Daniel Billing exploring the security testers toolbox
Exploring the Security Testers Toolkit
Dan Billing – New Voice Media
@thetestdoctor | thetestdoctor.wordpress.com
Objectives for the day
Introductions
An introduction to threat modelling and an activity to generate test ideas
An introduction to the OWASP Top 10
An introduction to some useful tools and how to use them
Explore an application to discover some vulnerabilities
Talk about threats and what they mean in context
Talk about attacks and how they can be used in testing
Practice some attacks
Consolidate and challenge our thinking
Introduction
Tester for 13 years, 4 years as a self-employed consultant
Worked in the private and public sector in the UK
AOL Time Warner
Capita
Northgate
UK Government
Brightpearl
Now a Test Engineer at New Voice Media
@TheTestDoctor
www.thetestdoctor.wordpress.com
Introductions
About you?
What do you want to get out of the day?
A Security Testing Mnemonic
EX – EXPLORE
T – THREATS
E – EXPERIMENT
R – RISKS
M – MONITOR
IN – INTERROGATE
A – ANALYSIS
T – TARGETED
E - EXPEDITED
Image courtesy of Andy
Glover @cartoontester
Gruyere – the cheesy web app
Navigate your browser of choice to:
http://google-gruyere.appspot.com/start
Built by Google
Deliberately vulnerable web application for training
Don’t enter personal data into it!
AltoroMutual – the reliable banking application
Navigate your browser of choice to:
http://altoromutual.com/
Built by IBM (as a marketing tool for AppScan)
Deliberately vulnerable web application for training
Don’t enter personal data into it!
Explore the application
Work in groups
Explore the application 10-15 mins
What can you find out?
User scenarios?
What can you do with the application?
Critical assets?
Features and functionality?
Areas for testing?
Feedback to the group
Tools of the Trade
Browser tools
Built in DOM tools and consoles – available in all modern browsers
Firebug
Monitor errors, resources, traffic and scripts
Add, delete and modify cookies
Plugins e.g. Tamper Data, EditThisCookie
OWASP Mantra
API tools e.g. Postman, Advanced Rest Client
Tools of the Trade
Proxy tools
Fiddler
Zed Attack Proxy,
BurpSuite
Intercepting HTTP/HTTPS traffic
Modify requests, headers, cookies and other session data
Craft attacks and other harmful scenarios
Spider
Fuzzers
Port Scanning
CSRF
Tools of the Trade
Network monitors
Protocol and packet sniffing e.g. Wireshark
Network mapping e.g. Nmap
Source Code Analysers
OWASP O2 Platform
OWASP LAPSE
Fiddler
Download and Install Fiddler
http://www.telerik.com/fiddler
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8080
Configure Fiddler
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8080
You may need to close and restart the browser/Fiddler
Zed Attack Proxy (ZAP)
Download and install Zed Attack Proxy
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8181
Configure Zed Attack Proxy
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8181
You may need to close and restart the browser/ZAP
BurpSuite
Download and Install Burpsuite (Free Edition)
http://portswigger.net/burp/download.html
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8080
Configure Burpsuite
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8282
You may need to close and restart the browser/Burpsuite
Threat Modelling
STRIDE
S – SPOOFING
T – TAMPERING
R – REPUDIATION
I – INFORMATION DISCLOSURE
D – DENIAL OF SERVICE
E – ESCALATION OF PRIVILEGE
Spoofing
Threat action aimed to illegally access and use another user's credentials, such as username and password.
Tampering
Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.
Repudiation
Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations.
Information Disclosure
Threat action to read a file that one was not granted access to, or to read data in transit.
Denial of Service
Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.
Escalation of Privilege
Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.
Threat Mind Map
Grab some post-its
Identify threats to your application – Gruyere or Altoromutual
How might they happen?
What are the risks?
What might be the impact?
Mind-map them as a team on the board
Feedback to the group
OWASP Top 10 2013
1 – Injection
2 – Broken Authentication and Session Management
3 – Cross Site Scripting (XSS)
4 – Insecure Direct Object References
5 – Security Misconfiguration
6 – Sensitive Data Exposure
7 – Missing Function Level Access Control
8 – Cross Site Request Forgery (CSRF)
9 – Using Components with Known Vulnerabilities
10 – Unvalidated Redirects and Forwards
SQL Injection
Exploits of a Mom – www.xkcd.com/327
Cross Site Scripting (XSS)
1. Sends URL containing a hidden script
2. Follows URL containing script
3. Serves page containing script
4. Browser executes script and sends private data
5. Impersonates user at website
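The reflected flow above (steps 1 to 3) in code: a page that echoes a URL parameter into its HTML, shown next to the output-encoded version, with a check a tester can apply to any parameter a proxy shows being reflected. This is an added example, not code from the workshop, Gruyere or AltoroMutual; the URL, parameter name and function names are assumptions.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed request URL carrying a harmless canary with HTML metacharacters;
# not taken from Gruyere, AltoroMutual or any real site.
SAMPLE_URL = "http://example.test/search?q=<b>canary</b>"


def render_search_vulnerable(query):
    # Step 3 of the diagram: the server echoes the URL parameter into the page
    # untouched, so whatever the URL carried becomes part of the served HTML.
    return "<p>Results for: " + query + "</p>"


def render_search_hardened(query):
    # Output encoding: < > & " ' become entities, so the value is shown as
    # text and the browser never treats it as markup.
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def query_param(url, name):
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def is_reflected_unencoded(url, name, render):
    """True when the parameter value reaches the response body with its
    markup intact, i.e. the page reflects it without output encoding."""
    value = query_param(url, name)
    if not any(ch in value for ch in "<>\"'&"):
        raise ValueError("canary must contain HTML metacharacters")
    return value in render(value)


if __name__ == "__main__":
    for render in (render_search_vulnerable, render_search_hardened):
        print(render.__name__, "reflects unencoded:",
              is_reflected_unencoded(SAMPLE_URL, "q", render))
```

The same check works on a real response captured in ZAP or Burp: look for the canary in the body and see whether its metacharacters survived.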
Cross Site Request Forgery (CSRF)
1. Victim browses a malicious page with content
2. Script or image executed in browser
3. Attacker can access browser sessions, modify config or send malicious content
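What stops step 3 on the server side: a per-session synchroniser token that the cross-site page cannot obtain, plus an Origin check. Added example, not code from the workshop or from either training application; the site name, request shape and handler names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

SITE = "https://bank.test"          # assumed origin of the protected application
SECRET = secrets.token_bytes(32)    # server-side key, generated at startup


def issue_csrf_token(session_id):
    # Token bound to the session: another site cannot compute it (it never
    # sees SECRET) and cannot read it (it never receives the page carrying it).
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_same_origin(headers):
    origin = headers.get("Origin") or headers.get("Referer", "")
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE   # exact match, not prefix


def handle_transfer(request, session_id):
    """Server-side check for a state-changing request. `request` is a dict
    with 'method', 'headers' and 'form' (constructed shape, not a framework's)."""
    if request["method"] != "POST":
        return 405, "state change requires POST"
    if not is_same_origin(request["headers"]):
        return 403, "cross-site request rejected"
    expected = issue_csrf_token(session_id)
    supplied = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


def forged_request():
    # Step 2 of the diagram: a form auto-submitted from another origin. The
    # browser attaches the victim's cookie, but the page cannot supply the token.
    return {"method": "POST", "headers": {"Origin": "https://evil.test"},
            "form": {"amount": "100", "to": "mule"}}


def legitimate_request(session_id):
    return {"method": "POST", "headers": {"Origin": SITE},
            "form": {"amount": "100", "to": "savings",
                     "csrf_token": issue_csrf_token(session_id)}}
```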
Using Scanning Tools
Practice on a training website or on a virtual machine
Agree with stakeholders
Don’t use against a site you don’t have permission to test on
Understand risks to assets
Schedule appropriately
Passive Scanning
Explore the website under test
Observe the behaviour of the scanning tool
What information does it provide?
How is the information structured?
Any testing ideas?
What would you test first?
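What a passive scanner is doing while you explore: it reads each response the proxy already captured and reports what it sees, without sending anything of its own. Added example, not code from the workshop or from ZAP, Burp or Fiddler; the sample response is constructed and the header checks are a small assumed subset of what those tools look for.

```python
from email.parser import Parser

# Constructed response, shaped like what an intercepting proxy shows for a
# login page; not captured from Gruyere, AltoroMutual or any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: remember=1; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Login</body></html>"
)

SECURITY_HEADERS = ("X-Frame-Options", "X-Content-Type-Options",
                    "Content-Security-Policy")


def parse_response(raw):
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    headers = Parser().parsestr(header_text)   # keeps repeated Set-Cookie lines
    return status_line, headers, body


def passive_findings(raw):
    """Return the observations a passive scan would report for one response."""
    _, headers, _ = parse_response(raw)
    findings = []
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "httponly" not in flags:
            findings.append(f"cookie {name} lacks HttpOnly")
        if "secure" not in flags:
            findings.append(f"cookie {name} lacks Secure")
    for header in SECURITY_HEADERS:
        if header not in headers:
            findings.append(f"missing {header} header")
    server = headers.get("Server", "")
    if any(ch.isdigit() for ch in server):      # crude version-disclosure check
        findings.append(f"Server header discloses version: {server}")
    return findings


if __name__ == "__main__":
    for finding in passive_findings(SAMPLE_RESPONSE):
        print(finding)
```

Each finding is a test idea, not a confirmed vulnerability; the session cookie without HttpOnly is what turns the XSS flow above into session theft, so that is the one to look at first.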
Spidering
Discovers more areas of your application to test
Physically interacts with the application
Use with caution
What information does it provide?
How is the information structured?
Any testing ideas?
Active Scanning
Performs real attacks (sends attack requests) against the application under test
Injection
XSS
Cookie Poisoning
What information does it provide?
How is the information structured?
Any testing ideas?
What do we test next?
Fuzzing
Inputs random, invalid or unexpected data
Might indicate an exception that could cause crashes, performance issues or memory leaks
What information does it provide?
How is the information structured?
Any testing ideas?
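Fuzzing in miniature: fixed invalid inputs plus seeded random ones fed to a single input-handling function, recording which inputs raise an exception the code did not plan for. Added example, not code from the workshop or from any fuzzer tool; the target function is constructed to resemble a transfer-amount field and is deliberately naive.

```python
import random
import string


def parse_transfer_amount(text):
    """Constructed fuzz target modelled on a transfer amount field ('12.50').
    Deliberately naive, so the fuzzer has something to find."""
    if text[0] == "-":                       # IndexError on empty input
        raise ValueError("negative amount")
    whole, frac = text.split(".")            # ValueError unless exactly one dot
    return int(whole) * 100 + int(frac[:2].ljust(2, "0"))


# Hand-picked invalid and unexpected inputs; the random ones come on top.
FIXED_CASES = ["", ".", "..", "1.2.3", "-1.00", "1e3", "1.\x00",
               "\u0663.\u0665", "9" * 40 + ".0", " 1 . 5 "]


def random_case(rng):
    # Printable ASCII plus a few non-ASCII characters (digit, accent, bidi mark).
    alphabet = string.printable + "\u0663\u00e9\u202e"
    return "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))


def fuzz(target, runs=500, seed=1):
    """Feed fixed and seeded-random inputs to `target`; return the inputs that
    raised anything other than the ValueError the code uses to reject input."""
    rng = random.Random(seed)                 # fixed seed: every run is reproducible
    cases = FIXED_CASES + [random_case(rng) for _ in range(runs)]
    findings = {}
    for case in cases:
        try:
            target(case)
        except ValueError:
            continue                          # expected rejection of bad input
        except Exception as exc:              # unexpected: a crash candidate
            findings.setdefault(type(exc).__name__, []).append(case)
    return findings


if __name__ == "__main__":
    for exc_name, inputs in fuzz(parse_transfer_amount).items():
        print(exc_name, "raised by", len(inputs), "inputs, e.g.", repr(inputs[0]))
```

Inputs the target silently accepts (Arabic-Indic digits, embedded spaces) are not reported here, so read the fuzzer's output alongside what the function returned, not just what it threw.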
Proxy Chaining
All tools work differently
They all have similar but varied features and functions
Linking them together will enhance your testing
Comparison of results from different tools
Try modifying the upstream and downstream proxy settings
Extending your toolset
Can be built into a continuous integration solution
Scripting interfaces e.g. Python, Ruby
API
Reporting
Wrap Up
Is there something we haven’t covered that you want to talk about?
Has this workshop met your expectations?
Any questions?
Thanks for taking part
Getting in Touch
Twitter @TheTestDoctor
Blog thetestdoctor.wordpress.com
www.newvoicemedia.com