© 2017 Denim Group – All Rights Reserved
Clear AppSec Visibility with AppSpider and ThreadFix
March 9th, 2017
Dan Cornell, CTO, Denim Group
Dan Kuykendall, Senior Director, Application Security Products
Agenda
• State of Application Security
• Rapid7 AppSpider Overview
• ThreadFix Overview
• ThreadFix / AppSpider Integration
State of Application Security
• Rapidly evolving
• Changing web application architectures and approaches
• Various techniques used to find vulnerabilities
• Need to fix what gets found
Possible layers of an App
• Classic HTML & JavaScript – Client: standard
• AJAX, SPAs & Mobile apps – Client: discovery challenges, complex client code plus API challenges
• Web Services / REST APIs – Services: various data formats
• OAuth & other API Auth – Services: challenging authentication schemes
HTTP Standard Format
Inputs arrive in simple 'name=value' pairs. The same holds for POST requests; the pairs simply move from the query string into the body (with a Content-Type header and a blank line separating headers from body).

GET /search.php?item=Shirt&color=Blue HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.webscantest.com/crosstraining/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.webscantest.com
Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h

POST /search.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://www.webscantest.com/crosstraining/
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: www.webscantest.com
Cookie: SESSIONIS=aslkjhalasdhh2979jhfac78h
Content-Type: application/x-www-form-urlencoded
Content-Length: 21

item=Shirt&color=Blue
Our Introduction to App Sec

---[ Phrack Magazine Volume 8, Issue 54 Dec 25th, 1998, article 08 of 12
-------------------------[ NT Web Technology Vulnerabilities
--------[ rain.forest.puppy / [WT] <[email protected]>
----[ ODBC and MS SQL server 6.5

Ok, topic change again. Since we've hit on web service and database stuff, let's roll with it. Onto ODBC and MS SQL server 6.5.

I worked with a fellow WT'er on this problem. He did the good thing and told Microsoft, and their answer was, well, hilarious. According to them, what you're about to read is not a problem, so don't worry about doing anything to stop it.

- WHAT'S THE PROBLEM? MS SQL server allows batch commands.
- WHAT'S THAT MEAN? I can do something like:

SELECT * FROM table WHERE x=1 SELECT * FROM table WHERE y=5

Exactly like that, and it'll work. It will return two record sets, with each set containing the results of the individual SELECT.

- WHAT'S THAT REALLY MEAN? People can possibly piggyback SQL commands into your statements. Let's say you have:

SELECT * FROM table WHERE x=%%criteria from webpage user%%
Fun with SQL Injection

Request:
http://myspace.com/login.php?username=admin'&password=abc123
Response:
Invalid User
Error 1064: You have an error in your SQL syntax near ''' at line 1 of
SELECT * FROM tAccounts WHERE username='admin'' AND password='abc123'

The extra quote closes the string literal early, the database rejects the statement, and the application echoes the whole query back. That tells the attacker exactly how the input is embedded; commenting out the rest of the statement turns the error into a login bypass:

Request:
http://myspace.com/login.php?username=admin'%23&password=abc123
(the # must be sent as %23: a bare # in a URL is a fragment delimiter and the browser never transmits it)
Query:
SELECT * FROM tAccounts WHERE username='admin' # AND password='abc123'
Response:
Welcome Admin
Create User | View Users | View Logs
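The bypass above, reproduced as an added example (not code from the slides or from the Phrack article): a string-concatenated login query next to its parameterized replacement, run against a constructed in-memory SQLite table standing in for tAccounts. SQLite ends a comment with `--` rather than MySQL's `#`, so the payload is `admin'--`; `login_query_string` shows how the MySQL-style payload has to be percent-encoded to survive the URL. Table contents and the function names are assumptions for the demonstration.

```python
"""SQL injection in a login query: vulnerable vs parameterized (added example, not from the slides)."""
import sqlite3
from urllib.parse import urlencode


def make_db():
    """Constructed in-memory stand-in for the slide's tAccounts table (contents assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tAccounts (username TEXT, password TEXT)")
    conn.execute("INSERT INTO tAccounts VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated query, the pattern behind the slide's login.php."""
    sql = f"SELECT * FROM tAccounts WHERE username='{username}' AND password='{password}'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as err:  # the slide's "Error 1064" moment: the query leaks in the message
        return f"Invalid User (SQL error: {err} in {sql})"
    return f"Welcome {row[0]}" if row else "Invalid User"


def login_safe(conn, username, password):
    """Parameterized query: the quote in the input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT * FROM tAccounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return f"Welcome {row[0]}" if row else "Invalid User"


def login_query_string(username, password):
    """How the payload must travel in a URL: ' and # are encoded as %27 and %23."""
    return urlencode({"username": username, "password": password})


if __name__ == "__main__":
    db = make_db()
    # SQLite comments run from "--" to end of line; MySQL additionally accepts "#" as on the slide.
    for user in ("admin", "admin'", "admin'--"):
        print(repr(user), "vulnerable ->", login_vulnerable(db, user, "wrong"))
        print(repr(user), "safe       ->", login_safe(db, user, "wrong"))
    print(login_query_string("admin'#", "abc123"))
```

Running it shows the three stages from the slides in order: a correct password logs in, a lone quote produces the syntax error (with the query embedded in the message, which is the information leak a scanner keys on), and the comment payload logs in as admin without any password. The parameterized version returns Invalid User for both injected inputs.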
Applications getting more difficult
Then: HTML
Now: Rich client (HTML, JavaScript, AJAX) & Web services (JSON, SOAP, etc.)
Custom URL handlers:
GET /rest/search/item/Shirt/color/Blue

XML format:
POST /rest/
<search><item>Shirt</item><color>Blue</color></search>

JSON (JavaScript Object Notation):
POST /json/
{"search": {"item": "Shirt", "color": "Blue"}}

GWT (Google Web Toolkit):
POST /GWT/
Search|Shirt|Blue|

AMF (Action Message Format, the binary serialization used by old-school Adobe/Flash ActionScript clients):
POST /amf/amf.php
(binary AMF body: a flex.messaging.messages.RemotingMessage carrying the operation "search" with arguments "Shirt" and "Blue", plus DSId and DSEndpoint "my-amf" message headers; not representable as text)

Many others: SOAP, XML-RPC & many custom formats
AJAX & REST API Formats
JSON supports nested data just like XML.

As one line:
{"products":[{"shirt":{"text":"NTO","colors":["blue","red","yellow","green"],"sizes":["small","medium","large","xlarge"],"price":"19.99"}},{"hat":{"text":"NTO","colors":["black","red"],"sizes":["kids","adult"],"price":"24.99"}}]}

Nicely formatted:
{ "products" : [
    { "shirt" : {
        "colors" : [
            "blue",
            "red",
            "yellow",
            "green"
        ],
        "price" : "19.99",
        "sizes" : [
            "small",
            "medium",
            "large",
            "xlarge"
        ],
        "text" : "NTO"
    } },
    { "hat" : {
        "colors" : [
            "black",
            "red"
        ],
        "price" : "24.99",
        "sizes" : [
            "kids",
            "adult"
        ],
        "text" : "NTO"
    } }
] }
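The discovery problem that the standard name=value slide and the custom-format slides describe, as an added example (not AppSpider's or ThreadFix's code): before a scanner can attack a request it has to find every input in the body, whatever the encoding, and then re-encode the body with a payload in one field. The code below does that for form-encoded, JSON (including nested objects and arrays like the products document above) and XML bodies; AMF and GWT are out of scope here. Sample bodies are constructed from the slides' search request; the function names and the path representation are assumptions.

```python
"""Input discovery and payload injection across request body formats (added example, not AppSpider code)."""
import json
from urllib.parse import parse_qsl, urlencode
import xml.etree.ElementTree as ET  # for XML from untrusted sources use defusedxml instead

FORM = "application/x-www-form-urlencoded"
JSON = "application/json"
XML = "application/xml"

# Constructed sample bodies: the slides' search request in three encodings.
FORM_BODY = "item=Shirt&color=Blue"
JSON_BODY = '{"search": {"item": "Shirt", "color": "Blue"}}'
XML_BODY = "<search><item>Shirt</item><color>Blue</color></search>"


def _walk_json(node, path, out):
    """Depth-first walk; every scalar leaf is a candidate input, keyed by its key/index path."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk_json(value, path + [key], out)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk_json(value, path + [index], out)
    else:
        out.append((path, node))


def _walk_xml(elem, path, out):
    """Leaf elements (no children) carry the values; the path is the chain of tag names."""
    path = path + [elem.tag]
    if len(elem) == 0:
        out.append((path, elem.text or ""))
    for child in elem:
        _walk_xml(child, path, out)


def discover_inputs(content_type, body):
    """Return [(path, value), ...] for every injectable field found in the body."""
    if content_type == FORM:
        return [([key], value) for key, value in parse_qsl(body, keep_blank_values=True)]
    out = []
    if content_type == JSON:
        _walk_json(json.loads(body), [], out)
    elif content_type == XML:
        _walk_xml(ET.fromstring(body), [], out)
    else:
        raise ValueError(f"unsupported content type: {content_type}")
    return out


def inject(content_type, body, path, payload):
    """Re-encode the body with the field at `path` replaced by `payload`, in the body's own format."""
    if content_type == FORM:
        pairs = [(key, payload if [key] == list(path) else value)
                 for key, value in parse_qsl(body, keep_blank_values=True)]
        return urlencode(pairs)  # percent-encodes the payload, e.g. ' becomes %27
    if content_type == JSON:
        data = json.loads(body)
        node = data
        for key in path[:-1]:
            node = node[key]  # dict keys and list indexes both work here
        node[path[-1]] = payload
        return json.dumps(data, separators=(",", ":"))
    if content_type == XML:
        root = ET.fromstring(body)
        node = root
        for tag in path[1:]:        # path[0] is the root tag
            node = node.find(tag)   # first matching child; repeated sibling tags are not disambiguated
        node.text = payload
        return ET.tostring(root, encoding="unicode")
    raise ValueError(f"unsupported content type: {content_type}")


def mutations(content_type, body, payload):
    """One mutated body per discovered input: the requests a DAST attack phase would replay."""
    return [(path, inject(content_type, body, path, payload))
            for path, _ in discover_inputs(content_type, body)]


if __name__ == "__main__":
    for ctype, body in ((FORM, FORM_BODY), (JSON, JSON_BODY), (XML, XML_BODY)):
        for path, mutated in mutations(ctype, body, "Shirt'"):
            print(ctype, path, "->", mutated)
```

The point of keeping discovery and injection separate is that the payload must be re-encoded by the rules of the carrier format: the same apostrophe is `%27` in a form body, a bare `'` inside a JSON string, and a bare `'` in XML text (where `<` or `&` would instead have to be escaped). A scanner that only understands name=value pairs sees zero inputs in the JSON and XML bodies and reports a clean result for an endpoint it never tested.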
Web Service Authentication Methods
• Classic solutions
  • HTTP Auth (Basic/NTLM/Digest)
  • Custom HTTP Header
  • Session Cookie
• Popular standardized solutions
  • OAuth support
    • Supports most installations with simple configuration settings
• Custom signing code
• User driven/macro solutions
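What "custom signing code" means for a scanner, as an added example (not code from the slides or from any product): a hypothetical HMAC-SHA256 request-signing scheme in which the client signs method, path, timestamp and a body hash, and the server rejects stale or mismatched signatures. A mutated request replayed with the original headers fails verification, so the scanner has to be able to re-sign every mutation it sends. The header names, canonical string, secret and timestamp are all assumptions for the demonstration.

```python
"""Hypothetical HMAC request signing, and why a scanner must re-sign mutated requests (added example)."""
import hashlib
import hmac

# Constructed: the slides' search POST and a mutated copy; the timestamp value is assumed.
ORIGINAL_BODY = "item=Shirt&color=Blue"
MUTATED_BODY = "item=Shirt%27&color=Blue"
SENT_AT = 1489017600


def canonical_string(method, path, body, timestamp):
    """What gets signed: method, path, timestamp and a SHA-256 of the body (scheme assumed)."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(secret, method, path, body, timestamp):
    """Client side: returns the headers carrying the signature (header names assumed)."""
    mac = hmac.new(secret.encode(),
                   canonical_string(method, path, body, timestamp).encode(),
                   hashlib.sha256)
    return {"X-Timestamp": str(timestamp), "X-Signature": mac.hexdigest()}


def verify_request(secret, method, path, body, headers, now, max_skew=300):
    """Server side: reject missing or stale timestamps and any signature that does not match the bytes received."""
    try:
        timestamp = int(headers["X-Timestamp"])
        signature = headers["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > max_skew:  # replay window
        return False
    expected = hmac.new(secret.encode(),
                        canonical_string(method, path, body, timestamp).encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)  # constant-time comparison


if __name__ == "__main__":
    secret = "shared-secret"  # assumed
    headers = sign_request(secret, "POST", "/search.php", ORIGINAL_BODY, SENT_AT)
    print("original body, original signature:",
          verify_request(secret, "POST", "/search.php", ORIGINAL_BODY, headers, SENT_AT + 5))
    print("mutated body, original signature: ",
          verify_request(secret, "POST", "/search.php", MUTATED_BODY, headers, SENT_AT + 5))
    resigned = sign_request(secret, "POST", "/search.php", MUTATED_BODY, SENT_AT + 5)
    print("mutated body, re-signed:           ",
          verify_request(secret, "POST", "/search.php", MUTATED_BODY, resigned, SENT_AT + 5))
```

The practical consequence for testing: an unauthenticated scan of such an API produces only signature failures, which look like "no findings" but mean "nothing was tested". The scanner needs the signing routine and the secret (or a user-driven macro that performs the signing), and it must recompute the signature per request after each payload is inserted.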
Changing Development Models
(figure: The Software Development Lifecycle (SDLC))
ThreadFix Overview
• Create a consolidated view of your applications and vulnerabilities
• Prioritize application risk decisions based on data
• Translate vulnerabilities to developers in the tools they are already using
Create a consolidated view of your applications and vulnerabilities
Translate vulnerabilities to developers in the tools they are already using
Hybrid Analysis Mapping
• Correlate DAST and SAST scan results
• Funding provided by US Department of Homeland Security Science and Technology Directorate
ThreadFix ScanAgent
• Schedule and run Rapid7 AppSpider scans
• Coordinate with other testing activities
ThreadFix
www.threadfix.it
Rapid7 AppSpider
www.rapid7.com/products/appspider
Questions and Contact