Copyright © 2004 - The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License.
The OWASP Foundation
OWASP
http://www.owasp.org
How to Break Web Application Security
Erwin Geirnaert
Director European Operations
Security Innovation
+32478289466
OWASP 2
Agenda
• Security Test Checklist
• Threat Modeling
• Tools
• Some examples
Security Test Checklist
• You need an EXPERIENCED TESTER
• Create a threat model and a test plan
• Web application testing <> penetration testing (they are not the same thing)
• Do not rely ONLY on automated web application security scanners
• Source code of the web application HELPS
• Have a Security Tester Toolbox
• Log everything
Threat modeling
“You cannot test a system until you understand the threats”
Threat modeling is the design activity to discover the threats that your application is susceptible to.
Threat modeling yields both threats and vulnerabilities and provides ways to perform security testing in order to prioritize the security fixes needed.
Threat modeling - Definitions
Threats are possible attacks. Vulnerabilities are security-related software errors:
• A threat is what an attacker might try to do to an asset or through an entry point
• A vulnerability is a specific security exploit due to an unmitigated threat path
Threat modeling - STRIDE
Threats can be classified using the STRIDE classification:
• Spoofing – lying about identity
• Tampering – destroying data
• Repudiation – cleaning the steps of an attack / denying a transaction
• Information Disclosure – stealing valuable private data
• Denial of Service – stopping an application from providing its basic functionality
• Escalation of Privileges – executing code with stolen high privileges
Whenever discovering threats, the analyst will always think about the STRIDE elements.
Threat modeling – Example of threats
Some threats for a Web Video Recording System:
• Attacker tampers with central video storage
• Attacker sends malicious input to overrun the video recording client
• Attacker deletes temporary recordings
• Attacker remotely executes code in Video web service box
Threat modeling - DREAD
DREAD:
• Damage potential – what is the extent of the damage if this vulnerability were to be exploited
• Reproducibility – how well can the finder reproduce the issue
• Exploitability – difficulty of taking advantage of the flaw for malicious purposes
• Affected users – how many or what type of users are affected by the flaw
• Discoverability – how fast can it be publicly discovered
DREAD is used to analyze the risk of discovered vulnerabilities.
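A worked DREAD prioritization of the four example threats from the video system slide, added here as an illustration and not part of the original slides. The 1-10 scale per factor, the High/Medium/Low thresholds and the individual scores are assumptions made for this example; the deck only names the five factors.

```python
from dataclasses import dataclass

# STRIDE categories as named on the slides.
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Escalation of Privileges")


@dataclass(frozen=True)
class Threat:
    name: str
    category: str  # one of STRIDE
    # DREAD factors rated 1 (lowest risk) to 10 (highest); the scale is an assumption.
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject mis-classified threats and out-of-range ratings early.
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        for f in self.factors():
            if not 1 <= f <= 10:
                raise ValueError(f"DREAD factor out of range 1..10: {f}")

    def factors(self) -> tuple[int, ...]:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)


def dread_score(t: Threat) -> float:
    """DREAD risk = mean of the five factors (the usual way DREAD is totalled)."""
    return sum(t.factors()) / 5


def risk_level(score: float) -> str:
    """Bucket thresholds are an assumption chosen for this example."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"


def prioritize(threats: list[Threat]) -> list[tuple[str, float, str]]:
    """Order threats so the fixes with the highest DREAD risk come first."""
    ranked = sorted(threats, key=dread_score, reverse=True)
    return [(t.name, dread_score(t), risk_level(dread_score(t))) for t in ranked]


# The four threats from the slide, with constructed (assumed) DREAD ratings.
VIDEO_SYSTEM_THREATS = [
    Threat("Attacker tampers with central video storage", "Tampering", 8, 7, 5, 9, 4),
    Threat("Attacker sends malicious input to overrun the video recording client", "Escalation of Privileges", 9, 8, 6, 6, 5),
    Threat("Attacker deletes temporary recordings", "Denial of Service", 4, 9, 7, 3, 6),
    Threat("Attacker remotely executes code in Video web service box", "Escalation of Privileges", 10, 7, 6, 10, 6),
]
```

Calling `prioritize(VIDEO_SYSTEM_THREATS)` puts the remote code execution threat first (7.8, High) and the deletion of temporary recordings last (5.8, Medium), which is the fix order the threat model feeds into the test plan.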
Attack vectors for web applications
• Parameter Tampering
• Cookie Tampering
• Cross-site Scripting
• SQL Injection
• Script Injection
• Command Injection
• Encoding Attacks
• Buffer Overflows
• Format-string attacks
• Harvesting User IDs
• Brute-forcing Accounts
• Path Truncation Attacks
• Hidden Path Discovery
• Application Directory and File Mapping
• Forceful Browsing
• Source Code Disclosure
• Web server vulnerability exploitation
Security Tester Toolbox
• Tools are just a way of manipulating web applications
• They are no silver bullet: an automated scan can produce a lot of false positives
• They can be really expensive
• They can be useful
• You need to learn how to use them and what their limitations are
• Internet Explorer can do the job, and for free :-)
Tools in the past
4 years ago, a limited list of free tools:
• Achilles: local proxy
• @Stake WebProxy: local proxy & fuzzer, in Java :-)
• WebSleuth: plugin for IE, raw requests
• Whisker: vulnerability scanner
• Nikto: vulnerability scanner
• Nessus: didn’t include web vulnerabilities yet
But they did the job, only it required more time...
Commercial Fault Injection Test Tools
1. SPI Dynamics WebInspect
2. Sanctum now Watchfire AppScan
3. Kavado Scando
4. AppSecInc AppDetective for Web Apps
5. Cenzic Hailstorm
6. Security Innovation Holodeck
7. NT Objectives NTOSpider
8. Acunetix Web Vulnerability Scanner 2
9. Compuware DevPartner Fault Simulator
10. Fortify Pen Testing Team Tool
11. @stake Web Proxy 2.0
12. Burp Intruder
13. Sandsprite Web Sleuth
14. MaxPatrol 7
15. Syhunt Sandcat Scanner & Miner
16. TrustSecurityConsulting HTTPExplorer
17. Ecyware BlueGreen Inspector
18. NGS Typhon
19. Parasoft WebKing (more QA-type tool)
Open Source or Freeware Fault Injection Test Tools
1. WebScarab (HTTPush, Exodus)
2. Paros Proxy
3. Burp Spider
4. Burp Proxy
5. SPIKE Proxy
6. SPIKE
7. Achilles Proxy
8. Odysseus Proxy
9. Webstretch Proxy
10. Absinthe 1.1 (formerly SQLSqueal)
11. NGS SQL Injection Inference Tool (BH Europe 2005)
12. Internet Explorer HTMLBar Plugin
13. Firefox LiveHTTPHeaders and Developer Tools
14. Sensepost Wikto (Google cached fault-finding)
15. Foundstone Sitedigger (Google cached fault-finding)
OWASP - WebScarab
• Java based: download stand-alone JAR and runtime
• HTTP Proxy
• Client certificates
• Session analysis
• Raw request
• Spider
• Custom plugins: BeanShell
OWASP – WebScarab - Interceptor
OWASP – WebScarab – Raw Request
OWASP – WebScarab - Spider
OWASP – WebScarab – SessionID Analysis
OWASP – WebScarab – SessionID Analysis
OWASP – WebScarab – Transcoder
Some examples
• Parameter tampering
• Cross-site scripting
• Hidden fields
• SQL Injection
• Error messages
• Google :-)
That’s it…
Any questions?
Thank you!