Where to start studying information security. Information security for dummies. Computer security for dummies


Translation: Olga Alifanova

How it all began

Not so long ago, security testing (and its equally scary brother, penetration testing) was a huge, scary bug that was tamed by those who understood it. They were paid very, very well for this. Then life changed and I suddenly found myself stumbling upon things that would have cost my employer dearly if I hadn't caught them.

Suddenly I was learning more about the beginnings of security testing—knowledge I never thought I'd need—and it was exhausting, amazing, and terrifying (about equal parts).

This is how I felt:

As I began to learn more about security testing, I learned that it is not as intimidating and endless as I thought. I started to understand what people were talking about when they mentioned escalation of privileges, servers being compromised, or...

There will be a lot to learn. But it's not that hard to get started, and with some reading and thinking, you might catch a vulnerability (a piece of code that someone with Bad Intentions can use to make the software work in a way it shouldn't) before the software has matured enough to fall into the hands of expensive security professionals (which means it's cheaper to fix - a nice bonus, right?) and long before it leaks into the vast expanses of the Wild Wild West... ahem, World Wide Web.

I need to know this, seriously?

Many would say that all testers need to know about web security testing. Knowing more about this is a good idea for everyone who spends time online, but I think there are situations in which you won't need information about web security testing.

You may not need to know about web security testing if...

  • You are part of a large team that includes security experts. This is their area of expertise, and if they do their job well, they work with you and your developers to make sure everything is at the right level of security in their area. They also help you test your software for security issues.
  • You test software that is rolled out to users, and then no one cares about it: it does not access your servers and does not deal with confidential information. An offline Sudoku app would be a good example, and if the company doesn't care whether someone scores a large number of points and/or protects its servers well, an online casual game can also be such an example.
  • This is a display website and you do not manage the hosting.
  • You don't work on the web at all.

You need to know about web security testing if...

  • Your company's software stores any type of personally identifiable information (this is defined by law, but generally it can be used to find you or your family)

Examples: addresses, email (usually in combination with other information), government-issued identification (social security number, driver's license, passport)

  • Your company's software uses or stores any type of payment information. If you store credit card information, most countries have very strict rules about storing and accessing such data - and very high penalties for failing to protect this data. If you store bank account information, the standards are not as strict, but you still need to keep your eyes open.
  • Your company must adhere to the law or procedures regarding data security. Some examples known to me:

Healthcare companies in the US must follow a number of federal laws.

Any publicly traded company in the United States must follow federal laws regarding standards. If a company does not comply with them, it cannot accept credit card payments and is subject to fines and other penalties.

  • Your company has privacy requirements for the data it stores.

If you think you need to learn more about web security testing, then perhaps you really need to.

Where to begin

Getting started learning web security testing is quite easy - there are great links and tools out there and it will only cost you your time. You can do a lot using just a browser!

Careful! Danger ahead!

Before you start doing anything destructive, make sure you are absolutely sure you have permission to do it. Yes, even on a test server - other people can use it for other purposes, your company can monitor the network for suspicious behavior - and in general, a bunch of factors play a role here that you may not have the slightest idea about. Always, Always make sure you have permission to play hacker.

Free tools

All the tools I use are made for Windows, because I work in a Windows environment. Some of them are cross-platform, some are not. They are all fairly easy to use for a newbie testing the security waters looking for bugs.

  • Browser Developer Tools. If they are not blocked by your company, then most modern browsers allow you to examine the page code, examine JavaScript, and view network traffic between the browser and the server. You can also edit and run arbitrary JavaScript in them, try changing the code, and repeat network requests.
  • Postman. Although it is a Chrome extension, Postman also runs as a standalone application. You can use it to send various requests and study the responses (there's a trick here: almost everything in security testing can be done in several different ways. Experiment to find your favorites).
  • Fiddler. Telerik Fiddler is at the moment my favorite tool for exploring and manipulating web requests. It's cross-browser, works on multiple OSes, and is easy to get started with for security testing.
  • IronWASP. One of the few free security scanners made for Windows. It's quite easy to work with and usually produces good results.
  • And more… There are a lot of tools available. I have only just started learning about security and have only just started sniffing around.

I'm going to focus on Fiddler going forward because I think it's the easiest of the free tools, and the fastest to go from poking around the interface to actually useful results.

Using Fiddler

When I came across this huge, and potentially very expensive vulnerability that I described above, I was just playing with Fiddler. It’s good that I found it right then: if it had ended up on the market, big troubles could have happened.

Settings

I installed Fiddler with default settings. On Windows, you also get a plugin for Internet Explorer that allows you to run directly through IE (and setting it up to monitor only IE traffic is much easier than for other browsers). Depending on what you do, some of these plugins can be very useful; here are my favorites:

  • SyntaxView/Highlight. Provides syntax highlighting for preparing custom scripts and viewing HTML, JavaScript, CSS and XML. Makes fiddling with web code much less painful by highlighting all tags and keywords. I'm a big fan of things that make it easier to focus on what's important, and this is one of them.
  • PDF viewing. Very important if your application builds PDF files on the fly. You can click on the tab and see the PDF rendered. For example, if you're testing a PDF of a bank statement to make sure it's impossible to open another user's statement, this tool is your friend.

The Internet is multifaceted and unsafe. The more opportunities it gives us, the more dangers and risks it conceals. Theft via the Internet has long been a reality.

Thefts happen from a card or electronic wallet. And if this hasn’t happened to you yet, it means you’re either an ace at protecting your information, or lucky, or haven’t been using the global web long enough.


The first ones can handle it themselves, but it's useful for the second and third ones to know our digest of useful tips. After all, metal doors do not save you on the Internet. Here, your safety depends on other factors and, most importantly, on your actions in certain situations.

You should not only have an antivirus with a daily updated database, but also protection against spyware. Many people think that by installing one antivirus they can protect information, and this ultimately becomes a fatal mistake.

Don't click on every link in a row. Especially if they were sent to you by mail or via ICQ. Even if sent by a reliable sender. Internet surfing is the most popular way to catch a virus, which means giving an attacker a chance to obtain valuable information. Do not download strange, unknown programs, much less install them.

If a strange situation arises when you nevertheless click on an unfamiliar link, disconnect from the Internet. Security programs may issue a warning in this case, or the computer may stop responding. Call a specialist responsible for data security - he will figure out what the problem is.

If you have an electronic wallet installed or any other programs with which you make online payments, it is even more necessary to ensure the security of your computer. In case of incompetence, invite a specialist who will install and configure all the necessary programs and their parameters. After all, we increasingly do not leave our chair to pay for services and make purchases.

When going through the registration procedure, never save your password. Use different passwords every time you register somewhere. Passwords used should be long, preferably with numbers. It is better to change passwords as often as possible, at least once a month. Even if you choose one word and type it in a mix of capital and lowercase letters, this will already be an excellent password option.

Be careful where you enter your password and login. Often, scammers make duplicate websites that are exactly the same as the original - the only difference may be in the domain. But at a quick glance it is difficult to notice, especially for a beginner. Fraudsters use duplicates to steal user logins and passwords. After you enter your data, the scammers automatically receive it and can use it for their own purposes, but on the real site.

These simple truths are sure to help someone protect themselves online. Except perhaps for experienced users and computer security experts, because they already know everything very well.


Good afternoon.

Recently, IT security has become a kind of trend; everyone writes about it, everyone talks about it. To what extent is this a promising direction? And most importantly, how does one get into it? Which educational materials (books, courses) will help a beginner "get into" all this?

Answered by Maxim Lagutin, founder of the website protection service SiteSecure

Mostly companies (medium and large businesses) are now interested in practical information security (hereinafter referred to as IB) and practitioners. Less interesting, but still interesting, are information security managers who are involved in building internal information security processes and monitoring their compliance.

Among the Russian courses, I can recommend ethical hacking courses from the company Pentestit, which are aimed specifically at beginners in this field. Also recently, Alexey Lukatsky, an information security expert and a well-known blogger in this field, posted a list of available courses on the topic of information security.

Among the books, I can recommend "Black Box Testing" by Boris Beizer and "Brute Force Vulnerability Research" by Michael Sutton, Adam Greene and Pedram Amini. I also recommend subscribing to SecurityLab articles and Hacker magazine, and viewing interesting topics and asking questions on the Antichat forum.

It is worth checking periodically for updates on OWASP, where many points are revealed on the spread of vulnerabilities in software and on the network, and research on Internet security in Russia - ours and Positive Technologies'.


Through the Global Network we conduct negotiations, make large purchases and simply entertain ourselves by communicating on social networks. Following 10 simple rules for using the Internet safely will help protect your personal data, the computer itself - and even your wallet.

1. Comprehensive protection system

Mindlessly wandering around the vastness of the World Wide Web often occupies the leisure time of the average office worker. However, by browsing the Internet, you can not only get a lot of new information, but also inadvertently pick up a couple of simple viruses and Trojans that can cause a lot of inconvenience.

You must have an antivirus installed on your PC. At the same time, there is a tendency not to limit the protection system to one antivirus program, but to install "comprehensive protection systems." Usually they include an antivirus, an anti-spam filter and two or three more modules for full protection of your computer.

2. Regular software updates

Cybercriminals are constantly improving their hacking methods, and new viruses appear on the Internet literally every day. But protection methods are also regularly expanded. Therefore, do not forget to regularly update your antivirus system, the browsers you use, and your operating system.

3. Complex password

Wanting to make it easier to remember, users often choose one simple password and apply it to email, social media accounts, and e-wallets. This is exactly what you shouldn't do in the first place. There should be many passwords, complex and different; they should not be the same, and in addition, it is advisable to change passwords periodically.

By the way, coming up with a high-quality and secure password is not so easy. Forget about those passwords that immediately come to mind and are easy to remember. Dates of birth, phone numbers and other numeric passwords are cracked in no time using brute force methods. A secure password is a minimum of eight characters (the more characters, the more secure the password) and includes upper and lower case letters and numbers. It is more difficult to remember such a password, but the hackers' chances will be minimal.

4. Safe surfing

Spending sleepless nights on the World Wide Web, do not follow links that raise doubts. Colorful headlines with shocking news are usually of no interest, but by clicking on the link, you are sure to be hooked into a couple more pages with unsafe content.

5. Spam filters in mail

Dozens of emails of various contents may land in an ordinary user's mailbox every day. In some messages they address you by name and offer to quickly apply for a credit card from some bank; in others they ask you to follow various links or send your email password, since you have been "caught" sending spam. It is best to delete such letters without even opening them. Also set up an anti-spam filter in your email.

6. Brevity is the key to safety

7. Be aware of fakes

Almost all popular social networks, be it VKontakte or Odnoklassniki, have many fake (counterfeit) “copies”. Fraudsters completely copy the design of such sites, but have a slightly different address. So, the address may differ by just one letter, which you will not pay attention to, and in the end you will lose your current account.
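The warnings above (both the duplicate-site paragraph in the earlier tips and rule 7 here) boil down to one check: does the address bar really show the site you think it does, or a domain that differs by a letter? The following is an added example, not part of the original article, that performs that check programmatically: it extracts the host from a URL, reduces it to its registrable domain, and compares it against a constructed list of domains the user actually trusts, flagging near-misses by edit distance. The trusted list, the distance threshold and the two-label domain simplification are assumptions for the example.

```python
from urllib.parse import urlsplit

# Constructed list for this example (assumption): the sites the user really uses.
TRUSTED_DOMAINS = ["vk.com", "ok.ru", "mybank.example"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character
    insertions, deletions or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_part(host: str) -> str:
    """Keep the last two labels ('login.vk.com' -> 'vk.com').
    Simplification for the example: it ignores multi-label public
    suffixes such as co.uk, which a real checker would handle."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return one of: 'trusted', 'trusted-but-insecure', 'lookalike of <d>', 'unknown'.

    A trusted domain served without https is reported separately, because the
    padlock / https check is the second half of what the rules ask for."""
    parts = urlsplit(url)
    domain = registrable_part(parts.hostname or "")
    if domain in trusted:
        return "trusted" if parts.scheme == "https" else "trusted-but-insecure"
    # 'vk.com.evil.example' reduces to 'evil.example', so subdomain tricks
    # do not inherit trust; one- or two-letter variants are flagged instead.
    for good in trusted:
        distance = edit_distance(domain, good)
        if 0 < distance <= max_distance:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for sample in ["https://login.vk.com/", "http://vk.com/",
                   "https://vk.co/", "https://mybamk.example/login",
                   "https://ok.ru.evil.example/"]:
        print(f"{sample:40} -> {classify_url(sample)}")
```

Such a check is only a helper: a lookalike can also be a completely different name with the right logo, so the real defence remains typing the address yourself or using a bookmark, as the rules advise.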

8. Not all files are created equal

Do not download files from unknown sites. Often, an archive with an abstract that is of no interest to anyone may contain a virus, which will not be easy to get rid of. And even if you download files on file hosting services that have been tested for years, remember that malware can be found there too. Therefore, all files received from the Internet (and from removable media) should be checked with an antivirus.

9. Smart shopping

Every year the turnover of online commerce is growing, and the number of virtual stores themselves is increasing. Today, becoming the owner of an online store is not difficult and does not require huge financial investments. However, most owners of small trading platforms do not think about how to protect the personal data of customers. To avoid problems, you should make purchases in fairly large and trusted online stores that require mandatory registration.

Also, before paying for purchases, pay attention to the web page address starting with the prefix https, and to the closed padlock icon next to the address bar, which indicates a secure connection.

10. Help dummies

Help your loved ones master the Internet. An hour spent by your grandfather or mother at the computer, who just want to find their classmates or chat on Skype, can result in several Trojans on your PC. Take the time to carefully explain to them what resources they should visit and what messages they should ignore.

Information Security for Dummies

Even 10 years ago, many companies that lost access to their databases simply closed down, as reported in a report from the University of Minnesota, which conducted research in this area. Now, of course, there are many ways to restore information to continue working, however, a leak of confidential information can cause serious losses. At the same time, we are talking not only about companies, but also about ordinary Internet users.

The development of information technologies has put society on a new level of development, where many issues can be solved using a personal computer and the Internet: making purchases, booking hotels, and just communicating, not to mention the new opportunities for professional activity. But the simplicity, convenience and speed of handling information are fraught with danger - its availability to third parties.

More recently, the term cybercrime has come into use. Previously, such a word was found only among science fiction writers, but now it has become part of modern reality. We are talking about hackers, or cyberbullies, who steal data to access bank cards, accounts on special resources, etc., hacking personal computers using different viruses and Trojan programs.

How to protect yourself from criminals? The simplest solution is to install an antivirus program. But, unfortunately, even this is not always able to protect against hacking. Another option is to try to study some of the great amount of literature on information security that has been written to date. True, the standards and programs presented in it are accessible and understandable for the most part to specialists in this field, while the threat of losing money from a bank card hangs over almost every Internet user.

However, not everything is as bad as it seems at first glance. By using common sense and following simple rules for working on the Internet, you can significantly increase the level of protection of your data from external threats. This is like basic concern for the safety of property by protecting the apartment. You can simply install a door and a cheap lock, but you can also listen to the recommendations of specialists involved in security. And they will definitely advise you to install reliable door locks with non-standard keys and modernize windows so that they are difficult to open from the outside; install video surveillance and alarm systems; and also enter into an agreement with an organization that provides rapid response to unauthorized entry into the house. And, perhaps, a no less important rule, which you will definitely be reminded of because we often forget about it: do not open the door to strangers and, especially, do not tell anyone where your valuables are.

All these measures, of course, require investment. However, they should be applied comprehensively. Don't rely on good locks alone to protect your home from thieves. Any mechanism will sooner or later be opened. And if, for example, there is no alarm that sends a signal to the security console, then the entire video surveillance system will be absolutely useless.


From theory to practice

Any security system is a system consisting of many lines of defense that are constantly in process and in action. You can't relax immediately after installing technical means of protection - rules for safe behavior on the network and for operating the equipment must be observed regularly. Otherwise, the security system will become unusable, leaving only a harmful illusion of security.

How to take care of information security in practice? Let's look at the basic rules.


Zero rule:
Don't trust anyone.

As Andrew Grove, chairman of Intel, said, "Only the paranoid survive." When entering any confidential information, you must be 200% sure that the person you trust with it actually has the right to dispose of this data. For example, on a bank's website you may be asked for your passport information to open an account - this is a standard procedure, but an online store has absolutely no use for this information. You wouldn't show your passport to the seller from whom you buy potatoes at the market! That's one thing. Secondly, never, to anyone and under any circumstances, send your password. All security systems are designed in such a way that only one person should know the password. If you are required to send your password by email or tell it over the phone under any, even the most seemingly plausible, pretext, then you should know that this is 100% deception.


First rule:
Be sure to set up your computer so that you always provide a username and password before starting work.

The most important program for any computer user is the operating system. What it stores should only be known to you, so set a password that must be entered when you turn on the computer. The procedure is simple, but there are many benefits. Each time you enter a combination of characters into the line, you confirm your right to dispose of all information stored on the computer. Avoid situations where a stranger could get free access to your desktop and all files. "Lock up" the information so that it doesn't look like an apartment without doors with a sign "Come in if you want."


Second rule:
Never work under an account with administrator rights.

For a computer, all users are divided into two types: administrators and regular users. Administrators are those users who can configure the operation of all computer services, install and remove programs, and change the operation of the system. Regular users do not have the right to change or install anything, but they can freely run programs, use the Internet, and do work. Now let's imagine a situation where a user with an administrator account visits an attacker's website. Malicious programs can easily erase data or encrypt it so that criminals can then extort money for data recovery. At the same time, neither the operating system nor antiviruses will save the user from such a misfortune, since everything that the "administrator" does is law for the computer, and it will think that these are your commands. Some people think that it is inconvenient to work under a regular user's account, since from time to time you need to install new programs. But, if you think about it, it's not every day that you have to install software. The advantages are obvious. If you visit the attackers' website with the rights of a simple user, you put a protective barrier in front of the malicious program that is harder for it to overcome. It can no longer quickly disguise itself and becomes vulnerable to antiviruses. Therefore, it makes sense to give up your administrator rights just in case. If the need arises to use its functionality, you can always temporarily switch accounts.


Third rule:
Your passwords should be long, complex, and preferably varied. All passwords must be changed regularly.

Passwords are a huge headache for all information security specialists. This is because users do not like long passwords, as they either forget them or are simply too lazy to type them. And that is when passwords exist at all. Everything here is like with an apartment: the easiest way to get into it is to find a key that fits the lock. A similar method works in the computer field. The easiest way to access data is to guess the password. It was only in the first decades of computer development that a password length of 8 characters was sufficient. With the development of technology, however, enumerating all combinations has made such codes easy to compute. There is such a thing as password strength: an indicator of the time an attacker needs to find a password using brute force methods. It turns out that combinations consisting of only eight numbers or letters can be guessed in less than a second. That is why, by using passwords up to 8 characters long, you risk giving an attacker access in a short time. Although, if you use both numbers and letters in a short password, and in different cases as well, then it will take a couple of days to find it by brute force. This is not bad anymore, but, of course, not enough. You can achieve satisfactory password strength by simply increasing its length, using a combination of not only letters and numbers, but also symbols ('$', '%', '&', '#'). But how do you create a long and complex password without immediately forgetting it? Very simple. Use passphrases. For example: "$Green_Cactus01". Such a password is not contained in a dictionary (although the separate words "green" and "cactus" are), so it cannot be cracked by a dictionary search. The password turned out to be more than 12 characters long, and it will take more than 10^20 attempts to guess it.
Even if one billion guesses are made per second, it will take ~10^11 seconds, which is more than a thousand years, to crack such a password.
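The brute-force arithmetic in the rule above (and the "minimum eight characters, mixed case and digits" advice in the earlier "Complex password" section) can be checked directly. The following is an added example, not part of the original text: it derives the character-set size from which classes a password actually uses, raises it to the password length to get the search space, and divides by an assumed guess rate to estimate the time to exhaust it. The symbol set and the one-billion-guesses-per-second rate are assumptions taken from the text's own scenario; real attackers also use dictionaries and leaked-password lists, which this keyspace model does not account for.

```python
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
# Constructed symbol alphabet for the example (assumption); real keyboards offer more.
SYMBOLS = "$%&#_!@*-+=?"

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must enumerate, judged by which
    character classes the password uses (the model behind the rule's numbers)."""
    size = 0
    if any(c in LOWER for c in password):
        size += len(LOWER)
    if any(c in UPPER for c in password):
        size += len(UPPER)
    if any(c in DIGITS for c in password):
        size += len(DIGITS)
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def keyspace(password: str) -> int:
    """Number of candidate strings of the same length over that alphabet."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every candidate at the assumed guess rate
    (the text's scenario: one billion guesses per second)."""
    return keyspace(password) / guesses_per_second


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    return seconds_to_exhaust(password, guesses_per_second) / SECONDS_PER_YEAR


def report(password: str) -> str:
    """Human-readable summary for one password (used by the demo below)."""
    secs = seconds_to_exhaust(password)
    if secs < 60:
        span = f"{secs:.2f} s"
    elif secs < SECONDS_PER_YEAR:
        span = f"{secs / 86400:.1f} days"
    else:
        span = f"{years_to_exhaust(password):.3g} years"
    return (f"{password!r}: alphabet {charset_size(password)}, "
            f"length {len(password)}, keyspace ~{keyspace(password):.2e}, "
            f"exhausted in {span}")


if __name__ == "__main__":
    # Constructed sample passwords mirroring the text's three cases:
    # eight digits, eight mixed-case letters and digits, and the passphrase.
    for pw in ["12345678", "aB3dE6fG", "$Green_Cactus01"]:
        print(report(pw))
```

Run as a script it prints the three cases side by side: the eight-digit password falls in a fraction of a second, the eight-character mixed password takes on the order of a couple of days, and the passphrase needs far more than a thousand years at the same rate, which is the progression the rule describes.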


Fourth rule:
Use modern paid antiviruses with update mode enabled at least twice a day.

An installed antivirus by itself is useless without the ability to update its anti-virus databases. It will be like a sleeping watchdog: it seems to be there, but it serves no purpose. So be sure to ensure that your antivirus program's databases are updated regularly.


Fifth rule:
Turn on automatic software updates.

Always update your software. This especially concerns the operating system and the Internet browser. For example, Microsoft enables auto-update mode by default in its systems. Other software products need to be configured. What is all this for? Very simple. Modern programs are very complex and have a huge number of errors that can affect the security of your data. By releasing updates, manufacturers gradually eliminate the errors through which attackers could get inside your system.


Sixth rule:
Do not store passwords on your computer or remember passwords in your Internet browser.

Once a hacker gains access to any part of your computer and finds the password file, he won't even have to try to crack the security system. Why would a thief break down a door if the keys are under the doormat? Therefore, keep your passwords on a flash drive in your pocket, and always in encrypted form.


Seventh rule:
Use encryption systems for critical data.

You should always be prepared for the fact that an attacker can gain physical access to your computer (for example, the banal theft of a laptop). To prevent him from using the information stored in it, firstly, set a user password for entry (see the first rule), and secondly, use a data encryption system. In this case, the hacker will have to tinker with your machine for many, many years.

Eighth rule:
Never use the Internet and email to transmit confidential information.

All information is transmitted via the Internet in the open. By colluding with the technical staff of the telecom operator, it is not difficult to gain access to your messages. Therefore, protect yourself by using either secure connections (https), or data encryption systems and electronic digital signature systems.

Ninth rule:
Install programs whose purpose or source of origin you know for sure.

Everyone knows the story of the fall of Troy. The most insidious invention of that war was the Trojan horse. And although this invention is several thousand years old, this method of conquest has not lost its relevance. But protection against it has long been available: do not install unfamiliar programs, either on your own initiative or at the suggestion of third parties. The main risk areas: sites that inspire distrust and whose legitimacy you are not absolutely sure of, scammers on ICQ, and spammers. Each of these actors strives to slip you a "unique" viewer, desktop wallpaper or other application, and along with it code that will turn your computer into an obedient zombie.

Tenth rule:
Be sure to follow special instructions on safety. Always use common sense.
