Web Application Testing
Quick guide to testing and references

C|EH, DevOps
I hate PCI
Ruby on Rails Developer
Pretend to know other things…
I like turtles…
No, I will not hack into your wife's email.
James Ruffer
Who are you?
Developers? Ruby? PHP? Python? Java? Android? Cobol? Fortran? Is .NET still around?
PenTesters?
Who is attacking you?
● Kiddy scripters
● Dumbasses
● Angry Hacker
● Professional Hacker
● Team of Hackers

Who should you protect yourself against?
● Kiddy Scripters
● Dumbasses
How and Why?
HOW?
Know the most common hacking tools:
https://www.concise-courses.com/hacking-tools/top-ten/
BackTrack, now known as Kali Linux: https://www.kali.org/
http://www.metasploit.com/
Resources to stay up to date on
● OWASP: www.owasp.org
● Data Loss DB: www.datalossdb.org
● Verizon Report: www.verizonenterprise.com/DBIR/
● Hack this site: www.hackthissite.org/pages/index/index.php
● Root this box
Password Rules
Please, for the love of God... force some password rules like uppercase with number and special char... expire every 90 days.
Simple Two Factor solutions: Google Two Factor
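As an added example (not from the talk), this is what a Google Authenticator-style second factor does under the hood: RFC 6238 TOTP, an HMAC-SHA1 over a 30-second counter truncated to six digits, verified server-side in Ruby. The demo secret is the RFC 6238 test key, constructed here for illustration.

```ruby
require "openssl"

# Google Authenticator implements RFC 6238 TOTP: an HMAC-SHA1 over a 30-second
# time counter, dynamically truncated (RFC 4226 5.3) to a 6-digit code.
TOTP_STEP   = 30
TOTP_DIGITS = 6

# Authenticator apps take the shared secret as unpadded base32 (RFC 4648).
def base32_decode(str)
  alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
  bits = str.upcase.delete("=").each_char.map do |c|
    idx = alphabet.index(c) or raise ArgumentError, "bad base32 char #{c}"
    idx.to_s(2).rjust(5, "0")
  end.join
  bits.scan(/.{8}/).map { |byte| byte.to_i(2) }.pack("C*")
end

# HOTP (RFC 4226): HMAC the 8-byte big-endian counter, take 4 bytes at the
# offset given by the low nibble of the last byte, mask the sign bit, mod 10^digits.
def hotp(secret_bytes, counter, digits = TOTP_DIGITS)
  hmac   = OpenSSL::HMAC.digest("SHA1", secret_bytes, [counter].pack("Q>"))
  offset = hmac.getbyte(19) & 0x0f
  code   = hmac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  (code % 10**digits).to_s.rjust(digits, "0")
end

# TOTP is HOTP with counter = floor(unix_time / step).
def totp(secret_bytes, unix_time, step = TOTP_STEP)
  hotp(secret_bytes, unix_time / step)
end

# Compare codes without leaking where they differ (no OpenSSL.secure_compare needed).
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side check: accept the current step plus `drift` steps either side
# to tolerate clock skew. A real deployment must also reject a code once it has
# been used, which this stateless example does not track.
def totp_valid?(secret_base32, code, unix_time = Time.now.to_i, drift: 1)
  secret = base32_decode(secret_base32)
  (-drift..drift).any? do |d|
    secure_equal?(totp(secret, unix_time + d * TOTP_STEP), code.to_s)
  end
end

# Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
puts totp(base32_decode(DEMO_SECRET), 59)   # RFC 6238 vector: 287082
```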
Copy / Paste will save time BUT...
Using other plugins or others' code to save time is commonly done, BUT have you actually looked at the code? Tested the code?
Open Source code is the worst for exploits. Example: the OAuth plugin https://github.com/intridea/omniauth
How old is the GitHub project?
Intro to Burp Suite for app testing
Burp Suite is a great way to test MANY things, but information gathering is the first step.
DevOps can help
● ModSec: https://www.modsecurity.org/
● Naxsi: https://code.google.com/p/naxsi/wiki/LearningMode
● TinFoil: https://www.tinfoilsecurity.com/
● NetSparker: www.netsparker.com/web-vulnerability-scanner/vulnerabilities/
Dedicated testing Box
Have a shared pentesting box with the team. Read logs and update often.
Comment in the Git push after tests.