools
Document4 pages
Get These Must-Have Administrator Tools
salesforce.com
100% (2)
High Level Data Link Control (HDLC)
Document3 pages
High Level Data Link Control (HDLC)
ksureshkaliyan
No ratings yet
Tags Description - Meaning - Definition
Document23 pages
Tags Description - Meaning - Definition
Arun Mohanaraj
No ratings yet
Incidentrequest Closed Monthly Oct
Document325 pages
Incidentrequest Closed Monthly Oct
أحمد أبوعرفه
No ratings yet
Marketing in China
Document16 pages
Marketing in China
Osly
100% (1)
Why Is ATM Technology Obsolete
Document7 pages
Why Is ATM Technology Obsolete
netsanet
No ratings yet
Modern Wireless Attacks PDF
Document50 pages
Modern Wireless Attacks PDF
behlole aqil
No ratings yet
Brand Equity Kevin Lane Keller
Document136 pages
Brand Equity Kevin Lane Keller
sanjayagals
No ratings yet
Netbiter Ws100 Installation Guide
Document2 pages
Netbiter Ws100 Installation Guide
Juan José Tovar Pérez
No ratings yet
Exim Exercises
Document11 pages
Exim Exercises
Lomayani Laizer
No ratings yet
E - Commerce CH.1
Document11 pages
E - Commerce CH.1
PIYUSH CHANDRIKAPURE
No ratings yet
Sekolah Menengah Kebangsaan Laki-Laki Methodist Kuala Lumpur
Document4 pages
Sekolah Menengah Kebangsaan Laki-Laki Methodist Kuala Lumpur
kriiz
No ratings yet
How To Get 88% Open Rates and 56% CTRs Using Facebook Messenger
Document30 pages
How To Get 88% Open Rates and 56% CTRs Using Facebook Messenger
The Smart Botss
No ratings yet
How Cell Phones Work
Document12 pages
How Cell Phones Work
avinash_knit
No ratings yet
IP Office R10 To R11 Upgrade Job Aid: v9 / October 5
Document11 pages
IP Office R10 To R11 Upgrade Job Aid: v9 / October 5
syedhameed uddin
No ratings yet
Performance Tweaks and Tools For Linux
Document113 pages
Performance Tweaks and Tools For Linux
ice799
100% (2)
80gvp Us
Document340 pages
80gvp Us
alvaro_espino
No ratings yet
Students' Attitude Towards The Uses of Internet
Document9 pages
Students' Attitude Towards The Uses of Internet
johnnypdf
No ratings yet
Australian Communications and Media Authority Annual Report
Document318 pages
Australian Communications and Media Authority Annual Report
abossone
No ratings yet