OWASP Live CD: An open environment for web application security. - PowerPoint PPT Presentation

slide1 n.
Skip this Video
Loading SlideShow in 5 Seconds..
OWASP Live CD: An open environment for web application security. PowerPoint Presentation
Download Presentation
OWASP Live CD: An open environment for web application security.

play fullscreen
1 / 43
OWASP Live CD: An open environment for web application security.
Download Presentation
Download Presentation

OWASP Live CD: An open environment for web application security.

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. OWASP Live CD:An open environment for web application security. Eoin Keary & Rahim Jina eoin.keary@owasp.org rahim.jna@owasp.org

  2. Presentation Overview Who are we? What's the OWASP Live CD about? Tools Plugins Examples How can I get involved?

  3. About us (Rahim & Eoin) Our Varied IT Backgrounds Software Development , Pen Testing, Application Security design & review, Code review, CISSP, CISA, Certified ASS, Contributors to many OWASP projects Member of OWASP Global Board Member of Ireland chapter.

  4. Project History and Goals Started as a Summer of Code 2008 project GOAL: Make application security tools and documentation easily available and easy to use Compliment's OWASP goal to make application security visible Design goals Easy for users to keep updated Easy for project lead to keep updated Easy to produce releases (maybe quarterly) Focused on just application security – not general pen testing

  5. Just to be clear... !=

  6. General goals going forward Showcase great OWASP projects Provide the best, freely distributable application security tools/documents in an easy to use package Ensure that the tools provided are easy to use as possible Continue to document how to use the tools and how the modules were created Align the tools with the OWASP Testing Guide v3 to provide maximum coverage

  7. Navigation • Mount a usb key for saving your work • This is automatic.

  8. EY CU – Our target site!

  9. You could also use……..

  10. Tools

  11. Available Tools Significant tools: Examples:

  12. Foxy Proxy

  13. FireBug: Runtime under the hood.

  14. Special features... Firefox Add-ons there are a few

  15. More on Tools Recon Menu: Scanners Menu:

  16. SQLMap & SQLix

  17. W3af: Web Application Attack Audit Framework

  18. W3af • The framework should work on all platforms supported by Python, particularly, w3af has been tested on Linux, Windows XP, Windows Vista and OpenBSD. • Phases supported: • Discovery: Discovery plugins have only one responsibility, finding new URLs, forms, and other “injection points”. • Audit: Audit plugins take the injection points found by discovery plugins and send specially crafted data to all of them in order to find vulnerabilities. • Exploit/Attack: Used to exploit vulnerabilities found by audit plugins.

  19. W3af: Web Application Attack Audit Framework auditxsrfhtaccessMethodssqlisslCertificatefileUploadmxInjection    genericlocalFileIncludeunSSLxpathosCommandingremoteFileIncludedavssievalbuffOverflowxssxstblindSqliformatStringpreg_replaceglobalRedirectLDAPiphishingVectorfrontpageresponseSplitting grepdotNetEventValidationpathDisclosurecodeDisclosureblankBodymetaTagsmotwprivateIPdirectoryIndexingsvnUsersssnfileUploadstrangeHTTPCodehashFindgetMailshttpAuthDetectwsdlGreper    newlinepasswordProfilingdomXssajaxfindCommentshttpInBodystrangeHeaderslangerrorPages ExploitsqlmaposCommandingShellxssBeeflocalFileReaderrfiProxyremoteFileIncludeShelldavShellevalfileUploadShellsql_webshell collectCookiesstrangeParameters    error500    objectscreditCards    oracle    feeds Also…………. audit, discovery,output ,mangle, bruteforce, evasion

  20. W3af: integration • Virtual daemon: • Virtual daemon, allows you to use metasploitpayloads • Fast Exploit: can use tools to within w3af to perfrom exploit, example SQLMap • Command Shell: Ala metasploit integration.

  21. More on Tools Proxies Menu: Metasploit Menu:

  22. Fuzzing – What is? • Fuzz testing or fuzzing is a software testing technique that provides invalid, unexpected, or random data to the inputs of a program. If the program fails (for example, by crashing or failing built-in code assertions), the defects can be noted. - wikipedia

  23. Vectors Example XSS Fuzz Vectors >"><script>alert("XSS")</script>& "><STYLE>@import"javascript:alert('XSS')";</STYLE> >"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a; alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)> >%22%27><img%20src%3d%22javascript:alert(%27%20XSS%27)%22> '%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e' '';!--"<XSS>=&{()} <IMG SRC="javascript:alert('XSS');"> <IMG SRC=javascript:alert('XSS')> <IMG SRC=JaVaScRiPt:alert('XSS')> <IMG SRC=JaVaScRiPt:alert(&quot;XSS<WBR>&quot;)> <IMGSRC=&#106;&#97;&#118;&#97;&<WBR>#115;&#99;&#114;&#105;&#112;&<WBR>#116;&#58;&#97; &#108;&#101;&<WBR>#114;&#116;&#40;&#39;&#88;&#83<WBR>;&#83;&#39;&#41> <IMGSRC=&#0000106&#0000097&<WBR>#0000118&#0000097&#0000115&<WBR>#0000099&#0000114&#0000105&<WBR>#0000112&#0000116&#0000058 <WBR>#0000097&#0000108&#0000101&<WBR>#0000114&#0000116&#0000040&<WBR>#0000039&#0000088&#0000083&<WBR>#0000083&#0000039&#0000041> <IMGSRC=&#x6A&#x61&#x76&#x61&#x73&<WBR>#x63&#x72&#x69&#x70&#x74&#x3A&<WBR>#x61&#x6C&#x65&#x72&#x74&#x28 <IMG SRC="jav&#x09;ascript:alert(<WBR>'XSS');"> <IMG SRC="jav&#x0A;ascript:alert(<WBR>'XSS');“>

  24. Fuzzing with Webscarab

  25. BURP Proxy

  26. Jbrofuzz

  27. Documentation available OWASP Documents Testing Guide v2 & v3 CLASP Top 10 for 2007 (2010 to be included) Top 10 for Java Enterprise Edition AppSec FAQ Books CLASP, Top 10 2007, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review Others WASC Threat Classification, OSTTMM 3.0 & 2.2

  28. Support Modules OWASP Branding Module Subversion client JRE 6 update 6 Python 2.5.2 Ruby 1.8.1 Graphviz tidy GnuTLS wget, host, dig, openssl, grep, whois

  29. Builder vs Breaker Builder is where the ROI is But …..breaking is really fun.Builder tools coming in future releases. (Thanks Top Gear!)

  30. A little bit of code review…

  31. A little bit of code review Code review Metrics

  32. A little bit on code review Transactional Analysis

  33. Crawling Code Risk Based Approach Http Request Strings Requests from external sources are obviously a key area of a security code review. We need to ensure that all HTTP requests received are data validated for composition, max and min length, and if the data falls with the realms of the parameter white-list. Bottom-line is this is a key area to look at and ensure security is enabled. request.accepttypes request.browser request.files request.headers request.httpmethod request.item request.querystring request.form request.cookies HTML Output Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat. response.write <% = HttpUtility HtmlEncode request.certificate request.rawurl request.servervariables request.url request.urlreferrer request.useragent request.userlanguages request.IsSecureConnection request.TotalBytes request.BinaryRead

  34. A little bit of code review Scope-Context-Surface • Data/Input Validation of data from all untrusted sources. • Authentication • Session Management • Authorization • Cryptography (Data at rest and in transit) • Error Handling /Information Leakage • Logging /Auditing • Secure Code Environment • Browser input • Cookies • Property files • External processes • Data feeds • Service responses • Flat files • Command line parameters • Environment variables

  35. A little bit of code review Defining Risk

  36. Tools Available:

  37. Website Update

  38. OWASP Education Project Natural ties between these projects Already being used for training classes Need to coordinate efforts to make sure critical pieces aren't missing from the OWASP Live CD Training environment could be customized for a particular class thanks to the individual modules Student gets to take the environment home As more modules come online, even more potential for cross pollination Builder tools/docs only expand its reach Kiosk mode?

  39. How can you get involved? Join the mail list Announcements are there – low traffic Download an ISO or VM Complain or praise Suggest improvements Submit a bug to the Google Code site Create deb package of a tool How I create the debs will be documented, command by command and I'll answer questions gladly Suggest missing docs or links Do a screencast of one of the tools being used on the OWASP Live CD

  40. What else is out there? LabRat v2.1 (Previous OWASP Live CD) 404 for ISO link Samurai WTF (Web Testing Framework) Slightly fewer tools overall Unique to Samurai: WebShag & MoinMoin Wiki Ubuntu based live CD, looks really nice No .deb packages for most of the tools Currently development release http://samurai.intelguardians.com/ Login info is samurai / samurai Backtrack – has some web app tools

  41. Learn More OWASP Site:http://www.owasp.org/index.php/Category:OWASP_Live_CD_Projector just look on the OWASP project page (release quality)http://www.owasp.org/index.php/Category:OWASP_Projector Google “OWASP Live CD” Download & Community Site:http://AppSecLive.org

  42. Questions?