The bare minimum that you should know about web application security testing in 2016
•Descargar como PPTX, PDF•
3 recomendaciones•967 vistas
Recomendados
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Destacado
Destacado (14)
Similar a The bare minimum that you should know about web application security testing in 2016
Similar a The bare minimum that you should know about web application security testing in 2016 (20)
Último
Último (20)
The bare minimum that you should know about web application security testing in 2016
- 1. The bare minimum you should know about web application security testing in 2016 Ken De Souza KWSQA, April 2016 V. 1.0
- 10. This topic is HUGE Doing this from my experiences...
- 11. Common terminology Learn something about the threats Demos of tools Explain the risks to stake holders Where to go next
- 12. Small companies don’t have $$$ to spend on all the latest tools, like BurpSuite, etc. There are excellent tools. The tools don’t replace thinking.
- 13. "security, just like disaster recovery, is a lifestyle, not a checklist" This is not a black and white problem Source: https://news.ycombinator.com/item?id=11323849
- 16. This is a practical / experience talk. These are the tools I use on a daily(ish) basis when I'm testing software. Your mileage may vary.
- 17. The Tools STRIDE (identification) DREAD (classification) OWASP Top 10 (attack vectors) Wireshark / tcpdump (network analysis) OWASP ZAP (application analysis) MS Threat Modeling (communication)
- 18. STRIDE Spoofing Tampering Repudiation Information Disclosure DoS Elevation of Privilege Source:
- 19. Source:c https://www.owasp.org/index.php/Application_Threat_Modeling Type Security Control Spoofing Authentication Tampering Integrity Repudiation Non-Repudiation Information disclosure Confidentiality Denial of service Availability Elevation of privilege Authorization
- 20. DREAD Damage Reproducibility Exploitability Affected users Discoverability Source: https://msdn.microsoft.com/en-us/library/aa302419.aspx
- 21. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx Developer point of view…. DREAD Parameter Ratin g Rationale Damage Potential 5 An attacker could read and alter data in the product database. Reproducibility 10 Can reproduce every time. Exploitability 2 Easily exploitable by automated tools found on the Internet. Affected Users 1 Affects critical administrative users Discoverability 1 Affected page “admin.aspx” easily guessed by an attacker. Overall Rating 3.8
- 22. Source: https://msdn.microsoft.com/en-us/magazine/ee336031.aspx Tester point of view… DREAD Parameter Ratin g Rationale Damage Potential 10 An attacker could read and alter data in the product database. Reproducibility 10 Can reproduce every time. Exploitability 10 Easily exploitable by automated tools found on the Internet. Affected Users 10 Affects critical administrative users Discoverability 10 Affected page “admin.aspx” easily guessed by an attacker. Overall Rating 10
- 23. STRIDE / DREAD Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 24. OWASP Top 10 Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 25. OWASP TOP 10 A1: Injection http://example.com/app/accountVi ew?id=' A2: Broken Authentication and Session Management http://example.com/sale/saleitem s?sessionid=268544541&dest=Hawai i A3: Cross Site Scripting (XSS) <script>alert('test');</script> A4: Insecure Direct Object References http://example.com/app/accountIn fo?acct=notmyacct A5: Security Misconfiguration Default admin account enabled; directories shown on site; Stack traces shown to users; Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
- 26. OWASP TOP 10 A6: Sensitive Data Exposure SSL not being used Heartbleed Bad programming (Obamacare) A7: Missing Function Level Access Control Access areas where you shouldn’t be able to access A8: Cross-Site Request Forgery <img src="http://example.com/app/tran sferFunds?amount=1500&destinatio nAccount=attackersAcct#" width="0" height="0" /> A9: Using Components with known vulnerability Not patching your 3rd party sh*t A10: Unvalidated redirects and forwards http://www.example.com/redirect. jsp?url=evil.com Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
- 27. Vulnerability Tool A1: Injection SQLMap or ZAP A2: Broken Authentication and Session Management ZAP A3: Cross Site Scripting (XSS) ZAP A4: Insecure Direct Object References ZAP A5: Security Misconfiguration OpenVAS A6: Sensitive Data Exposure Your brain… A7: Missing Function Level Access Control OpenVAS A8: Cross-Site Request Forgery ZAP A9: Using Components with known vulnerability OpenVAS A10: Unvalidated redirects and forwards ZAP
- 28. Demos: Setup Virtualbox running “OWASP Broken Web Apps” This VM has LOTS of broken web applications that are designed to learn from.
- 29. What is Wireshark Network packet / protocol analysis tool Allows users to capture network traffic from any interface, like Ethernet, Wifi, Bluetooth, USB, etc
- 31. Why use Wireshark? It is a great tool to debug your environment Help to examine potential security problems
- 32. Wireshark: Look at red/yellow lines between systems Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 33. Wireshark Demo
- 34. TCPDump: Look at red/yellow lines between systems Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 35. Why use tcpdump? Use this when you can’t use Wireshark Great for servers
- 36. Example tcpdump -lnni eth0 -w dump -s 65535 host web01 and port 80
- 37. TCPDump Demo
- 38. What is OWASP ZAP? Find security vulnerabilities in your web applications Can be used both manually and in an automated manner
- 39. Why use ZAP? Can be used to find many of the top 10 exploits Can be quick integrated into you manual or automated workflow Can be used in active or passive mode
- 44. OWASP ZAP Demo
- 45. What is SQLMap? SQL injection tool Takes a lot of the exploits available and automates them
- 47. SQLMap Demo
- 48. Threat Modeling - What is it? A way to analyze and communicate security related problems This is a much larger topic than we have time for … but I’ll give you the basics
- 49. Threat Modeling - Why do this? To explain to management To explain to customers To explain to developers, architects, etc. With the tools I just showed you, you now have the basics to be able to build a model
- 50. Threat Modeling: Communicating it… Source: https://owasptop10.googlecode.com/files/OWASP%20Top%2010%20-%202013.pdf.
- 51. Threat Modeling Step 1: Enumerate – Product functionality – Technologies used – Processes – Listening ports – Process to port mappings – Users processes that running – 3rd party applications / installations
- 52. Threat Modeling Step 2: Data flow with boundaries Source: http://geekswithblogs.net/hroggero/archive/2014/12/18/microsoft-azure-and-threat- modeling-you-apps.aspx
- 53. MS Threat Risk Modeling Tool Demo
- 54. Threat Modeling
- 55. Threat Modeling Can be done at various stages of the SDLC Source: http://www.slideshare.net/starbuck3000/threat-modeling-web-application-a-case-study
- 56. Other really good tools nmap netstat nslookup ps browser dev tools
- 57. All these tools, help to answer the question Is your application secure?
- 58. Where to go next?
- 59. Full disclosure
- 60. Read!
- 63. Bug bounties
- 64. To conclude…
- 65. Be aware and prepare yourself for the worst. Coming up with a plan is important Understanding vectors is important
- 66. Thanks!
- 68. References • Preventing CSRF with the same-site cookie attribute: http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with- samesite-cookie-attribute/ • Security Ninjas: An Open Source Application Security Training Program: http://www.slideshare.net/OpenDNS/security- ninjas-opensource • Threat modeling web application: a case study: http://www.slideshare.net/starbuck3000/threat-modeling-web-application- a-case-study • Chapter 3 Threat Modeling: https://msdn.microsoft.com/en-us/library/aa302419.aspx • Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities: http://www.slideshare.net/anantshri/understanding-the-known-owasp-a9-using-components-with-known-vulnerabilities • Real World Application Threat Modelling By Example: http://www.slideshare.net/NCC_Group/real-world-application-threat- modelling-by-example • The BodgeIt Store Part 1: http://resources.infosecinstitute.com/the-bodgeit-store-part-1-2/
Notas del editor
- Show in the next slide that all it took was to inspect some JSON from a mobile app and he was able to take control. Controlling vehicle features of Nissan LEAFs across the globe via vulnerable APIs
- Show in the next slide that all it took was to inspect some JSON from a mobile app and he was able to take control.
- Short URLs Considered Harmful for Cloud Services Scan revealed over 270000 publicly accessible OneDrive documents A similar scan of 100,000,000 random 7-character bit.ly tokens yielded - URLs to 1,000,000 publicly accessible OneDrive documents. Much of which contained private information Around 7% of the OneDrive folders discovered in this fashion allow writing. This means that anyone who randomly scans bit.ly URLs will find thousands of unlocked OneDrive folders and can modify existing files in them or upload arbitrary content, potentially including malware. Microsoft’s virus scanning for OneDrive accounts is trivial to evade (for example, it fails to discover even the test EICAR virus if the attacker goes to the trouble of compressing it). Furthermore, OneDrive “synchronizes” account contents across the user’s OneDrive clients. Therefore, the injected malware will be automatically downloaded to all of the user’s machines and devices running OneDrive.
- Before September 2015, short goo.gl/maps URLs used 5-character tokens. Our sample random scan of these URLs yielded 23,965,718 live links, of which 10% were for maps with driving directions.
- Not talking about Secure coding Infrastructure SDLC I’m trying to keep this talk as some one who has been through a few ‘audits Customer initiated typically Note: we always passed because… Security is like disaster recovery, it’s a life style… not something you need to do when you need to do it.
- Show in the next slide that all it took was to inspect some JSON from a mobile app and he was able to take control.
- This isn’t just a talk
- Identification tool,
- Spoofing: illegally access and use another user's credentials, such as username and password. Tampering: maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet. Repudiation: illegal operations in a system that lacks the ability to trace the prohibited operations. Information disclosure: read a file that one was not granted access to, or to read data in transit. Denial of service: Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable. Elevation of privilege: Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
- https://msdn.microsoft.com/en-us/library/aa302419.aspx Classification tool
- https://msdn.microsoft.com/en-us/library/aa302419.aspx Classification tool
- https://msdn.microsoft.com/en-us/library/aa302419.aspx Classification tool
- Open Web Application Security Project
- Open Web Application Security Project
- The second example I gave, that goes into A4 The first example at the beginning of the talk fell directly into A2, A6 and A7. Could have been caught, if someone had thought about it. (the LEAF car) A2: Application’s timeouts aren’t set properly… someone closes a browser and the session isn’t invalided. A3: input isn’t sanitized, thus allowing execution of code.
- The first example at the beginning of the talk fell directly into A6 and A7. Could have been caught, if someone had thought about it. (the LEAF car) A8 - The application allows a user to submit a state changing request that does not include anything secret. For example: So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control: A9: Rather simple one: https://www.owasp.org/index.php/OWASP_Dependency_Check A10: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
- The first example at the beginning of the talk fell directly into A6 and A7. Could have been caught, if someone had thought about it. (the LEAF car) A8 - The application allows a user to submit a state changing request that does not include anything secret. For example: So, the attacker constructs a request that will transfer money from the victim’s account to the attacker’s account, and then embeds this attack in an image request or iframe stored on various sites under the attacker’s control: A9: Rather simple one: https://www.owasp.org/index.php/OWASP_Dependency_Check A10: The application has a page called “redirect.jsp” which takes a single parameter named “url”. The attacker crafts a malicious URL that redirects users to a malicious site that performs phishing and installs malware.
- Basically, if you’re doing an audit of your system, you can see all the information that coming/going from it, record it and search on it.
- Open Web Application Security Project
- Intro into wireshark QUESTION: who uses wiresshark? Dev tools on your browser? Provide my example: I am working a networking company… it important to find out what data is being transferred from various devices in the netwoek, so I’m looking at much than just 80 and 443 Every packet is captured Hit a web site The idea, you can see everything on the wire. If you’re https, you’ll need the key (and depending on your company, you might get it for testing purposes) No proxy required This is a great tool for not just the dev tools portion, but if you doing a threat analysis, you can also find out information about what is incoming/outgoing using this (and TCPDump) Search around in there using http, tcp, Explain what I use it for SHOW: How to capture packets Display filters Follow the stream/conversation Access to all the protocols
- Open Web Application Security Project
- Lots of stuff is still insecure. SNMP, 3rd Party tools. Getting right to the wire and finding out is sometimes the best way to tackle this. SHOW: - limit requests and captures -
- Active/Passive meaning?
- Active/Passive meaning?
- Open Web Application Security Project
- Active/Passive meaning?
- Open Web Application Security Project
- The ability to communicate the threat. This is one way to get buy in (where there might not be buy in)
- The ability to communicate the threat. Now that you have data to show there are vul'n... you need to be able to articulate that to a wider audience. Maybe management, maybe a customer. This tool will help you do that and provide guidance on how to fix issues. This is one way to get buy in (where there might not be buy in)
- Open Web Application Security Project
- Product functionality? - What does it do? Does a human interact with it? Is there a web interface? REST interface? Is it a SaaS? On prem? Will people upload/submit data to the system? Technologies used: Linux? Java? Postgres? Spring? Scala? Do you have your security patches applied? Processes? - What running on these boxes? Who’s running them? What ports do they have open? Can anyone access them?
- Using tools like OWASP ZAP, Wireshark, etc, you can build yourself a plan These tools can help you articulate the risk
- Get a plan together and get your manager to sign off on it.
- Get a plan together and get your manager to sign off on it.
- Talk about my example: Decided to pick a vector (A?? With imgur), since I saw some behavirou on my mobile device Proxed the traffic and looked it via wireshark, got the get command, change the id and was able to get into private areas Submitted to imgur
- Talk about my example: Decided to pick a vector (A?? With imgur), since I saw some behavirou on my mobile device Proxed the traffic and looked it via wireshark, got the get command, change the id and was able to get into private areas Submitted to imgur
- Get a plan together and get your manager to sign off on it.
- Get a plan together and get your manager to sign off on it.
- Some questions for you: In your environment, do you usually test for security related items? Is this part of your every day activities?