
OWASP O2 Platform, November 2010


Presentation on the OWASP O2 Platform (longer version)

see http://o2platform.com and http://o2platform.wordpress.com



  1. O2 Platform: Automating Security Knowledge through Unit Tests
  2-10. WHAT IS [O2]? and the OWASP O2 PLATFORM
      O2 is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and WORKFLOWS
      [Slide footer graphic, repeated on every slide from here on: a GEEK-O-METER scale labelled developer, senior consultant, security consultant, analyst, manager]
  11-12. ... and when you start using it ... you will be able to do impossible things ... and your clients will love you
  13-16. O2 Quote, by David Campbell:
      "Earlier this year I gave a presentation about how the future of penetration testing is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of MethodStreams makes it radically simpler to get all of the source for a single method in one place to easily follow the taint. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and O2 is the swiss army knife you need to carry."
  17-18. Key message of this presentation: NO MORE [PDF graphic] WITH SECURITY FINDINGS
  19-21. Other types of PDFs
      • As bad as delivering a PDF is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions.
      • Any client deliverable that is not easily consumed by the end user (from developers to managers) is what I’m calling a ‘PDF’.
  22-26. SPEAKING DEVS LANGUAGE
      • Delivering security knowledge inside a PDF is a massively inefficient workflow
      • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it than they spent creating it (the PDF)
      • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work
      • We need to speak the developer’s language, leverage their knowledge and create two-way communication channels
  27-35. We need UnitTests
      • UnitTests are the only ‘language’ we can speak that the developers will understand
      • Security-Driven Unit tests will allow the developers to:
          • Reproduce Security Findings
          • Debug Security Exploits
          • Write Fixes and Confirm their non-exploitability
          • Use as part of normal app QA/Testing
          • Ensure vulnerabilities are not re-introduced at a later stage
      • There are lots of other advantages: better management reports, WAF rules, etc...
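What a Security-Driven Unit Test looks like in code, as an added example that is not O2 code (O2's own scripting environment is C#-based; Python is used here only because the pattern is language-neutral and the snippet runs as-is). The application code, the template wrapper, the payload from the ‘finding’ and the regression inputs are all constructed for the example. The same test reproduces the finding against the vulnerable render function, confirms the fix against the hardened one, and then stays in the normal QA suite so the issue cannot be re-introduced unnoticed:

```python
"""Security-driven unit test for a reflected XSS finding (added example;
not O2 code). The application code and inputs below are constructed."""
import html
import unittest
from html.parser import HTMLParser

# --- hypothetical application code under review ---------------------------

def render_greeting_vulnerable(name):
    """The 'before' state from the finding: untrusted input is concatenated
    straight into an HTML text context."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_fixed(name):
    """The developer's fix: encode untrusted input for an HTML text context."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


# --- the security unit test -----------------------------------------------

# Constructed inputs: the payload from the original finding plus two variants
# worth keeping in the regression suite, and one legitimate value that must
# still round-trip after the fix.
FINDING_PAYLOAD = "<script>alert(1)</script>"
REGRESSION_INPUTS = [
    FINDING_PAYLOAD,
    "<img src=x onerror=alert(1)>",
    '"><svg onload=alert(1)>',
]
LEGITIMATE_INPUT = "Mr O'Brien"
TEMPLATE_TAGS = ("p",)   # the only tag the template itself emits


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered):
    """Start tags in the rendered fragment that the template does not emit.
    Anything listed here came from the untrusted input, so a non-empty list
    means the finding reproduces."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]


def finding_reproduces(render, payload=FINDING_PAYLOAD):
    return bool(injected_tags(render(payload)))


def regression_failures(render):
    """Inputs from the regression list that still inject markup."""
    return [p for p in REGRESSION_INPUTS if injected_tags(render(p))]


def legitimate_input_round_trips(render, text=LEGITIMATE_INPUT):
    """The fix must not break ordinary names: decoding the rendered fragment
    gives back the original text."""
    return html.unescape(render(text)) == "<p>Hello, " + text + "!</p>"


class GreetingXssTest(unittest.TestCase):
    """The deliverable: developers run this instead of reading a PDF."""

    def test_finding_reproduces_on_vulnerable_code(self):
        # Documents the original finding; useful while debugging the fix.
        self.assertTrue(finding_reproduces(render_greeting_vulnerable))

    def test_fix_blocks_original_payload(self):
        self.assertFalse(finding_reproduces(render_greeting_fixed))

    def test_fix_holds_for_regression_inputs(self):
        self.assertEqual(regression_failures(render_greeting_fixed), [])

    def test_fix_keeps_legitimate_input_intact(self):
        self.assertTrue(legitimate_input_round_trips(render_greeting_fixed))


if __name__ == "__main__":
    unittest.main()
```

Run it with `python -m unittest` like any other test in the project. The check is structural (which tags came from the input) rather than a string match on one payload, so the test keeps working after the developer changes the wording of the template, and the regression list can grow as new variants are found.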
  36-42. SECURITY BY DESIGN & DEFAULT: DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT TO DEVELOPERS
  43. Living in an O2 world
  44-49. WHAT DOES IT LOOK LIKE?
      • By now (hopefully) you agree that the concept of creating Security-Driven UnitTests vs PDFs is a good one
      • But how does it work in practice?
      • What type of Unit Tests can be created?
      • Don’t the current tools in the market (including O2) suck at automating security consultants’ knowledge, workflows and exploits?
      • To answer this, let’s look at a number of case studies of what O2 can do in the hands of an O2 Power User (i.e. in my hands)
  50-51. Recapping: OWASP O2 PLATFORM
      The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants’ Knowledge and Workflows, and to Allow non-security experts to access and consume Security Knowledge and Unit Tests
  52-61. SO WHAT IS O2?
      • Scripting Engine and development environment
          • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment
      • Black-Box/Browser-automation environment
      • Source Code analysis environment:
          • Its own .NET Static Analysis engine (with taint-flow analysis)
          • Supports Java ByteCode/classes call-flow analysis (and source code mappings)
          • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC)
      • Data Consumption and API Generation
      • Powerful search engine, Graphical Engines, multiple APIs for popular tools/websites and tons of utilities
  62-64. Automating myself
      • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS TO KEEP DOING IT BY HAND
  65-67. IN PRACTICE
      • To really understand what this all means, let’s look at a number of case studies of where I have successfully used O2 in the real world
      • Hopefully this will clear the myth that security consultants still have today that there is no way to automate their workflows and security findings
  68. Real world O2 usage
  69-72. PROBLEM: Create a scripting environment that:
      - allows maximum customisation and extensibility,
      - has IntelliSense/CodeComplete,
      - with full access to rich APIs,
      - allows to quickly create new APIs and new methods,
      - allows one-click execution of scripts created.
      I’m basically looking for: Strongly Typed Python
      SOLUTION: O2 Scripting environment based on C# ExtensionMethods, code refactoring and dynamic compilation of the script (and supporting C# files)
  73-76. PROBLEM: Analyse Source Code Findings (created by the OunceLabs tool) and:
      • list unique sources and sinks
      • filter findings based on complex criteria
      • join and visualise similar findings and identify patterns
      • join traces (getters and setters, interfaces, reflection calls, etc...)
      • mass create rules based on analysis targets
      • dump Ounce’s Intermediate Representation (i.e. the analysed code as an Object Model)
      • handle 1+ Million Findings and 300Mb+ Findings files
      SOLUTION: Created a bunch of O2 modules that solved these and many more problems
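The first three bullets above (unique sources and sinks, filtering, joining similar findings into patterns), worked as an added example rather than O2's own modules. The findings file format is constructed for the example (it is not the OunceLabs/AppScan Source format, which the slides do not show) and the sample is embedded so it runs offline. The point is the streaming shape: each finding is consumed and discarded in a single pass, which is what lets a 300 MB file with a million findings be processed without loading it into memory:

```python
"""Stream-processing a large static-analysis findings file (added example;
not O2 code). The XML schema and the sample findings are constructed."""
import io
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the example's own schema: one <finding> with a trace
# of source -> propagators -> sink. Real tools have their own formats.
SAMPLE_FINDINGS = b"""<?xml version="1.0"?>
<findings>
  <finding id="1" severity="high" vuln="SQL Injection">
    <trace>
      <node kind="source" method="HttpServletRequest.getParameter" file="Login.java" line="42"/>
      <node kind="propagator" method="LoginBean.setUser" file="LoginBean.java" line="17"/>
      <node kind="sink" method="Statement.executeQuery" file="UserDao.java" line="88"/>
    </trace>
  </finding>
  <finding id="2" severity="high" vuln="SQL Injection">
    <trace>
      <node kind="source" method="HttpServletRequest.getParameter" file="Search.java" line="31"/>
      <node kind="sink" method="Statement.executeQuery" file="SearchDao.java" line="54"/>
    </trace>
  </finding>
  <finding id="3" severity="medium" vuln="Cross-Site Scripting">
    <trace>
      <node kind="source" method="HttpServletRequest.getParameter" file="Search.java" line="31"/>
      <node kind="sink" method="PrintWriter.write" file="Results.java" line="120"/>
    </trace>
  </finding>
  <finding id="4" severity="low" vuln="Log Forging">
    <trace>
      <node kind="source" method="HttpServletRequest.getHeader" file="Filter.java" line="9"/>
      <node kind="sink" method="Logger.info" file="Filter.java" line="12"/>
    </trace>
  </finding>
  <finding id="5" severity="high" vuln="SQL Injection">
    <trace>
      <node kind="source" method="HttpServletRequest.getCookies" file="Session.java" line="77"/>
      <node kind="propagator" method="SessionUtil.userFromCookie" file="SessionUtil.java" line="40"/>
      <node kind="sink" method="Statement.executeQuery" file="SessionDao.java" line="23"/>
    </trace>
  </finding>
</findings>
"""


def iter_findings(stream):
    """Yield one dict per <finding> while streaming the file. Each element is
    cleared after use, so memory does not grow with the number of findings."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "finding":
            continue
        nodes = list(elem.iter("node"))
        source = next((n.get("method") for n in nodes if n.get("kind") == "source"), None)
        sink = next((n.get("method") for n in reversed(nodes) if n.get("kind") == "sink"), None)
        yield {"id": elem.get("id"), "severity": elem.get("severity"),
               "vuln": elem.get("vuln"), "source": source, "sink": sink,
               "trace": [n.get("method") for n in nodes]}
        elem.clear()


def unique_sources_and_sinks(findings):
    sources = sorted({f["source"] for f in findings if f["source"]})
    sinks = sorted({f["sink"] for f in findings if f["sink"]})
    return sources, sinks


def filter_findings(findings, severity=None, vuln=None, sink_contains=None):
    """Keep findings matching every criterion given (None means 'any')."""
    return [f for f in findings
            if (severity is None or f["severity"] == severity)
            and (vuln is None or f["vuln"] == vuln)
            and (sink_contains is None or sink_contains in (f["sink"] or ""))]


def group_by_pattern(findings):
    """Join similar findings: everything sharing the same source/sink pair is
    one pattern (and usually one fix), however many traces report it."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["source"], f["sink"])].append(f["id"])
    return dict(groups)


def load_sample():
    return list(iter_findings(io.BytesIO(SAMPLE_FINDINGS)))


if __name__ == "__main__":
    fs = load_sample()
    print(unique_sources_and_sinks(fs))
    for (src, snk), ids in group_by_pattern(fs).items():
        print(f"{len(ids):>3} x {src} -> {snk}: {ids}")
```

Against a real file you would pass an open file object to `iter_findings` instead of the in-memory sample, and the grouping step is where the volume collapses: a million traces typically reduce to a few hundred source/sink patterns, which is the list worth showing a developer.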
  77-80. PROBLEM: Source Code: Handle the lack of visibility that static analysis engines have (in this case the AppScan/OunceLabs engine) with identifying web services (i.e.
      SOLUTION: Parse the source code to find the ‘formula’ that defines the Web Services in the Frameworks used, and mass-create rules that allow their effective scanning
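An added illustration of the ‘find the formula, mass-create rules’ idea; this is not O2's implementation. It assumes a JAX-WS style convention (a `@WebMethod` inside a `@WebService` class is a service entry point, the example's simplification of the framework's rules) and a rule format invented for the example; the Java source is constructed. Regular expressions are enough to show the shape, whereas a real run over a large code base would use a proper Java parser:

```python
"""Recover web-service entry points from source and mass-create taint-source
rules for them (added example; not O2 code). Assumes a JAX-WS style
convention and a rule format invented here; the Java source is constructed."""
import re

SAMPLE_JAVA = """
package com.example.ws;

import javax.jws.WebMethod;
import javax.jws.WebService;

@WebService(serviceName = "AccountService")
public class AccountService {

    @WebMethod
    public Account getAccount(String accountId, int region) {
        return dao.find(accountId, region);
    }

    @WebMethod(operationName = "transfer")
    public boolean transferFunds(String from, String to, double amount) {
        return ledger.move(from, to, amount);
    }

    // private helper: not part of the service contract, so no rule for it
    private void audit(String msg) { log.info(msg); }
}
"""

# The 'formula' for this framework, expressed as regular expressions. Good
# enough to show the shape; a production run over a large code base would
# use a real Java parser rather than regexes.
WEB_SERVICE_CLASS = re.compile(r"@WebService(?:\s*\([^)]*\))?\s+public\s+class\s+(\w+)")
WEB_METHOD = re.compile(
    r"@WebMethod(?:\s*\([^)]*\))?\s+public\s+[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)")


def _parse_params(param_text):
    """'String from, int n' -> [('String', 'from'), ('int', 'n')]."""
    params = []
    for part in param_text.split(","):
        part = part.strip()
        if part:
            java_type, name = part.rsplit(None, 1)
            params.append((java_type, name))
    return params


def find_web_service_entry_points(java_source):
    """Every @WebMethod that sits inside a @WebService class, with its
    enclosing class name and parameter list."""
    classes = [(m.start(), m.group(1)) for m in WEB_SERVICE_CLASS.finditer(java_source)]
    entry_points = []
    for m in WEB_METHOD.finditer(java_source):
        enclosing = [name for start, name in classes if start < m.start()]
        if not enclosing:
            continue  # @WebMethod outside any @WebService class: ignore
        entry_points.append({"class": enclosing[-1], "method": m.group(1),
                             "params": _parse_params(m.group(2))})
    return entry_points


def make_source_rules(entry_points):
    """One taint-source rule per parameter, in the example's own rule format.
    Feeding these to the scanner makes request data arriving through the
    service visible to its taint-flow analysis."""
    return [{"rule_type": "source", "class": ep["class"], "method": ep["method"],
             "parameter": name, "java_type": java_type}
            for ep in entry_points for java_type, name in ep["params"]]


if __name__ == "__main__":
    for rule in make_source_rules(find_web_service_entry_points(SAMPLE_JAVA)):
        print(rule)
```

The output is a list of rule records, one per service parameter; serialising them into whatever rule file the scanner in use reads is the last step, and it is the part that varies by tool.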
  81-84. PROBLEM: Analyse a Spring MVC application (from both a BlackBox and WhiteBox point of view)
      SOLUTION: O2 :)
  85-88. PROBLEM: Analyse a Struts with Java Faces application (from both a BlackBox and WhiteBox point of view)
      SOLUTION: O2 :)
  89-92. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view)
      SOLUTION: O2 :)
  93-96. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/javascript, etc...
      SOLUTION: Found a great C# Browser Automation API (WatiN) and wrote a large API that simplifies WatiN’s behaviour (using extension methods)
  97-100. PROBLEM: BlackBox: Deploy payloads in post-login pages
      SOLUTION: O2 :)
  101-104. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability
      SOLUTION: O2 :)
  105-108. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box, whose implication nobody outside the WebAppSecurity space understands
      SOLUTION: O2 :)
  109-112. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET ViewState
      SOLUTION: O2 :)
  113-116. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database
      SOLUTION: O2 :)
  117-120. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create an authorisation mapping table for multiple users
      SOLUTION: O2 :)
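The authorisation mapping table from the slide above, as an added example (not O2 code). The web-root file list, the three users, the expected access policy and the `simulated_app` stand-in for the target application are all constructed; in a real assessment `simulated_app` would be replaced by a request made with each user's session. Building the table is the easy part; diffing it against the intended policy is what turns it into a finding a developer can act on:

```python
"""Authorisation mapping table across users and web-root files (added
example; not O2 code). The file list, users, policy and the simulated
application are all constructed; swap simulated_app for real requests made
with each user's session to use it against an application."""

# Files found under the web application's root (constructed list).
WEB_ROOT_FILES = [
    "index.html", "login.jsp", "reports/q3.pdf", "admin/users.jsp",
    "admin/config.xml", "WEB-INF/web.xml", "includes/db.properties",
]
# Test identities: unauthenticated, a regular user, an administrator.
USERS = ["anonymous", "alice", "bob"]

# Who the application's owners intend to be able to read each file.
EXPECTED_POLICY = {
    "index.html": {"anonymous", "alice", "bob"},
    "login.jsp": {"anonymous", "alice", "bob"},
    "reports/q3.pdf": {"alice", "bob"},
    "admin/users.jsp": {"bob"},
    "admin/config.xml": {"bob"},
    "WEB-INF/web.xml": set(),           # the container must never serve these
    "includes/db.properties": set(),
}


def simulated_app(path, user):
    """Constructed stand-in for the target: the HTTP status the real app would
    return to `user` requesting `path`. Two misconfigurations are built in so
    the report has something to show (see the comments)."""
    if path.startswith("WEB-INF/"):
        return 404
    if path in ("index.html", "login.jsp", "includes/db.properties"):
        return 200          # db.properties is served to everyone: misconfig 1
    if user == "anonymous":
        return 302          # redirected to the login page
    if path == "admin/config.xml":
        return 200 if user == "bob" else 403
    if path == "admin/users.jsp":
        return 200          # no role check, alice reaches an admin page: misconfig 2
    return 200              # reports: any authenticated user


def authorization_table(paths, users, fetch):
    """path -> {user -> status}: the raw mapping table."""
    return {p: {u: fetch(p, u) for u in users} for p in paths}


def over_exposed(table, policy):
    """(path, user) pairs that got a 200 although the policy does not allow
    that user: the broken-access-control findings."""
    return [(p, u) for p in sorted(table)
            for u, status in table[p].items()
            if status == 200 and u not in policy.get(p, set())]


def render_table(table, users):
    """Plain-text matrix for the report."""
    width = max(len(p) for p in table)
    lines = [" " * width + "  " + "  ".join(f"{u:>9}" for u in users)]
    for p in sorted(table):
        lines.append(f"{p:<{width}}  " + "  ".join(f"{table[p][u]:>9}" for u in users))
    return "\n".join(lines)


if __name__ == "__main__":
    table = authorization_table(WEB_ROOT_FILES, USERS, simulated_app)
    print(render_table(table, USERS))
    for path, user in over_exposed(table, EXPECTED_POLICY):
        print(f"OVER-EXPOSED: {user} can read {path}")
```

The same table also answers the opposite question (who is denied something the policy grants them), and because the policy is data, the developers can keep the check running after every deployment and treat a new row in `over_exposed` as a failed test.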
  121. 121. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  122. 122. PROBLEM:BlackBox: Automatically Test/Fuzz WebServiceswhere each request needs to be a valid XML/SOAP request (or the payloads will never reachthe application) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  123. 123. PROBLEM:BlackBox: Automatically Test/Fuzz WebServiceswhere each request needs to be a valid XML/SOAP request (or the payloads will never reachthe application)SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  124. 124. PROBLEM:BlackBox: Automatically Test/Fuzz WebServiceswhere each request needs to be a valid XML/SOAP request (or the payloads will never reachthe application)SOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  125. 125. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  126. 126. PROBLEM:BlackBox: perform brute force authentication(username & password) attacks in multipleforms, each having unique signatures, behavioursand workflows O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  127. 127. PROBLEM:BlackBox: perform brute force authentication(username & password) attacks in multipleforms, each having unique signatures, behavioursand workflowsSOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  128. 128. PROBLEM:BlackBox: perform brute force authentication(username & password) attacks in multipleforms, each having unique signatures, behavioursand workflowsSOLUTION:O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  132. PROBLEM: BlackBox: Perform multiple requests, where for each request do the following actions:
    - take screenshot of page with payload in forms
    - submit payload
    - take screenshot of resulting page
    - save HTML
  After completion, visualise and analyse the created data. SOLUTION: O2 :)
  136. PROBLEM: BlackBox: Give developers the ability to reproduce the security findings. SOLUTION: O2 :)
  140. PROBLEM: BlackBox: Show developers the multiple ways and variations in which a particular vulnerability can be exploited. SOLUTION: O2 :)
  144. PROBLEM: Show the end-client (and developers) the tests made during the security assessment and their coverage. SOLUTION: O2 :)
  148. PROBLEM: BlackBox: test for CSRF on complex web applications with multiple workflows and complex state. SOLUTION: Create an API that exposes the application's behaviour as a set of methods, which can then be invoked in a foreach(var payload in payloads) loop which handles the payload submission and data collection (i.e. screenshots and HTML data returned).
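An added example of the pattern this slide describes, in C# (it is not O2's own code and not from the deck): the application's workflow is wrapped as methods on a small class, and a test loops over anti-CSRF token variants, submits each one through that API and saves the returned HTML for later analysis. The base URL, the `/login` and `/transfer` paths, the form field names and the "Transfer complete" success marker are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Hypothetical wrapper exposing the application's workflow as methods.
// Paths and field names are assumptions, not taken from the deck.
class AppApi
{
    readonly HttpClient client;
    public AppApi(string baseUrl)
    {
        var handler = new HttpClientHandler { CookieContainer = new CookieContainer() };
        client = new HttpClient(handler) { BaseAddress = new Uri(baseUrl) };
    }

    public Task<string> Login(string user, string pass) =>
        Post("/login", new Dictionary<string, string> { ["user"] = user, ["pass"] = pass });
    // State-changing form; the test supplies whichever anti-CSRF token value it wants to try.
    public Task<string> Transfer(string amount, string csrfToken) =>
        Post("/transfer", new Dictionary<string, string> { ["amount"] = amount, ["csrf"] = csrfToken });
    async Task<string> Post(string path, Dictionary<string, string> fields)
    {
        var response = await client.PostAsync(path, new FormUrlEncodedContent(fields));
        return await response.Content.ReadAsStringAsync();   // HTML returned by the app
    }
}

class CsrfCheck
{
    static async Task Main()
    {
        var api = new AppApi("https://app.example/");      // assumed test instance
        await api.Login("tester", "password");             // assumed test account

        // Token variants the server must reject; values are constructed for the example.
        var payloads = new Dictionary<string, string> { ["missing"] = "", ["stale"] = "AAAA1111" };
        Directory.CreateDirectory("results");
        foreach (var payload in payloads)                  // the loop from the slide
        {
            string html = await api.Transfer("1", payload.Value);
            File.WriteAllText(Path.Combine("results", payload.Key + ".html"), html);
            bool rejected = !html.Contains("Transfer complete");   // success marker assumed
            Console.WriteLine($"{payload.Key}: {(rejected ? "rejected, ok" : "ACCEPTED without valid token")}");
        }
    }
}
```

A baseline submission with a freshly issued valid token belongs alongside these variants, so that a rejection is known to come from token enforcement and not from a broken form.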