The OWASP Foundation http://www.owasp.org OWASP WTE: Testing your way. Matt Tesauro OWASP Foundation Board Member, WTE Project Lead [email protected]Vice President, Services for Praetorian [email protected]James Wickett [email protected]Agile Austin 2011
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
The OWASP Foundationhttp://www.owasp.org
OWASP WTE:Testing your way.
Matt TesauroOWASP Foundation Board Member, WTE Project Lead
Long history with Linux and Open SourceContributor to many projectsLeader of OWASP Live CD / WTE
OWASP Foundation Board Member
VP, Services for Praetorian
OWASP WTE: A History
4
At all started that summer...
5
•Current Release•OWASP WTE Feb 2011
•Previous Releases•OWASP WTE Beta Jan 2010•AppSecEU May 2009•AustinTerrier Feb 2009•Portugal Release Dec 2008•SoC Release Sept 2008•Beta1 and Beta2 releases during the SoC
Note: Not all of these had ISO, VirtualBox and Vmware versions
Add in the transition to Ubuntu and the possibilities are endless (plus the 26,000+ packages in the Ubuntu repos)
9
GOAL
Make application security tools and documentation easily available and easy to use
Compliment's OWASP goal to make application security visible
Design goalsEasy for users to keep updatedEasy for project lead to keep updatedEasy to produce releases (more on this later)Focused on just application security – not general pen testing
What's on WTE
11
12
13
26 “Significant” Tools Available
WapitiWeb Goat
CAL9000
JBroFuzz
DirBuster
WebSlayer
WSFuzzerWeb Scarab
OWASP Tools:
a tool for performing all types of security testing on web apps and web services
an online training environment for hands-on learning about app sec
a collection of web app sec testing tools especially encoding/decoding
a web application fuzzer for requests being made over HTTP and/or HTTPS.
a fuzzer with HTTP based SOAP services as its main target
audits the security of web apps by performing "black-box" scans
a multi threaded Java app to brute force directory and file names
A tool designed for brute-forcing web applications such as resource discovery, GET and POST fuzzing, etc
JBroFuzza web application fuzzer for requests being made over HTTP and/or HTTPS.
EnDeAn amazing collection of encoding and decoding tools as well as many other utilities
ZAP ProxyA fork of the popular but moribund Paros Proxy
14
Zenmap
Paros
nmap
Wireshark
Firefox
Burp Suite
Grendel Scan
Nikto
sqlmap
SQL Brute
w3af
netcat
Httprint
Spike Proxy
Rat Proxy
Fierce Domain Scanner
Metasploit
tcpdump
Maltego CE
Other Proxies: Scanners:
Duh:
SQL-i: Others:
Why is it different?
16
17
18
19
OWASP DocumentsTesting Guide v2 & v3CLASP and OpenSammTop 10 for 2010Top 10 for Java Enterprise EditionAppSec FAQBooks – tried to get all of themCLASP, Top 10 2010, Top 10 + Testing + Legal, WebGoat and Web Scarab, Guide 2.0, Code Review
Costs of targeting testing– Someone to “diff” features vs controls– Someone to test the relevant areas
Benefits– Only testing relevant areas– Testing scope/time is reduced
37
Targeted Testing
Security Sprints + Common Controls– Set aside a sprint or two– Focus on security stories
Create a common/shared security library– OWASP's ESAPI– Both an API reference and implementations
38
Targeted Testing
Security Sprints + Common Controls– Set aside a sprint or two– Focus on security stories
Create a common/shared security library– OWASP's ESAPI– Both an API reference and implementations
39
Targeted Testing
Costs of security sprint + controls– 1+ sprints to implement controls– Rigorous initial testing of the controls
Benefits– With common controls, testing is now ensuring controls are used, not their implementation– Testing scope/time is reduced– Testing may be automate-able
40
Automation
Two primary types of security testing
– Dynamic – testing running code
– Static – testing source code
41
Automating Dynamic Testing
Dynamic testing tools– Crawl an application• Get a list of URLs/pages
If you run a local proxy server on the same machine as your browser, you can intercept and modify all HTTP and HTTPS traffic
43
Automating Dynamic Testing
Leverage existing “browser drivers” to also drive security tools– Automates generating a list of URLs for tools– Examples • Selenium (free FF add-on)• QTP (commercial)
Record application “click through”– Replay “click through” for security tools– May already have functional tests to re-use
44
Automating Zap
Setup Zap as your browser's proxyUse “click through” to explore the appOptions– Passive only tests– Active Scanning
Costs– Upfront creation of “click through”– Time to run “click through” and active scan
Let w3af crawl and scanCosts– Upfront time to create scanning policy
Pitfalls– Crawling issues, app coverage
46
Automating w3afOption #2
Setup w3af the browsers local proxySelect pre-existing policy file– SpiderMan discovery plugin
Use a “click through” to provide URLsCosts– Upfront time to create scanning policy– Upfront time to create “click through”– Updates to the “click through” for new app areas
47
General Warning about Dynamic Testing
Need to have a browse-able application at end of Sprint.
If app is rapidly adding new areas (pages), “click through” will need to be maintained to ensure coverage.
Some dynamic scans can take a long time
– 8+ hours for w3af with many plugins enabled
• Tweak plugin selection
• May have to be an end of sprint activity
48
Automating Static Testing
Few good free tools in this space– FindBugs, PMD, etc– Look at code quality tools also
Commercial tools– Source vs binary analysis– Local vs SAAS– IDE integration
49
Automating Static Testing
Tie static tools to specific events– Source code check-in– Nightly build processes– Continuous Integration
Watch out for– Long run time (parallel execution)– Manageable output
50
Automating Static Testing
Most commercial tools have (or will sell you) a “Mothership”– Allows for centralized reporting, trending, etc.
Integration with bug tracking systems– Spotty across vendors / projects
Reporting is weak in free tools, varies in commercial tools
A bit about OWASP
52
OWASP
The Open Web Application Security Project (OWASP) is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.