Strategic Security, Inc. © Application Security is Easy Right?
TRANSCRIPT
Strategic Security, Inc. © http://www.strategicsec.com/
Application Security is Easy Right?
Trying to learn App Sec
• I came up the old fashioned way:
  • Help Desk
  • PC Tech
  • Systems Administrator
  • Network Administrator
• Moved into IT Security
  • Intrusion Analyst
  • Penetration Tester
• The way nature intended….
Pentesting Started Moving Away From The Network
• Pentesting started shifting away from the network….
  • Network and Systems
  • Web App
  • Mobile App
  • Cloud
  • Mashups
  • Source Code
• Easy right?
• Houston….
I Felt Lost In The App Sec
I DON’T KNOW HOW TO PROGRAM
• A lot of computer scientists will be familiar with programming concepts such as:
  • Turing’s Primitives
  • Programming Logic
  • Data Structures and Algorithms
  • Object Oriented Programming
• If you are like me then none of this stuff makes any sense to you
• I don’t understand any of this stuff, and don’t plan on trying
• I’m a regular working stiff – so that means that I like:
  • Alcohol
  • Sports
  • Barbecuing
OWASP Confused Me More
• OWASP Testing Guide
  • https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
I Needed Something Simple I Could Do
• A process to follow
• A methodology to use
• It has to be simple
3 Simple Questions
1. Is it talking to a DB?
   • Is there parameter passing – if yes…
   • Insert a single quote: '
2. Can I or someone else see what I type?
   • Is there a forum, blog, guestbook, contact us page, feedback form, instant messenger/chat – if yes...
   • Insert <script>alert('xss')</script>
3. Does it reference a file?
   • Is it talking about a file on the local file system – if yes…
   • Insert ../../../../../../etc/passwd, ../../../../../../etc/passwd%00
   • ../../../../../../windows/win.ini, ../../../../../../windows/win.ini%00
Let’s drive
Everything I’m doing today can be found at:
• http://pastebin.com/ka5PvLp8
I use pastebin to allow you to follow me and just copy/paste the commands I type
So you can just open up Firefox and follow along
What About Tools
Once you have a methodology then you can start with simple Firefox addons:
• ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/
• Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/
• FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
• Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
• Firebug https://addons.mozilla.org/en-US/firefox/addon/firebug/
A good list of web app testing add-ons for Firefox:
• https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/
What About Free/Low Cost Tools
Once you are comfortable with the Firefox addons, then I think you can move on to the proxies:
• Burp Suite https://portswigger.net/burp/download.html
• Zap https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Fiddler http://www.telerik.com/fiddler
• Charles Proxy http://www.charlesproxy.com/
What About Commercial Tools
Once you are comfortable with the Firefox addons, then I think you can move on to the proxies:
• IBM AppScan http://www-03.ibm.com/software/products/en/appscan
• HP WebInspect http://www8.hp.com/us/en/software-solutions/webinspect-dynamic-analysis-dast/
• Acunetix https://www.acunetix.com/vulnerability-scanner/
Comparison of the scanners:
• http://sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
I built one (shameless plug)
Web Scanner Pro (YES IT IS FREE and cheap): http://strategicsec.com/products/webscannerpro/
You don’t need to be a Web App expert to use the product
You don’t need to be a programmer to understand the reports
You don’t need to be a compliance expert to demonstrate your due diligence
Contact Me....
Toll Free: 1-844-458-1008
Email: [email protected]
Twitter: http://twitter.com/j0emccray
LinkedIn: http://www.linkedin.com/in/joemccray