Application Security Tools
This presentation is part of a talk I gave at the Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover application security tools that can be helpful for analyzing security threats as well as putting up some defenses. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.

Published in: Technology
Transcript

  • 1. Application Security III: Security Analysis Tools
    Lalit Kale, lalitkale@gmail.com, http://lalitkale.wordpress.com
  • 2. Overview
    • OWASP Top 10 risks
    • Security analysis tools landscape
    • Attack simulation tools
    • Defense-assisting tools
    • Risk mitigation for injection attacks
    • Risk mitigation for XSS attacks
    • Resources
  • 3. OWASP Top 10 (2013)
    • A1 Injection
    • A2 Broken Authentication and Session Management
    • A3 Cross-Site Scripting (XSS)
    • A4 Insecure Direct Object References
    • A5 Security Misconfiguration
  • 4. OWASP Top 10 (2013), continued
    • A6 Sensitive Data Exposure
    • A7 Missing Function Level Access Control (the 2010 "Failure to Restrict URL Access", broadened)
    • A8 Cross-Site Request Forgery (CSRF)
    • A9 Using Components with Known Vulnerabilities (split out of the 2010 Security Misconfiguration entry)
    • A10 Unvalidated Redirects and Forwards
  • 5. Security Analysis Tools Landscape (diagram slide; no text content)
  • 6. XSS Me
    • XSS-Me is a Firefox add-on for testing reflected Cross-Site Scripting (XSS). It does not test for stored XSS.
    • It is a run-time (dynamic) testing tool, not a static code analyzer.
    • It works by submitting your HTML forms with the form values replaced by strings representative of an XSS attack, then checking whether the attack string is reflected in the response.
    • XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
    • Devise your own attack: http://ha.ckers.org/xsscalc.html
  • 7. XSS Me: demo
    • Demo website (an intentionally vulnerable test site): http://www.testfire.net
    • Search for a normal string: http://www.testfire.net/search.aspx?txtSearch=test
    • Search for an XSS payload: http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>
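How a form-fuzzing tool of this kind decides whether a field is vulnerable, shown as an added example that is not part of the original slides and is not XSS-Me's code. The two search handlers are constructed stand-ins for a vulnerable and a hardened search.aspx (nothing here contacts testfire.net), and the payload list and canary scheme are this example's own assumptions.

```python
import html
import secrets

# Constructed stand-ins for search.aspx (this example never contacts testfire.net):
# the first echoes the search term into the page unencoded, the second HTML-encodes it.
def vulnerable_search(term):
    return f"<html><body><h2>Search results for: {term}</h2></body></html>"


def hardened_search(term):
    return f"<html><body><h2>Search results for: {html.escape(term, quote=True)}</h2></body></html>"


def make_payloads(canary):
    """Attack strings representative of reflected XSS. Each carries a unique canary so a
    hit in the response can be tied to the exact submission that produced it."""
    return [
        f"<script>alert('{canary}')</script>",
        f"\"><img src=x onerror=alert('{canary}')>",
        f"'><svg onload=alert('{canary}')>",
    ]


def classify_reflection(body, payload):
    """How the payload came back: 'raw' (reflected unencoded, exploitable),
    'encoded' (reflected but neutralised) or 'absent'."""
    if payload in body:
        return "raw"
    if html.escape(payload, quote=True) in body or html.escape(payload, quote=False) in body:
        return "encoded"
    return "absent"


def probe(handler, canary=None):
    """Submit every payload to the handler and classify each response."""
    canary = canary or secrets.token_hex(4)
    return {p: classify_reflection(handler(p), p) for p in make_payloads(canary)}


def is_vulnerable(handler):
    return any(v == "raw" for v in probe(handler).values())


if __name__ == "__main__":
    for h in (vulnerable_search, hardened_search):
        print(h.__name__, probe(h))
```

Against a real target the handler would be a function that performs the HTTP request and returns the body; the classification logic stays the same. An "encoded" result is the desired outcome, a "raw" result is the reflection the slide's demo URL demonstrates.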
  • 8. SQL Inject Me
    • SQL Inject Me is a Firefox add-on for testing SQL injection.
    • It is a run-time testing tool only.
    • It works by submitting your HTML forms with the form values replaced by strings representative of a SQL injection attack.
    • Advanced attacks, such as blind SQL injection, may require additional manual testing (e.g. attempting to bypass authentication).
  • 9. SQL Inject Me: demo
    • Demo website: http://testfire.net/bank/login.aspx
    • Username/password: Jsmith/Demo1234. After login, navigate to http://testfire.net/bank/transaction.aspx
    • Observe the "After" date field:
      • Normal input: 01/01/2013
      • Injected input: 01/01/2006 union select userid,null,username+','+password,null from users--
    • The union appends rows from the users table (username and password concatenated) to the transaction list; the trailing -- comments out the remainder of the original query.
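The same union attack replayed against a constructed in-memory SQLite database, as an added example that is not from the slides or the demo site. The tables and rows are invented; the payload is the slide's, rewritten with SQLite's || concatenation and an ISO date because the slide targets SQL Server's + operator and US date format. The parameterized variant beside it is the mitigation the "Risk mitigation for injection attacks" agenda item refers to.

```python
import sqlite3

# Constructed data standing in for the demo bank's tables; the rows are invented.
def build_demo_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(userid INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'jsmith', 'Demo1234'), (2, 'admin', 's3cret');
        CREATE TABLE transactions(id INTEGER, tdate TEXT, description TEXT, amount REAL);
        INSERT INTO transactions VALUES (1, '2013-01-05', 'Deposit', 500.0),
                                        (2, '2012-12-20', 'Withdrawal', -40.0);
    """)
    return con


def transactions_after_vulnerable(con, after):
    """The untrusted 'After' field is spliced straight into the SQL text."""
    sql = f"SELECT id, tdate, description, amount FROM transactions WHERE tdate >= '{after}'"
    return con.execute(sql).fetchall()


def transactions_after_safe(con, after):
    """Same query with the value bound as a parameter: it can no longer change the SQL."""
    sql = "SELECT id, tdate, description, amount FROM transactions WHERE tdate >= ?"
    return con.execute(sql, (after,)).fetchall()


# The slide's payload written for SQLite: || instead of SQL Server's + for string
# concatenation, an ISO date, and the same trailing -- to comment out the original
# closing quote. Four columns are selected so the UNION lines up with the transaction query.
UNION_PAYLOAD = (
    "2006-01-01' UNION SELECT userid, NULL, username || ',' || password, NULL FROM users--"
)


def leaked_credentials(rows):
    """'user,password' strings found in a result set that should hold only transactions."""
    return sorted(r[2] for r in rows if isinstance(r[2], str) and "," in r[2])


if __name__ == "__main__":
    con = build_demo_db()
    print("vulnerable:", leaked_credentials(transactions_after_vulnerable(con, UNION_PAYLOAD)))
    print("parameterized:", leaked_credentials(transactions_after_safe(con, UNION_PAYLOAD)))
```

With the bound parameter the whole payload is compared as one date string, so the query returns ordinary transactions and no credentials, which is the behaviour a scanner should observe once the fix is in place.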
  • 10. Hackbar
    • Hackbar is a Firefox add-on used to test for XSS and SQL injection.
    • It is useful while handcrafting attacks or doing penetration testing.
    • Features include: loading a URL, splitting a URL into its parts, character encoding/decoding, and executing the crafted request.
  • 11. Tamper Data
    • Firefox add-on for viewing and modifying HTTP requests and responses
    • Trace and time HTTP requests/responses
    • Modify POST parameters
    • Add HTTP headers
    • Encode/decode strings
    • Limited ability for testing XSS and SQL injection
  • 12. Cookie Manager+
    • Firefox add-on to view, modify, create, back up and restore cookies
    • Features include:
      • Filtering cookies by domain
      • Backing up and restoring cookies
      • Changing a cookie's expiry date
  • 13. Wappalyzer
    • Firefox add-on that reveals the internals of websites/web applications
    • Analyzes the DOM and HTTP response headers to identify the libraries, frameworks, components and servers used to build the site
    • Once an attacker knows the internal components and their versions, s/he can look up and exploit known vulnerabilities in those components, libraries, frameworks or servers
  • 14. FxCop
    • Static code analysis tool for applications written on the Microsoft .NET Framework
    • Has security and security-transparency rules
    • Can determine whether HTML output includes (tainted) input parameters from:
      • Form fields
      • Query strings
      • Databases and data access methods
      • The cookie collection
      • Session and application variables
  • 15. Fiddler plugin: Ammonite
    • URL: http://ammonite.ryscc.com/
    • Commercial web security tool
    • Detects critical vulnerabilities
    • Manual and automatic modes for testing
    • Fuzzes multiple request formats: Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multipart POST bodies
    • Tests all request sections: cookies, headers, URL path elements (RESTful apps), query string and request body
    • Passive checks that scan responses for credit card numbers, hidden form fields, HTTP 500 errors and verbose error messages
    • Exports results as an HTML report
  • 16. Fiddler plugin: Watcher
    • URL: http://websecuritytool.codeplex.com
    • Free web security tool
    • Passively monitors traffic for 40+ checks
    • Can also work offline on SAZ files saved from Fiddler
    • Results of the checks can be exported as HTML or XML
    • Demo: live session and report
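A minimal passive response analyzer in the spirit of the Wappalyzer, Ammonite and Watcher checks described on slides 13, 15 and 16, added here as an example; it is not code from any of those tools. The captured response is constructed, and the particular checks (version-disclosing headers, missing security headers, an HTTP 500 with a stack trace, hidden form fields, Luhn-valid card numbers) are this example's own selection.

```python
import re

# Constructed capture of a single HTTP response (not real traffic), carrying several of
# the conditions the passive checks on slides 13, 15 and 16 look for.
SAMPLE_RESPONSE = {
    "status": 500,
    "headers": {
        "Server": "Microsoft-IIS/7.5",
        "X-Powered-By": "ASP.NET",
        "X-AspNet-Version": "4.0.30319",
        "Content-Type": "text/html; charset=utf-8",
    },
    "body": """<html><body>
<form method="post" action="/bank/transfer.aspx">
  <input type="hidden" name="accountId" value="800002">
  <input type="text" name="amount">
</form>
<span>Card on file: 4111 1111 1111 1111</span>
<pre>Server Error in '/' Application.
System.Data.SqlClient.SqlException: Incorrect syntax near ''.
   at System.Data.SqlClient.SqlConnection.OnError(SqlException exception)</pre>
</body></html>""",
}

VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
REQUIRED_HEADERS = ("x-frame-options", "x-content-type-options", "strict-transport-security")


def fingerprint(headers):
    """Wappalyzer-style stack identification from version-disclosing response headers."""
    return {h: headers[h] for h in VERSION_HEADERS if h in headers}


def luhn_ok(digits):
    """Luhn checksum over a string of digits; weeds out most random digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_card_numbers(body):
    """13-19 digit runs (spaces or dashes allowed) that pass the Luhn check."""
    hits = []
    for m in re.finditer(r"\b(?:\d[ -]?){13,19}\b", body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def passive_checks(resp):
    """Run the passive checks over one captured response and return the findings."""
    findings = []
    lower = {k.lower(): v for k, v in resp["headers"].items()}  # header names are case-insensitive
    stack = fingerprint(resp["headers"])
    if stack:
        findings.append("version disclosure: " + ", ".join(f"{k}={v}" for k, v in stack.items()))
    for name in REQUIRED_HEADERS:
        if name not in lower:
            findings.append(f"missing header: {name}")
    if resp["status"] >= 500:
        findings.append(f"HTTP {resp['status']} response")
    if re.search(r"Server Error in '[^']*' Application|Exception:|\bat [\w.]+\(", resp["body"]):
        findings.append("verbose error message / stack trace in body")
    for name, value in re.findall(
            r'<input[^>]*type="hidden"[^>]*name="([^"]+)"[^>]*value="([^"]*)"', resp["body"]):
        findings.append(f"hidden form field: {name}={value}")
    for pan in find_card_numbers(resp["body"]):
        findings.append(f"possible card number: {pan[:6]}{'*' * (len(pan) - 10)}{pan[-4:]}")
    return findings


if __name__ == "__main__":
    for f in passive_checks(SAMPLE_RESPONSE):
        print("-", f)
```

Everything here works from a response that was already captured, which is what makes the checks passive: no extra requests are sent, so they can run over saved traffic (such as Fiddler's SAZ files) as well as live sessions.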
  • 17. AntiXSS Library
    • AntiXSS provides encoding functions for HTML, XML, URL, form, LDAP, CSS, JScript and VBScript output contexts.
    • White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. Every character not on the white list is encoded using the correct rules for the output context.
    • Secure globalization: an attack can be coded in any script, and AntiXSS protects against XSS attacks coded in dozens of languages.
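The difference between deny-list and allow-list encoding, as an added example rather than AntiXSS's own code: the ALLOWED set is this example's choice, and the numeric character references stand in for whichever rules the real library applies for a given context.

```python
import html

# Characters the allow-list encoder passes through untouched (this example's own choice;
# the real library keeps per-context lists): letters, digits, space and a little inert punctuation.
ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")


def denylist_encode(s):
    """Standard-library style: only the handful of known-dangerous characters are replaced."""
    return html.escape(s, quote=True)


def allowlist_encode(s):
    """AntiXSS style: every character not explicitly allowed becomes a numeric character
    reference, whatever script it comes from, so nothing unforeseen reaches the browser."""
    return "".join(ch if ch in ALLOWED else f"&#{ord(ch)};" for ch in s)


def passes_through(encoder, s):
    """Characters of s that the encoder leaves unencoded."""
    return {ch for ch in s if encoder(ch) == ch}


def roundtrips(s):
    """Encoding is lossless: a browser decoding the references recovers the original text."""
    return html.unescape(allowlist_encode(s)) == s


if __name__ == "__main__":
    # Constructed payload mixing ASCII and fullwidth (U+FF1C / U+FF1E) angle brackets.
    payload = "<script>alert(`xss`)</script> \uff1cb\uff1e"
    print(denylist_encode(payload))
    print(allowlist_encode(payload))
```

The deny-list encoder leaves the backtick and the fullwidth angle brackets alone because they are not on its short list of dangerous characters; the allow-list encoder never has to know they are dangerous, since anything it has not explicitly approved is encoded.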
  • 18. Asafaweb
    • Non-invasive vulnerability scanner
    • Individual effort from security consultant Troy Hunt
    • Good for projects already in production
    • Provides a baseline of scans for common ASP.NET configuration-related vulnerabilities
    • Also checks for clickjacking protection and the hash DoS (MS11-100) patch
    • Demo
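A configuration audit of the kind Asafaweb performs against a live site, written here as an added example over a web.config file rather than over HTTP (this is not Asafaweb's code). Both configuration fragments are constructed; the weak one beside the corrected one shows the settings the audit checks and the ASP.NET defaults it assumes when an element is absent.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (not from any real project): the first carries the
# weak settings this audit looks for, the second the corrected values.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" targetFramework="4.5" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def _find(root, *path):
    """Walk child elements by tag name (tags such as 'system.web' contain dots,
    so plain iteration is used instead of ElementPath expressions)."""
    el = root
    for tag in path:
        el = next((c for c in el if c.tag == tag), None)
        if el is None:
            return None
    return el


def _attr(root, path, name, default):
    """Attribute value of the element at path, or the ASP.NET default when it is absent."""
    el = _find(root, *path)
    return el.get(name, default) if el is not None else default


def audit_web_config(xml_text):
    root = ET.fromstring(xml_text)
    findings = []
    web = ("system.web",)

    if _attr(root, web + ("compilation",), "debug", "false").lower() == "true":
        findings.append("compilation debug=true: debug build and verbose errors in production")
    if _attr(root, web + ("customErrors",), "mode", "RemoteOnly") == "Off":
        findings.append("customErrors mode=Off: detailed error pages shown to remote users")
    trace_on = _attr(root, web + ("trace",), "enabled", "false").lower() == "true"
    local_only = _attr(root, web + ("trace",), "localOnly", "true").lower() == "true"
    if trace_on and not local_only:
        findings.append("trace enabled with localOnly=false: trace.axd reachable remotely")
    if _attr(root, web + ("httpCookies",), "httpOnlyCookies", "false").lower() != "true":
        findings.append("httpOnlyCookies not true: session cookie readable by script (XSS)")
    if _attr(root, web + ("httpCookies",), "requireSSL", "false").lower() != "true":
        findings.append("requireSSL not true: cookies sent over plain HTTP")

    xfo = None
    headers = _find(root, "system.webServer", "httpProtocol", "customHeaders")
    if headers is not None:
        for add in headers:
            if add.tag == "add" and add.get("name", "").lower() == "x-frame-options":
                xfo = add.get("value", "")
    if xfo is None or xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no X-Frame-Options header: pages can be framed (clickjacking)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Reading the file directly catches what a remote scanner can only infer from responses (for example a missing X-Frame-Options header or a verbose error page), which is why both kinds of check are worth running on a project that is already in production.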
  • 19. CAT.NET & BinScope Binary Analyzer
    • CAT.NET
      • Identifies common variants of prevailing vulnerabilities that give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL injection and XPath injection
      • Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all the methods contained within each
    • BinScope Binary Analyzer
      • Verification tool that analyzes binaries project-wide to ensure they have been built in compliance with the Microsoft SDL
      • BinScope checks that SDL-required compiler/linker flags are set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used
    • Note: only compatible with Visual Studio 2005 and Visual Studio 2008
  • 20. w3af (w3af.org)
    • w3af is a Web Application Attack and Audit Framework
    • Identifies more than 200 vulnerabilities and helps reduce your site's overall risk exposure
    • Open-source, Python-based core engine with a plug-in architecture
  • 21. Acunetix
    • Website analysis and vulnerability detection
    • Comprehensive scanning for SQL injection and Cross-Site Scripting (XSS) vulnerabilities
    • Scans password-protected areas automatically
    • Comprehensive reports for legal and regulatory compliance
    • Includes an HTTP sniffer, HTTP fuzzer and blind SQL injector
    • Detects HTTP Parameter Pollution (HPP) vulnerabilities
    • Compares scans and finds differences from previous scans
    • Supports CAPTCHA, single sign-on and two-factor authentication mechanisms
  • 22. Netsparker
    • Marketed by its vendor as the only false-positive-free web application security scanner
    • Ajax/JavaScript support
    • Supports Basic, Forms, NTLM, Digest and Kerberos authentication
    • Vulnerability retest
    • Also supports manual testing
    • Reporting against well-known compliance specifications such as PCI, OWASP and CAPEC
    • Custom reports
  • 23. Resources
    • OWASP (Open Web Application Security Project): https://www.owasp.org
    • XSS-Me: https://addons.mozilla.org/en-us/firefox/addon/xss-me/
    • SQL Inject Me
    • Microsoft Security: http://www.microsoft.com/security and http://www.Microsoft.com/sdl
    • Wikipedia: http://en.wikipedia.org/wiki/Threat_model
  • 24. This presentation is shared under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information about this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/. All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
    Lalit Kale, lalitkale@gmail.com, http://lalitkale.wordpress.com