Andrew Freeborn Intro to Web App Testing with Mutillidae BSides Iowa 2015 18 Apr 2015
BSides 2015 Intro to Web App Pen Testing with Mutillidae

Aug 18, 2015

Page 1: BSides 2015 Intro to Web App Pen Testing with Mutillidae

Andrew Freeborn

Intro to Web App Testing with Mutillidae

BSides Iowa 2015, 18 Apr 2015

Page 2

Things to cover today

❖ What is this Mutillidae?

❖ Tools for the job

❖ Web App Pen Tester techniques

❖ Learning with Mutillidae

❖ Demo

❖ Links and QA

Page 3

What is this Mutillidae?

❖ Mutillidae is an OWASP project, currently maintained by Jeremy Druin / Twitter: @webpwnized

❖ A Pen Test friendly web application

❖ Focused on OWASP Top Ten lists and testing methodologies

❖ Quick to set up and highly accessible

Page 4

Tools for the job

❖ Relatively newish computer (~4 years or less)

❖ VMWare Player, VirtualBox, Hyper-V, or your host OS

❖ At least 30GB of HD space if installed; 4GB of RAM

❖ Mutillidae!

❖ Optional: Samurai WTF Linux distribution (live CD or can be installed)

❖ OWASP ZAP or Burp Suite if not using Samurai WTF

Page 5

Web App Pen Tester techniques

❖ Super fun to point tools at things and let them do their thing

❖ How do we learn techniques from doing things like that though?

❖ How can I test vulnerabilities that come up where those tools may or may not be available or work?

❖ How can I ensure that a tool works as expected and a repeated test can find the same issues as last time?
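The last question, repeatable results, is easiest to answer with a small check you can run against a known page before trusting a tool. Below is an added example (not from the talk or from Mutillidae) that records how a page echoes a harmless canary string, raw or HTML-encoded, and flags drift from a saved baseline; the two `render_*` functions are constructed stand-ins for a reflected-input page before and after output encoding is applied.

```python
import html

# Constructed stand-ins for a page that echoes a search term back into the HTML body.
# render_unescaped is the "before" case a demo would show; render_escaped applies the fix.
def render_unescaped(term: str) -> str:
    return f"<html><body><p>Results for: {term}</p></body></html>"

def render_escaped(term: str) -> str:
    return f"<html><body><p>Results for: {html.escape(term, quote=True)}</p></body></html>"

# Harmless canary holding the characters that matter in an HTML body context.
CANARY = "bsides2015<'\">canary"

def reflection_state(page: str, canary: str = CANARY) -> str:
    """Classify how a page echoed the canary: 'raw', 'encoded' or 'absent'."""
    if canary in page:
        return "raw"
    if html.escape(canary, quote=True) in page:
        return "encoded"
    return "absent"

def check_baseline(pages: dict, baseline: dict) -> list:
    """Compare each page's current reflection state with the recorded baseline.

    Returns a list of (name, expected, actual) tuples for every page that drifted,
    so an empty list means the run reproduced last time's findings exactly.
    """
    drift = []
    for name, page in pages.items():
        actual = reflection_state(page)
        expected = baseline.get(name, "absent")
        if actual != expected:
            drift.append((name, expected, actual))
    return drift

if __name__ == "__main__":
    # Baseline recorded on a previous run; re-running should produce no drift.
    baseline = {"search_before_fix": "raw", "search_after_fix": "encoded"}
    pages = {
        "search_before_fix": render_unescaped(CANARY),
        "search_after_fix": render_escaped(CANARY),
    }
    print(check_baseline(pages, baseline))  # []
```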

Page 6

Web App Pen Tester techniques 2

❖ OWASP Testing Guide v4

❖ OWASP Top 10 2013

❖ PCI Pen Testing Guidance (March 2015)

❖ PTES

❖ NIST 800-115

Page 7

Learning with Mutillidae

❖ Step 1: Tools? Check. Techniques and Procedures? Check.

❖ Step 2: We have Samurai WTF up and running on a VM

❖ Step 3: ???

❖ Step 4: PROFIT

Page 8

Actually learning with Mutillidae

❖ As mentioned earlier, vulnerabilities are broken out by various subjects and categories

❖ Modeled after the OWASP Top 10s along with various extra scenarios

❖ Starts out easy and the difficulty can be increased

❖ Hints and walkthroughs are throughout the site

Page 9

Demo

❖ XSS

❖ XSS 2

❖ XSS Proxy

Page 10

Links and QA

❖ Mutillidae: www.owasp.org/index.php/OWASP_Mutillidae_2_Project

❖ Samurai WTF: samurai.inguardians.com

❖ OWASP Testing Guide v4: www.owasp.org/index.php/OWASP_Testing_Project

❖ OWASP Top 10 2013: www.owasp.org/index.php/Top_10_2013-Top_10

❖ PCI Pen Testing Guidance: www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf

❖ PTES: www.pentest-standard.org/index.php/Main_Page

❖ NIST SP 800-115: csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

❖ 12 part series on Mutillidae: www.youtube.com/watch?v=rNkR1Joz4eU

[email protected] / @maendarb