owasp plan - strawman… · ppt file · web view · 2011-12-11
TRANSCRIPT
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP Dublin 2010
http://www.owasp.org
OWASP Live CD: An open environment for web application security.
Eoin Keary & Rahim Jina
[email protected]@owasp.org
Presentation Overview
Who are we?
What's the OWASP Live CD about?
Tools, plugins, examples
How can I get involved?
About us (Rahim & Eoin)
Our varied IT backgrounds: software development, pen testing, application security design & review, code review, CISSP, CISA, Certified ASS
Contributors to many OWASP projects
Member of OWASP Global Board
Member of Ireland chapter
Project History and Goals
Started as a Summer of Code 2008 project
GOAL: Make application security tools and documentation easily available and easy to use
Complements OWASP's goal to make application security visible
Design goals:
Easy for users to keep updated
Easy for project lead to keep updated
Easy to produce releases (maybe quarterly)
Focused on just application security – not general pen testing
General goals going forward
Showcase great OWASP projects
Provide the best, freely distributable application security tools/documents in an easy-to-use package
Ensure that the tools provided are as easy to use as possible
Continue to document how to use the tools and how the modules were created
Align the tools with the OWASP Testing Guide v3 to provide maximum coverage
Available Tools
Significant tools (examples):
OWASP WebScarab v20090122
OWASP WebGoat v5.2
OWASP CAL9000 v2.0
OWASP JBroFuzz v1.2
OWASP DirBuster v0.12
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
OWASP Wapiti v2.0.0-beta
Paros Proxy v3.2.13
nmap & Zenmap v4.76
Wireshark v1.0.5
tcpdump v4.0.0
Firefox 3.06 + 25 addons
Burp Suite v1.2
Grendel Scan v1.0
Metasploit v3.2 (svn)
w3af + GUI svn 1.0-rc1
Netcats – original + GNU
Nikto v2.03
Fierce Domain Scanner v1.0.3
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
Spike Proxy v1.4.8-4
Rat Proxy v1.53-beta
W3af
The framework should work on all platforms supported by Python; in particular, w3af has been tested on Linux, Windows XP, Windows Vista and OpenBSD.
Phases supported:
Discovery: Discovery plugins have only one responsibility: finding new URLs, forms, and other "injection points".
Audit: Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities.
Exploit/Attack: Used to exploit vulnerabilities found by audit plugins.
W3af: Web Application Attack Audit Framework
audit: xsrf htaccessMethods sqli sslCertificate fileUpload mxInjection generic localFileInclude unSSL xpath osCommanding remoteFileInclude dav ssi eval buffOverflow xss xst blindSqli formatString preg_replace globalRedirect LDAPi phishingVector frontpage responseSplitting
grep: dotNetEventValidation pathDisclosure codeDisclosure blankBody metaTags motw privateIP directoryIndexing svnUsers ssn fileUpload strangeHTTPCode hashFind getMails httpAuthDetect wsdlGreper newline passwordProfiling domXss ajax findComments httpInBody strangeHeaders lang errorPages collectCookies strangeParameters error500 objects creditCards oracle feeds
exploit: sqlmap osCommandingShell xssBeef localFileReader rfiProxy remoteFileIncludeShell davShell eval fileUploadShell sql_webshell
Also (plugin types): audit, discovery, output, mangle, bruteforce, evasion
W3af: integration
Virtual daemon: allows you to use Metasploit payloads
Fast exploit: tools within w3af can be used to perform the exploit, for example SQLMap
Command shell: à la Metasploit integration
Fuzzing – What is it?
Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. – Wikipedia
Vectors
>"><script>alert("XSS")</script>&
"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;
alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert("XSS<WBR>")>
<IMGSRC=java&<WBR>#115;crip&<WBR>#116;:a
le&<WBR>#114;t('XS<WBR>;S')>
<IMGSRC=ja&<WBR>#0000118as&<WBR>#0000099ri&<WBR>#0000112t:
<WBR>#0000097le&<WBR>#0000114t(&<WBR>#0000039XS&<WBR>#0000083')>
<IMGSRC=javas&<WBR>#x63ript:&<WBR>#x61lert(
<IMG SRC="jav	ascript:alert(<WBR>'XSS');">
<IMG SRC="jav
ascript:alert(<WBR>'XSS');">
Example XSS Fuzz Vectors
Documentation available
OWASP documents
Testing Guide v2 & v3
CLASP
Top 10 for 2007 (2010 to be included)
Top 10 for Java Enterprise Edition
AppSec FAQ
Books: CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and WebScarab, Guide 2.0, Code Review
Others: WASC Threat Classification, OSSTMM 3.0 & 2.2
Support Modules
OWASP Branding Module
Subversion client
JRE 6 update 6
Python 2.5.2
Ruby 1.8.1
Graphviz
tidy
GnuTLS
wget, host, dig, openssl, grep, whois
Builder vs Breaker
Builder is where the ROI is
But ... breaking is really fun.
Builder tools coming in future releases. (Thanks Top Gear!)
Crawling Code
Risk Based Approach
HTTP REQUEST STRINGS
Requests from external sources are obviously a key area of a security code review.
We need to ensure that all HTTP requests received are validated for composition, maximum and minimum length, and whether the data falls within the parameter white-list.
Bottom line: this is a key area to look at and to ensure security is enabled.
request.accepttypes, request.browser, request.files, request.headers, request.httpmethod, request.item, request.querystring, request.form, request.cookies
request.certificate, request.rawurl, request.servervariables, request.url, request.urlreferrer, request.useragent, request.userlanguages, request.IsSecureConnection, request.TotalBytes, request.BinaryRead
HTML OUTPUT
Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.
response.write, <%=, HttpUtility.HtmlEncode
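Tying the Vectors slide to this code review slide, as an added example that is not from the original deck or from any OWASP tool: a small Python harness that runs a constructed subset of the slide's XSS fuzz vectors through a white-list request validator and an HTML output encoder, and returns any vector that gets through either check. The username pattern, the length bounds and the deliberately partial "naive" encoder are assumptions made for illustration.

```python
import html
import re

# Constructed subset of the XSS fuzz vectors shown on the "Vectors" slide.
XSS_VECTORS = [
    '>"><script>alert("XSS")</script>&',
    '"><STYLE>@import"javascript:alert(\'XSS\')";</STYLE>',
    "'';!--\"<XSS>=&{()}",
    '<IMG SRC="javascript:alert(\'XSS\');">',
    '<IMG SRC=JaVaScRiPt:alert("XSS<WBR>")>',
    '<IMG SRC="jav\tascript:alert(\'XSS\');">',
]

# Request side: positive validation of one parameter for composition and
# min/max length against a white-list pattern (assumed: a username field).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")

def validate_param(value, min_len=1, max_len=32, pattern=USERNAME_RE):
    """True only if value is a str within the length bounds that matches the white-list."""
    if not isinstance(value, str) or not (min_len <= len(value) <= max_len):
        return False
    return pattern.fullmatch(value) is not None

# Response side: output encoding for an HTML body/attribute context, the role
# HttpUtility.HtmlEncode plays in the ASP.NET search strings on the slide.
def html_encode(value):
    return html.escape(value, quote=True)  # escapes & < > " '

def naive_encode(value):
    """Partial encoder that only handles angle brackets; shows what the fuzz run catches."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

MARKUP_CHARS = set('<>"\'')

def fuzz_encoder(encoder=html_encode, vectors=XSS_VECTORS):
    """Return the vectors whose encoded form still contains raw markup characters."""
    return [v for v in vectors if MARKUP_CHARS & set(encoder(v))]

def fuzz_validator(vectors=XSS_VECTORS):
    """Return the vectors the request white-list wrongly accepts."""
    return [v for v in vectors if validate_param(v)]

if __name__ == "__main__":
    print("html_encode leaks:", fuzz_encoder())
    print("naive_encode leaks:", len(fuzz_encoder(naive_encode)))
    print("validator accepts:", fuzz_validator())
```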
• Data/input validation of data from all untrusted sources
• Authentication
• Session management
• Authorization
• Cryptography (data at rest and in transit)
• Error handling / information leakage
• Logging / auditing
• Secure code environment
A little bit of code review
Attack Surface
Scope
Business
Context
Browser input, cookies, property files, external processes, data feeds, service responses, flat files, command line parameters, environment variables
Scope-Context-Surface
Tools Available:
• RATS (C/C++)
• Code Crawler (.Net/Java)
• LAPSE (Java)
• CAT.NET (.NET, VS plugin)
Free Tools
• AppScan DE (formerly Ounce)
• Fortify 360
• Klocwork
• ..... Many more
Commercial Tools
OWASP Education Project
Natural ties between these projects
Already being used for training classes
Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP Live CD
Training environment could be customized for a particular class thanks to the individual modules
Student gets to take the environment home
As more modules come online, even more potential for cross-pollination
Builder tools/docs only expand its reach
Kiosk mode?
How can you get involved?
Join the mail list – announcements are there, low traffic
Download an ISO or VM
Complain or praise
Suggest improvements
Submit a bug to the Google Code site
Create a .deb package of a tool – how I create the debs will be documented, command by command, and I'll answer questions gladly
Suggest missing docs or links
Do a screencast of one of the tools being used on the OWASP Live CD
What else is out there?
LabRat v2.1 (previous OWASP Live CD) – 404 for ISO link
Samurai WTF (Web Testing Framework) – slightly fewer tools overall
Unique to Samurai: WebShag & MoinMoin Wiki
Ubuntu-based live CD, looks really nice
No .deb packages for most of the tools
Currently a development release
http://samurai.intelguardians.com/
Login info is samurai / samurai
BackTrack – has some web app tools
Learn More
OWASP site: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
or just look on the OWASP project page (release quality): http://www.owasp.org/index.php/Category:OWASP_Project
or Google "OWASP Live CD"
Download & community site: http://AppSecLive.org