Self Made Web 2.0 Security Testing

Security testing with OWASP ZAP

Transcript

  • 1. Self-Made Web 2.0 Security Testing Sven Großmann, Timo Pagel
  • 2. Introduction ● Sven ○ Master's student: Information Technology ■ Focus: web technologies ● Timo ○ Fachinformatiker (Systemintegration) (certified IT specialist, systems integration) ○ Master's student: Information Technology ■ Focus: IT security
  • 3. Security Expert / Managing Director
  • 4. Tools of the white hat: Vulnerability scans (DAST), Web application firewalls, Code analysis (SAST), System hardening, Security training, Intrusion detection systems
  • 5. Tools of the black hat: Web application: SQL Injection, Cross Site Scripting, Security Misconfiguration ... DAST
  • 6. DAST tools ● Burp (approx. $200) ● OWASP Zap ● w3af ● sqlmap/nosqlmap ● more at sectoolmarket.com [1] http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
  • 8. A simple scan ● Spider ○ coverage of the site structure ● Scan ○ uncovering vulnerabilities
  • 9. Scan the production environment?
  • 10. How it works: Proxy: Spider/Scanner: Based on: https://blog.codecentric.de/files/2013/10/overview.png
  • 11. A simple scan. Demo: OWASP Zap and WackoPicko
  • 12. How it works: Proxy: Spider/Scanner: AjaxSpider: Based on: https://blog.codecentric.de/files/2013/10/overview.png
  • 13. OWASP Top Ten ● A1 Injection ● A2 Broken Authentication and Session Management ● A3 Cross-Site Scripting (XSS) ● A4 Insecure Direct Object References ● A5 Security Misconfiguration ● A6 Sensitive Data Exposure ● A7 Missing Function Level Access Control ● A8 Cross-Site Request Forgery (CSRF) ● A9 Using Components with Known Vulnerabilities ● A10 Unvalidated Redirects and Forwards Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 14. Thank you. Contact: Timo Pagel: security@timo-pagel.de Sven Großmann: svennergr@gmail.com
  • 15. Image sources: Disney Interactive: http://www.starwars.com/
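The "simple scan" of slide 8 (spider first, then scan) and the spider/scanner side of the proxy diagram on slides 10 and 12 can be driven without the GUI through ZAP's JSON API. The script below is an added example, not part of the slide deck and not ZAP's own client code. It uses ZAP's real API endpoints (`/JSON/spider/action/scan/`, `/JSON/spider/view/status/`, `/JSON/ascan/action/scan/`, `/JSON/ascan/view/status/`, `/JSON/core/view/alerts/`); the ZAP address, the API key, the host allow-list answering the "scan production?" question of slide 9, and the `FakeZap` responses are assumptions made for the example so that it runs offline against a test double such as a local WackoPicko instance.

```python
"""Spider-then-active-scan against a test deployment via the OWASP ZAP JSON API.

Added example. The ZAP address, allow-list and canned FakeZap replies are assumptions.
"""
import json
import time
import urllib.parse
import urllib.request
from collections import Counter

# Assumption: only hosts of deliberately vulnerable test deployments (e.g. a local
# WackoPicko container) are listed here; production hosts are never added.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "wackopicko.test"}


def check_target(target):
    """Refuse anything that is not an explicitly allow-listed test host (slide 9)."""
    host = urllib.parse.urlsplit(target).hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"refusing to scan {host!r}: not an allow-listed test host")
    return target


def api_url(zap, component, kind, name, **params):
    """Build a ZAP API URL of the form http://<zap>/JSON/<component>/<kind>/<name>/?k=v."""
    return f"{zap}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def http_get_json(url):
    """Default fetcher: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_until_done(fetch, status_url, poll):
    """Poll a spider/ascan status endpoint until ZAP reports 100 percent."""
    while int(fetch(status_url)["status"]) < 100:
        time.sleep(poll)


def summarize(alerts):
    """Count ZAP alerts by risk level and by alert name."""
    return {
        "by_risk": dict(Counter(a["risk"] for a in alerts)),
        "by_name": dict(Counter(a.get("name") or a.get("alert") for a in alerts)),
        "total": len(alerts),
    }


def run_scan(target, zap="http://127.0.0.1:8080", apikey="", fetch=http_get_json, poll=1.0):
    """Slide 8's two steps plus reporting: spider, active scan, collect alerts."""
    check_target(target)
    # Step 1: spider, to cover the site structure
    scan_id = fetch(api_url(zap, "spider", "action", "scan", url=target, apikey=apikey))["scan"]
    wait_until_done(fetch, api_url(zap, "spider", "view", "status", scanId=scan_id, apikey=apikey), poll)
    # Step 2: active scan of what the spider found, to uncover vulnerabilities
    scan_id = fetch(api_url(zap, "ascan", "action", "scan", url=target, apikey=apikey))["scan"]
    wait_until_done(fetch, api_url(zap, "ascan", "view", "status", scanId=scan_id, apikey=apikey), poll)
    # Step 3: pull the alerts ZAP raised for the target
    alerts = fetch(api_url(zap, "core", "view", "alerts", baseurl=target, apikey=apikey))["alerts"]
    return summarize(alerts)


class FakeZap:
    """Offline stand-in for ZAP returning constructed responses (test double, not real scan data)."""

    def __init__(self):
        self.calls = []
        self._progress = {"spider": iter(["40", "100"]), "ascan": iter(["15", "100"])}
        self._alerts = [  # constructed sample alerts in ZAP's JSON shape
            {"name": "Cross Site Scripting (Reflected)", "risk": "High", "url": "http://wackopicko.test/search"},
            {"name": "SQL Injection", "risk": "High", "url": "http://wackopicko.test/login"},
            {"name": "X-Frame-Options Header Not Set", "risk": "Medium", "url": "http://wackopicko.test/"},
        ]

    def __call__(self, url):
        self.calls.append(url)
        parts = urllib.parse.urlsplit(url).path.strip("/").split("/")  # JSON/<component>/<kind>/<name>
        component, kind, name = parts[1], parts[2], parts[3]
        if kind == "action":
            return {"scan": "0"}
        if name == "status":
            return {"status": next(self._progress[component])}
        return {"alerts": list(self._alerts)}


def demo():
    """Run the whole workflow against the fake so the request sequence can be followed offline."""
    fake = FakeZap()
    summary = run_scan("http://wackopicko.test/", fetch=fake, poll=0)
    return summary, fake.calls


if __name__ == "__main__":
    summary, calls = demo()
    for call in calls:
        print("GET", call)
    print(json.dumps(summary, indent=2))
```

Against a real ZAP instance, replace `fetch=fake` with the default `http_get_json`, pass the key ZAP prints on startup as `apikey`, and add the host of your own test deployment to `ALLOWED_HOSTS`; the request sequence stays the same as the one the fake records (spider start, spider status until 100, active scan start, active scan status until 100, alerts).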