Application Penetration Testing: Presentation By: Nancy Cohen
Presentation by:
Nancy Cohen
Overview
Parameter tampering
Known vulnerabilities
Brute force
Session hijacking
Information gathering
Creating a Security Testing Project
Threat Models
Test plan
Test cases
Problem reports
Postmortem
*Threat Modeling
Attack tree (reconstructed from the extracted slide layout; an AND node needs both children to hold):
1.a. Possible password combinations are small and can be brute forced
  AND
1.b. Site allows a large or unlimited # of password guesses
1.c. Site has an exploitable command injection (SQL, CGI) vulnerability
  1.c.a. User data is not securely validated on server
    AND
  1.c.b. User data is placed insecurely into a command or shell on the server
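The attack tree above, encoded as data so a tester can evaluate it: which leaf conditions make the goal reachable, and which fixes break every path. This is an added example, not code from the presentation; the root node name "goal" is an assumption, since the extracted slide does not show the root.

```python
"""Attack-tree evaluation for the threat model on the slide (added example)."""
from dataclasses import dataclass, field
from itertools import combinations
from typing import FrozenSet, List, Set


@dataclass
class Node:
    name: str
    op: str = "LEAF"                 # "AND", "OR" or "LEAF"
    children: List["Node"] = field(default_factory=list)

    def holds(self, true_leaves: Set[str]) -> bool:
        """Does this subtree succeed given the leaf conditions that hold?"""
        if self.op == "LEAF":
            return self.name in true_leaves
        results = (c.holds(true_leaves) for c in self.children)
        return all(results) if self.op == "AND" else any(results)

    def leaves(self) -> Set[str]:
        if self.op == "LEAF":
            return {self.name}
        return set().union(*(c.leaves() for c in self.children))


# Tree from the slide: brute force needs 1.a AND 1.b; command injection (1.c)
# needs 1.c.a AND 1.c.b; either path satisfies the root. "goal" is assumed.
TREE = Node("goal", "OR", [
    Node("brute-force", "AND", [
        Node("1.a small password space"),
        Node("1.b unlimited guesses"),
    ]),
    Node("1.c command injection", "AND", [
        Node("1.c.a input not validated"),
        Node("1.c.b input placed in command"),
    ]),
])


def minimal_cut_sets(tree: Node) -> List[FrozenSet[str]]:
    """Smallest leaf combinations that make the root succeed."""
    leaves = sorted(tree.leaves())
    found: List[FrozenSet[str]] = []
    for size in range(1, len(leaves) + 1):
        for combo in combinations(leaves, size):
            s = frozenset(combo)
            if any(m <= s for m in found):
                continue                 # superset of a known cut set
            if tree.holds(set(s)):
                found.append(s)
    return found


def breaks_every_path(tree: Node, fixed: Set[str]) -> bool:
    """True if removing these leaves defeats the root even if all others hold."""
    return not tree.holds(tree.leaves() - fixed)
```

Each minimal cut set is one test case to write; a fix set that passes breaks_every_path is the smallest set of controls that closes the goal.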
*Build a Test Plan
Dependency testing
User interface testing
Design testing
Implementation testing
Dependency Testing
TOCTOU – time-of-check-to-time-of-use
A time gap exists between when an application
checks security on a particular function or piece of
data and when that privilege is exercised
*The Problem Report
Must include
Reproduction steps
List the steps that another tester/developer must
follow to reproduce the failure
Severity
What is the potential result of the failure
Exploit scenarios
The specific sequence of things an attacker can
do to take advantage of a security flaw and the
consequences of doing so
*Postmortems