Owasp o2 platform november 2010

  1. 1. O2 Platform Automating Security Knowledge through Unit Tests
  2. 2. WHAT IS ? and the OWASP O2 PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  3. 3. is an: OPEN PLATFORM. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  4. 4. for AUTOMATING. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  5. 5. APPLICATION SECURITY . O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  6. 6. KNOWLEDGE . O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  7. 7. and WORKFLOWS. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  8. 8. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  9. 9. is an: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  10. 10. is an: OPEN PLATFORM for AUTOMATING APPLICATION SECURITY KNOWLEDGE and O2 developer WORKFLOWS senior consultant security consultant analyst manager GEEK-O-METER
  11. 11. ... and when you start using it ... ... you will be able to do impossible things ... O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  12. 12. and your clients will love you O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  13. 13. O2 Quote, by David Campbell O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  14. 14. O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  15. 15. O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  16. 16. O2 Quote, by David Campbell " Earlier this year I gave a presentation about how the 'future of penetration testing' is all greybox. We now get source for almost every assessment we do, and so the blackbox toolset we traditionally used had to evolve. The O2 framework provides a very flexible set of tools for performing greybox testing. The concept of 'MethodStreams' makes it radically simpler to get all of the source for a single method in one place to easily 'follow the taint'. O2 also provides a set of blackbox tools to quickly verify your static analysis findings and rapidly develop POC exploits. In a nutshell, the pentesting game has changed, and the O2 developer O2 is the swiss army knife you need to carry. " senior consultant security consultant analyst manager GEEK-O-METER
  17. 17. Key message of this presentation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  18. 18. Key message of this presentation NO MORE O2 developer WITH senior consultant security consultant SECURITY FINDINGS analyst manager GEEK-O-METER
  19. 19. Other types of PDF’s O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  20. 20. Other types of PDF’s • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  21. 21. Other types of PDF’s • As bad as delivering a PDF, is delivering Automated Tools results (Static Code Analysis, Website Scanners) which deliver tons of results/findings but have little context or actionable actions. • Any client’s deliverable that is not easily consumed by the end user (from developers to managers) is what I’m calling a ‘PDF’ O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  22. 22. SPEAKING DEVS LANGUAGE O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  23. 23. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  24. 24. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  25. 25. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  26. 26. SPEAKING DEVS LANGUAGE • Delivering security knowledge inside a PDF is a massively inefficient workflow • The Client is going to spend more money trying to figure out what the PDF says and how to deal with it, than they spent in creating it (the PDF) • The developers will struggle to reproduce the findings and in most cases fix the vulnerabilities by making the exploit not work O2 • We need to speak the developer’s language, developer senior consultant leverage their knowledge and create two-way security consultant analyst communication channels manager GEEK-O-METER
  27. 27. We need UnitTests O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  28. 28. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  29. 29. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  30. 30. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  31. 31. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  32. 32. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  33. 33. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  34. 34. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing • Ensure vulnerabilities are not re- introduced at a later stage O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  35. 35. We need UnitTests • UnitTest are the only ‘language’ we can speak that the developers will understand • Security-Driven Unit tests will allow the developers to: • Reproduce Security Findings • Debug Security Exploits • Write Fixes and Confirm its non- exploitability • Use as part of normal app QA/Testing • Ensure vulnerabilities are not re- introduced at a later stage O2 • There are lots of other advantages: better developer senior consultant security management reports, WAF rules, etc... consultant analyst manager GEEK-O-METER
  36. 36. SECURITY BY DESIGN & DEFAULT O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  37. 37. SECURITY BY DESIGN & DEFAULT DELIVERING O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  38. 38. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  39. 39. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  40. 40. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  41. 41. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  42. 42. SECURITY BY DESIGN & DEFAULT DELIVERING SECURITY UNIT TESTS WILL ALLOW US TO MAKE SECURITY INVISIBLE/TRANSPARENT O2 developer senior consultant security consultant analyst TO DEVELOPERS manager GEEK-O-METER
  43. 43. Living in an O2 world
  44. 44. WHAT DOES IT LOOK LIKE? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  45. 45. WHAT DOES IT LOOK LIKE? • By now (hopefully) you agree that the concept of creating Security-Driven-UnitTest vs PDFs is a good one O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  46. 46. WHAT DOES IT LOOK LIKE? • By now (hopefully) you agree that the concept of creating Security-Driven-UnitTest vs PDFs is a good one • But how does it work in practice? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  47. 47. WHAT DOES IT LOOK LIKE? • By now (hopefully) you agree that the concept of creating Security-Driven-UnitTest vs PDFs is a good one • But how does it work in practice? • What type of Unit Tests can be created? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  48. 48. WHAT DOES IT LOOK LIKE? • By now (hopefully) you agree that the concept of creating Security-Driven-UnitTest vs PDFs is a good one • But how does it work in practice? • What type of Unit Tests can be created? • Don’t the current tools in the market (including O2) suck at automating security consultant’s knowledge, workflows and exploits? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  49. 49. WHAT DOES IT LOOK LIKE? • By now (hopefully) you agree that the concept of creating Security-Driven-UnitTest vs PDFs is a good one • But how does it work in practice? • What type of Unit Tests can be created? • Don’t the current tools in the market (including O2) suck at automating security consultant’s knowledge, workflows and exploits? O2 • To answer this, lets look at a number of case developer senior consultant security studies of what O2 can do in the hands of an O2 consultant analyst Power User (i.e in my hands) manager GEEK-O-METER
  50. 50. Recapping: OWASP O2 PLATFORM PLATFORM O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  51. 51. Recapping: OWASP O2 PLATFORM PLATFORM The O2 platform represents a new paradigm for how to perform, document and distribute Web Application security reviews. O2 is designed to Automate Security Consultants Knowledge and Workflows O2 and to developer senior consultant security Allow non-security experts to access and consultant analyst consume Security Knowledge and Unit Tests manager GEEK-O-METER
  52. 52. SO WHAT IS O2? O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  53. 53. SO WHAT IS O2? • Scripting Engine and development environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  54. 54. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  55. 55. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  56. 56. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  57. 57. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  58. 58. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  59. 59. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  60. 60. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) • Data Consumption and API Generation O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  61. 61. SO WHAT IS O2? • Scripting Engine and development environment • I write “O2 in O2” using its “C#, Python-like, reflection-on-steroids, dynamically-compiled-extension-methods” environment • Black-Box/Browser-automation environment • Source Code analysis environment: • It’s own .NET Static Analysis engine (with taint-flow analysis) • Supports Java ByteCode/classes call-flow analysis (and source code mappings) • Multiple visualizers for Development Frameworks (Spring MVC, Struts, ASP.NET MVC) • Data Consumption and API Generation O2 developer • Powerful search engine, Graphical Engines, senior consultant security multiple APIs for popular tools/websites and consultant analyst tons of utilities manager GEEK-O-METER
  62. 62. Automating myself O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  63. 63. Automating myself • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  64. 64. Automating myself • KEY CONCEPT: Today (Nov 2010) when I do a security assessment: IT IS FASTER FOR ME TO AUTOMATE MYSELF VIA CUSTOM APIs THAN IT IS DO KEEP O2 developer senior consultant DOING IT BY HAND security consultant analyst manager GEEK-O-METER
  65. 65. IN PRACTICE O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  66. 66. IN PRACTICE • To really understand what this all means, lets look at a number of case studies of where I have successfully used O2 in the real world O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  67. 67. IN PRACTICE • To really understand what this all means, lets look at a number of case studies of where I have successfully used O2 in the real world • Hopefully this will clear the myth that security consultants still have today that there is no way to automate their workflows and security findings O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  68. 68. Real world O2 usage
  69. 69. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  70. 70. PROBLEM: Create a scripting environment that: - allows maximum customisation and extensibility, - has Intelisense/CodeComplete, - with full access to rich APIs - allows to quickly create new APIS and new methods - allows one-click execution of scripts created I’m basically looking for: Strongly Typed Python O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  71. 71. PROBLEM: Create a scripting environment that: - allows maximum customisation and extensibility, - has Intelisense/CodeComplete, - with full access to rich APIs - allows to quickly create new APIS and new methods - allows one-click execution of scripts created I’m basically looking for: Strongly Typed Python SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  72. 72. PROBLEM: Create a scripting environment that: - allows maximum customisation and extensibility, - has Intelisense/CodeComplete, - with full access to rich APIs - allows to quickly create new APIS and new methods - allows one-click execution of scripts created I’m basically looking for: Strongly Typed Python SOLUTION: O2 Scripting environment based on C# ExtensionMethods, code refactoring and dynamic compilation of script (and supporting O2 C# files) developer senior consultant security consultant analyst manager GEEK-O-METER
  73. 73. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  74. 74. PROBLEM: Analyse Source Code Findings (Created by OunceLabs tool) and: •list unique sources and sinks •filter findings based on complex criteria •join and visualise similar findings and identify patterns •join traces (getters and setters, interfaces, reflection calls, etc...) •mass create rules based on analysis targets •dump Ounce’s Intermediate Representation (i.e. the analysed code as an Object Model) •Handle 1+ Million Findings and 300Mb+ Findings file O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  75. 75. PROBLEM: Analyse Source Code Findings (Created by OunceLabs tool) and: •list unique sources and sinks •filter findings based on complex criteria •join and visualise similar findings and identify patterns •join traces (getters and setters, interfaces, reflection calls, etc...) •mass create rules based on analysis targets •dump Ounce’s Intermediate Representation (i.e. the analysed code as an Object Model) •Handle 1+ Million Findings and 300Mb+ Findings file O2 developer SOLUTION: senior consultant security consultant analyst manager GEEK-O-METER
  76. 76. PROBLEM: Analyse Source Code Findings (Created by OunceLabs tool) and: •list unique sources and sinks •filter findings based on complex criteria •join and visualise similar findings and identify patterns •join traces (getters and setters, interfaces, reflection calls, etc...) •mass create rules based on analysis targets •dump Ounce’s Intermediate Representation (i.e. the analysed code as an Object Model) •Handle 1+ Million Findings and 300Mb+ Findings file O2 developer SOLUTION: senior consultant security consultant Created a bunch of O2 modules that solved analyst these and many more problems manager GEEK-O-METER
  77. 77. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  78. 78. PROBLEM: Source Code: Handle the lack-of-visibility that static analysis engines have (in this case AppScan/OunceLabs engine) with identifying web services (i.e. O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  79. 79. PROBLEM: Source Code: Handle the lack-of-visibility that static analysis engines have (in this case AppScan/OunceLabs engine) with identifying web services (i.e. SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  80. 80. PROBLEM: Source Code: Handle the lack-of-visibility that static analysis engines have (in this case AppScan/OunceLabs engine) with identifying web services (i.e. SOLUTION: Parse the source code to find the ‘formula’ that defines the Web Services in the Frameworks used, and mass-create rules that allow its effective scanning O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  81. 81. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  82. 82. PROBLEM: Analyse an Spring MVC application (from both a BlackBox and WhiteBox point of view) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  83. 83. PROBLEM: Analyse an Spring MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  84. 84. PROBLEM: Analyse an Spring MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  85. 85. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  86. 86. PROBLEM: Analyse an Struts with Java Faces application (from both a BlackBox and WhiteBox point of view) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  87. 87. PROBLEM: Analyse an Struts with Java Faces application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  88. 88. PROBLEM: Analyse an Struts with Java Faces application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  89. 89. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  90. 90. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  91. 91. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  92. 92. PROBLEM: Analyse an ASP.NET MVC application (from both a BlackBox and WhiteBox point of view) SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  93. 93. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  94. 94. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/ javascript, etc... O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  95. 95. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/ javascript, etc... SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  96. 96. PROBLEM: Automating Browser actions: list fields, enter data, click on buttons, manipulate html/ javascript, etc... SOLUTION: Found a great C# Browser Automation API (WatiN) and wrote a large API that simplifies WatiN’s behaviour (using extension methods) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  97. 97. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  98. 98. PROBLEM: BlackBox: Deploy payloads in post login pages O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  99. 99. PROBLEM: BlackBox: Deploy payloads in post login pages SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  100. 100. PROBLEM: BlackBox: Deploy payloads in post login pages SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  101. 101. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  102. 102. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  103. 103. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  104. 104. PROBLEM: BlackBox: Test for reflected vulnerabilities, for example XSS where there are two unique (and complex) web-browsing paths: one to put the payload and one to confirm exploitability SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  105. 105. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  106. 106. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box that nobody outside the WebAppSecurity space understand’s it implication O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  107. 107. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box that nobody outside the WebAppSecurity space understand’s it implication SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  108. 108. PROBLEM: BlackBox: Easily create XSS PoCs that are specific to the application and are much more than the ALERT pop-up box that nobody outside the WebAppSecurity space understand’s it implication SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  109. 109. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  110. 110. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  111. 111. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  112. 112. PROBLEM: BlackBox: Create exploit that leverages data inside ASP.NET Viewstate SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  113. 113. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  114. 114. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  115. 115. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  116. 116. PROBLEM: BlackBox: Confirm that an XSS vulnerability has been fixed, by retesting the original payload (with its automation) using the FuzzDB database SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  117. 117. PROBLEM: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  118. 118. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create authorisation mapping table for multiple users O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  119. 119. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create authorisation mapping table for multiple users SOLUTION: O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  120. 120. PROBLEM: BlackBox: Try to open (in web browser) all files available in the web app’s root (i.e. file system), and create authorisation mapping table for multiple users SOLUTION: O2 :) O2 developer senior consultant security consultant analyst manager GEEK-O-METER
  124. 124. PROBLEM: BlackBox: Automatically test/fuzz web services where each request needs to be a valid XML/SOAP request (or the payloads will never reach the application) SOLUTION: O2 :)
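The reason the payloads "never reach the application" is that the SOAP stack parses the envelope before any application code runs: a payload containing `<`, `]]>` or a stray quote either makes the document malformed (rejected by the parser) or gets interpreted as markup (the application receives an empty string). The following added example, not O2 Platform code, shows a naive string-concatenation builder beside one that goes through the XML API so the payload is escaped as element text; the service namespace and the fuzz cases are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
APP_NS = "http://example.invalid/orders"   # hypothetical target service namespace

# Constructed fuzz cases; in practice pull the real lists from FuzzDB.
PAYLOADS = [
    "' OR '1'='1",
    "<script>alert(1)</script>",
    "../../../../etc/passwd",
    "]]><!--",
    "A" * 2000,
]


def build_request_naive(payload: str) -> str:
    """String concatenation: any markup character in the payload changes the
    document's structure, so the XML stack rejects or reinterprets it."""
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
            f'<GetOrder xmlns="{APP_NS}"><orderId>{payload}</orderId></GetOrder>'
            '</soap:Body></soap:Envelope>')


def build_request(payload: str) -> str:
    """Same envelope built through the XML API: the payload is escaped as
    element text, so the request is well-formed whatever it contains."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}GetOrder")
    ET.SubElement(op, f"{{{APP_NS}}}orderId").text = payload
    return ET.tostring(env, encoding="unicode")


def is_well_formed(xml: str) -> bool:
    try:
        ET.fromstring(xml)
        return True
    except ET.ParseError:
        return False


def delivered_order_id(xml: str) -> Optional[str]:
    """Stand-in for the server side: parse as the SOAP stack would and return
    the orderId the application method actually receives (None if the
    parser rejected the message before any application code ran)."""
    try:
        root = ET.fromstring(xml)
    except ET.ParseError:
        return None
    return root.findtext(f".//{{{APP_NS}}}orderId")


def payloads_reaching_app(builder: Callable[[str], str],
                          payloads: List[str] = PAYLOADS) -> List[str]:
    """Fuzz loop: which payloads arrive at the application intact?"""
    return [p for p in payloads if delivered_order_id(builder(p)) == p]


if __name__ == "__main__":
    for label, builder in (("naive", build_request_naive), ("XML API", build_request)):
        ok = payloads_reaching_app(builder)
        print(f"{label}: {len(ok)} of {len(PAYLOADS)} payloads reached the application")
        for p in PAYLOADS:
            print(f"  {'ok  ' if p in ok else 'LOST'} {p[:40]!r}")
```

With the naive builder the `<script>` case parses but arrives as an empty string (the parser turned it into a child element), and the `]]><!--` case is rejected outright; the XML API delivers all five. Attacks aimed at the parser itself (XXE, entity expansion) are the one case where you do want a deliberately malformed or hand-crafted document, and those should be built as raw bytes in a separate run rather than through this escaping builder.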
  128. 128. PROBLEM: BlackBox: Perform brute-force authentication (username & password) attacks against multiple forms, each having unique signatures, behaviours and workflows SOLUTION: O2 :)
  132. 132. PROBLEM: BlackBox: Perform multiple requests, where for each request do the following actions: - take a screenshot of the page with the payload in the forms - submit the payload - take a screenshot of the resulting page - save the HTML. After completion, visualise and analyse the created data SOLUTION: O2 :)
  136. 136. PROBLEM: BlackBox: Give developers the ability to reproduce the security findings SOLUTION: O2 :)
  140. 140. PROBLEM: BlackBox: Show developers the multiple ways and variations in which a particular vulnerability can be exploited SOLUTION: O2 :)
  144. 144. PROBLEM: Show the end client (and developers) the tests made during the security assessment and their coverage SOLUTION: O2 :)
  148. 148. PROBLEM: BlackBox: Test for CSRF on complex web applications with multiple workflows and complex state SOLUTION: Create an API that exposes the application's behaviour as a set of methods, which can then be invoked in a foreach(var payload in payloads) loop that handles the payload submission and data collection (i.e. screenshots and HTML data returned)
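The pattern in this solution (wrap the application's behaviour as methods, then drive them in a `foreach(payload in payloads)` loop that collects evidence) is the same one that answers slide 116 (retest an XSS fix against a FuzzDB list) and slide 136 (let developers reproduce the finding). The following is an added example of that pattern in Python, not O2 Platform code: two constructed handlers stand in for the search page before and after its fix, the payload list is a constructed sample in the style of FuzzDB's XSS lists, and every attempt keeps the exact request and the response excerpt so a developer can replay it.

```python
import html
from dataclasses import dataclass
from typing import Callable, List
from urllib.parse import quote

# A handful of reflected-XSS probes in the style of FuzzDB's attack/xss lists.
# Constructed for this example; in practice load the real FuzzDB files.
PAYLOADS = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "\"><svg/onload=alert(1)>",
    "javascript:alert(1)",
    "'-alert(1)-'",
]


# --- the application 'API': one method per behaviour the test drives --------
# Two constructed handlers stand in for the real search page: the original,
# which echoes the query raw, and the fixed one, which HTML-encodes it.
def search_page_vulnerable(q: str) -> str:
    return f"<html><body>Results for: {q}</body></html>"


def search_page_fixed(q: str) -> str:
    return f"<html><body>Results for: {html.escape(q, quote=True)}</body></html>"


@dataclass
class Evidence:
    payload: str
    request: str           # exactly what was sent, so a developer can replay it
    response_excerpt: str  # what came back around the reflection point
    reflected_unencoded: bool


MARKUP_CHARS = set('<>"\'')


def reflected_unencoded(payload: str, body: str) -> bool:
    """True when the payload's markup metacharacters came back verbatim.
    Payloads with no such characters (e.g. javascript: URLs) are only
    dangerous in href/JS contexts and are left for manual review."""
    if not MARKUP_CHARS & set(payload):
        return False
    return payload in body


def retest(handler: Callable[[str], str], payloads: List[str] = PAYLOADS) -> List[Evidence]:
    """The foreach(payload in payloads) loop: drive the API once per payload
    and keep request, response and verdict for every attempt."""
    evidence = []
    for payload in payloads:
        body = handler(payload)
        at = body.find("Results for:")
        evidence.append(Evidence(
            payload=payload,
            request=f"GET /search?q={quote(payload, safe='')}",
            response_excerpt=body[at:at + 80],
            reflected_unencoded=reflected_unencoded(payload, body),
        ))
    return evidence


def still_vulnerable(handler: Callable[[str], str]) -> List[str]:
    """Payloads that still reflect unencoded: an empty list means the fix held."""
    return [e.payload for e in retest(handler) if e.reflected_unencoded]


if __name__ == "__main__":
    for label, handler in (("before fix", search_page_vulnerable), ("after fix", search_page_fixed)):
        print(f"{label}: {len(still_vulnerable(handler))} of {len(PAYLOADS)} payloads reflect unencoded")
        for e in retest(handler):
            print(f"  {'HIT ' if e.reflected_unencoded else 'ok  '} {e.request}  ->  {e.response_excerpt!r}")
```

Swapping the constructed handlers for methods that actually submit the form (and, as slide 132 describes, take screenshots before and after) keeps the rest unchanged: the `Evidence` records are the artefact you hand to developers, and `still_vulnerable` is the assertion the retest runs after the fix.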
  152. 152. PROBLEM: BlackBox: After finding, during code review, a 'this CSRF token looks like poor crypto to me' vulnerability, correctly identify and exploit it. SOLUTION: Isolate the original code into a testable component, which is then used to map its entropy behaviour, confirm the vulnerable scenario, write a "CSRF token generator" and write a JavaScript-based exploit/PoC to detect login timings
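The three steps named in this solution (isolate the generator, map its entropy, clone it as a token generator that enumerates a victim's possible tokens) can be shown end to end with a small constructed generator. What follows is an added example, not O2 Platform code and not the code that was reviewed: the weak generator hashes the login time in whole seconds, which is the kind of "looks random, isn't" construction the slide describes, and the epoch values are constructed for the example.

```python
import hashlib
import math
import secrets
from typing import List

# Constructed stand-in for the generator found during code review: the token
# is a hash of the login time in whole seconds.  It looks random, but it can
# only take as many values as there are seconds in the window the attacker
# cares about.  (Example code, not the reviewed application's code.)
def weak_csrf_token(login_time: int) -> str:
    return hashlib.md5(str(login_time).encode()).hexdigest()


def strong_csrf_token() -> str:
    """The fix: 128 bits from the OS CSPRNG, unrelated to anything observable."""
    return secrets.token_hex(16)


def observed_entropy_bits(tokens: List[str]) -> float:
    """log2 of the number of distinct tokens in a sample.  A sound generator
    gives ~log2(len(tokens)) (every token unique); a weak one plateaus at the
    size of its real input space no matter how many tokens you collect."""
    distinct = len(set(tokens))
    return math.log2(distinct) if distinct else 0.0


def candidate_tokens(window_start: int, window_seconds: int) -> List[str]:
    """Attacker's clone of the generator: every token a victim who logged in
    during [window_start, window_start + window_seconds) could hold."""
    return [weak_csrf_token(t) for t in range(window_start, window_start + window_seconds)]


def token_is_predictable(victim_login_time: int, window_start: int, window_seconds: int) -> bool:
    """Confirms the vulnerable scenario: if the victim's login fell inside the
    window the attacker guessed, the real token is in the candidate list and a
    CSRF page can simply try each candidate in turn."""
    return weak_csrf_token(victim_login_time) in candidate_tokens(window_start, window_seconds)


if __name__ == "__main__":
    base = 1_700_000_000  # constructed epoch time: 1000 logins within one minute
    weak = [weak_csrf_token(base + i % 60) for i in range(1000)]
    strong = [strong_csrf_token() for _ in range(1000)]
    print(f"weak:   {observed_entropy_bits(weak):.1f} bits observed over {len(weak)} tokens")
    print(f"strong: {observed_entropy_bits(strong):.1f} bits observed over {len(strong)} tokens")
    print("victim token guessable from a 60 s window:", token_is_predictable(base + 37, base, 60))
```

The entropy figure is bounded by the sample size, so the tell is not the absolute number but the plateau: collecting more weak tokens never raises it above log2(window), while the CSPRNG version keeps tracking log2(sample). The slide's final step, the JavaScript PoC that narrows the login time, is what shrinks `window_seconds` from "sometime today" to a few dozen candidates a CSRF page can try.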
  154. 154. PROBLEM: Create a PoC for the "Google Wireless MAC Address Location exposure", as made famous by Samy Kamkar's "How I Met Your Girlfriend" presentation
