CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Similar documents
Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Certified Secure Web Application Engineer

Web Application Penetration Testing

java -jar Xmx2048mb /Applications/burpsuite_pro_v1.5.jar

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

CSWAE Certified Secure Web Application Engineer

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Introduction to Ethical Hacking

Copyright

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Solutions Business Manager Web Application Security Assessment

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Expanding Human Interactions for In-Depth Testing of Web Applications

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Web Application Vulnerabilities: OWASP Top 10 Revisited

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Symlink attacks. Do not assume that symlinks are trustworthy: Example 1

dotdefender User Guide Applicure Web Application Firewall

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

NEST Kali Linux Tutorial: Burp Suite

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

WEB APPLICATION SCANNERS. Evaluating Past the Base Case

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

EasyCrypt passes an independent security audit

Web Application Threats and Remediation. Terry Labach, IST Security Team

Penetration Testing. James Walden Northern Kentucky University

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Hacking Our Way to Better Security: Lessons from a Web Application Penetration Test. Tyler Rasmussen Mercer Engineer Research Center

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

McAfee Certified Assessment Specialist Network

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

RiskSense Attack Surface Validation for Web Applications

PracticeDump. Free Practice Dumps - Unlimited Free Access of practice exam

Ethical Hacking as a Professional Penetration Testing Technique ISSA Southern Tier & Rochester Chapters

Human vs Artificial intelligence Battle of Trust

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

ECCouncil Certified Ethical Hacker. Download Full Version :

AN E-GOVERNANCE WEB SECURITY AUDIT Deven Pandya 1, Dr. N. J. Patel 2 1 Research Scholar, Department of Computer Application

Web Application Security. Philippe Bogaerts

Curso: Ethical Hacking and Countermeasures

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

N different strategies to automate OWASP ZAP

Bank Infrastructure - Video - 1

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

OWASP Romania Chapter

PRACTICAL WEB DEFENSE VERSION 1

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

WEB APPLICATION PENETRATION TESTING VERSION 2

CS 410/510: Web Security X1: Labs Setup WFP1, WFP2, and Kali VMs on Google Cloud

Ranking Vulnerability for Web Application based on Severity Ratings Analysis

IEEE Sec Dev Conference

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Secure Programming and! Common Errors! PART II"

1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)

How to perform the DDoS Testing of Web Applications

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Securing Apache Tomcat. AppSec DC November The OWASP Foundation

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Automated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation

Penetration Testing with Kali Linux

HP 2012 Cyber Security Risk Report Overview

Web server reconnaissance

Application security : going quicker

Security Testing White Paper

Injectable Exploits. New Tools for Pwning Web Apps and Browsers

WEB SECURITY: XSS & CSRF

Ethical Hacking and Prevention

A Samurai-WTF intro to the Zed Attack Proxy

Static analysis of PHP applications

Web Application Attacks

WAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Finding Vulnerabilities in Web Applications

An analysis of security in a web application development process

Being Mean To Your Code: Integrating Security Tools into Your DevOps Pipeline

SECURE CODING ESSENTIALS

Introduction to Cyber Security Week 3: Web Security. Ming Chow

C1: Define Security Requirements

CRAXweb: Web Testing and Attacks through QEMU in S2E. Shih-Kun Huang National Chiao Tung University Hsinchu, Taiwan

John Coggeshall Copyright 2006, Zend Technologies Inc.

Hacking by Numbers OWASP. The OWASP Foundation

WAPTv2 at a glance: Self-paced, online, flexible access interactive slides and 5+ hours of video material. Downloadable material

Your Turn to Hack the OWASP Top 10!

Web Attacks CMSC 414. September 25 & 27, 2017

dotdefender v5.18 User Guide

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Chrome Extension Security Architecture

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CS 161 Computer Security

Compliance with OWASP ASVS L1:

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Transcription:

CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of Pennsylvania 1

OWASP ZAP zed attack proxy Security vulnerabilities in web applications while developing and testing applications Open source tool, GUI Helps in manual and automated testing Should be used with only own web applications or the applications you have permission to test Comparison with Burp : similar tool BURP is a hard core tool, should have very good knowledge in security matters ZAP has got some neat features, covers most of the bases and it is easier to use

Basic Functionalities Intercepting proxy server Web Crawling Active Attacks Fuzzer 3

Penetration testing When developing web applications, it is important that it is secure in every phase Attacks performed by embedding malicious strings : Query strings Form Fields Cookies HTTP Headers command execution cross-site scripting (XSS) SQL injection buffer overflow attacks. 4

User Interface Active attack, Request and Response headers Tools : Active scan, Local proxy, Spider 5

Intercepting Proxy Server Configure browser to allow Proxy (select hostname and port from application) 6

Active Attacks Web application running on Apache Tomcat : form accepts inputs and displays it. Attacks the application : All possible pages it gets directed to Displays alerts 7

Alert Information Common Weakness Enumeration (CWE) WASC ID Threat Classification ID 8

Some Alerts X-Frame Options Header Not Set Possible attack : Clickjacking, also known as a "UI redress attack", is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Solution: X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW-FROM https://example.com/ 9

Some Alerts X-Frame-Options set here : SAME ORIGIN (in a response from Oracle application) 10

Some Alerts Web Browser XSS Protection is not enabled Possible attack : Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Solution: Set X-XSS-Protection HTTP response header to '1'. 11

Some Alerts X-Content-Type-Options Header Missing: Header set X-Content-Type- Options "nosniff Possible Attack: MIME Sniffing is a technique allowing the browser to dynamically guess the content type of downloaded files. If there is a mismatch between the content type of the server and the one defined by the magic bytes, then it uses its own content type guess. Solution: X-Content-Type-Options header to 'nosniff' for all web pages. 12

Some Common active Attacks : SQL injection is a code injection technique, used to attack datadriven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker) Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. http://192.168.1.133/mutillidae/?page=%2fetc%2fpasswd basically fetches you /etc/passwd on linux, the contents of the Linux password file 13

CRAWLING Given the seed URL, the application crawls to different pages in the application Can specify depth to crawl 14

FUZZ Fuzz testing or Fuzzing is a Black Box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion. 15

Thank you! Questions? 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback