Using Free Tools To Test Web Application Security

Using Free Tools To Test Web Application Securitypittsburgh.issa.org/...Free_Tools_To_Test_Web_Application_Security.… · Using Free Tools To Test Web Application Security • Matt

May 31, 2020

Page 1: Using Free Tools To Test Web Application Security

Page 2: Speaker Biography

• Matt Neely, CISSP, CTGA, GCIH, and GCWN
  – Manager of the Profiling Team at SecureState
  – Areas of expertise: wireless, penetration testing, physical security, security convergence, and incident response
  – Over 10 years of security experience
• Outside of work:
  – Co-host of the Security Justice podcast

Page 3: SecureState Overview

A Management Consulting Firm Specializing in Information Security

• Founded in September 2001
• Payment Card Industry (PCI) Certified
• Qualified Security Assessor (QSA)
• Approved Scanning Vendor (ASV)
• Qualified Payment Application Security Company
• Largest dedicated security company in the Great Lakes Region
• Number of Employees: 47

Page 4: The Company We Keep

Key Industries: Retail, Financial Services, Healthcare, Critical Infrastructure, Professional Services, Service Providers, Education, Food Service, Entertainment, and Government

Page 5: SecureState Overview

Audit and Compliance
• PCI (Payment Card Industry)
• ISO 27001/SAS 70
• SOX, GLBA, HIPAA, TG-3, NERC/CIP etc.
• INFOSEC (Information System Security Risk Assessment)

Profiling and Attack
• Web Application Security (WAS)
• Attack and Penetration Services (internal, external, client, physical, wireless)
• Wireless Audits
• Training

Risk Management
• Security Program Manager (SPM)
• StateScan
• SecureTime
• Architecture Reviews

Business Preservation Services
• Data Forensics/Incident Response
• Business Impact Analysis

Advisory Services
• CISO Advisement
• Risk Management
• Special Projects

Page 6: Importance of Assessing Web Applications

• Insecure web applications are the most common way attackers penetrate companies from the Internet and gain access to sensitive information
• As companies harden their perimeter, attackers are moving to attacking web applications
• Vulnerabilities in web applications are the fastest growing type of vulnerability

Page 7: PCI DSS 1.2 Requirement 6.6 Compliance

• Two options for meeting requirement 6.6
• Option 1: Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:
  – At least annually
  – After any changes
  – By an organization that specializes in application security
• Assessments may be performed by a qualified internal resource or a qualified third party
  – So all vulnerabilities are corrected
  – So the application is re-evaluated after the corrections
• Option 2: Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.

Page 8: Web Application Security Assessments

• Black Box
  – Scanning a site with an automated tool
  – Automated tools are prone to false positives and will not find flaws in business logic
• Grey Box
  – Manually testing a site for vulnerabilities
    • 80% manual
    • 20% automated
  – Assessor should review use case documentation to understand the business logic of the site and tailor attacks to the specific site
  – Quality of the test relies on the experience of the tester
• White Box
  – Source code review
  – Very thorough
  – Very resource intensive

Page 9: Where Assessments Fit in SDLC

Page 10: OWASP Top 10 - 2010

A1 – Injection
A2 – Cross-Site Scripting (XSS)
A3 – Broken Authentication and Session Management
A4 – Insecure Direct Object References
A5 – Cross-Site Request Forgery (CSRF)
A6 – Security Misconfiguration
A7 – Insecure Cryptographic Storage
A8 – Failure to Restrict URL Access
A9 – Insufficient Transport Layer Protection
A10 – Unvalidated Redirects and Forwards

Page 11: Free Web Vulnerability Scanners

• Grendel Scan
• Nikto
• Paros
• Skipfish
• W3AF

Page 12: Commercial Web Vulnerability Scanners

• Acunetix
• Burp-Pro
• Cenzic Hailstorm
• HP WebInspect
• IBM Rational AppScan

Page 13: Web Proxies

• Burp
• Paros
• WebScarab

Page 14: Warning: Testing with the Newest Versions of IE and Firefox

• Newest versions of Firefox and IE implement client side controls to block certain attacks such as cross-site scripting
• Complicates testing and leads to validation problems
• Disable controls if possible or test with an older browser
• Do not use older browsers or browsers with security features disabled for general web surfing

Page 15: Web Application Scanning Process

• Set up the scanner
• Crawl and spider the site
• Run scan
• Validate results

Page 16: Lab Setup

Page 17: Connecting to the Network

• Connect to the wireless network
  – SSID: SecureState
  – Password: gobrowns

Page 18: Install Paros

• Browse to: http://192.168.1.102/paros/
• Download the version of Paros for your OS
• Run installer

Page 26: Setting Up Paros as a Proxy: Determine Proxy Port Used by Paros

• Tools → Options → Local Proxy
  – Note address and port
• Note: the default may need to be changed when using multiple proxies

Page 27: Setting Up Paros as a Proxy: Configure IE to Use a Proxy, Step 1

Page 28: Setting Up Paros as a Proxy: Configure IE to Use a Proxy, Step 2

Page 29: Setting Up Paros as a Proxy: Configure IE to Use a Proxy, Step 3

Page 30: Setting Up Paros as a Proxy: Configure Firefox to Use a Proxy, Step 1

Page 31: Setting Up Paros as a Proxy: Configure Firefox to Use a Proxy, Step 2

Page 32: Setting Up Paros as a Proxy: Configure Firefox to Use a Proxy, Step 3

Page 33: Tour of Paros

Page 34: Intercepting and Manipulating Data

Page 35: Spidering and Crawling a Site

• Spidering is an automated process in which Paros follows links on a page to generate a site map
  – By default Paros ignores links to external sites
• Paros uses the site map to determine which pages will be tested
• Very important to also manually crawl the site to ensure every page is mapped and scanned
  – Automated spiders often miss links in JavaScript
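Why the slide insists on a manual crawl, as an added example that is not code from the slides or from Paros: a minimal href-only link extractor (the kind of discovery a spider performs) run over a constructed page. The external-link filter mirrors the Paros default the slide describes; the lab host 192.168.1.102 is taken from the slides, and the page content is constructed.

```python
"""Why a spider misses links built in JavaScript. Added example, not code from
the slides or from Paros: an href-only link extractor (what a spider does) run
over a constructed page; the lab host 192.168.1.102 comes from the slides."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: /admin/report is only reachable through script code.
SAMPLE_PAGE = """
<html><body>
<a href="/products">Products</a>
<a href="/contact.php?lang=en">Contact</a>
<a href="http://other.example.net/partner">Partner (external site)</a>
<script>
  var base = '/admin/';
  document.location = base + 'report';   // assembled at runtime, no anchor tag
</script>
</body></html>
"""

class HrefSpider(HTMLParser):
    """Collects href targets from anchor tags, as a simple spider does."""
    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.found = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.found.add(urljoin(self.base, href))

def spider(page_html, base_url, follow_external=False):
    """Return the URLs a spider would discover. External hosts are dropped
    unless asked for, matching the Paros default described on the slide."""
    parser = HrefSpider(base_url)
    parser.feed(page_html)
    host = urlparse(base_url).netloc
    return {u for u in parser.found
            if follow_external or urlparse(u).netloc == host}

if __name__ == "__main__":
    urls = spider(SAMPLE_PAGE, "http://192.168.1.102/")
    print(sorted(urls))
    # The JavaScript-built page never shows up: it needs a manual crawl.
    print(any("/admin/report" in u for u in urls))
```

The same gap applies to any URL built by client-side code, which is why browsing every page through the proxy by hand adds entries to the site map that the spider alone will not produce.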

Page 36: Using Paros to Spider and Crawl

Page 37: Scanning for Vulnerabilities

Page 38: Reviewing the Results

Page 39: Validating the Results

• Even the best scanner will produce false positives
• Very important to manually validate all scan results

Page 40: A2 - Cross-Site Scripting (XSS)

• Cross-Site Scripting (XSS)
  – Occurs when attacker sends malicious link, code, email to victim
  – Allows for execution of JavaScript in victim's browser context
  – Allows for cross-site communications
• Cause
  – No input validation of headers, cookies, query strings, form fields (visible or hidden)
• Possible Outcomes
  – Session Hijacking
  – Site Defacement
  – Phishing through URL redirection
  – Worms
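The cause named on this slide (a query-string value reaching the page without validation or encoding) beside its fix, and the manual check slide 39 asks for, as an added example that is not code from the slides. The search page, the `validate_reflection()` helper and the marker string are constructed for illustration.

```python
"""Reflected XSS as the slide describes it: an unvalidated, unencoded query
parameter echoed into HTML, beside the fixed version, plus a helper for the
manual validation of a scanner finding. Added example, not from the slides;
the page builder, validate_reflection() and the marker are constructed."""
import html
from urllib.parse import parse_qs, urlparse

def search_page_vulnerable(request_url: str) -> str:
    """Echoes the 'q' parameter straight into the page: no validation, no encoding."""
    q = parse_qs(urlparse(request_url).query).get("q", [""])[0]
    return f"<html><body><h1>Results for: {q}</h1></body></html>"

def search_page_fixed(request_url: str) -> str:
    """Same page, but the parameter is HTML-encoded before it reaches the output."""
    q = parse_qs(urlparse(request_url).query).get("q", [""])[0]
    return f"<html><body><h1>Results for: {html.escape(q, quote=True)}</h1></body></html>"

def validate_reflection(response_body: str, marker: str) -> str:
    """Manual validation of a scanner finding: does a unique marker come back
    as live markup (true positive), as encoded text (false positive), or not at all?"""
    if marker in response_body:
        return "reflected-raw"
    if html.escape(marker, quote=True) in response_body:
        return "reflected-encoded"
    return "not-reflected"

if __name__ == "__main__":
    # Constructed, inert marker: a made-up tag no browser will act on.
    marker = "<xss-marker-1234>"
    url = "/search?q=" + marker
    print(validate_reflection(search_page_vulnerable(url), marker))   # reflected-raw
    print(validate_reflection(search_page_fixed(url), marker))        # reflected-encoded
```

A scanner that flags both pages because the marker string appears in the response is reporting a false positive for the fixed one; comparing the raw and encoded forms is what separates the two.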

Page 42: Useful Firefox Extensions

• SwitchProxy
• NoScript
• Firebug
• Hackbar
• SQL Inject ME
• XSS ME
• User Agent Switcher
• Web Developer Toolbar

Page 43: Other Useful Tools

• DirBuster
• JBroFuzz
• SwfScan

Page 44: Where to Learn More

• Web Hacker's Handbook
• OWASP:
  – Numerous free projects, programs, and educational resources
  – OWASP Podcast
  – http://www.owasp.org
• Practice web applications:
  – OWASP Broken Web Applications Project
  – Collection of practice web applications in a single virtual machine
  – http://code.google.com/p/owaspbwa/

Page 45: Thank you for your time!

Matthew Neely
[email protected] @matthewneely

Q&A

Page 46: A1 – Injection Flaws

• Injection Flaws
  – SQL Injection is the most common injection flaw
  – Occurs when user-supplied data is sent to an interpreter as part of a command or query
  – Attacker tricks interpreter into executing unintended commands via specially crafted input
• Cause
  – User input is not properly sanitized
• Possible Outcomes
  – Create, Read, Update, and/or Delete Data
  – Command Execution
  – Full Host Compromise
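The mechanism this slide describes, user data becoming part of the SQL command, shown beside the parameterized form that keeps it as data. This is an added example, not code from the slides; the users table, the two accounts and the login functions are constructed for illustration.

```python
"""SQL injection as the slide describes it: user-supplied data concatenated
into a query becomes part of the command. Added example, not from the slides;
the table, rows and login functions are constructed."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed user rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db

def login_vulnerable(db, username: str, password: str) -> list:
    """Builds the query by string concatenation: the input is parsed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]

def login_fixed(db, username: str, password: str) -> list:
    """Parameterized query: the driver passes the input as data, never as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]

if __name__ == "__main__":
    db = make_db()
    # Normal use: both versions return the same single row.
    print(login_vulnerable(db, "alice", "s3cret"), login_fixed(db, "alice", "s3cret"))
    # Crafted input: the quote closes the string literal and the tautology
    # rewrites the WHERE clause, so the concatenated query matches every row.
    crafted = "' OR '1'='1"
    print(login_vulnerable(db, "alice", crafted))   # ['alice', 'bob']
    print(login_fixed(db, "alice", crafted))        # []
```

The parameterized version is the fix the slide's "not properly sanitized" cause points at: the database never sees the input as part of the command, so no quoting of the value can change the query.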
