Getting Ready. I have copies on flash drives Uncompress the VM. Mandiant Corporation. All rights reserved.

Similar documents
OWASP Broken Web Application Project. When Bad Web Apps are Good

ZAP Innovations. OWASP Zed Attack Proxy. Simon Bennetts. OWASP AppSec EU Hamburg The OWASP Foundation

OWASP Romania Chapter

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Web Application Penetration Testing

N different strategies to automate OWASP ZAP

Testing from the Cloud: Is the sky falling?

OWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Certified Secure Web Application Engineer

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Introduction to OWASP WebGoat and OWTF. by Pawel Rzepa

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

A Samurai-WTF intro to the Zed Attack Proxy

CSWAE Certified Secure Web Application Engineer

Testing from the Cloud: Is the sky falling?

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

V Conference on Application Security and Modern Technologies

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Aguascalientes Local Chapter. Kickoff

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

Monitoring Attack Surface and Integrating Security into DevOps Pipelines

Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation

Andrew van der Stock OWASP Foundation

Welcome to the OWASP TOP 10

Preparing for the Cross Site Request Forgery Defense

Where we are.. Where we are going!

Web Application Security. Kitisak Jirawannakool Electronics Government Agency (Public Organization)

Hacking by Numbers OWASP. The OWASP Foundation

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Open Web Application Security Project

Automated Security Scanning in Payment Industry

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

Solutions Business Manager Web Application Security Assessment

CTF Workshop. Crim Synopsys, Inc. 1

How to hack and secure your Java web applications

Notes From The field

Multi-Post XSRF Web App Exploitation, total pwnage

Driving OWASP ZAP with Selenium

Feb 28, :01-02:30 Welcome note & Introduction to OWASP : Somen Das, OWASP BBSR Chapter Lead

OWASP CISO Survey Report 2015 Tactical Insights for Managers

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Presentation Overview

Under the hood testing - Code Reviews - - Harshvardhan Parmar

Introduction to Ethical Hacking

Moving Targets: Assessing the Security of Mobile Devices. March 3 rd, 2016 Kevin Johnson, CEO Secure Ideas

Human vs Artificial intelligence Battle of Trust

Introductions. Jack Katie

Secure Web Application Development: Hands-on Teaching Modules

Your Turn to Hack the OWASP Top 10!

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Web Application Vulnerabilities: OWASP Top 10 Revisited

Securing ArcGIS Services

Tobias Gondrom (OWASP Member)

Sichere Software vom Java-Entwickler

Applications Security

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

How were the Credit Card Numbers Published on the Web? February 19, 2004

Exploiting and Defending: Common Web Application Vulnerabilities

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Improving Security in the Application Development Life-cycle

AppSensor. The OWASP Foundation. OWASP Training Dublin. Colin Watson colin.watson(at)owasp.org. 11 th March

IEEE Sec Dev Conference

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Open Source SAST and DAST Tools for WebApp Pen Testing

Penetration Testing. James Walden Northern Kentucky University

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

Tale of a mobile application ruining the security of global solution because of a broken API design. SIGS Geneva 21/09/2016 Jérémy MATOS

TestBraindump. Latest test braindump, braindump actual test

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Harbor Registry. VMware VMware Inc. All rights reserved.

Development*Process*for*Secure* So2ware

Fortify Software Security Content 2017 Update 4 December 15, 2017

Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline

Lessons Learned from a Web Application Penetration Tester. David Caissy ISSA Los Angeles July 2017

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

OWASP InfoSec Romania 2013

Metasploit. Installation Guide Release 4.4

Saving Time and Costs with Virtual Patching and Legacy Application Modernizing

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Modern Web Application Development. Sam Hogarth

Security Best Practices. For DNN Websites

A Model-Driven Penetration Test Framework for Web Applications

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Bypassing Web Application Firewalls

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

BLACK HAT USA 2013 ADD A CLASS REQUEST FORM INSTRUCTIONS

Fintech District. The First Testing Cyber Security Platform. In collaboration with CISCO. Cloud or On Premise Platform

COMP9321 Web Application Engineering

Application Security at DevOps Speed and Portfolio Scale. Jeff Contrast Security

Security DevOps. Automation von Security-Checks in der Build-Kette. Christian

Protect your apps and your customers against application layer attacks

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

A D V I S O R Y S E R V I C E S. Web Application Assessment

Index. Mike O Leary 2015 M. O Leary, Cyber Operations, DOI /

Transcription:

Getting Ready In order to get the most from this session, please download / install: OWASP ZAP, which requires a Java runtime A virtualization package, such as the free VirtualBox, free VMware Player, or commercial VMware Workstation The OWASP BWA VM I have copies on flash drives Uncompress the VM

Chuck Willis OWASP Technical Director Broken Web chuck.willis@mandiant.com Applications (BWA) VM and Zed Attack Proxy (ZAP) PRESENTED BY: Chuck Willis chuck.willis@mandiant.com @chuckatsf

Agenda Introductions Zed Attack Proxy Bonus Content! Broken Web Applications VM OWASP BWA

Introduction Chuck Willis Technical Director @ Mandiant Application Security, Source Code Analysis, Penetration Testing, Forensics, Incident Response, R&D Leader of OWASP Broken Web Apps Project (Very) occasional visitor to Unallocated Space Twitter: @chuckatsf chuck.willis@mandiant.com OWASP BWA OWASP BWA

We are Mandiant What are we? Threat detection, response and containment experts Software, professional & managed services, and education Application and network security evaluations Where are we? Washington New York Los Angeles Redwood City San Francisco Albuquerque Ann Arbor Dublin, Ireland 5

What is OWASP? The Open Web Application Security Project 501c3 not-for-profit worldwide charitable organization with chapters around the globe. Focused on improving the security of application software Visibility into security Informed decisions about real risk Free to participate, free to use Personal and corporate supporters OWASP BWA OWASP BWA More info and lots of free materials at www.owasp.org

What is OWASP? OWASP Top Ten Web Application Security Risks OWASP Guides Development Guide Testing Guide Code Review Guide Application Security Verification Standard Open Software Assurance Maturity Model Enterprise Security API OWASP BWA More info and lots of free materials at www.owasp.org

OWASP Zed Attack Proxy (ZAP) 8

OWASP Zed Attack Proxy Project The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. OWASP BWA ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. https://www.owasp.org/index.php/owasp_zed_attack_proxy_project

The Zed Attack Proxy Released September 2010 Ease of use a priority Comprehensive help pages Free, Open source Cross platform A fork of the well regarded Paros Proxy Involvement actively encouraged Adopted by OWASP October 2010 10

ZAP Principles Free, Open source Cross platform Easy to use Easy to install Internationalized Fully documented Involvement actively encouraged Reuse well regarded components 11

The Main Features All the essentials for web application testing Intercepting Proxy Active and Passive Scanners Spider Report Generation Brute Force (using OWASP DirBuster code) Fuzzing (using OWASP JBroFuzz code) 12

The Additional Features Auto tagging Port scanner Smart card support Session comparison Invoke external apps BeanShell integration API + Headless mode Dynamic SSL Certificates Anti CSRF token handling 13

Let s try out ZAP! 14

OWASP Vicnum Project OWASP Vicnum Project http://vicnum.ciphertechs.com/ OWASP BWA

HTTPS ZAP has it s own CA cert that can be installed in your browser to avoid warning messages Try going to an HTTPS site, like https://www.google.com/ OWASP BWA

Bonus: OWASP Vulnerable Web Applications Directory Project 17

OWASP Vulnerable Web Applications Directory comprehensive and well maintained registry of all known vulnerable web applications currently available Available at: https://www.owasp.org/index.php?title=owasp_vulnerable _Web_Applications_Directory_Project OWASP BWA

OWASP Broken Web Application (BWA) Project 19

OWASP Broken Web Apps VM Free, Linux-based Virtual Machine Contains a variety of web applications Some intentionally broken Some old versions of open source applications Pre-configured and ready to use / test All applications are open source Allows for source code analysis Allows users to modify the source to fix vulnerabilities More info and free download at www.owaspbwa.org

OWASP Broken Web Apps VM Training Applications OWASP WebGoat (Java) OWASP WebGoat.NET (ASP.NET/C#) OWASP ESAPI Java SwingSet Interactive (Java) OWASP Mutillidae II (PHP) OWASP RailsGoat (Ruby on Rails) OWASP Bricks (PHP) Damn Vulnerable Web Application (PHP) Ghost (PHP) Magical Code Injection Rainbow (PHP) More info and free download at www.owaspbwa.org

OWASP Broken Web Apps VM Realistic, Intentionally Vulnerable Applications: OWASP Vicnum (PHP/Perl) OWASP 1-Liner (Java/JavaScript) Google Gruyere (Python) Hackxor (Java JSP) WackoPicko (PHP) BodgeIt (Java JSP) Cyclone Transfers (Ruby on Rails) Peruggia (PHP) More info and free download at www.owaspbwa.org

OWASP Broken Web Apps VM Old Versions of Real Applications WordPress 2.0.0 (PHP, released December 31, 2005) mygallery plugin version 1.2 Spreadsheet for WordPress plugin version 0.6 OrangeHRM version 2.4.2 (PHP, released May 7, 2009) GetBoo version 1.04 (PHP, released April 7, 2008) gtd-php version 0.7 (PHP, released September 30, 2006) Yazd version 1.0 (Java, released February 20, 2002) WebCalendar version 1.03 (PHP, released April 11, 2006) TikiWiki version 1.9.5 (PHP, released September 5, 2006) Gallery2 version 2.1 (PHP, released March 23, 2006) Joomla version 1.5.15 (PHP, released November 4, 2009) AWStats version 6.4 (Perl, released February 25, 2005) More info and free download at www.owaspbwa.org

OWASP Broken Web Apps VM Applications for Testing Tools OWASP ZAP-WAVE (Java JSP) WAVSEP (Java JSP) WIVET (Java JSP) More info and free download at www.owaspbwa.org

OWASP Broken Web Apps VM Demonstration Pages / Small Applications OWASP CSRFGuard Test Application (Java) Mandiant Struts Forms (Java/Struts) Simple ASP.NET Forms (ASP.NET/C#) Simple Form with DOM Cross Site Scripting (HTML/JavaScript) OWASP Demonstration Applications OWASP AppSensor Demo Application (Java) More info and free download at www.owaspbwa.org

VM Features Samba shares for editing and viewing Source code Configuration files Log files Scripts for recompiling applications ModSecurity installed OWASP Core Rule Set can be enabled More info and free download at www.owaspbwa.org

More Information and Getting Involved More information on the project can be found at http://www.owaspbwa.org/ Join our Google Group: owaspbwa Follow us on Twitter @owaspbwa Submit bugs and security issues to the trackers More info and free download at www.owaspbwa.org

Chuck Willis OWASP Technical Director Broken Web chuck.willis@mandiant.com Applications (BWA) VM and Zed Attack Proxy (ZAP) PRESENTED BY: Chuck Willis chuck.willis@mandiant.com @chuckatsf

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback