
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

The OWASP Foundation

OWASP Dublin 2010

http://www.owasp.org

OWASP Live CD: An open environment for web application security.

Eoin Keary & Rahim Jina

[email protected], [email protected]


Presentation Overview

Who are we?
What's the OWASP Live CD about?
Tools, Plugins, Examples
How can I get involved?


About us (Rahim & Eoin)

Our varied IT backgrounds: Software Development, Pen Testing, Application Security design & review, Code review, CISSP, CISA, Certified ASS
Contributors to many OWASP projects
Member of OWASP Global Board
Member of Ireland chapter


Project History and Goals

Started as a Summer of Code 2008 project
GOAL: Make application security tools and documentation easily available and easy to use
Complements OWASP's goal to make application security visible
Design goals:
Easy for users to keep updated
Easy for project lead to keep updated
Easy to produce releases (maybe quarterly)
Focused on just application security – not general pen testing


Just to be clear...

!=


General goals going forward
Showcase great OWASP projects
Provide the best, freely distributable application security tools/documents in an easy to use package
Ensure that the tools provided are as easy to use as possible
Continue to document how to use the tools and how the modules were created
Align the tools with the OWASP Testing Guide v3 to provide maximum coverage


Navigation

Mount a USB key for saving your work. This is automatic.


EY CU – Our target site!


You could also use...


Tools


Available Tools

Significant tools (examples):

OWASP WebScarab v20090122
OWASP WebGoat v5.2
OWASP CAL9000 v2.0
OWASP JBroFuzz v1.2
OWASP DirBuster v0.12
OWASP SQLiX v1.0
OWASP WSFuzzer v1.9.4
OWASP Wapiti v2.0.0-beta
Paros Proxy v3.2.13
nmap & Zenmap v4.76
Wireshark v1.0.5
tcpdump v4.0.0
Firefox 3.06 + 25 addons
Burp Suite v1.2
Grendel Scan v1.0
Metasploit v3.2 (svn)
w3af + GUI svn 1.0-rc1
Netcats – original + GNU
Nikto v2.03
Fierce Domain Scanner v1.0.3
Maltego CE v2-210
Httprint v301
SQLBrute v1.0
Spike Proxy v1.4.8-4
Rat Proxy v1.53-beta


Foxy Proxy


FireBug: Runtime under the hood.


Special features...

Firefox Add-ons: there are a few


More on Tools

Scanners Menu:

Recon Menu:


SQLMap & SQLix


W3af: Web Application Attack Audit Framework


W3af

The framework should work on all platforms supported by Python, particularly, w3af has been tested on Linux, Windows XP, Windows Vista and OpenBSD.

Phases supported:

Discovery: Discovery plugins have only one responsibility, finding new URLs, forms, and other "injection points".

Audit: Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities.

Exploit/Attack: Used to exploit vulnerabilities found by audit plugins.


W3af: Web Application Attack Audit Framework

audit: xsrf, htaccessMethods, sqli, sslCertificate, fileUpload, mxInjection, generic, localFileInclude, unSSL, xpath, osCommanding, remoteFileInclude, dav, ssi, eval, buffOverflow, xss, xst, blindSqli, formatString, preg_replace, globalRedirect, LDAPi, phishingVector, frontpage, responseSplitting

grep: dotNetEventValidation, pathDisclosure, codeDisclosure, blankBody, metaTags, motw, privateIP, directoryIndexing, svnUsers, ssn, fileUpload, strangeHTTPCode, hashFind, getMails, httpAuthDetect, wsdlGreper, newline, passwordProfiling, domXss, ajax, findComments, httpInBody, strangeHeaders, lang, errorPages, collectCookies, strangeParameters, error500, objects, creditCards, oracle, feeds

exploit: sqlmap, osCommandingShell, xssBeef, localFileReader, rfiProxy, remoteFileIncludeShell, davShell, eval, fileUploadShell, sql_webshell

Also: plugin categories audit, discovery, output, mangle, bruteforce, evasion


W3af: integration

Virtual daemon: allows you to use Metasploit payloads.

Fast Exploit: tools within w3af can be used to perform the exploit, for example SQLMap.

Command Shell: a la Metasploit integration.


More on Tools

Proxies Menu:

Metasploit Menu:


Fuzzing – What is?

Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. - wikipedia


Vectors

Example XSS Fuzz Vectors:

>"><script>alert("XSS")</script>&
"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>
'%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e'
'';!--"<XSS>=&{()}
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert(&quot;XSS&quot;)>
<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41>
<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
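As an added example (not from the slides), the Python 3 script below takes a handful of the vectors listed above, constructed into a list, and runs them past a naive substring blacklist and then through proper output encoding: the blacklist is the kind of filter these fuzz vectors are built to walk past, while context-aware encoding leaves every one of them inert. `naive_filter_passes`, `render_safely`, `is_inert` and `bypasses` are names chosen here.

```python
import html
from urllib.parse import unquote

# Subset of the XSS fuzz vectors from the slide above (constructed list).
VECTORS = [
    '>"><script>alert("XSS")</script>&',
    '"><STYLE>@import"javascript:alert(\'XSS\')";</STYLE>',
    '>%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22>',
    '<IMG SRC="javascript:alert(\'XSS\');">',
    "<IMG SRC=JaVaScRiPt:alert('XSS')>",
    '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
]


def naive_filter_passes(value: str) -> bool:
    """A case-sensitive substring blacklist on the raw input: the kind of
    check that vectors with odd casing or embedded entities walk past."""
    return "<script>" not in value and "javascript:" not in value


def render_safely(value: str) -> str:
    """Decode the parameter as the server would, then encode it for an
    HTML body context so no character can open a tag or attribute."""
    return html.escape(unquote(value), quote=True)


def is_inert(rendered: str) -> bool:
    """After encoding, none of the characters that open markup may remain."""
    return not any(c in rendered for c in '<>"\'')


def bypasses() -> list:
    """Vectors the blacklist lets through unchanged."""
    return [v for v in VECTORS if naive_filter_passes(v)]


def all_neutralised() -> bool:
    """Output encoding must make every vector inert, bypass or not."""
    return all(is_inert(render_safely(v)) for v in VECTORS)


if __name__ == "__main__":
    for v in VECTORS:
        print(f"blacklist passes: {naive_filter_passes(v)!s:5}  "
              f"inert after encoding: {is_inert(render_safely(v))}  {v}")
    print("blacklist bypasses:", len(bypasses()),
          " encoding neutralises all:", all_neutralised())
```

The two vectors that slip the blacklist are the mixed-case `JaVaScRiPt:` and the tab-entity `jav&#x09;ascript:` forms, which is exactly the gap a fuzzer with these vectors finds.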


Fuzzing with Webscarab


BURP Proxy


Jbrofuzz


Documentation available

OWASP Documents: Testing Guide v2 & v3, CLASP, Top 10 for 2007 (2010 to be included), Top 10 for Java Enterprise Edition, AppSec FAQ

Books: CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and WebScarab, Guide 2.0, Code Review

Others: WASC Threat Classification, OSSTMM 3.0 & 2.2


Support Modules

OWASP Branding Module
Subversion client
JRE 6 update 6
Python 2.5.2
Ruby 1.8.1
Graphviz, tidy
GnuTLS
wget, host, dig, openssl, grep, whois


Builder vs Breaker

Builder is where the ROI is

But... breaking is really fun.

Builder tools coming in future releases. (Thanks Top Gear!)


A little bit of code review…


A little bit of code review

Code review Metrics


A little bit on code review

Transactional Analysis


Crawling Code

Risk Based Approach

HTTP REQUEST STRINGS

Requests from external sources are obviously a key area of a security code review.

We need to ensure that all HTTP requests received are validated for composition, maximum and minimum length, and that the data falls within the parameter white-list.

Bottom line: this is a key area to look at and ensure security is enabled.

Strings to search for: request.accepttypes, request.browser, request.files, request.headers, request.httpmethod, request.item, request.querystring, request.form, request.cookies, request.certificate, request.rawurl, request.servervariables, request.url, request.urlreferrer, request.useragent, request.userlanguages, request.IsSecureConnection, request.TotalBytes, request.BinaryRead

HTML OUTPUT

Here we are looking for responses to the client. Responses which go unvalidated, or which echo external input without data validation, are key areas to examine. Many client side attacks result from poor response validation; XSS relies on this somewhat.

Strings to search for: response.write, <%=, HttpUtility.HtmlEncode
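The request and response strings above are exactly what a code crawler greps for. As an added example (not from the slides and not the Code Crawler tool), the Python 3 script below scans a constructed ASP.NET-style snippet for the listed `request.*` input sources and for `Response.Write` / `<%=` output sinks, and flags any sink line that carries no `HtmlEncode(` call. It is a line-level triage aid rather than taint analysis; `crawl` and `unencoded_outputs` are names chosen here.

```python
import re

# Input sources to grep for, as listed on the slide (matched case-insensitively).
REQUEST_SOURCES = [
    "request.accepttypes", "request.browser", "request.files", "request.headers",
    "request.httpmethod", "request.item", "request.querystring", "request.form",
    "request.cookies", "request.certificate", "request.rawurl",
    "request.servervariables", "request.url", "request.urlreferrer",
    "request.useragent", "request.userlanguages", "request.issecureconnection",
    "request.totalbytes", "request.binaryread",
]
SOURCE_RE = re.compile(r"\b(?:" + "|".join(map(re.escape, REQUEST_SOURCES)) + r")\b",
                       re.IGNORECASE)
# Output sinks: Response.Write(...) and inline <%= ... %> expressions.
SINK_RE = re.compile(r"response\.write\s*\(|<%\s*=", re.IGNORECASE)
# The encoder the slide names; its presence on the sink line downgrades the finding.
ENCODER_RE = re.compile(r"\bHtmlEncode\s*\(", re.IGNORECASE)

# Constructed ASP.NET-style sample, not real project code.
SAMPLE = """\
string name = Request.QueryString["name"];
string ua = Request.UserAgent;
Response.Write("<p>Hello " + name + "</p>");
<%= HttpUtility.HtmlEncode(Request.Form["comment"]) %>
Response.Write(HttpUtility.HtmlEncode(ua));
"""


def crawl(source: str):
    """Return (line_no, kind, text) findings for every source and sink hit."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for m in SOURCE_RE.finditer(line):
            findings.append((line_no, "input", m.group(0)))
        if SINK_RE.search(line):
            kind = "output-encoded" if ENCODER_RE.search(line) else "output-unencoded"
            findings.append((line_no, kind, line.strip()))
    return findings


def unencoded_outputs(source: str):
    """Line numbers that write to the response with no HtmlEncode on the line."""
    return [n for n, kind, _ in crawl(source) if kind == "output-unencoded"]


if __name__ == "__main__":
    for line_no, kind, text in crawl(SAMPLE):
        print(f"{line_no:>3}  {kind:<17} {text}")
```

Line 3 of the sample is the one a reviewer should open first: it echoes a request parameter through `Response.Write` with no encoding, the pattern the slide says XSS relies on.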


• Data/Input Validation of data from all untrusted sources.
• Authentication
• Session Management
• Authorization
• Cryptography (Data at rest and in transit)
• Error Handling / Information Leakage
• Logging / Auditing
• Secure Code Environment

A little bit of code review

Attack Surface: Scope, Business Context, Surface (Scope-Context-Surface)

Input sources: Browser input, Cookies, Property files, External processes, Data feeds, Service responses, Flat files, Command line parameters, Environment variables


A little bit of code review

Defining Risk


Tools Available:

Free Tools:
• RATS (C/C++)
• Code Crawler (.Net/Java)
• LAPSE (Java)
• CAT.NET (.NET, VS Plugin)

Commercial Tools:
• AppScan DE (formerly Ounce)
• Fortify 360
• Klocwork
• ... many more


Website Update


OWASP Education Project

Natural ties between these projects
Already being used for training classes
Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP Live CD
Training environment could be customized for a particular class thanks to the individual modules
Student gets to take the environment home
As more modules come online, even more potential for cross pollination
Builder tools/docs only expand its reach
Kiosk mode?


How can you get involved?

Join the mail list: announcements are there – low traffic
Download an ISO or VM
Complain or praise
Suggest improvements
Submit a bug to the Google Code site
Create a deb package of a tool: how I create the debs will be documented, command by command, and I'll answer questions gladly
Suggest missing docs or links
Do a screencast of one of the tools being used on the OWASP Live CD


What else is out there?

LabRat v2.1 (Previous OWASP Live CD): 404 for ISO link

Samurai WTF (Web Testing Framework):
Slightly fewer tools overall
Unique to Samurai: WebShag & MoinMoin Wiki
Ubuntu based live CD, looks really nice
No .deb packages for most of the tools
Currently a development release
http://samurai.intelguardians.com/
Login info is samurai / samurai

Backtrack – has some web app tools


Learn More

OWASP Site: http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
or just look on the OWASP project page (release quality): http://www.owasp.org/index.php/Category:OWASP_Project
or Google "OWASP Live CD"

Download & Community Site: http://AppSecLive.org


Questions?