A Web Application Security Testing...
![Page 1: A Web Application Security Testing Platformsecuritybyte.org/resources/2011/presentations/ironwasp.pdfIronWASP A Web Application Security Testing Platform Lavakumar Kuppan @lavakumark](https://reader030.fdocuments.us/reader030/viewer/2022040610/5ecf036990dd4b70e4303c32/html5/thumbnails/1.jpg)
IronWASP: A Web Application Security Testing Platform
Lavakumar Kuppan (@lavakumark)
Disclaimer: Views expressed in this talk are my own and do not necessarily reflect those of my employer.
What to expect from the talk

Problem: Web Security Testing != Efficient
- Why?
- How?
- Solution?

Solution: IronWASP
- What is it?
- How does it work?
- How does it solve the problem?
Bio
- Penetration Tester: day job at a large bank, 5+ years of experience
- Web Security Researcher: night-time hobby
- Developer: tools and scripts in C#, JS, PHP, Python, Perl…
- Speaker: BlackHat, SecurityByte, OWASP AppSec Asia, ClubHack, NullCon…
Research
- Attack and Defense Labs: repository of all research and tools, http://www.andlabs.org
- Topics of interest: HTML5 security, browser-side security
- #5 on the Top 10 Web Hacks of 2010: CSRF-protection bypass using HPP and ClickJacking
Tools
- IronWASP: presented in this talk
- Ravan: JavaScript based distributed computing system
- JS-RECON: HTML5 based JavaScript network recon tool
- Imposter: browser phishing framework
- Shell of the Future: XSS reverse web shell
Problems with Web Security Testing
Automated Scanning Tools
- Can only check for a few issues
- Poor site coverage
- Struggle with JS complexity
- Not designed for security testers, so they are:
  - Not transparent about how they work
  - Not honest about their limitations
  - Not collaborative
Manual Testing
- Time and effort intensive
- Not scalable
- Not repeatable
- Expensive
- Good testers are few in number
Solution - Empower the Manual Tester
The tester needs a tool that:
- Knows its limitations and is honest about them
- Is transparent about its functioning
- Collaborates with the tester
- Can be altered and moulded to suit the needs of the tester
IronWASP
What is IronWASP
- An environment for Web Application Security Testing
- Designed for an optimum mix of manual and automated testing
- Designed for penetration testers
- Lets you write a custom security scanner in a very short time
- Open source and open architecture
- GUI based and does not require installation
Key Components
- Built-in Crawler + Scan Manager + Proxy
- Python/Ruby based plug-ins:
  - Active plug-ins for scanning
  - Passive plug-ins for vulnerability detection
  - Format plug-ins for defining data formats
  - Session plug-ins to customize the scans
- Integrated Python/Ruby scripting environment with the IronWASP API
- JavaScript static analysis engine
Plug-ins
- Written in Python/Ruby using the IronWASP API
- Easy to modify existing plug-ins
- Can easily add new custom plug-ins
- UI based API documentation provided inside the tool
- Syntax-highlighting script editor with built-in error checking support
Plug-ins
- IronPython plug-ins: maintained by me; location: https://github.com/Lavakumar/Iron-Plugins
- IronRuby plug-ins: maintained by Manish Saindane (project contributor); location: https://github.com/msaindane/Iron-Plugins
Passive Plug-ins
- Analyze all traffic going through the tool
- Can also modify the traffic
- Identify vulnerabilities passively, e.g.:
  - Passwords sent over clear-text
  - HttpOnly / Secure flag missing in cookies
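As an added, stand-alone illustration of the two checks named on this slide (plain Python written for this page, not one of IronWASP's own plug-ins and not its API), the checks run over a constructed request/response pair; whether the exchange used TLS is passed in as a flag, since a real plug-in would get that from the tool:

```python
import re

# Constructed HTTP request/response pair, not captured from any real site.
SAMPLE_REQUEST = (
    "POST /login.php HTTP/1.1\r\n"
    "Host: example.org\r\n"
    "\r\n"
    "username=lava&password=s3cr3t"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html>Welcome</html>"
)

# Body field names that usually carry a password (assumed list for the example).
PASSWORD_FIELD = re.compile(r"(?:^|&)(?:pass(?:word|wd)?|pwd)=[^&]+", re.I)

def split_message(raw):
    """Split a raw HTTP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def cleartext_password_findings(raw_request, is_ssl):
    """Flag a password-looking body field when the request did not use TLS."""
    _, _, body = split_message(raw_request)
    if is_ssl or not PASSWORD_FIELD.search(body):
        return []
    return ["Password submitted over clear-text HTTP"]

def cookie_flag_findings(raw_response, is_ssl):
    """Flag Set-Cookie headers missing HttpOnly, and Secure on a TLS response."""
    _, headers, _ = split_message(raw_response)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append("Cookie %s missing HttpOnly flag" % cookie)
        if is_ssl and "secure" not in attrs:
            findings.append("Cookie %s missing Secure flag" % cookie)
    return findings
```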
Active Plug-ins
- Perform scans against the target to identify vulnerabilities
- Executed only when the user explicitly calls them
- Fine-grained scanning support
- E.g.: Cross-site Scripting, SQL Injection
Format Plug-ins
- Deal with the various data formats found in request bodies, e.g.:
  - JSON
  - XML
- Allow scanning even of custom data formats
Format Plug-ins

Consider this login request:

```http
POST /login.php HTTP/1.1
Host: example.org
Content-Length: 26

username:lava|pass:s3cr3t
```

The request body is in a custom format, `name:value|name:value`. Standard scanners don't know how to scan this.
Format Plug-ins

Write a Format Plug-in to convert this format to XML and vice versa:

```
username:lava|pass:s3cr3t
```

```xml
<xml><username>lava</username><pass>s3cr3t</pass></xml>
```

IronWASP can now scan this format using the existing Active Plug-ins.
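An added stand-alone example of the conversion the slide describes (written for this page in plain Python; it is not IronWASP's format plug-in code or API). It uses the standard library's ElementTree so that whatever value the scanner substitutes is escaped on the way into XML and restored on the way back to the custom format:

```python
import xml.etree.ElementTree as ET

# Constructed request body in the slide's custom name:value|name:value format.
SAMPLE_BODY = "username:lava|pass:s3cr3t"

def to_xml(body):
    """Custom format -> XML, the direction the scanner reads the request."""
    root = ET.Element("xml")
    for pair in body.split("|"):
        name, sep, value = pair.partition(":")  # split on the first ':' only
        if not sep or not name:
            raise ValueError("malformed pair: %r" % pair)
        ET.SubElement(root, name).text = value
    # ElementTree escapes <, > and & in text, so substituted values stay intact.
    return ET.tostring(root, encoding="unicode")

def to_custom(xml_text):
    """XML -> custom format, the direction the modified request is sent.

    Limitation of the format itself: a value containing '|' cannot be
    expressed, because the plug-in would split it on the next round trip.
    """
    root = ET.fromstring(xml_text)
    return "|".join("%s:%s" % (child.tag, child.text or "") for child in root)

def set_param(xml_text, name, value):
    """What an active plug-in does with the XML form: replace one parameter."""
    root = ET.fromstring(xml_text)
    root.find(name).text = value
    return ET.tostring(root, encoding="unicode")
```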
Format Plug-ins
This technique can be used to handle any data format:
- Java Serialized Objects
- AMF
- WCF
- GWT
- Multi-part POST
Session Plug-ins
Every site has slight variations in:
- Authentication
- Session handling
- CSRF protections
- Logic flow

Automated scanners don't understand this; testers do. Testers must feed this information into the scanner.
Session Plug-ins
In IronWASP the tester writes a Session Plug-in for this purpose. This plug-in determines:
- How to log in to the site
- How to handle CSRF tokens
- How to handle the session
- How to handle multi-step forms

It customizes the scans for the web site.
Integrated Scripting Engine
- This is where the magic happens
- Python/Ruby scripts using the IronWASP API
- Full access to all the functionality of the tool
- Can create precise crawlers and scanners
- Can analyze the HTTP logs for access control and other checks
IronWASP API
Extremely simple and easy to use. Some of the available classes:
- Request
- Response
- IronSession
- Crawler
- Scanner
- Tools
- HTML
IronWASP API

Create a Request, send it to the server and view the response body:

```python
>>> r = Request("http://example.org")
>>> res = r.Send()
>>> print res.BodyString
```

Get a Request from the proxy log with ID 6, send it to the server and view the response code:

```python
>>> r = Request.FromProxyLog(6)
>>> res = r.Send()
>>> print res.Code
```
IronWASP API

Repeat a Request 10 times:

```python
>>> r = Request("http://example.org/index.php")
>>> for i in range(10):
...     r.Send()
```

Fuzz a given parameter with increasing integers:

```python
>>> r = Request("http://example.org/item.php?id=23")
>>> for i in range(10):
...     r.Query.Set("id", i)
...     r.Send()
```
IronWASP API

Creating a scan job:

```python
>>> r = Request.FromProxyLog(12)
>>> s = Scanner(r)
>>> s.AddCheck("XSS")
>>> s.AddCheck("SQLi")
>>> s.ScanAll()
```
JavaScript Static Analysis
- IronWASP performs taint analysis for DOM based XSS
- Identifies sources and sinks and traces them through the code
- Custom source and sink objects can be configured
- Handles a few JavaScript quirks, like `a.b` being written as `a["b"]` or as `var x = "b"; a[x]`
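An added, deliberately simplified illustration (plain Python written for this page, not IronWASP's analysis engine) of why the quirk handling matters: the three spellings of `location.search` are first canonicalized to `a.b` form, and only then is taint propagated from sources through assignments to sinks over a constructed snippet. The source and sink lists are assumptions for the example:

```python
import re

# Constructed JavaScript fragment (not from the slides): the same property is
# read three ways; two of them reach a sink, one does not.
SAMPLE_JS = """
var x = "search";
var s1 = location.search;
var s2 = location["search"];
var s3 = location[x];
var safe = "static text";
document.write(safe);
document.write(s2 + s3);
"""

# Assumed source/sink lists for the example (IronWASP lets these be configured).
SOURCES = ("location.search", "location.hash", "document.URL")
SINKS = ("document.write", "eval", "innerHTML")

VAR_STRING = re.compile(r'\bvar\s+(\w+)\s*=\s*(["\'])([A-Za-z_$][\w$]*)\2\s*;')
BRACKET_STRING = re.compile(r'(\w+)\[\s*(["\'])([A-Za-z_$][\w$]*)\2\s*\]')
ASSIGNMENT = re.compile(r'\s*(?:var\s+)?(\w+)\s*=\s*(.+);')

def canonicalize(js):
    """Rewrite a["b"] and a[x] (x bound to a string literal) as a.b."""
    consts = {m.group(1): m.group(3) for m in VAR_STRING.finditer(js)}
    js = BRACKET_STRING.sub(lambda m: "%s.%s" % (m.group(1), m.group(3)), js)
    for var, prop in consts.items():
        js = re.sub(r'(\w+)\[\s*%s\s*\]' % re.escape(var), r'\1.%s' % prop, js)
    return js

def _mentions(names, text):
    return any(re.search(r'\b%s\b' % re.escape(n), text) for n in names)

def taint_trace(js, normalize=True):
    """Return (sorted tainted variables, sink lines reached by a source)."""
    if normalize:
        js = canonicalize(js)
    tainted, hits = set(), []
    for line in js.splitlines():
        m = ASSIGNMENT.match(line)
        if m:
            name, rhs = m.groups()
            if any(src in rhs for src in SOURCES) or _mentions(tainted, rhs):
                tainted.add(name)
        elif any(sink in line for sink in SINKS) and _mentions(tainted, line):
            hits.append(line.strip())
    return sorted(tainted), hits
```

Running `taint_trace(SAMPLE_JS, normalize=False)` shows the cost of skipping the quirk handling: only `s1` is recognized as tainted and the `document.write(s2 + s3)` sink is missed.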
Q & A