Daniel Billing: Exploring the Security Testers Toolbox

Exploring the Security Testers Toolkit – Dan Billing – New Voice Media – @thetestdoctor | thetestdoctor.wordpress.com

Transcript of Daniel Billing: Exploring the Security Testers Toolbox

Page 1: Daniel billing   exploring the security testers toolbox

Exploring the Security Testers Toolkit

Dan Billing – New Voice Media

@thetestdoctor | thetestdoctor.wordpress.com

Page 2: Daniel billing   exploring the security testers toolbox

Objectives for the day

Introductions

An introduction to threat modelling and an activity to generate test ideas

An introduction to the OWASP Top 10

An introduction to some useful tools and how to use them

Explore an application to discover some vulnerabilities

Talk about threats and what they mean in context

Talk about attacks and how they can be used in testing

Practice some attacks

Consolidate and challenge our thinking

Page 3: Daniel billing   exploring the security testers toolbox

Introduction

Tester for 13 years, 4 years as a self-employed consultant

Worked in the private and public sector in the UK

AOL Time Warner

Capita

Northgate

UK Government

Brightpearl

Now a Test Engineer at New Voice Media

@TheTestDoctor

www.thetestdoctor.wordpress.com

Page 4: Daniel billing   exploring the security testers toolbox

Introductions

About you?

What do you want to get out of the day?

Page 5: Daniel billing   exploring the security testers toolbox

A Security Testing Mnemonic: EXTERMINATE

EX – EXPLORE

T – THREATS

E – EXPERIMENT

R – RISKS

M – MONITOR

IN – INTERROGATE

A – ANALYSIS

T – TARGETED

E – EXPEDITED

Image courtesy of Andy Glover @cartoontester

Page 6: Daniel billing   exploring the security testers toolbox

Gruyere – the cheesy web app

Navigate your browser of choice to:

http://google-gruyere.appspot.com/start

Built by Google

Deliberately vulnerable web application for training

Don’t enter personal data into it!

Page 7: Daniel billing   exploring the security testers toolbox

AltoroMutual – the reliable banking application

Navigate your browser of choice to:

http://altoromutual.com/

Built by IBM (as a marketing tool for AppScan)

Deliberately vulnerable web application for training

Don’t enter personal data into it!

Page 8: Daniel billing   exploring the security testers toolbox

Explore the application

Work in groups

Explore the application 10-15 mins

What can you find out?

User scenarios?

What can you do with the application?

Critical assets?

Features and functionality?

Areas for testing?

Feedback to the group

Page 9: Daniel billing   exploring the security testers toolbox

Tools of the Trade

Browser tools

Built in DOM tools and consoles – available in all modern browsers

Firebug

Monitor errors, resources, traffic and scripts

Add, delete and modify cookies

Plugins e.g. Tamper Data, EditThisCookie

OWASP Mantra

API tools e.g. Postman, Advanced REST Client

Page 10: Daniel billing   exploring the security testers toolbox

Tools of the Trade

Proxy tools

Fiddler

Zed Attack Proxy

BurpSuite

Intercepting HTTP/HTTPS traffic

Modify requests, headers, cookies and other session data

Craft attacks and other harmful scenarios

Spider

Fuzzers

Port Scanning

CSRF

Page 11: Daniel billing   exploring the security testers toolbox

Tools of the Trade

Network monitors

Protocol and packet sniffing e.g. Wireshark

Network mapping e.g. Nmap

Source Code Analysers

OWASP O2 Platform

OWASP LAPSE

Page 12: Daniel billing   exploring the security testers toolbox

Fiddler

Download and Install Fiddler

http://www.telerik.com/fiddler

Configure your Browser

Set the Proxy Server to 127.0.0.1

Set the Port to 8080

Configure Fiddler

Install certificate if required

Set the Local Proxy to 127.0.0.1

Set the Port to 8080

You may need to close and restart the browser/Fiddler

Page 13: Daniel billing   exploring the security testers toolbox

Zed Attack Proxy (ZAP)

Download and install Zed Attack Proxy

https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Configure your Browser

Set the Proxy Server to 127.0.0.1

Set the Port to 8181

Configure Zed Attack Proxy

Install certificate if required

Set the Local Proxy to 127.0.0.1

Set the Port to 8181

You may need to close and restart the browser/ZAP

Page 14: Daniel billing   exploring the security testers toolbox

BurpSuite

Download and Install Burpsuite (Free Edition)

http://portswigger.net/burp/download.html

Configure your Browser

Set the Proxy Server to 127.0.0.1

Set the Port to 8080

Configure Burpsuite

Install certificate if required

Set the Local Proxy to 127.0.0.1

Set the Port to 8282

You may need to close and restart the browser/Burpsuite
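The three setup pages above (Fiddler, ZAP, Burp) describe the same arrangement: the browser is told to send its traffic to 127.0.0.1 on a port, and the tool listens on that port and sits between browser and server. The following is an added example, not material from the slides and not code from Fiddler, ZAP or Burp. It starts a minimal HTTP listener on 127.0.0.1 (a stand-in for the tool's Local Proxy listener), sends one request through it with Python's urllib configured the way the browser proxy setting would be, and shows what such a listener sees: the absolute URL and every request header, the session cookie included, which is why it can read and modify them. The hostname app.example.test, the cookie value and the X-Proxied-By response header are constructed. One check worth doing when the setup fails: the port in the browser's proxy setting and the port in the tool's Local Proxy setting must be the same value, otherwise the browser reports a refused connection.

```python
"""Toy intercepting proxy plus a client routed through it (constructed example)."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Every request the "browser" sends is recorded here by the proxy.
captured = []


class ToyProxy(BaseHTTPRequestHandler):
    """Records each proxied request and answers with a canned page.

    A real intercepting proxy would forward the request upstream and relay
    the reply; this one only logs what it saw so the example runs offline.
    """

    def do_GET(self):
        # A client configured to use a proxy sends the absolute URL in the
        # request line, so self.path is the full URL rather than just "/login".
        captured.append({"url": self.path, "headers": dict(self.headers)})
        body = b"<html><body>intercepted</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        # The proxy can add or rewrite headers on the way back as well.
        self.send_header("X-Proxied-By", "toy-proxy")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        # Keep the console quiet; the captured list is our log.
        pass


def start_proxy():
    """Listen on 127.0.0.1 on a free port; return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), ToyProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_via_proxy(url, proxy_port, extra_headers=None):
    """Send one GET through the proxy at 127.0.0.1:proxy_port.

    This is the programmatic equivalent of the browser setting
    "Proxy Server 127.0.0.1 / Port <proxy_port>".
    """
    handler = urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"})
    opener = urllib.request.build_opener(handler)
    req = urllib.request.Request(url, headers=extra_headers or {})
    with opener.open(req, timeout=5) as resp:
        return resp.status, dict(resp.headers), resp.read()


def demo():
    """Run one request through the toy proxy and return what both sides saw."""
    server, port = start_proxy()
    try:
        status, headers, body = fetch_via_proxy(
            "http://app.example.test/login?user=alice",   # constructed target
            port,
            {"Cookie": "session=abc123"},                 # constructed cookie
        )
    finally:
        server.shutdown()
        server.server_close()
    return {"status": status, "headers": headers, "body": body, "seen": captured[-1]}


if __name__ == "__main__":
    result = demo()
    print("proxy saw URL:    ", result["seen"]["url"])
    print("proxy saw headers:", result["seen"]["headers"])
    print("client got status:", result["status"], result["headers"].get("X-Proxied-By"))
```

Because the cookie travels through the listener in the clear, this is also the point at which Fiddler, ZAP or Burp let you edit it before it reaches the server, which is what the "Modify requests, headers, cookies and other session data" bullet on the proxy tools page refers to.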

Page 15: Daniel billing   exploring the security testers toolbox

Threat Modelling

STRIDE

S – SPOOFING

T – TAMPERING

R – REPUDIATION

I – INFORMATION DISCLOSURE

D – DENIAL OF SERVICE

E – ESCALATION OF PRIVILEGE

Page 16: Daniel billing   exploring the security testers toolbox

Spoofing

Threat action aimed to illegally access and use another user's credentials, such as username and password.

Page 17: Daniel billing   exploring the security testers toolbox

Tampering

Threat action aimed to maliciously change/modify persistent data, such as persistent data in a database, and the alteration of data in transit between two computers over an open network, such as the Internet.

Page 18: Daniel billing   exploring the security testers toolbox

Repudiation

Threat action aimed to perform illegal operations in a system that lacks the ability to trace the prohibited operations.

Page 19: Daniel billing   exploring the security testers toolbox

Information Disclosure

Threat action to read a file that one was not granted access to, or to read data in transit.

Page 20: Daniel billing   exploring the security testers toolbox

Denial of Service

Threat aimed to deny access to valid users, such as by making a web server temporarily unavailable or unusable.

Page 21: Daniel billing   exploring the security testers toolbox

Escalation of Privilege

Threat aimed to gain privileged access to resources for gaining unauthorized access to information or to compromise a system.

Page 22: Daniel billing   exploring the security testers toolbox

Threat Mind Map

Grab some post-its

Identify threats to your application – Gruyere or Altoromutual

How might they happen?

What are the risks?

What might be the impact?

Mind-map them as a team on the board

Feedback to the group

Page 23: Daniel billing   exploring the security testers toolbox

OWASP Top 10 2013

1 – Injection

2 – Broken Authentication and Session Management

3 – Cross Site Scripting (XSS)

4 – Insecure Direct Object References

5 – Security Misconfiguration

6 – Sensitive Data Exposure

7 – Missing Function Level Access Control

8 – Cross Site Request Forgery (CSRF)

9 – Using Components with Known Vulnerabilities

10 – Unvalidated Redirects and Forwards

Page 24: Daniel billing   exploring the security testers toolbox

SQL Injection

Exploits of a Mom – www.xkcd.com/327
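The cartoon makes the point that text typed into a form ends up inside a SQL statement. The example below is added here and is not from the slides; it shows the defect and the fix side by side on an in-memory SQLite table (the table and names are constructed). The lookup built by string formatting lets the input change the shape of the query, while the parameterised lookup passes the input as a value the database never parses as SQL. The probe function also shows the two tells a tester watches for: a database error on an ordinary apostrophe, and a result set that grows when a tautology is supplied.

```python
"""Vulnerable versus parameterised lookup on a constructed SQLite table."""
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("Alice",), ("Bob",)])
    return conn


def find_vulnerable(conn, name):
    """The defect: the input is spliced into the SQL text, so it can alter the query."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def find_safe(conn, name):
    """The fix: the input is bound as a parameter and is only ever a value."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (name,))]


def probe(conn, text):
    """Run one input through both lookups and report what each does.

    A raised database error from the vulnerable path is reported as a string
    so the comparison is visible at a glance.
    """
    try:
        vulnerable = find_vulnerable(conn, text)
    except sqlite3.OperationalError as exc:
        vulnerable = f"ERROR: {exc}"
    return {"vulnerable": vulnerable, "safe": find_safe(conn, text)}


if __name__ == "__main__":
    db = make_db()
    for sample in ["Alice", "O'Brien", "' OR '1'='1"]:
        print(repr(sample), "->", probe(db, sample))
```

Both functions return the same answer for a normal name, which is why the defect survives functional testing; it is the apostrophe and the tautology inputs that separate them.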

Page 25: Daniel billing   exploring the security testers toolbox

Cross Site Scripting (XSS)

1. Sends URL containing a hidden script

2. Follows URL containing script

3. Serves page containing script

4. Browser executes script and sends private data

5. Impersonates user at website
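Step 3 in the sequence above only works because the site reflects the script from the URL into the page unencoded. The example below is added here and is not from the slides: it shows a search page that reflects its term, the same page with the term encoded for the HTML text context and for an attribute context, and the check a tester makes to tell the two apart with a harmless marker (the page markup and the probe string are constructed).

```python
"""Reflected input, encoded versus unencoded (constructed example)."""
import html


def render_vulnerable(term):
    """Reflects the search term straight into the HTML (the defect behind step 3)."""
    return f"<p>Results for: {term}</p>"


def render_safe(term):
    """Same page with the term encoded for the HTML text context.

    '<' becomes '&lt;', so whatever the term contains is shown as text and
    never parsed as markup by the browser.
    """
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def render_attribute_safe(term):
    """Reflecting into an attribute needs both a quoted attribute and encoding.

    quote=True also turns '"' into '&quot;', so the value cannot close the
    attribute early.
    """
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def reflected_unencoded(render, probe):
    """Tester's check: does the probe come back byte-for-byte as live markup?"""
    return probe in render(probe)


# A harmless marker is enough to tell encoded from unencoded output.
PROBE = "<b>probe</b>"

if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable), ("safe", render_safe)]:
        print(name, "reflects markup:", reflected_unencoded(render, PROBE))
        print("   ", render(PROBE))
    print(render_attribute_safe('a" b'))
```

Output encoding addresses step 3; marking the session cookie HttpOnly limits what step 4 can read, but it does not remove the need to encode, since script running in the page can still act as the user.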

Page 26: Daniel billing   exploring the security testers toolbox

Cross Site Request Forgery (CSRF)

1. Victim browses a malicious page with content

2. Script or image executed in browser

3. Attacker can access browser sessions, modify config or send malicious content
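Step 2 works because the browser attaches the victim's session cookie to the request no matter which page caused it. The example below is added here and is not from the slides: it models a transfer endpoint in a banking application of the AltoroMutual kind, first accepting any request that carries a valid session cookie, then requiring a per-session token that the genuine page embeds and that another site's page cannot read. The session store, cookie value and account names are constructed.

```python
"""Transfer endpoint with and without a synchroniser token (constructed example)."""
import hmac
import secrets

# Server-side session store keyed by the session cookie value (constructed).
SESSIONS = {"cookie-abc123": {"user": "alice", "balance": 1000}}


def issue_csrf_token(session):
    """Generate a per-session secret, store it, and hand it to the page template."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def _do_transfer(session, form):
    """The state change we are protecting."""
    amount = int(form["amount"])
    session["balance"] -= amount
    return {"ok": True, "balance": session["balance"]}


def transfer_vulnerable(cookie, form):
    """Acts on any POST that carries a valid session cookie.

    A form auto-submitted from an unrelated page (steps 1 and 2) arrives with
    the cookie, so it is accepted as the user.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return {"ok": False, "error": "not logged in"}
    return _do_transfer(session, form)


def transfer_safe(cookie, form):
    """Also requires the per-session token that only the genuine page contains.

    Another origin's page can make the browser send the cookie but cannot read
    the token out of the victim's page, so the forged request stops here.
    """
    session = SESSIONS.get(cookie)
    if session is None:
        return {"ok": False, "error": "not logged in"}
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token is not leaked through timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return {"ok": False, "error": "missing or invalid CSRF token"}
    return _do_transfer(session, form)


def simulate():
    """Replay a forged request and a genuine one against both handlers."""
    cookie = "cookie-abc123"
    SESSIONS[cookie]["balance"] = 1000
    token = issue_csrf_token(SESSIONS[cookie])
    genuine = {"to": "bob", "amount": "100", "csrf_token": token}
    forged = {"to": "mallory", "amount": "100"}   # no token: the page could not read it
    return {
        "vulnerable_forged": transfer_vulnerable(cookie, forged),
        "safe_forged": transfer_safe(cookie, forged),
        "safe_genuine": transfer_safe(cookie, genuine),
    }


if __name__ == "__main__":
    for label, outcome in simulate().items():
        print(f"{label:18} {outcome}")
```

When testing through a proxy, the equivalent check is to replay a captured state-changing request with the token removed or altered and confirm the application rejects it; the SameSite cookie attribute adds a second layer in modern browsers but does not replace the token.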

Page 27: Daniel billing   exploring the security testers toolbox

Using Scanning Tools

Practice on a training website or on a virtual machine

Agree with stakeholders

Don’t use against a site you don’t have permission to test on

Understand risks to assets

Schedule appropriately

Page 28: Daniel billing   exploring the security testers toolbox

Passive Scanning

Explore the website under test

Observe the behaviour of the scanning tool

What information does it provide?

How is the information structured?

Any testing ideas?

What would you test first?

Page 29: Daniel billing   exploring the security testers toolbox

Spidering

Discovers more areas of your application to test

Physically interacts with the application

Use with caution

What information does it provide?

How is the information structured?

Any testing ideas?

Page 30: Daniel billing   exploring the security testers toolbox

Active Scanning

Performs physical attacks against the application under test

Injection

XSS

Cookie Poisoning

What information does it provide?

How is the information structured?

Any testing ideas?

What do we test next?

Page 31: Daniel billing   exploring the security testers toolbox

Fuzzing

Inputs random, invalid or unexpected data

Might indicate an exception that could cause crashes, performance issues or memory leaks

What information does it provide?

How is the information structured?

Any testing ideas?
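The fuzzers in ZAP and Burp send generated values into HTTP parameters; the principle is the same against any input handler, and the example below is added here to show it in-process rather than over HTTP (it is not code from the slides or from either tool). The target is a constructed amount parser with two gaps of the kind fuzzing finds: it assumes a decimal point is present, and it never rejects negative amounts. The harness feeds it a fixed set of boundary cases plus seeded random strings and sorts the outcomes into accepted, rejected cleanly, crashed (any exception other than the parser's own ValueError) and accepted-but-wrong (an invariant the result must satisfy).

```python
"""Small fuzz harness over a constructed input handler."""
import random
import string


def parse_amount(text):
    """Constructed toy: turns '12.50' into 1250 pence.

    Deliberately has the gaps fuzzing is meant to surface: it assumes a '.'
    is present (IndexError otherwise) and accepts negative amounts.
    """
    parts = text.split(".")
    whole, frac = parts[0], parts[1]          # IndexError when there is no '.'
    if len(frac) != 2:
        raise ValueError("expected two decimal places")
    return int(whole) * 100 + int(frac)       # ValueError on non-digits


# Hand-picked edge cases a tester would try first, then random material.
BOUNDARY_CASES = ["12.50", "0.00", "-5.00", "12", "", ".", "1.2.3",
                  "1e3.00", "99999999999999999999.99"]
ALPHABET = string.digits + ".-+ _e" + string.ascii_letters


def generate_cases(iterations, seed):
    """Boundary cases followed by seeded random strings (reproducible runs)."""
    rng = random.Random(seed)
    cases = list(BOUNDARY_CASES)
    for _ in range(iterations):
        length = rng.randint(0, 8)
        cases.append("".join(rng.choice(ALPHABET) for _ in range(length)))
    return cases


def fuzz(target, iterations=500, seed=1):
    """Run every case through target and classify what happened.

    'crashes' and 'bad_values' keep the first input that triggered each
    finding, which is what you need to reproduce it.
    """
    report = {"ok": 0, "rejected": 0, "crashes": {}, "bad_values": {}}
    for case in generate_cases(iterations, seed):
        try:
            value = target(case)
        except ValueError:
            report["rejected"] += 1          # the handler's own clean rejection
        except Exception as exc:             # anything else is a finding
            report["crashes"].setdefault(type(exc).__name__, case)
        else:
            if value < 0:                    # invariant: an amount is never negative
                report["bad_values"].setdefault("negative", case)
            else:
                report["ok"] += 1
    return report


if __name__ == "__main__":
    for key, val in fuzz(parse_amount).items():
        print(f"{key:11} {val}")
```

Classifying by exception type is what separates "the application said no" from "the application fell over"; the same distinction applies when reading a proxy fuzzer's results, where a 400 is a clean rejection and a 500 or a timeout is the finding.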

Page 32: Daniel billing   exploring the security testers toolbox

Proxy Chaining

All tools work differently

They all have similar but varied features and functions

Linking them together will enhance your testing

Comparison of results from different tools

Try modifying the upstream and downstream proxy settings

Page 33: Daniel billing   exploring the security testers toolbox

Extending your toolset

Can be built into a continuous integration solution

Scripting interfaces e.g. Python, Ruby

API

Reporting

Page 34: Daniel billing   exploring the security testers toolbox

Wrap Up

Is there something we haven’t covered that you want to talk about?

Has this workshop met your expectations?

Any questions?

Thanks for taking part

Page 35: Daniel billing   exploring the security testers toolbox

Getting in Touch

Twitter @TheTestDoctor

Blog thetestdoctor.wordpress.com

www.newvoicemedia.com