Clear AppSec Visibility with AppSpider and ThreadFix

© 2017 Denim Group – All Rights Reserved

Clear AppSec Visibility with

AppSpider and ThreadFix

March 9th, 2017

Dan CornellCTO, Denim Group

Dan KuykendallSenior Director, Application Security Products


Agenda

• State of Application Security

• Rapid7 AppSpider Overview

• ThreadFix Overview

• ThreadFix / AppSpider Integration


State of Application Security

• Rapidly evolving

• Changing web application architectures

and approaches

• Various techniques used to find

vulnerabilities

• Need to fix what gets found


AppSpider Overview


“You cannot attack

what you cannot see”

Possible layers of an App

Classic HTML & JavaScript Client - Standard

AJAX, SPA’s & Mobile apps

Client – Discovery challenges,

Complex client code plus API

challenges

Web Services / REST API’s Services – Various data formats

OAuth & other API AuthServices – Challenging authentication

schemes

Our Introduction to Web Apps

HTTP Standard Format

INPUTS IN SIMPLE ‘NAME=VALUE’ PAIRS

Same for POST requests

GET /search.php?item=Shirt&color=Blue HTTP/1.1

Accept: text/html, application/xhtml+xml, */*

Referer: http://www.webscantest.com/crosstraining/

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)

Host: www.webscantest.com

Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h

POST /search.php HTTP/1.1







item=Shirt&color=Blue

Our Introduction to App Sec---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12

-------------------------[ NT Web Technology Vulnerabilities

--------[ rain.forest.puppy / [WT] <[email protected]>

----[ ODBC and MS SQL server 6.5

Ok, topic change again. Since we've hit on web service and database stuff,

let's roll with it. Onto ODBC and MS SQL server 6.5.

I worked with a fellow WT'er on this problem. He did the good thing and told

Microsoft, and their answer was, well, hilarious. According to them,

what you're about to read is not a problem, so don't worry about doing

anything to stop it.

- WHAT'S THE PROBLEM? MS SQL server allows batch commands.

- WHAT'S THAT MEAN? I can do something like:

SELECT * FROM table WHERE x=1 SELECT * FROM table

WHERE y=5

Exactly like that, and it'll work. It will return two record sets, with each

set containing the results of the individual SELECT.

- WHAT'S THAT REALLY MEAN? People can possibly piggyback SQL

commands into your statements. Let's say you have:

SELECT * FROM table WHERE x=%%criteria from webpage

user%%

Fun with SQL Injection

Invalid User

Error 1064: You have an error in your SQL syntax near ‘” at line 1 of

SELECT * FROM tAccounts WHERE username=admin’ AND password=“abc123”

http://myspace.com/login.php?username=admin’&password=abd123

Fun with SQL Injection

http://myspace.com/login.php?username=admin’&password=abc123

Welcome Admin

Create User | View Users | View Logs

http://myspace.com/login.php?username=admin’#&password=abd123

SELECT * from tAccounts WHERE username=‘admin’ #

Layer 1: Discovery

No longer just HTML

Request

Response

Request

Response

JavaScript becomes Asynchronous

HTMLRich client (HTML, Javascript, AJAX)

& Web services (JSON, SOAP, etc.)

Applications getting more difficultThen Now

Crawling AJAX Apps

SPA Frameworks

A rose by any other name

• Web Services

• RESTful API’s

• Web API’s

• or simply API’s

HTTP Standard Format

GET /search.php?item=Shirt&color=Blue HTTP/1.1







POST /search.php HTTP/1.1







item=Shirt&color=Blue

Custom URL handlers

XML format

JSON: JavaScript Object

Notation

GWT: Google Web Toolkit

AMF: Old school Adobe/Flash

Actionscript Messaging Format

Many others: SOAP, XML-RPC

& many custom formats

GET /rest/search/item/Shirt/color/Blue

POST /rest/

<search><item>Shirt</item><color>Blue</color></

search>

POST /json/

{“search”: {“item”: Shirt ; “color”: Blue} }

POST /amf/amf.php

□□□□□□□□null□□□□/3□□□<

□□□□□□□Oflex.messaging.messages.RemotingMessage

source□operation□search□item□color

□□□□Shirt□ Blue□□□

DSId□IBA98D1B7-SE1C-6007-6D98-

2CEF173C5AF□SEndpoint□my-amf□□IOB63`

POST /GWT/

Search|Shirt|Blue|

AJAX & REST API Formats

{"products":[{"shirt":{"text":“NTO","colors":["blue","red",

"yellow","green"],"sizes":["small","medium","large","xlarge

"],"price":"19.99"}},{"hat":{"text":“NTO","colors":["black"

,"red"],"sizes":["kids","adult"],"price":"24.99"}}]}

{ "products" : [

{ "shirt" : {

"colors" : [

"blue",

"red",

"yellow",

"green"

],

"price" : "19.99",

"sizes" : [

"small",

"medium",

"large",

"xlarge"

],

"text" : “NTO"

} },

{ "hat" : {

"colors" : [

"black",

"red"

],

"price" : "24.99",

"sizes" : [

"kids",

"adult"

],

"text" : “NTO"

}

}

]

}

JSON supports

nested data

just like XML

As one line

Nicely formatted

Swing and a Miss

Landing the blow

Discovery - RESTful API’s

Don’t forget Mobile!

REST WEB SERVICE


Web Service

Authentication

Web Service Authentication Methods

• Classic solutions

• HTTP Auth (Basic/NTLM/Digest)

• Custom HTTP Header

• Session Cookie

• Popular standardized solutions

• OAuth support

• Supports most installations with simple configuration settings

• Custom signing code

• User driven/macro solutions


Attacks Continue to

Evolve

Attack Types and Importance Evolve


Changing

Development ModelsThe Software Development Lifecycle

(SDLC)

SDLC Types

• Waterfall – Classic development

• Agile – Release early & often

Waterfall

Agile


Continuous

Integration

Continuous Integration


“A bug is a bug is a

bug”

Issue/Bug Tracking


DevOps

DevOps


ThreadFix Overview

• Create a consolidated view of your

applications and vulnerabilities

• Prioritize application risk decisions

based on data

• Translate vulnerabilities to developers

in the tools they are already using


ThreadFix Overview


Create a consolidated view of

your applications and

vulnerabilities


Application Portfolio Tracking


Vulnerability Import


Vulnerability Consolidation


Prioritize application risk

decisions based on data


Vulnerability Prioritization


Prioritization with Hotspot


Reporting and Metrics


Translate vulnerabilities to

developers in the tools they

are already using


Defect Tracker Integration


ThreadFix and AppSpider


Hybrid Analysis Mapping

• Correlate DAST and SAST scan results

• Funding provided by US Department of Homeland Security Science and Technology Directorate


ThreadFix ScanAgent

• Schedule and run Rapid7 AppSpider

scans

• Coordinate with other testing activities


ThreadFix

www.threadfix.it

Rapid7 AppSpider

www.rapid7.com/products/appspider

Questions and Contact

http://www.threadfix.it/

https://www.rapid7.com/products/appspider/