Notes From The field

Similar documents
OWASP Romania Chapter

Developing Secure Applications with OWASP OWASP. The OWASP Foundation Martin Knobloch

Welcome to OWASP Bay Area Application Security Summit July 23rd, OWASP July 23 rd, The OWASP Foundation

How to hack and secure your Java web applications

Web Application Penetration Testing

Certified Secure Web Application Engineer

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

CSWAE Certified Secure Web Application Engineer

Web Application Attacks

A D V I S O R Y S E R V I C E S. Web Application Assessment

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

GOING WHERE NO WAFS HAVE GONE BEFORE

Application Security for the Masses. OWASP Greek Chapter Meeting 16/3/2011. The OWASP Foundation

RiskSense Attack Surface Validation for Web Applications

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Security Course. WebGoat Lab sessions

Human vs Artificial intelligence Battle of Trust

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Copyright

C1: Define Security Requirements

OWASP Broken Web Application Project. When Bad Web Apps are Good

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

Penetration Testing. James Walden Northern Kentucky University

Web Application Security GVSAGE Theater

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Bank Infrastructure - Video - 1

OWASP ROI: OWASP Austin Chapter. The OWASP Foundation Optimize Security Spending using OWASP

Application. Security. on line training. Academy. by Appsec Labs

WebGoat& WebScarab. What is computer security for $1000 Alex?

SECURITY TESTING. Towards a safer web world

MBFuzzer - MITM Fuzzing for Mobile Applications

INNOV-09 How to Keep Hackers Out of your Web Application

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

Application security : going quicker

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CIS 4360 Secure Computer Systems XSS

Presentation Overview

UNIT 28 WEBSITE PRODUCTION

Introduction to OWASP WebGoat and OWTF. by Pawel Rzepa

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

A Model-Driven Penetration Test Framework for Web Applications

Application Security Approach

Test Harness for Web Application Attacks

Security Communications and Awareness

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Copyright

Finding Vulnerabilities in Web Applications

Overview of Web Application Security and Setup

2310C VB - Developing Web Applications Using Microsoft Visual Studio 2008 Course Number: 2310C Course Length: 5 Days

Lessons Learned from a Web Application Penetration Tester. David Caissy ISSA Los Angeles July 2017

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

OWASP ESAPI SwingSet. OWASP 26 April Fabio Cerullo Ireland Chapter Leader Global Education Committee

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Web Security. Thierry Sans

Combating Common Web App Authentication Threats

Portcullis Computer Security.

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Checklist for Testing of Web Application

Integrigy Consulting Overview

Application vulnerabilities and defences

Vulnerabilities in online banking applications

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

N different strategies to automate OWASP ZAP

Security Communications and Awareness

Open Web Application Security Project (OWASP)

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Sichere Software vom Java-Entwickler

Progress Exchange June, Phoenix, AZ, USA 1

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Your Turn to Hack the OWASP Top 10!

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Web Applications Penetration Testing

Andrew van der Stock OWASP Foundation

WebGoat Lab session overview

Introduction to Ethical Hacking

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

HP 2012 Cyber Security Risk Report Overview

Testing from the Cloud: Is the sky falling?

Securing SharePoint TASSCC TEC 2009 Web 2.0 Conference

Automating the Top 20 CIS Critical Security Controls

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Base64 The Security Killer

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

Transcription:

Notes From The field tools and usage experiences Jarkko Holappa Antti Laulajainen Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Tools project http://www.owasp.org/index.php/category:_tools_project The Tools Project's goal is to provide unbiased, practical information and guidance about application security tools. Tools are to help: Protect Applications Find Vulnerabilities in Applications Test Other Application Security Tools Educate People on Application Security Topics Categories of tools: Web Application Firewalls (WAFs) Application Vulnerability Scanning Tools Application Penetration Testing Tools Source Code Analysis Tools Test and Educational Applications Application Security Analysis Support Tools 2

Tools from.net Project AntiSamy Project CAL9000 Project DirBuster Project Encoding Project Flash Security Project Insecure Web App Project Interceptor Project JBroFuzz LAPSE Project Live CD Project Orizon Project Pantera Web Assessment Studio Project SQLiX Project Sprajax Project Validation Project WSFuzzer Project WebGoat Project WebScarab Project 3

: CAL9000 CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 is written in Javascript Features e.g. XSS Attacks Character Encoder/Decoder Http Requests - Manually craft and send HTTP requests to servers. String Generator - Create character strings of almost any length. Testing Tips - Collection of testing ideas for assessments. Testing Checklist - Track the progress of your testing efforts and record your findings. AutoAttack Editor - Create/edit/save/delete the AutoAttack Lists that are used to drive the automated multiplerequest capabilities on the HTTP Requests page. Store/Restore - Temporarily hold and retrieve textarea and text field contents. 4

CAL9000 Demo 5

: WebScarab WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab. 6

7

8

WebScarab - example 9

WebScarab - example 10

WebScarab - example 11

WebScarab - example 12

: WebGoat WebGoat is a deliberately insecure J2EE web application It is designed to teach web application security lessons. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. Lessons include e.g.: Cross Site Scripting Access Control Thread Safety Hidden Form Field Manipulation Parameter Manipulation Weak Session Cookies Blind SQL Injection Numeric SQL Injection String SQL Injection Web Services Fail Open Authentication Dangers of HTML Comments 13

: Sprajax Open source black box security scanner used to assess the security of AJAX-enabled (Asynchronous JavaScript and XML) applications. The goal of the Sprajax project is to create a useful tool for assessing the security of AJAX-enabled web application. 14

: Insecure Web App Web application that includes common web application vulnerabilities. Targeted for automated and manual penetration testing, source code analysis, vulnerability assessments and threat modeling. The goals of this tool: Demonstrate how dangerous application vulnerabilities can be. Close the gap between the theory of web application security and the actual code that we design and build. Learn how these vulnerabilities can be fixed. 15

LiveCD Project: LabRat Beta Version 2.1 is focused on providing all of tools and documents on a bootable CD. At this point the tools and documents are on the CD but they are not all configured. 16

General notes about testing Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

Testing: Automated vs. Manual Manual testing: a human being attacks a web application using his experience, knowledge and tools Automated testing: a human being uses an automated vulnerability scanner to attack a web application Many tools generate extensive reports but results need to be verified Testing can be automated, analysis never 18

Functional versus Technical Issues Different vulnerabilities, different kind of testing: Technical Vulnerabilities Data Handling Dealing with Strong Typing, Encoding, and Validation of Data that the application handles Can be tested fairly effectively by automated tools Functional or Logical Vulnerabilities Deals with issues allowed by design, but not foreseen by the designers as a risk Issues in human-eye visible forms: Comments revealing information, inconsistent business logic, etc. 19

What are they good for? Automated Saves time and resources. In-built knowledge about vulnerabilities and threats against various technologies. Quite good reporting features Tools provide reliable, repeatable tests that produce accurate quantifiable information about software defects with security implications. 20

Click & Scan and send report to customer? Many tools generate extensive reports but results need to be verified Testing can be automated, analysis never Tools are not short-cut to success, there is still need for security awareness and good insight to software development issues to be able to use these tools efficiently. A Fool with a Tool is still a Fool Testers must be aware of limitations of tools There are issues that cannot be automated reliably: - business logic flaws - workflow bypasses - human eye visible errors. 21

Next step: Restaurant Kaisla, Vilhonkatu 4, 00100 Helsinki 22

Thank You! Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the License. The Foundation http://www.owasp.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback