The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA... (Denim Group)
There are a number of reasons to use source code to assist in web application penetration testing, such as making better use of penetration testers’ time, providing penetration testers with deeper insight into system behavior, and highlighting specific sections so development teams can remediate vulnerabilities faster. Examples of these are provided using the open source ThreadFix plugin for the OWASP ZAP proxy and dynamic application security testing tool. These show opportunities attendees have to enhance their own penetration tests given access to source code.
This presentation covers the “ABCs” of source code assisted web application penetration testing: attack surface enumeration, backdoor identification, and configuration issue discovery. Having access to the source lets an attacker enumerate all of the URLs and parameters an application exposes – essentially its attack surface. Knowing these allows pen testers greater application coverage during testing. In addition, access to source code can help to identify potential backdoors that have been intentionally added to the system. Comparing the results of blind spidering to a full attack surface model can identify items of interest such as hidden admin consoles or secret backdoor parameters. Finally, the presentation examines how access to source code can help identify configuration settings that may have an adverse impact on the security of the deployed application.
OWASP WebGoat and PANTERA Web Assessment Studio Project (Philippe Bogaerts)
I had the pleasure to talk at the Belgium OWASP chapter. Here is a copy of the introduction presentation on WebGoat and the PANTERA Web Assessment Studio Project.
AppSec & OWASP Top 10 Primer
By Matt Scheurer (@c3rkah)
Cincinnati, Ohio
Date: 03/21/2019
Momentum Developer Conference
Sharonville Convention Center
#momentumdevcon
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
This is the course outline for the Strathmore Mobile Boot Camp in Nov 2010.
Facilitator: Michael Wakahe, Director, Shujaa Solutions Ltd
Date: Nov 18th - 20th, 2010
Venue: Strathmore University Mobile Boot Camp
Technology First
16th Annual Ohio Information Security Conference
OISC 2019
#OISC19
The OWASP Top 10 & AppSec Primer
By Matt Scheurer (@c3rkah)
Dayton, Ohio
Date: 03/13/2019
Abstract:
Are you testing the security of your web applications, web sites, and web servers? The malicious threat actors on the Internet almost certainly are. We will cover AppSec along with a brief review of the 2017 OWASP Top 10 List. The focus of the presentation is how to get started with AppSec and where to continue learning more. Accompanying the presentation are live demos of Nikto and the OWASP Zed Attack Proxy (ZAP).
Bio:
Matt Scheurer serves as Chair of the Cincinnati Networking Professionals Association Security Special Interest Group (CiNPA Security SIG) and works as a Systems Security Engineer in the Financial Services industry. He holds a CompTIA Security+ Certification and possesses multiple Microsoft Certifications including MCP, MCPS, MCTS, MCSA, and MCITP. He has presented on numerous Information Security topics as a featured speaker at many local area technology groups and large Information Security conferences all over the Ohio, Indiana, and Kentucky Tri-State. Matt maintains active memberships in a number of professional organizations including the Association for Computing Machinery (ACM), Cincinnati Networking Professionals Association (CiNPA), Financial Services - Information Sharing and Analysis Center (FS-ISAC), and Information Systems Security Association (ISSA).
Web Test Automation Framework - IndicThreads Conference (IndicThreads)
Amid nails, nuts and bolts, the hammer is not enough.
TeKila is an aggregation of several open source powers – Google Web Driver, HTML Unit, Java Robots, TestNG & many more … It offers a toolkit to test web applications at different levels & in different modes.
Writing a test automation framework which does more than UI testing for rapidly growing web-based applications is a tough task. Many find it tormenting, some attempt it & only a few succeed. You have to apply lots of creative ideas and innovative approaches to your test automation project rather than just selecting ONE tool which will do everything for you.
Often the search for a silver bullet tool for automation ends in a compromise. In demanding times when everything is changing rapidly, speed and flexibility cannot be compromised.
In our attempt at tackling automation we came up with TeKila. TeKila is an aggregation of the best of various open source powers, enabling us to do:
- UI testing on multiple browsers & OSes
- Business logic layer testing using APIs
- Profiling data
- The UI object repository is kept independent so that any other tool/framework can later be effortlessly incorporated
Real World SharePoint Framework and Azure Services (Brian Culver)
Building solutions in Office 365 requires leveraging other cloud services, such as Azure services. For those new to SharePoint and for all SharePoint veterans, building cloud-ready “Full Trust” solutions for Office 365 introduces a huge paradigm shift from the traditional on-premises full-trust development model.
In this session, we will look at a couple of common full trust solutions and move them to Office 365 and Azure. We will leverage various Azure services such as Azure Functions, Event Grid and WebJobs. See demonstrations of how event receivers become Azure Functions and Event Grid, and timer jobs become Azure WebJobs. Learn about other useful Azure services for replacing full trust functionality. Don’t pass up this opportunity to learn the skills and knowledge you need to build Office 365 solutions leveraging cloud services.
Attendee Takeaways:
1. Understand how to take Full Trust solutions from on-premises to Office 365.
2. Learn how to use Azure Functions, Event Grid, WebJobs and several other Azure services.
3. See demonstrations of a couple of common Full Trust solutions converted to cloud solutions on Office 365 and Azure.
OWASP OWTF The Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests (Mauro Risonho de Paula Assumpção)
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Peripheral Devices (Aditya K Sood, SecNiche Security)
Mauro Risonho de Paula Assumpção
1. Pentest Labs
Vulnerable Web Apps Frameworks and Pentest
Mauro Risonho de Paula Assumpção
firebits
firebits@backtrack.com.br
mauro.risonho@nsec.com.br
2010
2. Pentest Labs
● Mauro Risonho de Paula Assumpção, A.K.A. firebits
● I'm from Brazil!
● I work in pentest (and other services) remotely around the world
3. Pentest Labs
● Looking for a good opportunity in information security at a company; see my profile ;)
● Anywhere in the world.
● And to take a quick course in English to speak better :)
4. Pentest Labs
● Unfortunately, I do not speak English fluently, but I write and understand it well!
● Thanks to all who are here, and maybe in 2011 I will get to know everyone personally. It will be an honor.
5. Pentest Labs
Who am I?
● Pentester, exploit writer, developer, security analyst and vulnerability researcher. In Brazil this is called “autodidata” (self-taught).
6. Pentest Labs
Who am I?
● Director, Security Consultant and Security Systems pentester at NSEC (a small company in Brazil). Carried out security and development projects for Petrobras REVAP, Microsiga, Unilever, Rhodia, Tostines, Avon, CMS Energy, Stefanini IT Solutions, NeoIT, Intel, Google, Degussa, Niplan and others. Leader / Founder of "Backtrack Brazil" www.backtrack.com.br and Moderator and Translator for Backtrack USA www.backtrack-linux.org
7. Pentest Labs
● The focus of this presentation is to develop a new penetration testing lab for information security professionals, as well as for those who wish to improve or deepen their knowledge.
● We will show some capabilities of these frameworks, with some commands and techniques, but we will not carry the pentest technique through to the end, for reasons of time and to leave something to the curiosity of those concerned ;)
8. Pentest Labs
PAPER
Pentest Labs: Vulnerable Web Apps Frameworks and Pentest
9. Pentest Labs
OWASP Broken Web Applications
Excellent Learning Tool
http://code.google.com/p/owaspbwa/
● OWASP WebGoat – Java
● OWASP Vicnum – Perl
● OWASP Mutillidae – PHP
● Damn Vulnerable Web Application – PHP
10. Pentest Labs
OWASP Broken Web Applications
● OWASP CSRFGuard Test Application – Java
● Mandiant Struts Forms – Java/Struts
● Simple ASP.NET Forms (ASP.NET/C#)
● Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
11. Pentest Labs
OWASP Broken Web Applications
● WordPress version 2.0.0 (PHP, released December 31, 2005)
● phpBB version 2.0.0 (PHP, released April 4, 2002, home page)
● Yazd version 1.0 (Java, released February 20, 2002, home page)
13. Pentest Labs
Broken Web Applications
Paper: Web 2.0 AJAX
http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf
14. Pentest Labs
BadStore
Link: http://www.badstore.net/
Platform: Perl, Apache and MySQL
Install: Meant to run by booting a Live CD, but I'd recommend using my Live CD VMX
Notes: Easy to set up, and it's nice that you can run it from a VM with a little work. Just make sure you set the VM to use IP addresses that are only available from the local host OS (NAT or Host-only).
15. Pentest Labs
Damn Vulnerable Web App
Link: http://www.ethicalhack3r.co.uk/damn-vulnerable-web-app/
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on.
Notes: When I first posted Mutillidae, Ryan Dewhurst emailed me and told me about a project he started a few months before mine. His is also PHP/MySQL based, and looks prettier than mine. :) I've yet to play with it much, but I may be using some of his code in the near future to expand Mutillidae.
16. Pentest Labs
Hacme Travel
Link: http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Platform: Windows XP, MSDE 2000 Release A, Microsoft .NET Framework v1.1, C++
Install:
Notes:
17. Pentest Labs
Hacme Bank
Link: http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Platform: Windows, IIS, .NET 1.1
Install:
Notes:
18. Pentest Labs
Hacme Shipping
Link: http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Platform: Windows XP, Microsoft IIS, Adobe ColdFusion MX Server 7.0 for Windows, MySQL (4.x or 5.x with strict mode disabled)
Install:
Notes:
19. Pentest Labs
Hacme Casino
Link: http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Platform: Ruby on Rails
Install: Installer that sets up a built-in WEBrick server
Notes:
21. Pentest Labs
Hacme Books
Link: http://www.foundstone.com/us/resources/proddesc/hacmebooks.htm
Platform: J2EE application, Java Development Kit
Install:
Notes:
22. Pentest Labs
Moth
Link: http://www.bonsai-sec.com/en/research/moth.php
Platform: Linux VMware image
Install: Just download the VM and open it in VMware Player
Notes:
● Nanbiquara 2.0 (PHP + MySQL)
● Riotpix .61p (PHP + MySQL)
● Vanilla 1.1.4 (PHP + MySQL)
● Wordpress 2.6.5 (PHP + MySQL)
● Yazd war 3.0r (Tomcat 6 + MySQL)
24. Pentest Labs
Mutillidae
Link: http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Platform: PHP, Apache and MySQL
Install: Should work on any box you can install Apache/PHP/MySQL on. I have personally tested it in XAMPP under Windows and Linux.
Notes: Mutillidae is my personal project to implement the OWASP Top 10 vulnerabilities. It's designed to be easy to follow and geared towards a classroom environment. Think of it as a noob's WebGoat.
25. Pentest Labs
Vicnum
Link: http://sourceforge.net/projects/vicnum/
Platform: PHP and Perl
Install: Should work on any box you can install Apache/PHP/MySQL on. Try it with XAMPP.
Notes: Mordecai Kraushar sent me an email about his project. The more the merrier. Here is how it is described: "A web application showing common vulnerabilities such as cross site scripting and session management issues. Helpful to IT auditors honing web security skills and to those setting up 'capture the flag' exercises. For the VM login as root/vicnum"
26. Pentest Labs
WebGoat
Link: http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Platform: J2EE web application
Install: Self-contained Tomcat server you can run from a directory under Windows or Linux
Notes: Love the fact it's so self-contained and easy to run. By default it only listens on the loopback address, so you can run it from your workstation on a production network with few worries.
28. Pentest Labs
WebMaven (AKA: Buggy Bank)
Link: http://www.mavensecurity.com/WebMaven.php
Platform: Perl CGI scripts
Install: You have to install this on a box with a web server and Perl CGI support. The creators recommend Xitami for the sake of ease. Make sure that you don't put the server on a production network.
Notes: I've not played with this one much. The website for WebMaven says it was the basis for WebGoat v1.
29. Pentest Labs
References
Link: http://www.irongeek.com
Link: http://www.owasp.org
Link: http://www.google.com
Link: http://www.backtrack-linux.org
30. Pentest Labs
THANKS FOR ALL!!!
Mauro Risonho de Paula Assumpção
http://www.informationsecurityday.com/c0c0n/
firebits@backtrack.com.br
mauro.risonho@nsec.com.br