
What the fuzz


Basic Introduction to fuzzing Web applications

Published in: Software
What the fuzz

  1. WHAT THE FUZZ??? Christopher Frenz
  2. NEED FOR APPLICATION SECURITY
     • According to SANS
     • 60% of all internet attacks target Web applications
     • SQL Injection and XSS constitute 80% of all recently discovered vulnerabilities
     • Application vulnerabilities now exceed OS vulnerabilities
     [Chart: number of vulnerabilities by category (Applications, Operating Systems, Network)]
  3. OWASP TOP 10
  4. WHAT TO DO???
     • More developers need to be made aware of the need for secure software development as well as the practices associated with it
     • Education is key
     • Security needs to be part of the mindset of any software development project from day 1
     • Security CANNOT be an afterthought
     • Security CANNOT be effectively added on later (e.g. firewalls)
  5. WHY EDUCATION?
     • Response from development team: "There is no issue here, you encountered this error while using Mozilla. Our product documentation says the application is only compatible with IE."
  6. A QUESTION OF CASE
     • What the Fuzz?
     • Basic testing or fuzzing would have discovered that capitalizing a letter would result in all data being returned and not just the authorized set
     • Validation was only being done client side
  7. SECURING THE SDLC
     • Requirements: security needs to be a requirement; risk assessment
     • Design: security controls to ensure all requirements are met; design review
     • Implementation: coding standards; static code analysis; peer code review
     • Testing: abuse cases; fuzzing; vulnerability scans; pen testing
     • Release/Maintenance: patching/updating
     Security needs to be a factor in all phases of the software development lifecycle
  8. THREAT MODELING (STRIDE)
     • Spoofing
     • Tampering
     • Repudiation
     • Information disclosure
     • Denial of Service
     • Elevation of privilege
     • Makes programmers think like an attacker in order to identify potential ways in which their application could be abused
  9. RISK ASSESSMENT (DREAD)
     • Damage potential
     • Reproducibility
     • Exploitability
     • Affected Users
     • Discoverability
     • Each threat is ranked in each category on a scale of 1 to 3, with 1 being a threat with minimal potential impact and 3 being a serious threat
  10. STRIDE + DREAD EXAMPLE: helps to identify which threats pose the biggest risk
  11. FUZZING
     • Fuzzing is an automated process of providing invalid and random inputs to an application and monitoring the application for crashes
     • It can help to identify inputs that the application cannot properly handle and that hence could be used as potential attack vectors
  12. OWASP MUTILLIDAE: a deliberately vulnerable web application for training security testing skills
  14. MUTILLIDAE: Mutillidae unzips into the htdocs folder of the Apache install
  15. BURP: suite of tools for performing Web application security testing
  16. FOXY PROXY: enables you to quickly switch between the Burp intercepting proxy and non-proxied browsing
  17. START BURP: start Burp and use FoxyProxy to ensure that our Web browser requests go through Burp
  18. FIND TARGET: Burp lets us see the pages loaded through the browser as well as spider a target site to identify additional web pages
  19. FUZZ TARGET: let's identify the page we want to target for fuzzing and send it to the Burp Intruder module
  20. IDENTIFY POSITIONS: identify which positions we want to receive our fuzzed input strings
  21. LAUNCH THE ATTACK: interesting, one attack returned a different page than the rest. Let's try it out.
  22. TEST THE ATTACK: we used an SQLi attack to bypass the authentication mechanism
  23. QUESTIONS
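Slides 6, 11 and 22 describe fuzzing as feeding mutated input to an application and watching for crashes or responses that differ from the expected one. The following Python harness is an added example, not code from the slides: it generates case-flip, metacharacter and wildcard mutations of a known-good seed and runs them against two constructed request handlers. The vulnerable handler trusts an owner parameter that was only validated in browser JavaScript and builds a LIKE query by string concatenation; the hardened handler performs the ownership check on the server and uses a parameterized exact-match query. Each input is judged against two invariants: the handler must not raise, and it must never return a record belonging to anyone but the session user. The handler names, the SQLite schema and the sample rows are all constructed for this example.

```python
"""Added example: a tiny fuzz harness for a web request handler (not part of the slides)."""
import sqlite3

# Constructed sample data standing in for the application's database.
SAMPLE_ROWS = [
    ("alice", "alice-note-1"),
    ("alice", "alice-note-2"),
    ("bob", "bob-note-1"),
    ("carol", "carol-note-1"),
]

# Characters appended to the seed to probe how input is handled.
METACHARS = ["'", '"', ";", "--", "%", "_"]


def make_db():
    """In-memory SQLite database with a constructed notes table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?)", SAMPLE_ROWS)
    return db


def vulnerable_handler(db, session_user, owner_param):
    """Mirrors the situation on slide 6: owner_param was only validated in the
    browser, so the server trusts it as-is and concatenates it into a LIKE
    query. Returns (status, rows)."""
    sql = "SELECT owner, body FROM notes WHERE owner LIKE '" + owner_param + "'"
    return 200, db.execute(sql).fetchall()


def hardened_handler(db, session_user, owner_param):
    """Server-side authorization plus a parameterized, exact-match query."""
    if owner_param != session_user:
        return 403, []
    rows = db.execute(
        "SELECT owner, body FROM notes WHERE owner = ?", (owner_param,)
    ).fetchall()
    return 200, rows


def mutate(seed):
    """Generate fuzz inputs from a known-good seed value."""
    variants = [seed.upper(), seed.capitalize(), seed.swapcase()]  # case flips (slide 6)
    variants += [seed + m for m in METACHARS]                      # metacharacters
    variants += ["%", "_" * len(seed), "", "A" * 2000]             # wildcards, empty, long
    return variants


def fuzz(db, handler, session_user):
    """Run every mutation through the handler and report invariant violations.
    Returns a list of (input, kind) where kind is "crash" for an unhandled
    exception (slide 11) or "data-leak" for rows not owned by session_user."""
    findings = []
    for payload in mutate(session_user):
        try:
            _status, rows = handler(db, session_user, payload)
        except Exception:  # unhandled error is the fuzzer's "crash" signal
            findings.append((payload, "crash"))
            continue
        if any(owner != session_user for owner, _ in rows):
            findings.append((payload, "data-leak"))
    return findings


if __name__ == "__main__":
    db = make_db()
    for name, handler in [("vulnerable", vulnerable_handler), ("hardened", hardened_handler)]:
        print(name, fuzz(db, handler, "alice"))
```

Against the vulnerable handler the harness reports three findings: the appended quote breaks the SQL string and raises (a crash), while the bare `%` and the all-underscore pattern are wildcards that return other users' rows (a data leak). The hardened handler returns 403 for every mutated value and produces no findings, which is the behaviour a server-side check should give regardless of what the client-side validation allowed through.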