Application Security Tools
Application Security - III: Security Analysis Tools
Lalit Kale
http://lalitkale.wordpress.com
Overview
• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources
OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
OWASP Top 10 Threats
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards
Security Analysis Tools Landscape
XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is only used for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack! http://ha.ckers.org/xsscalc.html
XSS Me
• Demo Website: http://www.testfire.net
• Search for a normal string: http://www.testfire.net/search.aspx?txtSearch=test
• Search for an XSS-induced attack: http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>
SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is only used for run-time application security testing.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of a SQL Injection attack.
• Advanced attacks, such as blind SQL injection, may require additional manual testing (e.g. attempting to bypass authentication).
SQL Inject Me
• Demo Website: http://testfire.net/bank/login.aspx
• UserName/Password: Jsmith/Demo1234; navigate to the following page after login: http://testfire.net/bank/transaction.aspx
• Observe the 'After' field:
• Normal input: 01/01/2013
• Injected input: 01/01/2006 union select userid,null,username+','+password,null from users--
Hackbar
• Hackbar is a Firefox add-on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include:
• Loading a URL
• Slicing a URL
• Character encoding
• Executing a crafted URL request
Tamper Data
• Firefox add-on used to modify HTTP requests and responses
• Trace and time HTTP requests/responses
• Modify POST parameters
• Add HTTP headers
• Encode/decode strings
• Limited ability for testing XSS and SQL Injection
Cookie Manager+
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include:
• Ability to filter cookies based on domain
• Option to back up and restore cookies
• Ability to change the expiry date in a cookie's expires attribute
Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used for building websites
• Once an attacker gets more details about internal components, s/he can use that information for exploiting known vulnerabilities in those components, libraries, frameworks or servers
FxCop
• Static code analysis tool for applications written in the Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters from:
• Form fields
• Query strings
• Databases and data access methods
• The cookie collection
• Session and application variables
Fiddler Plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid web security tool
• Detects critical vulnerabilities
• Ultimate control: manual and automatic modes for testing
• Fuzzes multiple request formats
• Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies.
• Tests all request sections including: cookies, headers, URL path elements (RESTful apps), query string, and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP 500 errors and verbose error messages.
• Export results as an HTML report
Fiddler Plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free web security tool
• Passively monitors traffic for 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO
• Live session
• Report
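The passive checks the Ammonite and Watcher slides describe (HTTP 500s, hidden form fields, card numbers, verbose error messages), written here as an added Python example rather than either plugin's own code; the response it inspects is a constructed sample, and the Luhn test is what separates a real card number from any other long digit run.

```python
import re
# Constructed sample response (not captured from any real site).
SAMPLE_RESPONSE = {"status": 500, "body": (
    "<form action='/bank/transfer.aspx' method='post'>\n"
    "<input type='hidden' name='accountId' value='800000'>\n"
    "<input name='isAdmin' type='hidden' value='false'>\n"
    "</form><p>Card on file: 4111 1111 1111 1111</p>\n"
    "<pre>System.NullReferenceException: Object reference not set.\n"
    "   at Bank.Transfer.Page_Load(Object sender, EventArgs e)</pre>")}

INPUT_RE = re.compile(r"<input\b[^>]*>", re.I)
ATTR_RE = re.compile(r"(\w+)\s*=\s*['\"]?([^'\" >]+)")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
TRACE_RE = re.compile(r"\w+Exception\b.*?\n\s+at\s", re.S)

def luhn_valid(digits: str) -> bool:
    # Luhn checksum separates real card numbers from other long digit runs.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch) * 2 if i % 2 else int(ch)
        total += n - 9 if n > 9 else n
    return total % 10 == 0

def hidden_fields(body: str) -> list:
    # Names of <input type=hidden> fields, whatever the attribute order.
    names = []
    for tag in INPUT_RE.findall(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("type", "").lower() == "hidden":
            names.append(attrs.get("name", "?"))
    return names

def card_numbers(body: str) -> list:
    # Luhn-valid 13-19 digit runs, reported masked to first 6 / last 4.
    pans = [re.sub(r"[ -]", "", raw) for raw in CARD_RE.findall(body)]
    return [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans if luhn_valid(p)]

def passive_scan(resp: dict) -> list:
    # Run every passive check over one recorded response; returns (check, detail) pairs.
    body, findings = resp["body"], []
    if resp["status"] >= 500:
        findings.append(("server-error", f"HTTP {resp['status']}"))
    findings += [("hidden-field", n) for n in hidden_fields(body)]
    findings += [("card-number", p) for p in card_numbers(body)]
    if TRACE_RE.search(body):
        findings.append(("verbose-error", "stack trace in response body"))
    return findings
```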
AntiXSS Library
• AntiXSS provides a myriad of encoding functions for HTML, XML, URL, Form, LDAP, CSS, JScript and VBScript encoding methods.
• White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. All characters not on the white list are encoded using the correct rules for the encoding type.
• Secure globalization: an attack can be coded anywhere, and AntiXSS now protects against XSS attacks coded in dozens of languages.
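The white-list rule on this slide, as an added Python example (not the AntiXSS library's own code): a deny-list encoder that touches only the classic four characters next to an allow-list encoder that entity-encodes everything outside an assumed safe set, plus a check of the invariant that makes the allow-list approach easier to reason about. The safe-character set is an assumption for the example, not AntiXSS's exact list.

```python
import re
import string

# Illustrative allow-list: letters, digits, space and a little punctuation.
# This is an assumption for the example, not AntiXSS's exact safe-character set.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.-_")

ENTITY_RE = re.compile(r"&#\d+;")


def minimal_html_encode(text: str) -> str:
    """Deny-list style encoder: touches only the four classic characters.
    Everything else, including ' and ( ), passes through unchanged."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def allowlist_html_encode(text: str) -> str:
    """Allow-list style encoder (the AntiXSS approach): any character that is
    not explicitly safe is replaced by its decimal numeric entity, so
    non-ASCII input is covered by the same rule."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)


def only_safe_or_entities(encoded: str) -> bool:
    """Invariant an allow-list encoder must keep: strip the entities and
    nothing but safe characters remains."""
    return all(ch in SAFE_CHARS for ch in ENTITY_RE.sub("", encoded))


def single_quoted_title(value: str, encoder) -> str:
    """Render untrusted text inside a single-quoted HTML attribute."""
    return f"<a title='{encoder(value)}'>link</a>"


def attr_value_is_contained(value: str, encoder) -> bool:
    """True when the encoded value cannot terminate the surrounding quotes."""
    return "'" not in encoder(value)


if __name__ == "__main__":
    probe = "<script>alert('xss')</script>"  # the deck's own search string
    print(minimal_html_encode(probe))
    print(allowlist_html_encode(probe))
    print(single_quoted_title("O'Brien", minimal_html_encode))
    print(single_quoted_title("O'Brien", allowlist_html_encode))
```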
Asafaweb
• Non-invasive vulnerability scanner
• Individual effort from security consultant Troy Hunt
• Good for "already in production" projects
• Baseline of scans for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the Hash DoS patch
• DEMO
CAT.NET
• Identifies common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
• Works by reading the target assembly and all reference assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
BinScope Binary Analyzer
• Verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the MS-SDL.
• BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
CAT.NET & BinScope Binary Analyzer
Note: Only compatible with Visual Studio 2005 and Visual Studio 2008.
w3af.org
• Use w3af to identify more than 200 vulnerabilities and reduce your site's overall risk exposure.
• Open-source Python-based core engine with a plug-in architecture
• w3af is a Web Application Attack and Audit Framework.
Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically as well
• Comprehensive reports for legal and regulatory compliance
• Includes HTTP sniffer, HTTP fuzzer and Blind SQL Injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compare scans and find differences from previous scans
• Support for CAPTCHA, Single Sign-On and Two-Factor authentication mechanisms
NetSparker
• The only false-positive-free web application security scanner
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Support for reporting against well-known compliance specifications like PCI, OWASP, CAPEC, etc.
• Custom reports
Resources
• OWASP (Open Web Application Security Project):
https://www.owasp.org
• XSS-Me
https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
• Wikipedia:
http://en.wikipedia.org/wiki/Threat_model
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at
http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit [email protected]
http://lalitkale.wordpress.com