Web Application Penetration Testing - SecTor 2017

  • Posted: 26-Mar-2018

  • Web Application Penetration Testing - SecTor 2017

  • Who are we?

    Information Security Consultants

    Web Application Penetration Testers

    Padawan Hackers

    Harshal Chandorkar Natalia Wadden

  • How did we get here? Take a ride with us

  • Penetration tests executed by vendors include: severity ratings, risk ratings, scope, false positives, quality and POC, cost

    Let's see if we can go head to head: execute the pentest, adjust ratings/risks, capture full scope, eliminate false positives, provide POCs

    Lone Soldier

  • Interest, desire to learn, perseverance, technical skills assessment

    Training: open-source, FREE (e.g. DVWA, Mutillidae, Metasploitable, Security Shepherd)

    Day-to-day technical challenges (e.g. incident handling, etc.)

    Hand Holding

    Readying the Army on a Shoestring Budget

  • Inventory of your Web Applications

    - nmap, Recon-ng, WhatWeb, EyeWitness and a bash script

    Planning

    Information Gathering

    Execution of Pentests

    Reporting

    Artifacts

    Metrics for Sr. Management

    Maturing the Program

  • Security Testing Methodology Life Cycle: Planning > Gathering Information > Discovering Vulnerabilities > Reporting > Findings Walkthrough

    Planning: working with the project team/support team to clearly define scope and rules of engagement

    Obtain written approval; confirm timing and agree on a schedule

  • Webapp Pentest Tracking

  • Security Testing Methodology Life Cycle: Gathering Information

    Collecting and examining key information: environment walkthrough; review prior test results if available; obtain credentials if required

  • Security Testing Methodology Life Cycle: Discovering Vulnerabilities

    Finding existing vulnerabilities using manual and automated techniques

    OWASP Top 10; company-specific business logic

  • Security Testing Methodology Life Cycle: Reporting

    Providing high-level findings, a detailed report and POC evidence

    PortSwigger Burp logs, SQLMap, XSSer

  • Security Testing Methodology Life Cycle: Findings Walkthrough

    Walk through where findings were found; demonstrate how bad it can be

  • The Dirty Talk About Time & Money

    Cost of a vendor automated and/or manual pentests vs Internal team

    ~ ? initial test

    ~ ? retest

    ~ $2,000 laptop

    ~ $500.00 memory and RAM

    ~ $450.00 CDN Burp Pro license

    ~ $0 Kali

  • Frequently used:

    Portswigger BurpSuite Professional

    SQLMap

    Supplemental:

    XSSer

    Nikto

    OWASP Zap

    Webapp Pentesting Tools

  • CO2, Active Scan++, CSRF Scanner, Code DX, Logger++, Software Vulnerability Scanner, Software Version Reporter

    A Few Burp Extenders That We Use

  • Webapp Pentest Report

  • Web Methods
    1. Did the tester note that the site allows basic web methods (e.g. PUT, GET, POST, HEAD, OPTIONS, DELETE)?

    Reflected Cross-site Scripting
    1. Did the tester input a payload?
    2. What was the result? Reflected?
    3. Did the tester view the source?

    Clickjacking/Cross Site Framing (XSF)
    1. Is X-Frame-Options set to Deny or Same-Origin?
    2. Was an HTML iframe POC created? Did it successfully load the site?

    CSRF
    1. Is the token randomly generated?
    2. Did the tester note whether CSRF is present on a GET request?
    3. Did the tester create a POC HTML file to execute against the site?
    4. Was the file successfully loaded on the site?

    Sample: Webapp Pentest Framework based on OWASP Top 10
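An offline checker for two of the checklist items above (the Clickjacking/XSF header check and the Web Methods check), added here as an example; it is not from the slides or the speakers' toolkit. It assumes the tester saved raw HTTP responses from the proxy history, and `RISKY_METHODS` is the example's own choice of verbs to flag.

```python
"""Offline checker for two items of the checklist above: the X-Frame-Options
header (Clickjacking/XSF) and the verbs advertised by an OPTIONS response
(Web Methods). Input is a raw HTTP response as saved from the tester's proxy
history; the sample at the bottom is constructed for this example."""
from email.parser import Parser

# Verbs worth flagging on a public web app; an assumption of this example.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}

def parse_response(raw):
    """Split a raw HTTP response into (status_code, headers); the headers
    object gives case-insensitive lookup and keeps duplicate headers."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = Parser().parsestr(header_block + "\r\n", headersonly=True)
    return status, headers

def check_x_frame_options(headers):
    """'deny'/'sameorigin' pass; 'missing' = header absent; 'weak' covers
    ALLOW-FROM, typos and conflicting duplicate headers."""
    values = headers.get_all("X-Frame-Options") or []
    if not values:
        return "missing"
    if len(values) != 1:
        return "weak"
    value = values[0].strip().upper()
    return {"DENY": "deny", "SAMEORIGIN": "sameorigin"}.get(value, "weak")

def risky_methods(headers):
    """Verbs from the Allow header that fall in RISKY_METHODS, sorted."""
    allow = headers.get("Allow", "")
    advertised = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return sorted(advertised & RISKY_METHODS)

def audit(raw):
    """Evaluate one captured response against both checklist items."""
    status, headers = parse_response(raw)
    return {"status": status,
            "x_frame_options": check_x_frame_options(headers),
            "risky_methods": risky_methods(headers)}

# Constructed sample: an OPTIONS response with no framing protection.
SAMPLE = ("HTTP/1.1 200 OK\r\nServer: example\r\n"
          "Allow: GET, HEAD, POST, OPTIONS, PUT, DELETE\r\n"
          "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(audit(SAMPLE))  # x_frame_options 'missing', risky_methods ['DELETE', 'PUT']
```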

  • Leveraging Burp Extenders With Other Free Tools

  • Understand the incident

    Review all evidence presented

    Obtain testers' logs

    Provide proof

    Understand impact

    Incidents happen, but is it fair to blame us?

  • Log Extraction

  • Burp History Converter -> https://github.com/mrts/burp-suite-http-proxy-history-converter

    Payloads (xss | passwords | directory busters | and more...) -> https://github.com/foospidy/payloads

    CORS -> https://www.geekboy.ninja/blog/exploiting-misconfigured-cors-via-wildcard-subdomains

    Pentest Resources (web report tracking | database | checklists) -> http://harshdevx.com/codex/ptest.zip

    General reading -> http://www.adeptus-mechanicus.com/learn/nwadden.php

    General reading -> http://www.adeptus-mechanicus.com/learn/harshalc.php

    General reading and download resources -> http://harshdevx.com

    OWASP Top Ten -> https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

    Burp Suite Support Centre -> https://support.portswigger.net/

    DVWA -> https://github.com/ethicalhack3r/DVWA

    Mutillidae -> https://sourceforge.net/projects/mutillidae/

    Metasploitable -> https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

    SANS -> https://sans.org

    Other security resources -> https://www.cisecurity.org/cis-benchmarks/

    Questions and Takeaways

  • Continuing Education

  • Thank You

    [email protected]

    @nataliawadden

    ca.linkedin.com/in/nataliawadden

    Natalia Wadden

    [email protected]

    @harshdevx

    ca.linkedin.com/in/harshalchandorkar

    Harshal Chandorkar