Application Security-III
Security Analysis Tools
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
Overview
• OWASP Top 10 Threats
• Security Analysis Tools Landscape
• Attack Simulation Tools
• Defense Assisting Tools
• Risk mitigation for Injection Attacks
• Risk mitigation for XSS Attacks
• Resources
2
OWASP Top 10 Threats
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
3
OWASP Top 10 Threats
• Sensitive Data Exposure
• Missing Function Level Access Control (e.g. Failure to Restrict URL Access)
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities (e.g. Security Misconfiguration)
• Unvalidated Redirects and Forwards
4
5
Security Analysis Tools Landscape
XSS Me
• XSS-Me is a Firefox add-on used to test for reflected Cross-Site Scripting (XSS). It does not currently test for stored XSS.
• It is only used for run-time application security testing and is not related to static code analysis.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of an XSS attack.
• XSS Filter Evasion Cheat Sheet:
• https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
• Devise your own attack! http://ha.ckers.org/xsscalc.html
6
XSS Me
• Demo Website
http://www.testfire.net
• Search for a normal string
http://www.testfire.net/search.aspx?txtSearch=test
• Search for an XSS-induced attack
http://www.testfire.net/search.aspx?txtSearch=<script>alert('xss')</script>
7
SQL Inject Me
• SQL Inject Me is a Firefox add-on used to test for SQL Injection.
• It is only used for run-time application security testing.
• The tool works by submitting your HTML forms and substituting the form values with strings that are representative of a SQL Injection attack.
• Advanced attacks, such as blind SQL injection, may require additional manual testing (e.g. attempting to bypass authentication).
8
SQL Inject Me
• Demo Website
http://testfire.net/bank/login.aspx
• UserName/Password: Jsmith/Demo1234; navigate to the following page after login
http://testfire.net/bank/transaction.aspx
• Observe the 'After' field:
• Normal input: 01/01/2013
• 01/01/2006 union select userid,null,username+','+password,null from users--
9
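The 'After' field demo above shows the symptom; the example below, which is added here and is not part of the original slides, shows the cause and the fix side by side. It builds a constructed SQLite database (the table and column names are assumptions, not the real testfire.net schema), runs the same filter once with string concatenation and once with a bound parameter, and applies the slide's payload rewritten for SQLite ('||' instead of T-SQL '+', and a leading quote because this handler is assumed to wrap the value in quotes).

```python
import sqlite3

# Constructed in-memory database standing in for the demo site's data;
# the table and column names are assumptions, not the real testfire.net schema.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(userid INTEGER, username TEXT, password TEXT);
        CREATE TABLE transactions(id INTEGER, tdate TEXT, description TEXT, amount REAL);
        INSERT INTO users VALUES (1, 'jsmith', 'Demo1234'), (2, 'admin', 'hunter2');
        INSERT INTO transactions VALUES (10, '2013-02-01', 'Deposit', 100.0),
                                        (11, '2012-12-15', 'Withdrawal', -40.0);
    """)
    return conn

# The slide's payload rewritten for SQLite: '||' concatenates strings here where
# T-SQL uses '+', and the leading quote closes the date literal the handler opens.
UNION_PAYLOAD = "2006-01-01' union select userid,null,username||','||password,null from users--"

def transactions_after_vulnerable(conn: sqlite3.Connection, after: str) -> list:
    # The 'After' value is pasted straight into the statement text, so the
    # user controls the SQL grammar, not just a value.
    sql = ("SELECT id, tdate, description, amount FROM transactions "
           "WHERE tdate > '" + after + "'")
    return conn.execute(sql).fetchall()

def transactions_after_safe(conn: sqlite3.Connection, after: str) -> list:
    # A bound parameter travels as data; the statement's shape is fixed before
    # the value is seen, so the UNION never becomes part of the query.
    sql = "SELECT id, tdate, description, amount FROM transactions WHERE tdate > ?"
    return conn.execute(sql, (after,)).fetchall()

def leaks_credentials(rows) -> bool:
    # Detection helper for the demo: did any returned row carry a user record?
    return any(isinstance(r[2], str) and "Demo1234" in r[2] for r in rows)

if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", transactions_after_vulnerable(db, UNION_PAYLOAD))
    print("safe:      ", transactions_after_safe(db, UNION_PAYLOAD))
```

With a normal date both functions return the same rows; with the payload the concatenated version returns the two transactions plus two rows of usernames and passwords, while the parameterized version still returns only transactions, because the whole payload is compared as one string.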
Hackbar
• Hackbar is a Firefox add-on used to test for XSS and SQL Injection.
• It is useful while handcrafting attacks or doing penetration testing.
• Features include
• Loading a URL
• Slicing a URL
• Character encoding
• Executing a crafted URL request
10
Tamper Data
• Firefox add-on used to modify HTTP requests and responses
• Trace and time HTTP requests/responses
• Modify POST parameters
• Add HTTP headers
• Encode/decode strings
• Limited ability for testing XSS and SQL Injection
11
Cookie Manager +
• Firefox add-on used to view, modify, create, back up and restore cookies.
• Features include
• Ability to filter cookies based on domain
• Option to back up and restore cookies
• Ability to change the expiry date in a cookie's Expires attribute
12
Wappalyzer
• Firefox add-on for revealing the internals of websites/web applications
• Analyzes the DOM and HTTP response headers and identifies the libraries, frameworks and components used for building the website
• Once an attacker gets more details about internal components, s/he can use that information to exploit known vulnerabilities in those components, libraries, frameworks or servers
13
FxCop
• Static code analysis tool for applications written for the Microsoft .NET Framework
• Has security and security transparency rules
• Determines whether HTML output includes input parameters from:
• Form fields,
• Query strings,
• Databases and data access methods
• Cookie collection
• Session and application variables
14
Fiddler Plugin: Ammonite
• URL: http://ammonite.ryscc.com/
• Paid web security tool
• Detects critical vulnerabilities
• Ultimate control: manual and automatic modes for testing
• Fuzzes multiple request formats
• Ammonite understands how to inject faults into XML, JSON, URL-encoded and multipart POST bodies.
• Tests all request sections, including cookies, headers, URL path elements (RESTful apps), query string and request body.
• Passive checks that scan responses for credit card numbers, hidden form fields, HTTP/500 errors and verbose error messages.
• Exports results as an HTML report
15
Fiddler Plugin: Watcher
• URL: http://websecuritytool.codeplex.com
• Free web security tool
• Passively monitors traffic with 40+ checks
• Can also work offline on SAZ files from Fiddler
• Results of the various checks can be exported as HTML or XML
• DEMO
• Live Session
• Report
16
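Both Fiddler plugins above are built around passive checks: they never send a request of their own, they only inspect responses that already went past. The following Python is an added example, not code from Ammonite or Watcher, of what the response-side checks the slides list (HTTP/500 errors, verbose error messages, credit card numbers, hidden form fields) look like when run over a constructed session of (status, body) pairs; the regular expressions and finding labels are this example's own choices.

```python
import re

# Constructed sample session: (status, body) pairs standing in for captured
# Fiddler responses; none of this came from a real site.
SAMPLE_RESPONSES = [
    (200, "<html><form><input type='hidden' name='accountId' value='800000'></form>"
          "<p>Card on file: 4111 1111 1111 1111</p></html>"),
    (500, "Server Error in '/' Application. System.Data.SqlClient.SqlException: "
          "Incorrect syntax near 'union'. at Bank.Transactions.Page_Load(Object sender) "
          "in c:\\site\\transaction.aspx.cs:line 42"),
    (200, "<p>Order 12345678901234 has shipped.</p>"),
]

# Signatures of verbose error pages (ASP.NET "yellow screen", .NET/Java stack
# frames, Oracle error codes, generic SQL syntax errors).
VERBOSE_ERROR = re.compile(
    r"Server Error in '.*?' Application|Exception:|stack trace|"
    r"\.(?:cs|vb|java):line \d+|ORA-\d{5}|syntax error",
    re.IGNORECASE,
)
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
HIDDEN_INPUT = re.compile(r"<input\b[^>]*\btype=[\"']?hidden[\"']?[^>]*>", re.IGNORECASE)
NAME_ATTR = re.compile(r"\bname=[\"']?([^\"'\s>]+)", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def passive_checks(status: int, body: str) -> list:
    """Return the finding labels raised by one response."""
    findings = []
    if status >= 500:
        findings.append("http-500")
    if VERBOSE_ERROR.search(body):
        findings.append("verbose-error")
    for m in CARD_CANDIDATE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("credit-card")
            break
    for tag in HIDDEN_INPUT.finditer(body):
        name = NAME_ATTR.search(tag.group())
        findings.append("hidden-field:" + (name.group(1) if name else "?"))
    return findings

def scan_session(responses) -> dict:
    """Run the passive checks over every captured response, keyed by its index."""
    return {i: passive_checks(status, body) for i, (status, body) in enumerate(responses)}

if __name__ == "__main__":
    for index, found in scan_session(SAMPLE_RESPONSES).items():
        print(index, found)
```

The Luhn check is what keeps the third response quiet: its 14-digit order number matches the candidate pattern but fails the checksum, which is the usual way a passive scanner keeps card-number findings from drowning in order and phone numbers.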
AntiXSS Library
• AntiXSS provides a myriad of encoding functions for HTML, XML, URL, form, LDAP, CSS, JScript and VBScript encoding.
• White lists: AntiXSS differs from the standard .NET Framework encoding by using a white-list approach. All characters not on the white list are encoded using the correct rules for the encoding type.
• Secure globalization: An attack can be coded in any language, and AntiXSS now protects against XSS attacks coded in dozens of languages.
17
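The XSS Me demo earlier reflects the txtSearch value straight into the page, and the AntiXSS slide describes the white-list encoding that closes that hole. The Python below is an added example, not code from the AntiXSS library or from the slides, that implements the white-list idea (every character outside an assumed safe set becomes a numeric character reference; the real AntiXSS white list is not reproduced here), renders the demo's search string both ways, and uses the standard-library HTML tokenizer to confirm whether a script element survives. It also contrasts the result with the five-character `html.escape`, which is the point the "secure globalization" bullet makes.

```python
import html
import string
from html.parser import HTMLParser

# White list in the AntiXSS style: everything outside it becomes a numeric
# character reference. The exact set AntiXSS allows is an assumption here.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " ,.-_")

def whitelist_html_encode(value: str) -> str:
    """Encode every character not on the white list as &#NNN;."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in value)

def encode_both(value: str) -> tuple:
    """(standard escape of only & < > \" ', white-list encoding) for comparison."""
    return (html.escape(value), whitelist_html_encode(value))

def render_search_vulnerable(term: str) -> str:
    # Reflects the txtSearch value unencoded, as the demo page does.
    return f"<p>Results for: {term}</p>"

def render_search_encoded(term: str) -> str:
    # Same template, but the value passes through the white-list encoder first.
    return f"<p>Results for: {whitelist_html_encode(term)}</p>"

class _TagCollector(HTMLParser):
    """Records start tags so we can see what a browser would parse out of the page."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def script_elements_in(document: str) -> int:
    """Tokenize the page like a browser and count the <script> elements it contains."""
    parser = _TagCollector()
    parser.feed(document)
    parser.close()
    return parser.tags.count("script")

def roundtrips(value: str) -> bool:
    """The encoding is lossless: a browser decodes the references back to the text."""
    return html.unescape(whitelist_html_encode(value)) == value

# The search string used in the XSS Me demo on the earlier slide.
PAGE_PAYLOAD = "<script>alert('xss')</script>"

if __name__ == "__main__":
    print(render_search_vulnerable(PAGE_PAYLOAD), script_elements_in(render_search_vulnerable(PAGE_PAYLOAD)))
    print(render_search_encoded(PAGE_PAYLOAD), script_elements_in(render_search_encoded(PAGE_PAYLOAD)))
```

The encoded page still displays the literal text of the search string to the user, but the parser sees only a `<p>` element; and a non-ASCII character such as `ü` is left untouched by `html.escape` while the white-list encoder emits `&#252;`, which is what lets a white-list approach stay correct across character sets without enumerating dangerous characters per language.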
Asafaweb
• Non-invasive vulnerability scanner
• Individual effort from security consultant Troy Hunt
• Good for "already in production" projects
• Baseline of scans for common ASP.NET configuration-related vulnerabilities
• Also checks for clickjacking and the hash DoS patch
• DEMO
18
CAT.NET
• Identifies common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
• Works by reading the target assembly and all referenced assemblies used in the application, module by module, and then analyzing all of the methods contained within each.
BinScope Binary Analyzer
• Verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with the Microsoft SDL.
• BinScope checks that SDL-required compiler/linker flags are being set, strong-named assemblies are in use, up-to-date build tools are in place, and the latest good ATL headers are being used.
19
CAT.NET & BinScope Binary Analyzer
Note: Only compatible with Visual Studio 2005 and Visual Studio 2008
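The FxCop security rules ("does HTML output include input parameters?") and CAT.NET ("analyze every method for paths from input to XSS, SQL or XPath sinks") are both data-flow analyses: input sources are marked tainted, taint follows assignments and string operations, and a finding is raised when a sink receives an unsanitized tainted value. The Python below is an added example, not code from either tool, of that mechanism reduced to straight-line top-level statements, using Python's own `ast` module and hypothetical source/sink/sanitizer names (`get_query_string`, `write_html`, `html_encode`) in place of the .NET members the real tools recognize; the sample handler it analyses is constructed for the example.

```python
import ast

# Hypothetical names standing in for the real sources, sinks and sanitizers
# FxCop and CAT.NET know about (Request.QueryString, Response.Write, encoders).
SOURCES = {"get_form_field", "get_query_string"}
SINKS = {"write_html"}
SANITIZERS = {"html_encode"}

def _is_tainted(node, tainted) -> bool:
    """Can this expression carry attacker-controlled input?"""
    if isinstance(node, ast.Name):
        return node.id in tainted
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
        if node.func.id in SOURCES:
            return True                      # fresh input enters here
        if node.func.id in SANITIZERS:
            return False                     # encoding cleans the value
        return any(_is_tainted(a, tainted) for a in node.args)
    if isinstance(node, ast.BinOp):          # string concatenation with '+'
        return _is_tainted(node.left, tainted) or _is_tainted(node.right, tainted)
    if isinstance(node, ast.JoinedStr):      # f-strings
        return any(_is_tainted(v.value, tainted)
                   for v in node.values if isinstance(v, ast.FormattedValue))
    # Anything else (method calls, attribute access, subscripts) is treated
    # conservatively: tainted if any sub-expression is.
    return any(_is_tainted(child, tainted) for child in ast.iter_child_nodes(node))

def find_tainted_sinks(source_code: str) -> list:
    """Return line numbers of sink calls that receive unsanitized input.

    Intentionally limited to top-level, straight-line statements; real tools
    add control flow, inter-procedural propagation and more precise rules.
    """
    tree = ast.parse(source_code)
    tainted = set()
    findings = []
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign):
            for target in stmt.targets:
                if isinstance(target, ast.Name):
                    if _is_tainted(stmt.value, tainted):
                        tainted.add(target.id)
                    else:
                        tainted.discard(target.id)   # overwritten with clean data
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            call = stmt.value
            if (isinstance(call.func, ast.Name) and call.func.id in SINKS
                    and any(_is_tainted(a, tainted) for a in call.args)):
                findings.append(stmt.lineno)
    return findings

# Constructed sample handler to analyse (mirrors the search page pattern).
SAMPLE_HANDLER = """\
term = get_query_string("txtSearch")
safe_term = html_encode(term)
write_html("<h1>Results for " + term + "</h1>")
write_html(f"<h1>Results for {safe_term}</h1>")
write_html("<p>No user input here</p>")
greeting = "Hello " + term
greeting = "Hello"
write_html(greeting)
"""

if __name__ == "__main__":
    print("tainted sink calls on lines:", find_tainted_sinks(SAMPLE_HANDLER))
```

Only line 3 is reported: line 4 passes through the sanitizer, line 5 is constant, and `greeting` is overwritten with a constant on line 7 before it reaches the sink on line 8, so the taint recorded on line 6 is dropped. Those are the same three decisions (sanitizer, constant, overwrite) that decide whether a CAT.NET or FxCop finding is a true positive.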
W3af.org
• Use w3af to identify more than 200 vulnerabilities and reduce your site's overall risk exposure.
• Open-source, Python-based core engine with a plug-in architecture
• w3af is a Web Application Attack and Audit Framework.
20
Acunetix
• Website analysis and vulnerability detection
• Comprehensive scanning for SQL Injection and Cross-Site Scripting (XSS) vulnerabilities
• Scans password-protected areas automatically as well
• Comprehensive reports for legal and regulatory compliance
• Includes HTTP sniffer, HTTP fuzzer and Blind SQL Injector
• Detects HTTP Parameter Pollution (HPP) vulnerabilities
• Compare scans and find differences with previous scans.
• Support for CAPTCHA, Single Sign-On and two-factor authentication mechanisms.
21
NetSparker
• The only false-positive-free web application security scanner
• Ajax/JavaScript support
• Supports Basic, Forms, NTLM, Digest and Kerberos authentication
• Vulnerability retest
• Also supports manual testing
• Support for reporting against well-known compliance specifications like PCI, OWASP, CAPEC etc.
• Custom Reports
22
Resources
• OWASP (Open Web Application Security Project):
https://www.owasp.org
• XSS-Me
https://addons.mozilla.org/en-us/firefox/addon/xss-me/
• SQL Inject Me
• Microsoft Security
http://www.microsoft.com/security
http://www.Microsoft.com/sdl
• Wikipedia:
http://en.wikipedia.org/wiki/Threat_model
23
This presentation is shared under Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license. More information for this license is available at http://creativecommons.org/licenses/by-nc-sa/4.0/
All trademarks are the property of their respective owners. Lalit Kale makes no warranties, express, implied or statutory, as to the information in this presentation.
Lalit Kale
lalitkale@gmail.com
http://lalitkale.wordpress.com
