Transcript: Web Application Penetration Testing
Web Application Penetration Testing
SecTor 2017
Who are we?
▪ Information Security Consultants
▪ Web Application Penetration Testers
▪ Padawan Hackers
Harshal Chandorkar Natalia Wadden
How did we get here? Take a ride with us…
▪ Penetration tests executed by vendors include:
▪ Severity ratings
▪ Risk ratings
▪ Scope
▪ False positives
▪ Quality and POC
▪ Cost
▪ Let’s see if we can go head to head:
▪ Execute pentest
▪ Adjust ratings/risks
▪ Capture full scope
▪ Eliminate false positives
▪ Provide POCs
Lone Soldier
Interest
Desire to Learn
Perseverance
Technical Skills Assessment
Training:
- Open-Source: FREE (e.g. DVWA, Mutillidae, Metasploitable, Security Shepherd)
- Day-to-day technical challenges (e.g. incident handling, etc.)
Hand Holding
Readying the Army on a Shoestring Budget
✓ Inventory of your Web Applications
- nmap, Recon-ng, WhatWeb, EyeWitness and a bash script
✓ Planning
✓ Information Gathering
✓ Execution of Pentests
✓ Reporting
✓ Artifacts
✓ Metrics for Sr. Management
Maturing the Program
Planning → Gathering Information → Discovering Vulnerabilities → Reporting → Findings Walkthrough

Planning:
• Working with the project team/support team to clearly define scope and rules of engagement
• Obtain written approval
• Confirm timing and agree on a schedule
Security Testing Methodology Life Cycle
Webapp Pentest Tracking
Gathering Information:
• Collecting and examining key information
• Environment Walkthrough
• Review prior test results if available
• Obtain Credentials if required
Discovering Vulnerabilities:
• Finding existing vulnerabilities using manual and automated techniques
• OWASP Top 10
• Company Specific
• Business Logic
Reporting:
• Providing high level findings, detailed report and POC evidence
• Portswigger Burp
• Logs
• SQL Map
• XSSer
Findings Walkthrough:
• Walkthrough where findings were found
• Demonstrate how bad it can be
The Dirty Talk About Time & Money
Cost of a vendor automated and/or manual pentests vs Internal team
~ ? initial test
~ ? retest
~ $2,000 laptop
~ $500.00 memory and RAM
~ $450.00 CDN Burp Pro license
~ $0 Kali
▪ Frequently used:
▪ Portswigger BurpSuite Professional
▪ SQLMap
▪ Supplemental:
▪ XSSer
▪ Nikto
▪ OWASP Zap
Webapp Pentesting Tools
▪ CO2
▪ Active Scan ++
▪ CSRF Scanner
▪ Code DX
▪ Logger++
▪ Software Vulnerability Scanner
▪ Software Version Reporter
A Few Burp Extenders That We Use
Webapp Pentest Report
Webapp Pentest Report
Sample: Webapp Pentest Framework based on OWASP Top 10

Web Methods
1. Did the tester note the site allows basic web methods (e.g. “PUT, GET, POST, HEAD, OPTIONS, DELETE”)?

Reflected Cross-site Scripting
1. Did the tester input a payload?
2. What was the result? Reflected?
3. Did the tester view the source?

Clickjacking/Cross Site Framing (XSF)
1. X-Frame-Options: set to DENY or SAMEORIGIN?
2. HTML iframe POC created? Successfully loaded into the site?

CSRF
1. Is the token randomly generated?
2. Did the tester note if CSRF is noted on a GET request?
3. Did the tester create a POC HTML file to execute on the site?
4. Was the file successfully loaded on the site?
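An added Python example, not from the slides, that scores the header-decidable items of the checklist above (advertised web methods, X-Frame-Options, anti-CSRF token randomness) over a constructed OPTIONS response and constructed token samples; the sample response, the token values and the function names are assumptions.

```python
import math
from collections import Counter

# Constructed sample OPTIONS response from a hypothetical target; not from the slides.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "Content-Length: 0\r\n\r\n"
)
# Constructed anti-CSRF token samples: a varying pair and a reused value.
VARYING_TOKENS = ["0123456789abcdef", "fedcba9876543210"]
REUSED_TOKENS = ["deadbeefdeadbeef", "deadbeefdeadbeef"]
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def parse_headers(raw):
    """Map lowercase header names to values from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:  # skip status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def risky_methods(headers):
    """Web Methods item: methods in Allow beyond the expected safe set."""
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return sorted(allowed - SAFE_METHODS)

def framing_protected(headers):
    """Clickjacking/XSF item: X-Frame-Options must be DENY or SAMEORIGIN."""
    return headers.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"}

def token_entropy_bits(tokens):
    """CSRF item: per-character Shannon entropy of the sampled tokens, or 0.0 if
    any token repeats (a reused token was not generated randomly per request)."""
    if len(set(tokens)) != len(tokens):
        return 0.0
    joined = "".join(tokens)
    n = len(joined)
    return -sum(c / n * math.log2(c / n) for c in Counter(joined).values())

def run_checklist(raw, tokens):
    """Summarise the header-decidable checklist items for one response."""
    headers = parse_headers(raw)
    return {"risky_methods": risky_methods(headers),
            "framing_protected": framing_protected(headers),
            "token_entropy_bits": round(token_entropy_bits(tokens), 2)}
```

The entropy figure is only supporting evidence for the "randomly generated" question; a real assessment also needs to see that a fresh token is issued per session and rejected when tampered with.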
Leveraging Burp Extenders With Other Free Tools
▪ Understand the incident
▪ Review all evidence presented
▪ Obtain testers logs
▪ Provide proof
▪ Understand impact
Incidents happen, but is it fair to blame us?
![Page 22: Web Application Penetration Testing€¦ · •Portswigger Burp •Logs •SQL Map •XSSer Security Testing Methodology Life Cycle . Planning Gathering Information Discovering Vulnerabilities](https://reader033.fdocuments.in/reader033/viewer/2022050603/5faa554f7d6c9a188974fb44/html5/thumbnails/22.jpg)
Log Extraction
Burp History Converter -> https://github.com/mrts/burp-suite-http-proxy-history-converter
Payloads (xss | passwords | directory busters | and more...) -> https://github.com/foospidy/payloads
CORS -> https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains
Pentest Resources (web report tracking | database | checklists) -> http://harshdevx.com/codex/ptest.zip
General reading -> http://www.adeptus-mechanicus.com/learn/nwadden.php
General reading -> http://www.adeptus-mechanicus.com/learn/harshalc.php
General reading and download resources -> http://harshdevx.com
OWASP Top Ten -> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Burp Suite Support Centre -> https://support.portswigger.net/
DVWA -> https://github.com/ethicalhack3r/DVWA
Mutillidae -> https://sourceforge.net/projects/mutillidae/
Metasploitable -> https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
SANS -> https://sans.org
Other security resources -> https://www.cisecurity.org/cis-benchmarks/
Questions and Takeaways
Continuing Education
Thank You
@nataliawadden
ca.linkedin.com/in/nataliawadden
Natalia Wadden
@harshdevx
ca.linkedin.com/in/harshalchandorkar
Harshal Chandorkar