Using Free Tools To Test Web Application Security

•  Matt Neely, CISSP, CTGA, GCIH, and GCWN – Manager of the Profiling Team at SecureState
   –  Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response
   –  Over 10 years of security experience
•  Outside of work:
   –  Co-host of the Security Justice podcast

SecureState Overview

A Management Consulting Firm Specializing in Information Security

•  Founded in September 2001
•  Payment Card Industry (PCI) Certified
   •  Qualified Security Assessor (QSA)
   •  Approved Scanning Vendor (ASV)
   •  Qualified Payment Application Security Company
•  Largest dedicated security company in the Great Lakes Region
•  Number of Employees: 47

The Company We Keep

Key Industries: Retail, Financial Services, Healthcare, Critical Infrastructure, Professional

SecureState Overview

Audit and Compliance
•  PCI (Payment Card Industry)
•  ISO 27001/SAS 70
•  SOX, GLBA, HIPAA, TG-3, NERC/CIP etc.
•  INFOSEC (Information System Security Risk Assessment)

Profiling and Attack
•  Web Application Security (WAS)
•  Attack and Penetration Services (internal, external, client, physical, wireless)
•  Wireless Audits
•  Training

Risk Management
•  Security Program Manager (SPM)
•  StateScan
•  SecureTime
•  Architecture Reviews

Business Preservation Services
•  Data Forensics/Incident Response
•  Business Impact Analysis

Advisory Services
•  CISO Advisement
•  Risk Management
•  Special Projects

Importance of Assessing Web Applications

•  Insecure web applications are the most common way attackers penetrate companies from the Internet and gain access to sensitive information
•  As companies harden their perimeter, attackers are moving to attacking web applications
•  Vulnerabilities in web applications are the fastest growing type of vulnerability

PCI DSS 1.2

•  Two options to meet requirement 6.6
•  Option 1: Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
   –  At least annually
   –  After any changes
   –  By an organization that specializes in application security
      •  Assessments may be performed by a qualified internal resource or a qualified third party
   –  So all vulnerabilities are corrected
   –  So the application is re-evaluated after the corrections
•  Option 2: Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.

•  Black Box
   –  Scanning a site with an automated tool
   –  Automated tools are prone to false positives and will not find flaws in business logic
•  Grey Box
   –  Manually testing a site for vulnerabilities
      •  80% manual
      •  20% automated
   –  Assessor should review use case documentation to understand the business logic of the site and tailor attacks to the specific site
   –  Quality of the test relies on the experience of the tester
•  White Box
   –  Source code review
   –  Very thorough
   –  Very resource intensive

A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards

•  Grendel Scan
•  Nikto
•  Paros
•  Skipfish
•  W3AF

•  Acunetix
•  Burp-Pro
•  Cenzic Hailstorm
•  HP WebInspect
•  IBM Rational AppScan

•  Burp
•  Paros
•  WebScarab

Warning: Testing with the Newest Versions of IE and Firefox

•  Newest versions of Firefox and IE implement client side controls to block certain attacks such as cross-site scripting
•  Complicates testing and leads to validation problems
•  Disable controls if possible or test with an older browser
•  Do not use older browsers or browsers with security features disabled for general web surfing

•  Set up the scanner
•  Crawl and spider the site
•  Run scan
•  Validate results

•  Connect to the wireless network
   –  SSID: SecureState
   –  Password: gobrowns

•  Browse to: http://192.168.1.102/paros/
•  Download the version of Paros for your OS
•  Run installer

Setting Up Paros as a Proxy:

•  Tools > Options > Local Proxy
   –  Note address and port
•  Note: The default may need to be changed if using multiple proxies

Intercepting and Manipulating Data

•  Spidering is an automated process in which Paros follows links on a page to generate a site map
   –  By default Paros ignores links to external sites
•  Paros uses the site map to determine which pages will be tested
•  Very important to also manually crawl the site to ensure every page is mapped and scanned
   –  Automated spiders often miss links in JavaScript
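Why the manual crawl matters: the added example below (mine, not Paros code) contrasts a spider that only follows `<a href>` targets with one that also looks for path-like strings inside inline scripts. The sample page, the base URL `http://app.example.com/` and the helper names are all constructed for the illustration. It also drops off-site links, as the slide says Paros does by default.

```python
"""Why an automated spider can miss pages: an href-only link extractor beside
one that also scans inline JavaScript. Added example; the sample HTML, base
URL and helper names are constructed and are not part of Paros."""
from html.parser import HTMLParser
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page: two ordinary links, one external link, and two
# paths that exist only inside a script (built at runtime by the page).
SAMPLE_HTML = """
<html><body>
<a href="/login">Login</a>
<a href="/products?id=1">Products</a>
<a href="http://other.example.org/partner">Partner</a>
<script>
  function goAdmin() { window.location = "/admin/reports.jsp"; }
  var api = '/api/v1/users';
</script>
</body></html>
"""

BASE = "http://app.example.com/"  # constructed base URL of the site under test


class HrefCollector(HTMLParser):
    """Collects href attributes from <a> tags and the text of <script> blocks."""

    def __init__(self):
        super().__init__()
        self.hrefs = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


# Quoted string literals that look like site-relative paths, e.g. "/admin/x.jsp"
PATH_IN_JS = re.compile(r"""["'](/[A-Za-z0-9_./?=&-]*)["']""")


def same_site(url, base):
    """Mirror the default behaviour of ignoring links to external sites."""
    return urlparse(url).netloc == urlparse(base).netloc


def spider_hrefs(html, base=BASE):
    """What a basic spider sees: in-scope <a href> targets only."""
    p = HrefCollector()
    p.feed(html)
    found = {urljoin(base, h) for h in p.hrefs}
    return sorted(u for u in found if same_site(u, base))


def spider_with_js(html, base=BASE):
    """Same, plus path-like string literals found inside <script> blocks."""
    p = HrefCollector()
    p.feed(html)
    found = {urljoin(base, h) for h in p.hrefs}
    for script in p.scripts:
        for path in PATH_IN_JS.findall(script):
            found.add(urljoin(base, path))
    return sorted(u for u in found if same_site(u, base))


def missed_by_href_spider(html, base=BASE):
    """Pages the href-only site map lacks; a manual crawl has to add these."""
    return sorted(set(spider_with_js(html, base)) - set(spider_hrefs(html, base)))


if __name__ == "__main__":
    print("href-only spider :", spider_hrefs(SAMPLE_HTML))
    print("missed by spider :", missed_by_href_spider(SAMPLE_HTML))
```

The string-literal regex is deliberately crude: real script-built URLs are often assembled from fragments, which is exactly why the slide recommends clicking through the application by hand with the proxy recording rather than trusting the automated site map.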

Using Paros to

Scanning for Vulnerabilities

Reviewing the Results

•  Even the best scanner will produce false positives
•  Very important to manually validate all scan results

•  Cross-Site Scripting (XSS)
   –  Occurs when an attacker sends a malicious link, code, or email to a victim
   –  Allows for execution of JavaScript in the victim's browser context
   –  Allows for cross-site communications
•  Cause
   –  No input validation of headers, cookies, query strings, form fields (visible or hidden)
•  Possible Outcomes
   –  Session Hijacking
   –  Site Defacement
   –  Phishing through URL redirection
   –  Worms
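The cause named above (unvalidated, unencoded output of a query-string value) in miniature, as an added example that is not from the slides: a reflected search page rendered first without and then with output encoding, plus the kind of check a tester does when validating a scanner's XSS finding. The `/search?q=` page, the probe string and the function names are constructed.

```python
"""Reflected XSS in miniature: a page that echoes a query-string value with no
validation or encoding, beside the same page with HTML-entity encoding.
Added example; the route, probe input and helper names are constructed."""
import html
from urllib.parse import parse_qs, urlsplit


def _query_param(request_target, name):
    """Pull one parameter out of a request target such as '/search?q=shoes'."""
    return parse_qs(urlsplit(request_target).query).get(name, [""])[0]


def render_search_vulnerable(request_target):
    """Echoes q straight into the markup: the browser parses any tags it
    contains as part of the page, in the site's origin."""
    q = _query_param(request_target, "q")
    return f"<h1>Results for: {q}</h1>"


def render_search_fixed(request_target):
    """Same page, but the untrusted value is entity-encoded before output, so
    the text is still displayed while '<', '>', quotes and '&' stay inert."""
    q = _query_param(request_target, "q")
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


def reflects_as_markup(page, probe_tag="<script"):
    """Validation check for a scanner finding: is the probe reflected as live
    markup, or only as encoded text? True means the finding is real."""
    return probe_tag in page.lower()


# Constructed probe of the kind a scanner reflects while testing a parameter.
PROBE = "/search?q=<script>alert(1)</script>"


def validate_finding(renderer, request_target=PROBE):
    """Return (page, is_vulnerable) so a tester can eyeball the response and
    record the verdict alongside it."""
    page = renderer(request_target)
    return page, reflects_as_markup(page)


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_search_vulnerable), ("fixed", render_search_fixed)):
        page, vulnerable = validate_finding(fn)
        print(f"{name:10s} vulnerable={vulnerable} -> {page}")
```

Output encoding is the fix for the reflected case; the slide's cause list (headers, cookies, hidden fields) is why encoding must be applied at every output point, not only to visible form fields.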

•  SwitchProxy
•  NoScript
•  Firebug
•  Hackbar
•  SQL Inject ME
•  XSS ME
•  User Agent Switcher
•  Web Developer Toolbar

•  DirBuster
•  JBroFuzz
•  SwfScan

•  Web Hackers Handbook
•  OWASP:
   –  Numerous free projects, programs, and educational resources
   –  OWASP Podcast
   –  http://www.owasp.org
•  Practice web applications:
   –  OWASP Broken Web Applications Project
   –  Collection of practice web applications in a single virtual machine
   –  http://code.google.com/p/owaspbwa/

Thank you for your time!

Matthew Neely [email protected] @matthewneely

Q & A

•  Injection Flaws
   –  SQL Injection is the most common injection flaw
   –  Occurs when user-supplied data is sent to an interpreter as part of a command or query
   –  Attacker tricks the interpreter into executing unintended commands via specially crafted input
•  Cause
   –  User input is not properly sanitized
•  Possible Outcomes
   –  Create, Read, Update, and/or Delete Data
   –  Command Execution
   –  Full Host Compromise
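The mechanism in the first bullet, as an added example not taken from the slides: a lookup that builds its SQL by concatenating user input, beside the same lookup with a bound parameter, run against an in-memory SQLite table. The `users` table, its rows, and the crafted input are constructed; the point is that the interpreter cannot tell data from syntax in the first version and never has to in the second.

```python
"""SQL injection in miniature: a string-built query beside the parameterized
form, against an in-memory SQLite database. Added example; the table, rows and
inputs are constructed and are not part of the original slides."""
import sqlite3


def make_db():
    """Constructed sample data: three accounts, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """User-supplied data is pasted into the statement text, so any quote or
    SQL keyword in the input becomes part of the command the interpreter runs."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_fixed(conn, username):
    """Bound parameter: the value travels separately from the query text and is
    always treated as a string literal, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal value and with a crafted one."""
    conn = make_db()
    normal = "bob"
    # Constructed input: a quote closes the literal and a tautology follows,
    # which is the "specially crafted input" the slide refers to.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_normal": find_user_vulnerable(conn, normal),
        "vulnerable_crafted": find_user_vulnerable(conn, crafted),
        "fixed_normal": find_user_fixed(conn, normal),
        "fixed_crafted": find_user_fixed(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

The vulnerable lookup returns every row, admin account included, for the crafted input; the parameterized one returns nothing, because no user is literally named `x' OR '1'='1`. Parameterization, not quote-stripping, is what "properly sanitized" should mean for the SQL case.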
