OWASP WTE: Testing your way

The OWASP Foundationhttp://www.owasp.org

OWASP WTE:Testing your way.

Matt TesauroOWASP Foundation Board Member, WTE Project Lead

[email protected] President, Services for Praetorian

[email protected] Wickett

[email protected]

Agile Austin 2011

2

Who's this Matt guy anyway?

Broad IT backgroundDeveloper, DBA, Sys Admin, Pen Tester, Application Security professional, CISSP, CEH, RHCE, Linux+

Long history with Linux and Open SourceContributor to many projectsLeader of OWASP Live CD / WTE

OWASP Foundation Board Member

VP, Services for Praetorian

OWASP WTE: A History

4

At all started that summer...

5

•Current Release•OWASP WTE Feb 2011

•Previous Releases•OWASP WTE Beta Jan 2010•AppSecEU May 2009•AustinTerrier Feb 2009•Portugal Release Dec 2008•SoC Release Sept 2008•Beta1 and Beta2 releases during the SoC

Note: Not all of these had ISO, VirtualBox and Vmware versions

6

Other fun facts

~5,094 GB of bandwidth since launch (Jul 2008)

Most downloads in 1 month = 81,607 (Mar 2009)

Overall downloads: 330,081 (as of 2009-10-05)

7

There's a new kid in town

OWASP WTE

Web Testing Environment

8

The project has grown to more than just a Live CD

VMWare installs/appliancesVirtualBox installsUSB InstallsTraining Environment....

Add in the transition to Ubuntu and the possibilities are endless (plus the 26,000+ packages in the Ubuntu repos)

9

GOAL

Make application security tools and documentation easily available and easy to use

Compliment's OWASP goal to make application security visible

Design goalsEasy for users to keep updatedEasy for project lead to keep updatedEasy to produce releases (more on this later)Focused on just application security – not general pen testing

What's on WTE

13

26 “Significant” Tools Available

WapitiWeb Goat

CAL9000

JBroFuzz

DirBuster

WebSlayer

WSFuzzerWeb Scarab

OWASP Tools:

a tool for performing all types of security testing on web apps and web services

an online training environment for hands-on learning about app sec

a collection of web app sec testing tools especially encoding/decoding

a web application fuzzer for requests being made over HTTP and/or HTTPS.

a fuzzer with HTTP based SOAP services as its main target

audits the security of web apps by performing "black-box" scans

a multi threaded Java app to brute force directory and file names

A tool designed for brute-forcing web applications such as resource discovery, GET and POST fuzzing, etc

JBroFuzza web application fuzzer for requests being made over HTTP and/or HTTPS.

EnDeAn amazing collection of encoding and decoding tools as well as many other utilities

ZAP ProxyA fork of the popular but moribund Paros Proxy

14

Zenmap

Paros

nmap

Wireshark

Firefox

Burp Suite

Grendel Scan

Nikto

sqlmap

SQL Brute

w3af

netcat

Httprint

Spike Proxy

Rat Proxy

Fierce Domain Scanner

Metasploit

tcpdump

Maltego CE

Other Proxies: Scanners:

Duh:

SQL-i: Others:

Why is it different?

19

OWASP DocumentsTesting Guide v2 & v3CLASP and OpenSammTop 10 for 2010Top 10 for Java Enterprise EditionAppSec FAQBooks – tried to get all of themCLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review

OthersWASC Threat Classification, OSTTMM 3.0 & 2.2

What is next?

27

Among the new ides for WTE are

Live CDs & Live DVDs

Virtual installs/appliances

A package repositoryCan add 1+ tool to any Debian based Linux# apt-get install owasp-wte-*

Custom remixes of any of the above

Targeted installs

WebGoat Developer Version

Wubi

USB and Kiosk version

28

Builder is where the ROI is

But darn it, breaking is really fun.

Builder tools coming in future releases.

(Thanks Top Gear!)

Builder vs Breaker

29

Goals going forward

Showcase great OWASP projects

Provide the best, freely distributable application security tools/documents in an easy to use package

Ensure that tools provided are easy to use as possible

30

Goals going forward

Continue to document how to use the tools and how the modules were created

Align the tools with the OWASP Testing Guide v3 to provide maximum coverage

Add more developer and QA focused tools

31

How can you get involved?Join the mail listAnnouncements are there – low traffic

Post on the AppSecLive.org forumsDownload an ISO or VMComplain or praise, suggest improvementsSubmit a bug to the Google Code site

Create deb package of a toolHow I create the debs will be documented, command by command and I'll answer questions gladly

Suggest missing docs or linksDo a screencast of one of the tools being used on the OWASP WTE

32

Learn More...

OWASP Site http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project or just look on the OWASP project page (release quality)

http://www.owasp.org/index.php/Category:OWASP_Project

or Google “OWASP Live CD”

Download & Community Site

http://AppSecLive.org

Previously: http://mtesauro.com/livecd/

Getting Agile with WTE

34

Two Keys to Agile Testing

Targeted Testing

Automation

35

Targeted Testing

Match security testing to sprints– Sprint story features vs Security testing categories

OWASP Testing Guide v3 outlines– 9 categories, 66 controls– 349 pages

36

Targeted Testing

Costs of targeting testing– Someone to “diff” features vs controls– Someone to test the relevant areas

Benefits– Only testing relevant areas– Testing scope/time is reduced

37

Targeted Testing

Security Sprints + Common Controls– Set aside a sprint or two– Focus on security stories

Create a common/shared security library– OWASP's ESAPI– Both an API reference and implementations

38

Targeted Testing

Security Sprints + Common Controls– Set aside a sprint or two– Focus on security stories

Create a common/shared security library– OWASP's ESAPI– Both an API reference and implementations

39

Targeted Testing

Costs of security sprint + controls– 1+ sprints to implement controls– Rigorous initial testing of the controls

Benefits– With common controls, testing is now ensuring controls are used, not their implementation– Testing scope/time is reduced– Testing may be automate-able

40

Automation

Two primary types of security testing

– Dynamic – testing running code

– Static – testing source code

41

Automating Dynamic Testing

Dynamic testing tools– Crawl an application• Get a list of URLs/pages

– Inject potential attacks, gauge responseCrawling pitfalls– AJAX / RIA– Flash / Flex

Crawling work-around– Use a local proxy

42

Quick step back...

Local Proxy

Server

If you run a local proxy server on the same machine as your browser, you can intercept and modify all HTTP and HTTPS traffic

43

Automating Dynamic Testing

Leverage existing “browser drivers” to also drive security tools– Automates generating a list of URLs for tools– Examples • Selenium (free FF add-on)• QTP (commercial)

Record application “click through”– Replay “click through” for security tools– May already have functional tests to re-use

44

Automating Zap

Setup Zap as your browser's proxyUse “click through” to explore the appOptions– Passive only tests– Active Scanning

Costs– Upfront creation of “click through”– Time to run “click through” and active scan

45

Automating w3afOption #1

Select pre-existing policy file– WebSpider discovery plugin

Let w3af crawl and scanCosts– Upfront time to create scanning policy

Pitfalls– Crawling issues, app coverage

46

Automating w3afOption #2

Setup w3af the browsers local proxySelect pre-existing policy file– SpiderMan discovery plugin

Use a “click through” to provide URLsCosts– Upfront time to create scanning policy– Upfront time to create “click through”– Updates to the “click through” for new app areas

47

General Warning about Dynamic Testing

Need to have a browse-able application at end of Sprint.

If app is rapidly adding new areas (pages), “click through” will need to be maintained to ensure coverage.

Some dynamic scans can take a long time

– 8+ hours for w3af with many plugins enabled

• Tweak plugin selection

• May have to be an end of sprint activity

48

Automating Static Testing

Few good free tools in this space– FindBugs, PMD, etc– Look at code quality tools also

Commercial tools– Source vs binary analysis– Local vs SAAS– IDE integration

49


Tie static tools to specific events– Source code check-in– Nightly build processes– Continuous Integration

Watch out for– Long run time (parallel execution)– Manageable output

50


Most commercial tools have (or will sell you) a “Mothership”– Allows for centralized reporting, trending, etc.

Integration with bug tracking systems– Spotty across vendors / projects

Reporting is weak in free tools, varies in commercial tools

A bit about OWASP

52

OWASP

The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.

53

OWASP Meritocracy

54

Security Vulnerabilities

Change ControlSource Code MgmtStrategy & MetricsPolicy & ComplianceEducation & TrainingThreat AssessmentSecurity RequirementsSecure ArchitectureDesign ReviewCode ReviewRemediationHardening...

55

A Look at OWASP Projects

56

Projects to look into

Secure Coding Practices – Quick Reference Guide

Securing the Core JEE Patterns

OWASP Phoenix Tools list

OWASP AppSensor

OWASP Top 10

Cheat Sheets

OWASP ESAPI

WebGoat

Zap Proxy

OWASP Testing Guide

57

What have I missed?

Help me walk a mile in your shoes...

What is WTE missing?

Where are your pain points?

Where is OWASP missing the mark?

58

Why do I do this?

59

Questions?

OWASP WTE: Testing your way

Documents

Transcript of OWASP WTE: Testing your way