Jan 2013
About iViZ
iViZ Cloud based Application Penetration Testing
Zero False Positive Guarantee
Business Logic Testing with 100% WASC (Web Application Security Consortium) class coverage
Funded by IDG Ventures
30+ Zero Day Vulnerabilities discovered
10+ Recognitions from Analysts and Industry
300+ Customers
Gartner Hype Cycle: DAST and Application Security as a Service
iViZ Security Inc
7 Deadly Sins!
How to fix?
Add server-side validations at each step of the workflow
How to fix?
Create a validation process between the application and the payment gateway to confirm the exact amount transferred
How to fix?
Conduct server-side validation. Do not send the OTP to the browser.
How to fix?
Recalculate the discount if there is any change in the cart
Impact
How to fix?
Expire the coupon after the first use, not when the session ends
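The three fixes above (confirm the amount with the payment gateway, recalculate the discount whenever the cart changes, and expire a coupon on first use rather than at session end) share one underlying rule: the server recomputes every price-relevant value itself and never trusts what the browser submits. The checkout model below is an added example written for this page, not code from the iViZ deck; the catalogue, coupon table, prices and function names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed catalogue and coupon table: the server, not the browser, is the
# source of truth for prices (in cents) and for coupon state.
CATALOG: Dict[str, int] = {"book": 1200, "headphones": 4500}
COUPONS: Dict[str, dict] = {"SAVE10": {"percent": 10, "redeemed": False}}


@dataclass
class Cart:
    items: Dict[str, int] = field(default_factory=dict)   # sku -> quantity
    coupon: Optional[str] = None
    quoted_total: Optional[int] = None   # last server-computed total; None when stale


def add_item(cart: Cart, sku: str, qty: int) -> None:
    if sku not in CATALOG or qty <= 0:
        raise ValueError("unknown sku or bad quantity")
    cart.items[sku] = cart.items.get(sku, 0) + qty
    cart.quoted_total = None   # any cart change invalidates the earlier quote


def apply_coupon(cart: Cart, code: str) -> bool:
    """Attach a coupon; refuse unknown codes and codes already used once."""
    c = COUPONS.get(code)
    if c is None or c["redeemed"]:
        return False
    cart.coupon = code
    cart.quoted_total = None   # discount must be recomputed from scratch
    return True


def compute_total(cart: Cart) -> int:
    """Recompute subtotal and discount from server-side prices only."""
    subtotal = sum(CATALOG[sku] * qty for sku, qty in cart.items.items())
    discount = 0
    if cart.coupon is not None:
        c = COUPONS[cart.coupon]
        if c["redeemed"]:          # consumed since it was attached to this cart
            cart.coupon = None
        else:
            discount = subtotal * c["percent"] // 100
    cart.quoted_total = subtotal - discount
    return cart.quoted_total


def confirm_payment(cart: Cart, gateway_amount: int) -> dict:
    """Handle the payment gateway's notification.

    The amount the gateway reports as collected must equal a fresh server-side
    total; a stale quote or a browser-supplied figure is never accepted. Only on
    a matching payment is the coupon marked redeemed, which expires it for every
    later cart regardless of session lifetime.
    """
    expected = compute_total(cart)
    if gateway_amount != expected:
        return {"ok": False, "expected": expected, "received": gateway_amount}
    if cart.coupon is not None:
        COUPONS[cart.coupon]["redeemed"] = True
    return {"ok": True, "charged": expected}
```

In a real deployment the coupon flag and the cart would live in a database and the gateway amount would come from a signed server-to-server callback, but the check itself stays the same: compare the gateway's figure against a number the server just computed, never against one the client sent.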
How to fix?
Create a stronger password recovery option
Recovery links only over email
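Both the OTP fix ("do not send the OTP to the browser") and the password-recovery fix above reduce to the same server-side mechanism: generate a secret, keep only its hash with an expiry and an attempt counter, deliver the plaintext out of band (SMS or email), and consume it on first correct use. The store below is an added example written for this page, not code from the iViZ deck; the TTLs, attempt cap, purpose labels and function names are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Assumed policy values (constructed for this example, not from the deck).
OTP_TTL_SECONDS = 300          # login OTP valid for 5 minutes
RECOVERY_TTL_SECONDS = 3600    # password-recovery link valid for 1 hour
MAX_ATTEMPTS = 5               # wrong guesses allowed before the secret is void


class OneTimeSecretStore:
    """Server-side store for single-use secrets (login OTPs, recovery tokens).

    Only a hash of each secret is kept, keyed by (purpose, user_id). The
    plaintext is handed back once for out-of-band delivery and is never placed
    in an HTTP response to the browser.
    """

    def __init__(self) -> None:
        self._records: Dict[tuple, dict] = {}

    @staticmethod
    def _digest(purpose: str, user_id: str, secret: str) -> str:
        # Bind the hash to purpose and user so a value cannot be replayed elsewhere.
        return hashlib.sha256(f"{purpose}:{user_id}:{secret}".encode()).hexdigest()

    def issue(self, purpose: str, user_id: str, secret: str, ttl: int, now: float) -> None:
        # Issuing a new secret replaces any earlier one for the same purpose.
        self._records[(purpose, user_id)] = {
            "digest": self._digest(purpose, user_id, secret),
            "expires": now + ttl,
            "attempts": 0,
        }

    def verify(self, purpose: str, user_id: str, submitted: str, now: float) -> bool:
        key = (purpose, user_id)
        rec = self._records.get(key)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            self._records.pop(key, None)   # expired or brute-forced: void it
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(purpose, user_id, submitted))
        if ok:
            self._records.pop(key, None)   # single use: a correct value is consumed
        return ok


def issue_login_otp(store: OneTimeSecretStore, user_id: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"   # 6-digit numeric code
    store.issue("otp", user_id, otp, OTP_TTL_SECONDS, now)
    return otp   # pass to the SMS/email sender only, never to the page


def verify_login_otp(store: OneTimeSecretStore, user_id: str, submitted: str,
                     now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return store.verify("otp", user_id, submitted, now)


def issue_recovery_link(store: OneTimeSecretStore, user_id: str, base_url: str,
                        now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness
    store.issue("recovery", user_id, token, RECOVERY_TTL_SECONDS, now)
    return f"{base_url}?user={user_id}&token={token}"   # deliver by email only


def verify_recovery_token(store: OneTimeSecretStore, user_id: str, token: str,
                          now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    return store.verify("recovery", user_id, token, now)
```

The attempt counter is what turns "server-side validation" into a real control: without it, a six-digit OTP that never leaves the server can still be guessed online in at most a million tries.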
How to fix?
Session time-out, anti-automation, and limiting the number of threads (concurrent requests) from a single IP (DDoS still possible)
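The three controls named above, as an added example written for this page rather than code from the iViZ deck: an idle session time-out, a sliding-window request count per IP for anti-automation, and a cap on concurrent requests per IP. The timeout, window and cap values are constructed assumptions. As the slide notes, all three are keyed to a single client address, so a distributed attack spread over many IPs is not stopped by them.

```python
from collections import defaultdict, deque
from typing import Deque, Dict

# Assumed policy values (constructed for this example, not from the deck).
SESSION_IDLE_TIMEOUT = 900     # seconds of inactivity before a session is dropped
MAX_CONCURRENT_PER_IP = 5      # in-flight requests allowed from one client IP
MAX_REQUESTS_PER_WINDOW = 20   # requests allowed per IP per window
WINDOW_SECONDS = 60


class SessionStore:
    """Tracks last activity per session and expires idle sessions."""

    def __init__(self) -> None:
        self._last_seen: Dict[str, float] = {}

    def create(self, session_id: str, now: float) -> None:
        self._last_seen[session_id] = now

    def touch(self, session_id: str, now: float) -> bool:
        """Refresh on activity; False if the session is unknown or idle too long."""
        last = self._last_seen.get(session_id)
        if last is None:
            return False
        if now - last > SESSION_IDLE_TIMEOUT:
            del self._last_seen[session_id]   # an expired session is gone for good
            return False
        self._last_seen[session_id] = now
        return True


class PerIpLimiter:
    """Request-rate and concurrency limits keyed by client IP."""

    def __init__(self) -> None:
        self._windows: Dict[str, Deque[float]] = defaultdict(deque)
        self._inflight: Dict[str, int] = defaultdict(int)

    def allow_request(self, ip: str, now: float) -> bool:
        """Sliding-window count: anti-automation against scripted replays."""
        q = self._windows[ip]
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()                      # drop timestamps outside the window
        if len(q) >= MAX_REQUESTS_PER_WINDOW:
            return False
        q.append(now)
        return True

    def acquire(self, ip: str) -> bool:
        """Cap parallel (multi-threaded) requests from one IP; call release() when done."""
        if self._inflight[ip] >= MAX_CONCURRENT_PER_IP:
            return False
        self._inflight[ip] += 1
        return True

    def release(self, ip: str) -> None:
        if self._inflight[ip] > 0:
            self._inflight[ip] -= 1
```

The concurrency cap matters for business-logic flaws specifically: many race-condition abuses (redeeming a coupon or withdrawing a balance several times in parallel) need multiple simultaneous requests from one client, which the in-flight counter denies even when the per-minute budget has not been exhausted.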
How to detect?
What helps?
Threat Modeling and Attack Surface Analysis
Break down the key processes into workflows/flow charts to detect possible manipulations
Penetration Testing with Business Logic Testing by Experts
Design Review
How to prevent?
Design the application/use-case scenarios keeping Business Logic Vulnerabilities in mind
Conduct Security Design Reviews
Independent/Third-Party Tests (within or outside the company)
Comprehensive Pen Test with Business Logic Testing before the Application goes live
Resources
OWASP:
https://www.owasp.org/index.php/Testing_for_business_logic_(OWASPBL-001)
Webscarab:
https://www.owasp.org/index.php/OWASP_WebScarab_Project
Stay safe!
Thank You
bikash@ivizsecurity.com
Blog: http://blog.ivizsecurity.com/
LinkedIn: http://www.linkedin.com/pub/bikash-barai/0/7a4/669
Twitter: https://twitter.com/bikashbarai1