Self Made Web 2.0 Security Testing

Security testing with OWASP ZAP


Published in: Science
Transcript

  • 1. Self-Made Web 2.0 Security Testing. Sven Großmann, Timo Pagel
  • 2. Introductions ● Sven ○ Master's student: Information Technology ■ Focus: web technologies ● Timo ○ IT specialist (systems integration) ○ Master's student: Information Technology ■ Focus: IT security
  • 3. Security expert. Managing director
  • 4. Tools of the white hat: Vulnerability scans (DAST), Web application firewalls, Code analysis (SAST), System hardening, Security training, Intrusion detection systems
  • 5. Tools of the black hat: Web application ← SQL injection, Cross-site scripting, Security misconfiguration, ... (DAST)
  • 6. DAST tools ● Burp (approx. $200) ● OWASP ZAP ● w3af ● sqlmap/nosqlmap ● more at sectoolmarket.com [1] http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
  • 7. DAST tools ● Burp (approx. $200) ● OWASP ZAP ● w3af ● sqlmap/nosqlmap ● more at sectoolmarket.com [1] http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
  • 8. A simple scan ● Spider ○ covers the site structure ● Scan ○ uncovers vulnerabilities
  • 9. Scan the production environment?
  • 10. How it works. Proxy: Spider/Scanner: Based on: https://blog.codecentric.de/files/2013/10/overview.png
  • 11. A simple scan. Demo: OWASP ZAP and WackoPicko
  • 12. How it works. Proxy: Spider/Scanner: AjaxSpider: Based on: https://blog.codecentric.de/files/2013/10/overview.png
  • 13. OWASP Top Ten ● A1 Injection ● A2 Broken Authentication and Session Management ● A3 Cross-Site Scripting (XSS) ● A4 Insecure Direct Object References ● A5 Security Misconfiguration ● A6 Sensitive Data Exposure ● A7 Missing Function Level Access Control ● A8 Cross-Site Request Forgery (CSRF) ● A9 Using Components with Known Vulnerabilities ● A10 Unvalidated Redirects and Forwards. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 14. Thank you. Contact: Timo Pagel: security@timo-pagel.de, Sven Großmann: svennergr@gmail.com
  • 15. Image sources: Disney Interactive: http://www.starwars.com/
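Slides 8, 10 and 12 describe the two-step workflow of a DAST tool such as OWASP ZAP (spider for coverage, then scan what was found, all observed through the tool's proxy) and mention the AjaxSpider for content a classic HTML spider cannot see. The script below is an added example, not part of the slide deck and not OWASP ZAP's own code. It implements a minimal spider and a passive (header-only) scan over a constructed in-memory site so the workflow runs offline: the hostname target.example, the paths, the response headers and the two header checks are all assumptions made for this illustration, not ZAP's rule set. It also demonstrates the AjaxSpider caveat from slide 12: the /api/hidden endpoint is referenced only from JavaScript, so the link-following spider never reaches it and the scan step never covers it.

```python
"""Toy DAST: spider a site for coverage, then passively scan every response.
Added example; the in-memory SITE below is constructed, not a real target."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE = "http://target.example"  # assumed hostname, constructed for this example

# Constructed responses: path -> (response headers, body). Stands in for what
# a scanner sees flowing through its proxy; nothing is fetched over the network.
SITE = {
    "/": ({"Content-Type": "text/html",
           "Set-Cookie": "session=abc123; HttpOnly; Secure"},
          '<a href="/login">Login</a> <a href="/about">About</a>'
          '<script>fetch("/api/hidden");</script>'),  # only an AJAX spider sees this
    "/login": ({"Content-Type": "text/html",
                "Set-Cookie": "session=abc123"},       # cookie without HttpOnly/Secure
               '<form action="/login" method="post"><input name="user"></form>'
               '<a href="/">Home</a>'),
    "/about": ({"Content-Type": "text/html", "X-Frame-Options": "DENY"},
               '<a href="/">Home</a> <a href="http://other.example/">External</a>'),
    "/api/hidden": ({"Content-Type": "application/json"}, '{"ok": true}'),
}


def fetch(url):
    """Return (headers, body) for a known path, or None for anything else."""
    path = urlparse(url).path or "/"
    return SITE.get(path)


class LinkExtractor(HTMLParser):
    """Collect href/action targets from anchors and forms, like a classic spider."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])


def spider(start):
    """Breadth-first crawl of same-host HTML links; returns the sorted URLs found."""
    host = urlparse(start).netloc
    seen, queue = set(), [start]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        resp = fetch(url)
        if resp is None:
            continue
        headers, body = resp
        if not headers.get("Content-Type", "").startswith("text/html"):
            continue  # only HTML is parsed for further links
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            target = urljoin(url, href)
            if urlparse(target).netloc == host and target not in seen:
                queue.append(target)  # external hosts stay out of scope
    return sorted(seen)


def passive_scan(urls):
    """Header-only checks on each response; no request is modified or injected."""
    alerts = []
    for url in urls:
        resp = fetch(url)
        if resp is None:
            continue
        headers, _ = resp
        is_html = headers.get("Content-Type", "").startswith("text/html")
        if is_html and ("X-Frame-Options" not in headers
                        and "Content-Security-Policy" not in headers):
            alerts.append((url, "missing anti-clickjacking header"))
        cookie = headers.get("Set-Cookie")
        if cookie:
            flags = {part.strip().lower() for part in cookie.split(";")[1:]}
            if "httponly" not in flags:
                alerts.append((url, "cookie without HttpOnly"))
            if "secure" not in flags:
                alerts.append((url, "cookie without Secure"))
    return alerts


def run(start=BASE + "/"):
    """Spider for coverage, then scan what was found: the two steps of slide 8."""
    found = spider(start)
    return {"urls": found, "alerts": passive_scan(found)}


if __name__ == "__main__":
    result = run()
    print("Spider coverage:", *result["urls"], sep="\n  ")
    print("Alerts:")
    for url, issue in result["alerts"]:
        print(f"  {url}: {issue}")
    print("Not reached (only referenced from JavaScript):", BASE + "/api/hidden")
```

Running the script lists three covered URLs and four alerts, and shows that /api/hidden was never visited. The scan step can only report on what the spider reached, which is why slide 12 adds the AjaxSpider: coverage, not the checks, is usually the weak point of a "simple scan" against a Web 2.0 application.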
