Daniel billing exploring the security testers toolbox
Transcript of Daniel billing exploring the security testers toolbox
![Page 1: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/1.jpg)
Exploring the Security Testers Toolkit
Dan Billing – New Voice Media
@thetestdoctor | thetestdoctor.wordpress.com
![Page 2: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/2.jpg)
Objectives for the day
Introductions
An introduction to threat modelling and an activity to
generate test ideas
An introduction to the OWASP Top 10
An introduction to some useful tools and how to use them
Explore an application to discover some vulnerabilities
Talk about threats and what they mean in context
Talk about attacks and how they can be used in testing
Practice some attacks
Consolidate and challenge our thinking
![Page 3: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/3.jpg)
Introduction
Tester for 13 years, 4 years as a self-employed consultant
Worked in the private and public sector in the UK
AOL Time Warner
Capita
Northgate
UK Government
Brightpearl
Now a Test Engineer at New Voice Media
@TheTestDoctor
www.thetestdoctor.wordpress.com
![Page 4: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/4.jpg)
Introductions
About you?
What do you want to get out of
the day?
![Page 5: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/5.jpg)
A Security Testing Mnemonic
EX – EXPLORE
T – THREATS
E – EXPERIMENT
R – RISKS
M – MONITOR
IN – INTERROGATE
A – ANALYSIS
T – TARGETED
E – EXPEDITED
Image courtesy of Andy Glover @cartoontester
![Page 6: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/6.jpg)
Gruyere – the cheesy web app
Navigate your browser of choice to:
http://google-gruyere.appspot.com/start
Built by Google
Deliberately vulnerable web application for training
Don’t enter personal data into it!
![Page 7: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/7.jpg)
AltoroMutual – the reliable banking application
Navigate your browser of choice to:
http://altoromutual.com/
Built by IBM (as a marketing tool for AppScan)
Deliberately vulnerable web application for training
Don’t enter personal data into it!
![Page 8: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/8.jpg)
Explore the application
Work in groups
Explore the application 10-15 mins
What can you find out?
User scenarios?
What can you do with the application?
Critical assets?
Features and functionality?
Areas for testing?
Feedback to the group
![Page 9: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/9.jpg)
Tools of the Trade
Browser tools
Built in DOM tools and consoles – available in all modern browsers
Firebug
Monitor errors, resources, traffic and scripts
Add, delete and modify cookies
Plugins e.g. Tamper Data, EditThisCookie
OWASP Mantra
API tools e.g The Postman, Advanced Rest Client
![Page 10: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/10.jpg)
Tools of the Trade
Proxy tools
Fiddler
Zed Attack Proxy,
BurpSuite
Intercepting HTTP/HTTPS traffic
Modify requests, headers, cookies and other session data
Craft attacks and other harmful scenarios
Spider
Fuzzers
Port Scanning
CSRF
![Page 11: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/11.jpg)
Tools of the Trade
Network monitors
Protocol and packet sniffing e.g. Wireshark
Network mapping e.g Nmap
Source Code Analysers
OWASP O2 Platform
OWASP LAPSE
![Page 12: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/12.jpg)
Fiddler
Download and Install Fiddler
http://www.telerik.com/fiddler
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8080
Configure Fiddler
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8080
You may need to close and restart the browser/Fiddler
![Page 13: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/13.jpg)
Zed Attack Proxy (ZAP)
Download and install Zed Attack Proxy
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8181
Configure Zed Attack Proxy
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8181
You may need to close and restart the browser/ZAP
![Page 14: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/14.jpg)
BurpSuite
Download and Install Burpsuite (Free Edition)
http://portswigger.net/burp/download.html
Configure your Browser
Set the Proxy Server to 127.0.0.1
Set the Port to 8080
Configure Burpsuite
Install certificate if required
Set the Local Proxy to 127.0.0.1
Set the Port to 8282
You may need to close and restart the browser/Burpsuite
![Page 15: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/15.jpg)
Threat Modelling
STRIDE
S – SPOOFING
T – TAMPERING
R – REPUDIATION
I – INFORMATION DISCLOSURE
D – DENIAL OF SERVICE
E – ESCALATION OF PRIVILEGE
![Page 16: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/16.jpg)
Spoofing
Threat action aimed at illegally accessing and using another user's credentials, such as username and password.
![Page 17: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/17.jpg)
Tampering
Threat action aimed at maliciously changing or modifying persistent data, such as records held in a database, or at altering data in transit between two computers over an open network, such as the Internet.
![Page 18: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/18.jpg)
Repudiation
Threat action aimed at performing illegal operations in a system that lacks the ability to trace those prohibited operations back to the actor.
![Page 19: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/19.jpg)
Information Disclosure
Threat action aimed at reading a file that one was not granted access to, or at reading data in transit.
![Page 20: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/20.jpg)
Denial of Service
Threat aimed at denying access to valid users, for example by making a web server temporarily unavailable or unusable.
![Page 21: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/21.jpg)
Escalation of Privilege
Threat aimed at gaining privileged access to resources, in order to obtain unauthorised access to information or to compromise a system.
![Page 22: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/22.jpg)
Threat Mind Map
Grab some post-its
Identify threats to your application – Gruyere or AltoroMutual
How might they happen?
What are the risks?
What might be the impact?
Mind-map them as a team on the board
Feedback to the group
![Page 23: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/23.jpg)
OWASP Top 10 2013
1 – Injection
2 – Broken Authentication and Session Management
3 – Cross Site Scripting (XSS)
4 – Insecure Direct Object References
5 – Security Misconfiguration
6 – Sensitive Data Exposure
7 – Missing Function Level Access Control
8 – Cross Site Request Forgery (CSRF)
9 – Using Components with Known Vulnerabilities
10 – Unvalidated Redirects and Forwards
![Page 24: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/24.jpg)
SQL Injection
Exploits of a Mom – www.xkcd.com/327
![Page 25: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/25.jpg)
Cross Site Scripting (XSS)
1. Sends URL containing a hidden script
2. Follows URL containing script
3. Serves page containing script
4. Browser executes script and sends private data
5. Impersonates user at website
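Step 3 of the flow is where the server hands the script back to the browser, and it is the step a tester can check for. The following is an added example, not code from the talk or from Gruyere or AltoroMutual: a hypothetical search page rendered the vulnerable way and the escaped way, plus the reflection check a proxy's scanner applies to a parameter using an inert probe string.

```python
import html

# Hypothetical search page written for this example; it is not Gruyere's or
# AltoroMutual's code, just the minimal shape of step 3 in the flow above.
def render_search_vulnerable(query):
    """The server echoes the query into the page verbatim, so whatever the URL
    carried is served back and run by the victim's browser (steps 3 and 4)."""
    return ('<h1>Results for %s</h1>\n'
            '<input name="q" value="%s">' % (query, query))

def render_search_escaped(query):
    """Hardened form: encode untrusted input for the HTML context it lands in.
    quote=True also covers the attribute value, where a '"' would break out."""
    safe = html.escape(query, quote=True)
    return ('<h1>Results for %s</h1>\n'
            '<input name="q" value="%s">' % (safe, safe))

# Inert probe (constructed): enough metacharacters to tell encoded output from
# raw output, but no script of any kind.
PROBE = 'xsscheck<"\'>'

def reflects_raw_markup(render, probe=PROBE):
    """Tester's check, the same idea a proxy's scanner applies to each
    parameter: does the probe come back with its metacharacters intact?
    True means the page deserves a closer look, not that it is exploitable."""
    return probe in render(probe)
```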
![Page 26: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/26.jpg)
Cross Site Request Forgery (CSRF)
1. Victim browses a malicious page with content
2. Script or image executed in browser
3. Attacker can access browser sessions, modify config or send malicious content
![Page 27: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/27.jpg)
Using Scanning Tools
Practice on a training website or on a virtual machine
Agree with stakeholders
Don’t use against a site you don’t have permission to test on
Understand risks to assets
Schedule appropriately
![Page 28: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/28.jpg)
Passive Scanning
Explore the website under test
Observe the behaviour of the scanning tool
What information does it provide?
How is the information structured?
Any testing ideas?
What would you test first?
![Page 29: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/29.jpg)
Spidering
Discovers more areas of your application to test
Physically interacts with the application
Use with caution
What information does it provide?
How is the information structured?
Any testing ideas?
![Page 30: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/30.jpg)
Active Scanning
Performs physical attacks against the application under test
Injection
XSS
Cookie Poisoning
What information does it provide?
How is the information structured?
Any testing ideas?
What do we test next?
![Page 31: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/31.jpg)
Fuzzing
Inputs random, invalid or unexpected data
Might indicate an exception that could cause crashes, performance issues or memory leaks
What information does it provide?
How is the information structured?
Any testing ideas?
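Fuzzing, as an added example that is not from the talk: a small Python mutation fuzzer run against a hypothetical naive Cookie header parser constructed for this illustration. It records the first input that triggers each exception type, and the same loop run against a tolerant parser shows the fix holding up.

```python
import random

# Mutation alphabet: ordinary text plus the delimiters the target parses.
ALPHABET = "abcXYZ019=;, \t\"'%<>&\\"

def parse_cookie_header(header):
    """Hypothetical fuzz target built for this example: a naive Cookie header
    parser that assumes every 'name=value' pair contains an '='."""
    cookies = {}
    for pair in header.split(";"):
        name, value = pair.strip().split("=", 1)  # ValueError if '=' is absent
        cookies[name] = value
    return cookies

def parse_cookie_header_tolerant(header):
    """Hardened version: malformed pairs are skipped instead of raising."""
    cookies = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies

def mutate(seed, rng, max_ops=4):
    """Apply 1..max_ops random edits (insert, delete, replace, repeat)."""
    s = list(seed)
    for _ in range(rng.randint(1, max_ops)):
        op = rng.choice(["insert", "delete", "replace", "repeat"])
        if op == "insert" or not s:  # an empty buffer can only grow
            s.insert(rng.randint(0, len(s)), rng.choice(ALPHABET))
        elif op == "delete":
            del s[rng.randrange(len(s))]
        elif op == "replace":
            s[rng.randrange(len(s))] = rng.choice(ALPHABET)
        else:
            s = s * rng.randint(2, 4)  # oversized, repetitive input
    return "".join(s)

def fuzz(target, seed, iterations=500, rng_seed=1):
    """Run mutated inputs through target; return {exception name: first input}.
    A fixed RNG seed makes a failing run reproducible for the bug report."""
    rng = random.Random(rng_seed)
    failures = {}
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            target(candidate)
        except Exception as exc:  # any uncaught exception is a finding
            failures.setdefault(type(exc).__name__, candidate)
    return failures
```

The naive parser falls over on inputs with a missing '=' or a stray ';', which is exactly the kind of finding the slide describes; the tolerant one reports nothing.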
![Page 32: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/32.jpg)
Proxy Chaining
All tools work differently
They all have similar but varied features and functions
Linking them together will enhance your testing
Comparison of results from different tools
Try modifying the upstream and downstream proxy settings
![Page 33: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/33.jpg)
Extending your toolset
Can be built into a continuous integration solution
Scripting interfaces e.g. Python, Ruby
API
Reporting
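The scripting, API and reporting bullets are where scan results get wired into a build. The following is an added example, not code from the talk or from any of the tools named: a Python gate over a constructed list of alerts (the dict shape, with alert, risk, confidence, url and param keys, is an assumption about what a proxy's alerts API returns) that fails the build at a chosen risk threshold, keeps low-confidence hits out of the gate, and honours a list of accepted findings.

```python
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONFIDENCE_ORDER = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

# Constructed sample findings. The dict keys (alert, risk, confidence, url,
# param) follow the shape a proxy's alerts API commonly returns; that shape is
# an assumption here, not output captured from a real scan.
SAMPLE_ALERTS = [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "confidence": "Medium", "url": "http://target.example/search", "param": "q"},
    {"alert": "SQL Injection", "risk": "High",
     "confidence": "Low", "url": "http://target.example/login", "param": "user"},
    {"alert": "Missing Anti-CSRF Tokens", "risk": "Medium",
     "confidence": "Medium", "url": "http://target.example/transfer", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "confidence": "High", "url": "http://target.example/", "param": "session"},
]

def is_blocking(alert, fail_on, min_confidence, accepted):
    """True if the finding is at or above the risk threshold, reported with at
    least the required confidence, and not on the risk-accepted list."""
    if (alert["alert"], alert["url"]) in accepted:
        return False
    if RISK_ORDER[alert["risk"]] < RISK_ORDER[fail_on]:
        return False
    return CONFIDENCE_ORDER[alert["confidence"]] >= CONFIDENCE_ORDER[min_confidence]

def evaluate(alerts, fail_on="Medium", min_confidence="Medium", accepted=()):
    """Return (passed, blocking). Low-confidence hits stay out of the gate so a
    tester triages them instead of every build failing on a probable false positive."""
    accepted = set(accepted)
    blocking = [a for a in alerts if is_blocking(a, fail_on, min_confidence, accepted)]
    return (not blocking), blocking

def report(alerts, blocking):
    """Plain-text summary for the CI log: a count per risk level, then the blockers."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for a in alerts:
        counts[a["risk"]] += 1
    lines = ["%-13s %d" % (r, counts[r]) for r in sorted(RISK_ORDER, key=RISK_ORDER.get, reverse=True)]
    for a in blocking:
        lines.append("BLOCKING: %s at %s (param=%r, confidence=%s)"
                     % (a["alert"], a["url"], a["param"], a["confidence"]))
    return "\n".join(lines)

if __name__ == "__main__":
    passed, blocking = evaluate(SAMPLE_ALERTS)
    print(report(SAMPLE_ALERTS, blocking))
    raise SystemExit(0 if passed else 1)  # non-zero exit fails the pipeline stage
```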
![Page 34: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/34.jpg)
Wrap Up
Is there something we haven’t covered that you want to talk about?
Has this workshop met your expectations?
Any questions?
Thanks for taking part
![Page 35: Daniel billing exploring the security testers toolbox](https://reader033.fdocuments.in/reader033/viewer/2022051610/549ecf62b4795956208b47fd/html5/thumbnails/35.jpg)
Getting in Touch
Twitter @TheTestDoctor
Blog thetestdoctor.wordpress.com
www.newvoicemedia.com