John-Reynders-Web-Security-Testing
Web Vulnerability Assessments
NEWDUG
January, 2015
Agenda
• About
• Web Vulnerability Assessments
– Types
– SOW
– Steps
• Tools
• Demos
• Goals
– Demonstrate Web VA, show techniques Pen-testers and Hackers use to find vulnerabilities in your sites
– Provide some techniques and tools to help secure your code
John Reynders
• Consultant with OpenSky Corp.
• Seven years' experience in Web Security:
– Program Development
– Dynamic Testing
– Static Analysis
– Coding Standards
– Web Application Firewalls
• Eight years of general Information Security experience
OpenSky - An Award Winning Company
Everything starts with our people. Our success comes from their expertise and dedication to always “doing the right thing” for our clients.
Our people
• Expert resources: CRN Tech Elite 250 (2013)
• Quality work environment: Top Workplace (2011, 2012, 2013)
Our people create top tier solutions
• GRC Solution Award with client Shire Pharmaceuticals: OCEG (2013)
Our people and our solutions create lasting relationships and new partners
• Multiple growth awards: Inc 500 (2012), CRN (2011, 2012), Marcum Tech Top 40 (2011, 2012)
Complete Solutions for Major Enterprises
• IT Risk Management & Security Services
• Datacenter & Cloud Infrastructure Services
Plan, Design & Migrate
– Data Center and Cloud Integration
– Network Infrastructure
– Virtualization
– Storage and Computing
– Infrastructure Applications
– End-User Computing
Secure
– Assessment and Advisory
– Application Secure Coding
– Vulnerability Assessment and Penetration Testing
– Security Program and Framework
– Technology Implementation and Engineering
– Mobile Device and Virtualization Security
Manage
– Technical Business Consulting
– IT Transformation and Strategy
– Technical Project Management
– IT Supplier & Sourcing Management
– IT Expense Management
GRC Services
– GRC Strategy
– GRC Maturity Assessment
– GRC Configuration and Custom Development
Web Vulnerability Assessments
• Conducted under a contract with specific terms, most often called the Statement of Work (SOW)
• Specify in the SOW:
– System to be tested (URL)
• Production or Non-Prod?
– Type and level of testing
• Level of Automated and Manual testing
• “Safe” (non-destructive) tests only?
– Hours for testing
• Nights only?
– Whitelist the tester's source IP addresses in the WAF / IPS, so the test exercises the application rather than the perimeter?
– Special concerns?
– The more information provided up front, the better the assessment
Web Vulnerability Assessments
• Types of Application Security Testing:
– Dynamic Application Security Testing (DAST), “Black Box”
• Tests the running web site for vulnerabilities
• Simulates what a real attacker would do
– Static Application Security Testing (SAST), “White Box”
• Tests the source code for vulnerabilities
• A real attacker would usually not have access to the code; this is a different route to the same flaws, found at the source rather than over HTTP
– Hybrid, “Glass Box” (also called IAST)
• Dynamic test against an instrumented web server
– Manual testing can occur in each type
• This talk covers Dynamic Testing
– Some DAST tools also perform static analysis of the JavaScript they download
“Typical” Web Assessment Steps
• Recon
– Site components and architecture
– Open ports?
• Hack the server
• Manually crawl site with an Intercepting Proxy
• Automated Scan of site
• Results verification – False positives removal
• Manual testing
– Things tools don’t do well
• Business Logic
• Privilege Escalation etc.
• Reporting
Recon
• Visit site
• Site information
– Netcraft, Shodan etc.
• Google Dorks
– Files, passwords, WSDL, Admin logons etc.
• Port Scan
– Nmap, Nessus, Qualys
– May perform an infrastructure vulnerability scan
• Missing patches, configuration issues etc.
• Check security configuration
Configuration Checkers
• Microsoft Web Application Configuration Analyzer
– Needs Admin on the server; checks SQL Server too
– http://www.microsoft.com/enca/download/details.aspx?id=573
• Check Your Headers
– http://cyh.herokuapp.com/cyh
• SSL Labs
– https://www.ssllabs.com/ssltest/index.html
• ASAFAWEB
– https://asafaweb.com/
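The online checkers above need a reachable site. As an added example for this slide (not code from the talk or from any of the services it links to), the script below does the same kind of header check offline against a raw HTTP response you saved from an intercepting proxy. The set of expected headers, the list of version-disclosing headers, the cookie-flag policy and both sample responses are assumptions constructed for the example.

```python
"""Offline security-header audit of a captured HTTP response.

Added example for the "Configuration Checkers" slide; not code from the talk
or from Check Your Headers / ASAFAWEB / SSL Labs. The header policy and the
two sample responses below are assumptions constructed for the example.
"""
from typing import Dict, List, Tuple

# Headers a tester expects to see, with the reason each matters (assumed policy).
EXPECTED = {
    "strict-transport-security": "HSTS, forces TLS on later visits",
    "content-security-policy": "CSP, restricts script/resource sources",
    "x-frame-options": "clickjacking protection",
    "x-content-type-options": "disables MIME sniffing",
}

# Headers that hand version information to an attacker doing recon.
LEAKY = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Split a raw HTTP/1.x response into status line, headers and Set-Cookie values.

    Header names are lower-cased. Set-Cookie is kept as a list because a
    response may carry several of them and they must not be merged.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    cookies: List[str] = []
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)
        else:
            headers[name] = value
    return lines[0], headers, cookies


def check_headers(headers: Dict[str, str], cookies: List[str]) -> List[str]:
    """Return one finding string per issue; an empty list means nothing to report."""
    findings: List[str] = []
    for name, why in EXPECTED.items():
        if name not in headers:
            findings.append(f"missing {name} ({why})")
    xcto = headers.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(f"x-content-type-options is '{xcto}', expected 'nosniff'")
    xfo = headers.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options '{xfo}' is not DENY or SAMEORIGIN")
    for name in LEAKY:
        if name in headers:
            findings.append(f"{name} discloses '{headers[name]}'")
    for cookie in cookies:
        parts = [p.strip() for p in cookie.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}
        missing = [f for f in ("Secure", "HttpOnly") if f.lower() not in flags]
        if missing:
            findings.append(f"cookie '{cookie_name}' lacks {', '.join(missing)}")
    return findings


def audit(raw: str) -> List[str]:
    """Convenience wrapper: parse, then check."""
    _, headers, cookies = parse_response(raw)
    return check_headers(headers, cookies)


# Constructed sample of a response with typical findings (not a real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: pref=1; path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# The same response after hardening: headers added, version banners removed.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit(raw) or ["no findings"]:
            print(" -", finding)
```

Paste the response from the proxy's "Response" pane (headers through the blank line) into `WEAK_RESPONSE` to audit a real target; the `Server` and `X-Powered-By` findings are the recon leads, the missing headers and cookie flags go straight into the report.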
Crawl Site with Intercepting Proxies
• Burp*
– http://portswigger.net/
• Fiddler
– http://www.telerik.com/fiddler
• Zed Attack Proxy (ZAP)
– https://code.google.com/p/zaproxy/wiki/Downloads
* - Free and Professional versions
Intercepting Proxy
• An intercepting proxy sits between the browser and the server and man-in-the-middles all traffic, HTTPS included once its CA certificate is trusted by the browser
• Hackers and Testers can see, and edit, every request and response
• Hidden Fields => NOT a security feature: anything the browser sends, the proxy can rewrite before it reaches the server
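What "hidden fields are not a security feature" means in practice, as an added example (not code from the talk or from any of the proxies listed): the form, the catalogue, the two checkout handlers and both request bodies are constructed for the example. The first handler trusts the hidden `price` field; the second ignores it and prices the order server-side, which is the fix a tester would recommend.

```python
"""Hidden form fields are not a security boundary.

Added example for the "Intercepting Proxy" slide; not code from the talk or
from Burp / Fiddler / ZAP. ORDER_FORM, CATALOG, both handlers and the request
bodies are constructed for the example. An intercepting proxy lets the tester
edit the POST body after the browser has built it, so a server that trusts a
hidden field is trusting the attacker.
"""
from typing import Dict, List
from urllib.parse import parse_qs

# What the page serves: the price is "hidden", but it is still just a form field.
ORDER_FORM = """
<form method="post" action="/checkout">
  <input type="hidden" name="item" value="SKU-1">
  <input type="hidden" name="price" value="19.99">
  <input type="number" name="qty" value="1">
  <input type="submit" value="Buy">
</form>
"""

# Server-side catalogue, prices in cents (assumed data).
CATALOG: Dict[str, int] = {"SKU-1": 1999, "SKU-2": 4500}


def _field(form: Dict[str, List[str]], name: str) -> str:
    """Return the single value of a form field, or raise if it is absent or repeated."""
    values = form.get(name, [])
    if len(values) != 1:
        raise ValueError(f"field {name!r} must appear exactly once")
    return values[0]


def checkout_trusting_client(body: str) -> int:
    """VULNERABLE: the total is computed from the price the client sent.

    Looks fine while the only client is a browser rendering ORDER_FORM; falls
    apart the moment the body is edited in a proxy.
    """
    form = parse_qs(body, keep_blank_values=True)
    qty = int(_field(form, "qty"))
    price_cents = round(float(_field(form, "price")) * 100)
    return qty * price_cents


def checkout(body: str) -> int:
    """Hardened: the client chooses *what* to buy; the server decides what it costs."""
    form = parse_qs(body, keep_blank_values=True)
    item = _field(form, "item")
    if item not in CATALOG:
        raise ValueError(f"unknown item {item!r}")
    qty = int(_field(form, "qty"))
    if not 1 <= qty <= 100:  # reject 0, negatives and absurd quantities
        raise ValueError(f"quantity {qty} out of range")
    # Anything else in the body, including a 'price' field, is ignored.
    return qty * CATALOG[item]


# Body exactly as the browser would submit ORDER_FORM with qty=2.
HONEST_BODY = "item=SKU-1&price=19.99&qty=2"
# The same request after the tester changes the hidden field in the proxy.
TAMPERED_BODY = "item=SKU-1&price=0.01&qty=2"

if __name__ == "__main__":
    for label, body in (("honest", HONEST_BODY), ("tampered", TAMPERED_BODY)):
        print(f"{label:9s} trusting client: {checkout_trusting_client(body):6d} cents"
              f"   hardened: {checkout(body):6d} cents")
```

The same reasoning applies to any value the browser holds for the server: disabled inputs, JavaScript-side validation, cookie contents and `Referer` are all rewritable in the proxy, so every check has to be repeated on the server.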
Burp
Burp – Analyze Request & Response
Scan Site – Dynamic Scanners
• Acunetix
– http://www.acunetix.com/
• AppScan
– http://www-03.ibm.com/software/products/en/appscan
• WebInspect
– http://www8.hp.com/us/en/software-solutions/webinspectdynamic-analysis-dast/
• Burp & ZAP have scanning modules
AppScan
DEMO
Resources
• OWASP - http://www.owasp.org/
– Cheat Sheets
• https://www.owasp.org/index.php/Cheat_Sheets
– Testing Guide
• https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
• WASC - http://www.webappsec.org/
– Not updated recently but some good content
• The Web Application Hacker's Handbook
– http://www.amazon.com/The-Web-Application-HackersHandbook/dp/1118026470
Contact Information
Email: [email protected]
Web Site: http://www.openskycorp.com/