BSides 2015 Intro to Web App Pen Testing with Mutillidae
Transcript of BSides 2015 Intro to Web App Pen Testing with Mutillidae
Things to cover today
❖ What is this Mutillidae?
❖ Tools for the job
❖ Web App Pen Tester techniques
❖ Learning with Mutillidae
❖ Demo
❖ Links and QA
What is this Mutillidae?
❖ Mutillidae is an OWASP project, currently maintained by Jeremy Druin / Twitter: @webpwnized
❖ A Pen Test friendly web application
❖ Focused on OWASP Top Ten lists and testing methodologies
❖ Quick to set up and highly accessible
Tools for the job
❖ Relatively newish computer (~4 years or less)
❖ VMWare Player, VirtualBox, Hyper-V, or your host OS
❖ At least 30GB of HD space if installed; 4GB of RAM
❖ Mutillidae!
❖ Optional: Samurai WTF Linux distribution (live CD or can be installed)
❖ OWASP ZAP or Burp Suite if not using Samurai WTF
Web App Pen Tester techniques
❖ Super fun to point tools at things and let them do their thing
❖ How do we learn techniques from doing things like that though?
❖ How can I test vulnerabilities that come up where those tools may or may not be available or work?
❖ How can I ensure that a tool works as expected and a repeated test can find the same issues as last time?
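The repeatability question above is easiest to answer with a test you wrote yourself: a fixed, ordered set of probes and a deterministic classifier, so the same run against the same build gives the same findings regardless of which scanner is installed. The block below is an added example, not code from the talk or from the Mutillidae project. It probes a single parameter for error-based and boolean-based SQL injection, takes the HTTP layer as a pluggable fetcher so it can run offline against a constructed stand-in page, and includes an optional urllib fetcher for a real target. The target URL shape (`index.php?page=...`), the parameter name, and the two simulated pages are assumptions made for illustration.

```python
"""Repeatable, tool-independent SQL injection probe (added example, not from the talk)."""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Tuple

# A fetcher returns (status, body) for the page with `value` placed in the tested parameter.
Fetcher = Callable[[str], Tuple[int, str]]

# Database error signatures that show unescaped input reached a query.
DB_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"Warning:\s+mysqli?_", re.I),
    re.compile(r"unterminated quoted string", re.I),
    re.compile(r"ORA-\d{5}"),
]

# Fixed probe order: the same list every run, so findings are comparable between runs.
ERROR_PROBES = ("'", '"', "\\")
TRUE_SUFFIX = "' AND '1'='1"
FALSE_SUFFIX = "' AND '1'='2"


@dataclass(frozen=True)
class Finding:
    technique: str
    payload: str
    evidence: str


def error_based(fetch: Fetcher, base_value: str) -> List[Finding]:
    """Append quote/backslash probes and look for DB errors or 5xx responses."""
    findings: List[Finding] = []
    for probe in ERROR_PROBES:
        payload = base_value + probe
        status, body = fetch(payload)
        for pat in DB_ERROR_PATTERNS:
            m = pat.search(body)
            if m:
                findings.append(Finding("error-based", payload, m.group(0)))
                break
        else:
            if status >= 500:
                findings.append(Finding("error-based", payload, f"HTTP {status}"))
    return findings


def boolean_based(fetch: Fetcher, base_value: str) -> List[Finding]:
    """A true condition must reproduce the baseline page; a false one must change it."""
    _, baseline = fetch(base_value)
    _, true_body = fetch(base_value + TRUE_SUFFIX)
    _, false_body = fetch(base_value + FALSE_SUFFIX)
    if true_body == baseline and false_body != baseline:
        return [Finding("boolean-based", base_value + FALSE_SUFFIX,
                        "true condition matches baseline, false condition differs")]
    return []


def run_probe(fetch: Fetcher, base_value: str) -> List[Finding]:
    """Run every probe in fixed order and return the combined findings."""
    return error_based(fetch, base_value) + boolean_based(fetch, base_value)


def http_fetcher(page_url: str, param: str) -> Fetcher:
    """Fetcher for a live target, e.g. an assumed Mutillidae URL such as
    http://localhost/mutillidae/index.php?page=login.php (not contacted here)."""
    def fetch(value: str) -> Tuple[int, str]:
        url = page_url + "&" + urllib.parse.urlencode({param: value})
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.status, resp.read().decode("utf-8", errors="replace")
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode("utf-8", errors="replace")
    return fetch


# Constructed stand-ins so the probe can be exercised offline; not real Mutillidae output.
def simulated_vulnerable_page(value: str) -> Tuple[int, str]:
    """Behaves like a page that interpolates `value` into a quoted SQL literal unescaped."""
    if value.count("'") % 2 == 1:          # unbalanced quote -> query fails to parse
        return 200, "Error: You have an error in your SQL syntax; check the manual"
    if value.endswith("'1'='2"):           # false condition -> empty result set
        return 200, "<html>No accounts found</html>"
    return 200, "<html>Account: admin</html>"


def simulated_safe_page(value: str) -> Tuple[int, str]:
    """Behaves like a parameterised query: odd input is just a username that does not exist."""
    if value == "admin":
        return 200, "<html>Account: admin</html>"
    return 200, "<html>No accounts found</html>"


if __name__ == "__main__":
    for f in run_probe(simulated_vulnerable_page, "admin"):
        print(f)
    print("safe page findings:", run_probe(simulated_safe_page, "admin"))
```

Against the constructed vulnerable page the run reports one error-based and one boolean-based finding; against the safe page it reports none. Because probes and classification are fixed, re-running after a fix (or after a scanner upgrade) tells you whether the same issue is still there, which is the repeatability the bullets above ask for.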
Web App Pen Tester techniques 2
❖ OWASP Testing Guide v4
❖ OWASP Top 10 2013
❖ PCI Pen Testing Guidance (March 2015)
❖ PTES
❖ NIST 800-115
Learning with Mutillidae
❖ Step 1: Tools? Check. Techniques and Procedures? Check.
❖ Step 2: We have Samurai WTF up and running on a VM
❖ Step 3: ???
❖ Step 4: PROFIT
Actually learning with Mutillidae
❖ As mentioned earlier, vulnerabilities are broken out by various subjects and categories
❖ Modeled after the OWASP Top 10s along with various extra scenarios
❖ Starts out easy and the difficulty can be increased
❖ Hints and walkthroughs are throughout the site
Links and QA
❖ Mutillidae: www.owasp.org/index.php/OWASP_Mutillidae_2_Project
❖ Samurai WTF: samurai.inguardians.com
❖ OWASP Testing Guide v4: www.owasp.org/index.php/OWASP_Testing_Project
❖ OWASP Top 10 2013: www.owasp.org/index.php/Top_10_2013-Top_10
❖ PCI Pen Testing Guidance: www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf
❖ PTES: www.pentest-standard.org/index.php/Main_Page
❖ NIST SP 800-115: csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
❖ 12 part series on Mutillidae: www.youtube.com/watch?v=rNkR1Joz4eU
❖ [email protected] / @maendarb