Application Security-III
Security Analysis Tools
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
This presentation is part of one of the talks I gave at Microsoft .NET Bootcamp. The contents are slightly edited to share the information in the public domain. In this presentation, I tried to cover application security tools that can be helpful for analyzing security threats as well as putting up some defense. This presentation will be useful for software architects, managers, developers and QAs. Do share your feedback in the comments.

Application Security Tools

Overview
• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources

OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration

OWASP Top 10 Threats
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards

Security Analysis Tools Landscape
XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is used only for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms with the form values replaced by strings representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack! http://ha.ckers.org/xsscalc.html

XSS Me
• Demo Website: http://www.testfire.net
• Search for a normal string: http://www.testfire.net/search.aspx?txtSearch=test
• Search for an XSS attack string: http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>

SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is used only for run-time application security testing.
• The tool works by submitting your HTML forms with the form values replaced by strings representative of a SQL Injection attack.
• Advanced attacks, such as blind SQL injection, may require additional manual testing (e.g. attempting to bypass authentication).

SQL Inject Me
• Demo Website: http://testfire.net/bank/login.aspx
• UserName/Password: Jsmith/Demo1234. After login, navigate to http://testfire.net/bank/transaction.aspx
• Observe the 'After' field:
  • Normal input: 01/01/2013
  • Injected input: 01/01/2006 union select userid,null,username+','+password,null from users--
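How the 'After' field above turns into a credential leak, and what the "risk mitigation for injection attacks" promised in the Overview looks like in code, as an added example that is not part of the original deck: a constructed SQLite stand-in for the demo site's tables (all names and values are made up), with the vulnerable string-concatenated query beside a version that validates the date and binds it as a parameter. The payload is the slide's, adapted to the constructed query (a closing quote, and SQLite's `||` in place of T-SQL's `+` for string concatenation).

```python
import sqlite3
from datetime import datetime

# Constructed stand-ins for the demo site's users and transactions tables;
# every name and value below is made up for this example.
USERS = [(1, "jsmith", "Demo1234"), (2, "admin", "placeholder-password")]
TRANSACTIONS = [(100, "01/01/2013", "Deposit", 250.0),
                (101, "03/15/2013", "Withdrawal", 40.0)]

# The slide's payload adapted to the constructed query: a quote closes the date
# literal and T-SQL's '+' string concatenation becomes SQLite's '||'.
PAYLOAD = ("01/01/2006' union select userid,null,"
           "username||','||password,null from users--")


def make_db():
    """In-memory SQLite database holding the two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE transactions "
                 "(id INTEGER, date TEXT, description TEXT, amount REAL)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", TRANSACTIONS)
    return conn


def after_filter_vulnerable(conn, after):
    """The 'After' field spliced into SQL by concatenation: the user's text is
    parsed as SQL, so a UNION can pull rows out of any other table."""
    sql = ("SELECT id, date, description, amount FROM transactions "
           f"WHERE date >= '{after}'")
    return conn.execute(sql).fetchall()


def after_filter_safe(conn, after):
    """Mitigation: validate the field as a date, then bind it as a parameter so
    the driver treats it purely as a value and never as SQL text."""
    datetime.strptime(after, "%m/%d/%Y")  # raises ValueError for anything else
    sql = "SELECT id, date, description, amount FROM transactions WHERE date >= ?"
    return conn.execute(sql, (after,)).fetchall()


def leaked_credentials(rows):
    """Rows smuggled in by the UNION have NULL date/amount and 'user,password'
    where the description belongs."""
    return [r[2] for r in rows if r[1] is None and r[3] is None]
```

With the payload, the vulnerable filter returns every user's credentials alongside the real transactions; the safe version rejects it before any SQL runs, and even a malformed date that slipped past validation would only ever be compared as a string.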
Hackbar
• Hackbar is a Firefox add-on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include:
  • Loading URLs
  • Slicing URLs
  • Character encoding
  • Executing crafted URL requests

Tamper Data
• Firefox add-on used to modify HTTP requests and responses
• Trace and time HTTP requests/responses
• Modify POST parameters
• Add HTTP headers
• Encode/decode strings
• Limited ability for testing XSS and SQL Injection

Cookie Manager+
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include:
  • Ability to filter cookies by domain
  • Option to back up and restore cookies
  • Ability to change the expiry date of a cookie

Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used to build the site
• Once an attacker knows which internal components are in use, that information can be used to exploit known vulnerabilities in those components, libraries, frameworks or servers

FxCop
• Static code analysis tool for applications written for the Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters taken from:
  • Form fields
  • Query strings
  • Databases and data access methods
  • The cookie collection
  • Session and application variables

Fiddler Plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid web security tool
• Detects critical vulnerabilities
• Ultimate control: manual and automatic modes for testing
• Fuzzes multiple request formats: Ammonite understands how to stuff faults into XML, JSON, URL-encoded and multi-part POST bodies.
• Tests all request sections, including cookies, headers, URL path elements (RESTful apps), query string and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP 500 errors and verbose error messages.
• Exports results as an HTML report

Fiddler Plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free web security tool
• Passively monitors traffic for 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO
  • Live session
  • Report
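The passive response checks that the Ammonite and Watcher slides describe (credit card numbers, hidden form fields, HTTP 500s, verbose error messages), as an added example that is neither tool's code nor part of the original deck: a few constructed responses stand in for a Fiddler capture (URLs, statuses and bodies are made up), and a Luhn check keeps arbitrary 13 to 19 digit runs from being reported as card numbers.

```python
import re

# Constructed responses standing in for a captured Fiddler session (SAZ);
# every URL, status and body below is made up for this example.
SAMPLE_RESPONSES = [
    {"url": "http://example.test/bank/transaction.aspx", "status": 200,
     "body": "<input type='hidden' name='accountId' value='800000'>"
             "<p>Card on file: 4111 1111 1111 1111</p>"},
    {"url": "http://example.test/search.aspx", "status": 500,
     "body": "Server Error in '/' Application.\n"
             "System.Data.SqlClient.SqlException: Incorrect syntax near 'union'.\n"
             "   at System.Data.SqlClient.SqlConnection.OnError(SqlException e)\n"},
    {"url": "http://example.test/index.html", "status": 200,
     "body": "<html><body>Welcome back. Order ref 1234567890123</body></html>"},
]

CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, separators allowed
HIDDEN_FIELD = re.compile(r"""<input[^>]*type=['"]?hidden['"]?[^>]*>""", re.I)
FIELD_NAME = re.compile(r"""name=['"]?([^'" >]+)""", re.I)
VERBOSE_ERROR = re.compile(r"Server Error in|\w+Exception:|^\s+at [\w.]+\(", re.M)


def luhn_ok(digits):
    """Luhn checksum: separates real card numbers from other long digit runs."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        n = int(d) * 2 if i % 2 else int(d)
        total += n - 9 if n > 9 else n
    return total % 10 == 0


def check_response(resp):
    """Passive checks on one response; returns a list of finding strings."""
    findings = []
    if resp["status"] >= 500:
        findings.append(f"HTTP {resp['status']} response")
    for m in HIDDEN_FIELD.finditer(resp["body"]):
        name = FIELD_NAME.search(m.group(0))
        findings.append(f"hidden form field: {name.group(1) if name else '?'}")
    for m in CARD_CANDIDATE.finditer(resp["body"]):
        if luhn_ok(re.sub(r"\D", "", m.group(0))):
            findings.append(f"possible card number: {m.group(0)}")
    if VERBOSE_ERROR.search(resp["body"]):
        findings.append("verbose error message / stack trace")
    return findings


def run_checks(responses):
    """Map each URL to its findings, dropping responses with nothing to report."""
    report = {r["url"]: check_response(r) for r in responses}
    return {url: f for url, f in report.items() if f}
```

The order reference on the third page is a 13-digit run that fails the Luhn check, so it is not reported; the account page is flagged for both its hidden field and the card number, and the failed search for its 500 status and the leaked stack trace.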
AntiXSS Library
• AntiXSS provides a myriad of encoding functions: HTML, XML, URL, form, LDAP, CSS, JScript and VBScript encoding methods.
• White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. All characters not on the white list are encoded using the correct rules for the encoding type.
• Secure globalization: an attack can be coded in any language, and AntiXSS now protects against XSS attacks coded in dozens of languages.
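The white-list encoding approach described above, applied to the reflected payload from the testfire.net search demo, as an added example that is not the AntiXSS library's own code: a constructed safe list (an assumption for this example, not the library's table) beside a four-character black-list encoder standing in for the standard encoding the slide contrasts, plus a check of which non-safe characters each encoder leaves untouched when the search term is echoed back into the page.

```python
import html
import re

# Constructed safe list in the AntiXSS style: only these characters pass through
# untouched; every other character becomes a numeric entity. The exact list is an
# assumption made for this example, not the library's own table.
SAFE_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 ,.-_")

# The reflected payload from the search demo, and a constructed non-ASCII sample
# for the "secure globalization" point.
XSS_PAYLOAD = "<script>alert('xss')</script>"
NON_ASCII_SAMPLE = "Grüße"


def whitelist_html_encode(text):
    """White-list approach: encode everything that is not explicitly allowed."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)


def legacy_style_html_encode(text):
    """Black-list contrast, modelled on a classic four-character HtmlEncode: only
    & < > " are escaped; the single quote and all non-ASCII text pass through."""
    return (text.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))


def unencoded_unsafe_chars(text, encoder):
    """Characters outside the safe list that survive an encoder verbatim
    (entity syntax itself is stripped before looking)."""
    stripped = re.sub(r"&#?\w+;", "", encoder(text))
    return sorted({ch for ch in stripped if ch not in SAFE_CHARS})


def round_trips(text, encoder):
    """Both encoders must be lossless: the browser decodes the entities back to
    the original characters for display, so nothing the user typed is lost."""
    return html.unescape(encoder(text)) == text
```

Rendered into the search results page, the white-listed output displays the payload as literal text in every context, while the black-list output still carries the quote, parentheses and slash, which is exactly the gap the slide's comparison points at.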
Asafaweb
• Non-invasive vulnerability scanner
• Individual effort from security consultant Troy Hunt
• Good for "already in production" projects
• Baseline scan for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the hash DoS patch
• DEMO

CAT.NET & BinScope Binary Analyzer
• CAT.NET
  • Identifies common variants of certain prevailing vulnerabilities that give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
  • Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
• BinScope Binary Analyzer
  • Verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the Microsoft SDL.
  • BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
• Note: only compatible with Visual Studio 2005 and Visual Studio 2008

w3af.org
• w3af identifies more than 200 vulnerabilities and reduces your site's overall risk exposure.
• Open-source Python-based core engine with a plug-in architecture
• w3af is a Web Application Attack and Audit Framework.

Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Automatically scans password-protected areas as well
• Comprehensive reports for legal and regulatory compliance
• Includes an HTTP sniffer, HTTP fuzzer and blind SQL injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compares scans and finds differences from previous scans
• Support for CAPTCHA, Single Sign-On and two-factor authentication mechanisms

NetSparker
• The only false-positive-free web application security scanner
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Reporting against well-known compliance specifications such as PCI, OWASP and CAPEC
• Custom reports

Resources
• OWASP (Open Web Application Security Project): https://www.owasp.org
• XSS-Me: https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security: http://www.microsoft.com/security and http://www.Microsoft.com/sdl
• Wikipedia: http://en.wikipedia.org/wiki/Threat_model

This presentation is shared under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information on this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
